Added a Terraform example using Terraform 0.12 beta

Author: garethr

examples/terraform/.gitignore

@@ -0,0 +1 @@
+.terraform

examples/terraform/Makefile

@@ -0,0 +1,27 @@
+NAME := gke
+
+COMMAND := terraform
+PLAN = $(NAME)-plan.tfplan
+SHOW = $(NAME)-show.json
+CODE = $(NAME).tf
+
+
+all: test
+
+plan: $(PLAN)
+
+$(PLAN): $(CODE)
+	$(COMMAND) plan -out $(PLAN)
+
+show: $(SHOW)
+
+$(SHOW): plan
+	$(COMMAND) show -json $(PLAN) > $(SHOW)
+
+test: show
+	cat $(SHOW) | conftest -
+
+clean:
+	@rm -f $(PLAN) $(SHOW)
+
+.PHONY: plan show test all clean

examples/terraform/gke-plan.tfplan

@@ -0,0 +1 @@
+{"format_version":"0.1","terraform_version":"0.12.0-beta2","planned_values":{"outputs":{"client_certificate":{"sensitive":false},"client_key":{"sensitive":false},"cluster_ca_certificate":{"sensitive":false}},"root_module":{"resources":[{"address":"google_container_cluster.primary","mode":"managed","type":"google_container_cluster","name":"primary","provider_name":"google","schema_version":1,"values":{"description":null,"enable_kubernetes_alpha":false,"enable_legacy_abac":false,"initial_node_count":1,"location":"us-central1","maintenance_policy":[],"master_auth":[{"client_certificate_config":[],"password":null,"username":null}],"master_authorized_networks_config":[],"min_master_version":null,"name":"my-gke-cluster","network":"default","pod_security_policy_config":[],"private_cluster_config":[],"remove_default_node_pool":true,"resource_labels":null,"timeouts":null}},{"address":"google_container_node_pool.primary_preemptible_nodes","mode":"managed","type":"google_container_node_pool","name":"primary_preemptible_nodes","provider_name":"google","schema_version":1,"values":{"autoscaling":[],"cluster":"my-gke-cluster","location":"us-central1","name":"my-node-pool","node_config":[{"labels":null,"machine_type":"n1-standard-1","metadata":{"disable-legacy-endpoints":"true"},"min_cpu_platform":null,"oauth_scopes":["https://www.googleapis.com/auth/monitoring","https://www.googleapis.com/auth/logging.write"],"preemptible":true,"tags":null,"taint":[],"workload_metadata_config":[]}],"node_count":1,"timeouts":null}}]}},"resource_changes":[{"address":"google_container_cluster.primary","mode":"managed","type":"google_container_cluster","name":"primary","provider_name":"google","change":{"actions":["create"],"before":null,"after":{"description":null,"enable_kubernetes_alpha":false,"enable_legacy_abac":false,"initial_node_count":1,"location":"us-central1","maintenance_policy":[],"master_auth":[{"client_certificate_config":[],"password":null,"username":null}],"master_authorized_networks_config":[],"min_master_version":null,"name":"my-gke-cluster","network":"default","pod_security_policy_config":[],"private_cluster_config":[],"remove_default_node_pool":true,"resource_labels":null,"timeouts":null},"after_unknown":{"additional_zones":true,"addons_config":true,"cluster_autoscaling":true,"cluster_ipv4_cidr":true,"description":false,"enable_binary_authorization":true,"enable_kubernetes_alpha":false,"enable_legacy_abac":false,"enable_tpu":true,"endpoint":true,"id":true,"initial_node_count":false,"instance_group_urls":true,"ip_allocation_policy":true,"location":false,"logging_service":true,"maintenance_policy":false,"master_auth":[{"client_certificate":true,"client_certificate_config":false,"client_key":true,"cluster_ca_certificate":true,"password":false,"username":false}],"master_authorized_networks_config":false,"master_version":true,"min_master_version":false,"monitoring_service":true,"name":false,"network":false,"network_policy":true,"node_config":true,"node_locations":true,"node_pool":true,"node_version":true,"pod_security_policy_config":false,"private_cluster_config":false,"project":true,"region":true,"remove_default_node_pool":false,"resource_labels":false,"subnetwork":true,"timeouts":false,"zone":true}}},{"address":"google_container_node_pool.primary_preemptible_nodes","mode":"managed","type":"google_container_node_pool","name":"primary_preemptible_nodes","provider_name":"google","change":{"actions":["create"],"before":null,"after":{"autoscaling":[],"cluster":"my-gke-cluster","location":"us-central1","name":"my-node-pool","node_config":[{"labels":null,"machine_type":"n1-standard-1","metadata":{"disable-legacy-endpoints":"true"},"min_cpu_platform":null,"oauth_scopes":["https://www.googleapis.com/auth/monitoring","https://www.googleapis.com/auth/logging.write"],"preemptible":true,"tags":null,"taint":[],"workload_metadata_config":[]}],"node_count":1,"timeouts":null},"after_unknown":{"autoscaling":false,"cluster":false,"id":true,"initial_node_count":true,"instance_group_urls":true,"location":false,"management":true,"max_pods_per_node":true,"name":false,"name_prefix":true,"node_config":[{"disk_size_gb":true,"disk_type":true,"guest_accelerator":true,"image_type":true,"labels":false,"local_ssd_count":true,"machine_type":false,"metadata":{"disable-legacy-endpoints":false},"min_cpu_platform":false,"oauth_scopes":[false],"preemptible":false,"service_account":true,"tags":false,"taint":false,"workload_metadata_config":false}],"node_count":false,"project":true,"region":true,"timeouts":false,"version":true,"zone":true}}}],"output_changes":{"client_certificate":{"actions":["create"],"before":null,"after_unknown":true},"client_key":{"actions":["create"],"before":null,"after_unknown":true},"cluster_ca_certificate":{"actions":["create"],"before":null,"after_unknown":true}},"configuration":{"provider_config":{"google":{"name":"google","version_constraint":"2.5.0","expressions":{"project":{"constant_value":"instrumenta"},"region":{"constant_value":"europe-west2"}}}},"root_module":{"outputs":{"client_certificate":{"expression":{"references":["google_container_cluster.primary"]}},"client_key":{"expression":{"references":["google_container_cluster.primary"]}},"cluster_ca_certificate":{"expression":{"references":["google_container_cluster.primary"]}}},"resources":[{"address":"google_container_cluster.primary","mode":"managed","type":"google_container_cluster","name":"primary","provider_config_key":"google","expressions":{"initial_node_count":{"constant_value":1},"location":{"constant_value":"us-central1"},"master_auth":[{"password":{"constant_value":""},"username":{"constant_value":""}}],"name":{"constant_value":"my-gke-cluster"},"remove_default_node_pool":{"constant_value":true}},"schema_version":1},{"address":"google_container_node_pool.primary_preemptible_nodes","mode":"managed","type":"google_container_node_pool","name":"primary_preemptible_nodes","provider_config_key":"google","expressions":{"cluster":{"references":["google_container_cluster.primary"]},"location":{"constant_value":"us-central1"},"name":{"constant_value":"my-node-pool"},"node_config":[{"machine_type":{"constant_value":"n1-standard-1"},"metadata":{"constant_value":{"disable-legacy-endpoints":"true"}},"oauth_scopes":{"constant_value":["https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring"]},"preemptible":{"constant_value":true}}],"node_count":{"constant_value":1}},"schema_version":1}]}}}

examples/terraform/gke-show.json

@@ -0,0 +1,60 @@
+provider "google" {
+  version = "2.5.0"
+  project = "instrumenta"
+  region = "europe-west2"
+
+
+}
+
+resource "google_container_cluster" "primary" {
+  name     = "my-gke-cluster"
+  location = "us-central1"
+
+  # We can't create a cluster with no node pool defined, but we want to only use
+  # separately managed node pools. So we create the smallest possible default
+  # node pool and immediately delete it.
+  remove_default_node_pool = true
+  initial_node_count = 1
+
+  # Setting an empty username and password explicitly disables basic auth
+  master_auth {
+    username = ""
+    password = ""
+  }
+}
+
+resource "google_container_node_pool" "primary_preemptible_nodes" {
+  name       = "my-node-pool"
+  location   = "us-central1"
+  cluster    = "${google_container_cluster.primary.name}"
+  node_count = 1
+
+  node_config {
+    preemptible  = true
+    machine_type = "n1-standard-1"
+
+    metadata = {
+      disable-legacy-endpoints = "true"
+    }
+
+    oauth_scopes = [
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring",
+    ]
+  }
+}
+
+# The following outputs allow authentication and connectivity to the GKE Cluster
+# by using certificate-based authentication.
+output "client_certificate" {
+  value = "${google_container_cluster.primary.master_auth.0.client_certificate}"
+}
+
+output "client_key" {
+  value = "${google_container_cluster.primary.master_auth.0.client_key}"
+}
+
+output "cluster_ca_certificate" {
+  value = "${google_container_cluster.primary.master_auth.0.cluster_ca_certificate}"
+}
+

examples/terraform/gke.tf

@@ -0,0 +1,18 @@
+package main
+
+
+blacklist = [
+  "google_iam",
+  "google_container"
+]
+
+deny[msg] {
+  check_resources(input.resource_changes, blacklist)
+  banned := concat(", ", blacklist)
+  msg = sprintf("Terraform plan will change prohibited resources in the following namespaces: %v", [banned])
+}
+
+# Checks whether the plan will cause resources with certain prefixes to change
+check_resources(resources, disallowed_prefixes) {
+  startswith(resources[_].type, disallowed_prefixes[_])
+}