A production-ready Terraform configuration for provisioning secure Google Kubernetes Engine (GKE) clusters with enterprise-grade security features and best practices.
🔐 Security First
- Custom Node Pool: Complete separation between control plane and workloads
- Workload Identity: Keyless, secure access for pods to Google Cloud services
- Network Policies: Advanced network segmentation for enhanced security
⚙️ Flexible Configuration
- Easily customizable region, machine type, and node count
- Variable-driven configuration for different environments
- Production-ready defaults with override capabilities
🏗️ Best Practices Built-in
- Infrastructure as Code (IaC) approach
- Modular and maintainable Terraform structure
- Cloud-native security patterns
Before you begin, ensure you have the following installed and configured:
| Tool | Purpose | Installation Link |
|---|---|---|
| Terraform | Infrastructure provisioning | Install Terraform |
| Google Cloud SDK | GCP authentication & CLI | Install gcloud |
| kubectl | Kubernetes cluster management | Install kubectl |
Configure your Google Cloud authentication, then initialize the Terraform working directory:

```bash
gcloud auth application-default login
terraform init
```
Replace `your-gcp-project-id` with your actual Google Cloud Project ID:

```bash
terraform plan -var="project_id=your-gcp-project-id"
terraform apply -var="project_id=your-gcp-project-id"
```

💡 Tip: Use the `-auto-approve` flag to skip the confirmation prompt for automated deployments.
After successful deployment, configure kubectl:

```bash
gcloud container clusters get-credentials <cluster-name> --region <region> --project <project-id>
```
| Variable | Description | Default | Required |
|---|---|---|---|
| `project_id` | Google Cloud Project ID | - | ✅ |
| `region` | GCP region for resources | `us-central1` | ❌ |
| `node_count` | Number of nodes per zone | `1` | ❌ |
| `machine_type` | GCE machine type | `e2-medium` | ❌ |
Create a `terraform.tfvars` file:

```hcl
project_id   = "my-gcp-project"
region       = "us-west1"
node_count   = 3
machine_type = "e2-standard-4"
```
```text
├── main.tf           # Primary Terraform configuration
├── variables.tf      # Variable definitions
├── outputs.tf        # Output values
├── terraform.tfvars  # Variable values (create this)
└── README.md         # This file
```
Enables secure access to Google Cloud services without storing service account keys. The `iam.gke.io/gcp-service-account` annotation belongs on the Kubernetes ServiceAccount (not on the Pod), pods run as that ServiceAccount, and the Google service account must grant it `roles/iam.workloadIdentityUser`:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  annotations:
    # Google service account this Kubernetes ServiceAccount impersonates (placeholders in <>)
    iam.gke.io/gcp-service-account: <gsa-name>@<project-id>.iam.gserviceaccount.com
---
# Example pod configuration: runs as the annotated ServiceAccount
apiVersion: v1
kind: Pod
metadata: {name: app}
spec: {serviceAccountName: app-sa, containers: [{name: app, image: <image>}]}
```
Implement microsegmentation with Kubernetes Network Policies:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  # Empty selector: applies to every pod in the namespace the policy is created in
  podSelector: {}
  # Listing both types with no rules denies all ingress and egress;
  # allow specific traffic with additional, narrower policies
  policyTypes:
    - Ingress
    - Egress
```
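The Workload Identity and Network Policies sections above show the Kubernetes side; the cluster side of all three "Security First" features (custom node pool, Workload Identity, Network Policies) is a handful of Terraform arguments. The following is an added illustration, not this repository's `main.tf`; it assumes the `project_id`, `region`, `node_count` and `machine_type` variables from the table above, the hashicorp/google provider v5 or later, and the cluster and pool names shown.

```hcl
# Added illustration, not the repository's main.tf (names marked "assumed")
resource "google_container_cluster" "primary" {
  name     = "secure-gke"   # assumed cluster name
  location = var.region     # regional cluster: node_count is per zone
  project  = var.project_id

  # Custom Node Pool: drop the default pool so workloads run only on the
  # separately managed pool below
  remove_default_node_pool = true
  initial_node_count       = 1

  # Workload Identity: pods get Google Cloud identities from the project's
  # workload pool instead of mounted service account keys
  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }

  # Network Policies: enable enforcement so NetworkPolicy objects take effect
  network_policy {
    enabled  = true
    provider = "CALICO"
  }
  addons_config {
    network_policy_config {
      disabled = false
    }
  }

  # Provider v5+ defaults this to true, which blocks the destroy step below;
  # keep it true for production clusters
  deletion_protection = false
}

resource "google_container_node_pool" "workloads" {
  name       = "workloads"  # assumed pool name
  cluster    = google_container_cluster.primary.name
  location   = var.region
  project    = var.project_id
  node_count = var.node_count

  node_config {
    machine_type = var.machine_type
    # Required on the nodes so the GKE metadata server issues pod credentials
    workload_metadata_config {
      mode = "GKE_METADATA"
    }
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
  }
}
```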
To avoid ongoing charges, destroy the resources when finished:

```bash
terraform destroy -var="project_id=your-gcp-project-id"
```

⚠️ Warning: This will permanently delete all resources created by this Terraform configuration.
- Use Spot VMs for non-critical workloads
- Enable Cluster Autoscaling for dynamic scaling
- Configure Horizontal Pod Autoscaling for applications
- Monitor usage with Google Cloud Billing
- Fork the repository
- Create a feature branch: `git checkout -b feature/amazing-feature`
- Commit your changes: `git commit -m 'Add amazing feature'`
- Push to the branch: `git push origin feature/amazing-feature`
- Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.