This module installs Anthos Config Management (ACM) in a Kubernetes cluster.
Specifically, this module automates the following steps for installing ACM:
- Enabling the ACM feature on the fleet
- Registering the cluster to the fleet
- Optionally, generating an SSH key for accessing Git and providing it to the Operator
- Configuring the ACM feature on your cluster
- Optionally, installing ACM Policy Controller Policy Bundle(s)
- Optionally, create and configure a Google Cloud Service Account for writing ACM metrics to Cloud Monitoring
Only the first cluster in a fleet should activate the ACM fleet feature.
Other clusters should disable feature activation by setting enable_fleet_feature = false.
There is a full example provided. Simple usage is as follows:
data "google_client_config" "default" {}
provider "kubernetes" {
host = "https://${module.gke.endpoint}"
token = data.google_client_config.default.access_token
cluster_ca_certificate = base64decode(module.gke.ca_certificate)
}
module "acm" {
source = "terraform-google-modules/kubernetes-engine/google//modules/acm"
project_id = "my-project-id"
cluster_name = "my-cluster-name"
location = module.gke.location
sync_repo = "[email protected]:GoogleCloudPlatform/anthos-config-management-samples.git"
sync_branch = "1.0.0"
policy_dir = "foo-corp"
# ACM Policy Controller Policy Essentials Policy Bundle: https://cloud.google.com/anthos-config-management/docs/how-to/using-policy-essentials-v2022
policy_bundles = ["https://github.com/GoogleCloudPlatform/acm-policy-controller-library/bundles/policy-essentials-v2022#e4094aacb91a35b0219f6f4cf6a31580e85b3c28"]
create_metrics_gcp_sa = true
}To deploy this config:
- Configure the Kubernetes Provider for the target cluster, for example:
provider "kubernetes" {
host = "https://${module.gke.endpoint}"
token = data.google_client_config.default.access_token
cluster_ca_certificate = base64decode(module.gke.ca_certificate)
}
data "google_client_config" "default" {}
- Run
terraform apply - Inspect the
git_creds_publicoutput to retrieve the public key used for accessing Git. Whitelist this key for access to your Git repo. Instructions for some popular Git hosting providers are included for convenience:
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cluster_membership_id | The cluster membership ID. If unset, one will be autogenerated. | string |
"" |
no |
| cluster_name | GCP cluster Name used to reach cluster and which becomes the cluster name in the Config Sync kubernetes custom resource. | string |
n/a | yes |
| configmanagement_version | Version of ACM. | string |
"" |
no |
| create_metrics_gcp_sa | Create a Google service account for ACM metrics writing | bool |
false |
no |
| create_ssh_key | Controls whether a key will be generated for Git authentication | bool |
true |
no |
| enable_config_sync | Whether to enable the ACM Config Sync on the cluster | bool |
true |
no |
| enable_fleet_feature | Whether to enable the ACM feature on the fleet. | bool |
true |
no |
| enable_fleet_registration | Whether to create a new membership. | bool |
true |
no |
| enable_log_denies | Whether to enable logging of all denies and dryrun failures for ACM Policy Controller. | bool |
false |
no |
| enable_policy_controller | Whether to enable the ACM Policy Controller on the cluster | bool |
true |
no |
| enable_referential_rules | Enables referential constraints which reference another object in it definition and are therefore eventually consistent. | bool |
true |
no |
| hierarchy_controller | Configurations for Hierarchy Controller. See Hierarchy Controller docs for more details | map(any) |
null |
no |
| https_proxy | URL for the HTTPS proxy to be used when communicating with the Git repo. | string |
null |
no |
| install_template_library | Whether to install the default Policy Controller template library | bool |
true |
no |
| location | GCP location used to reach cluster. | string |
n/a | yes |
| metrics_gcp_sa_name | The name of the Google service account for ACM metrics writing | string |
"acm-metrics-writer" |
no |
| policy_bundles | A list of Policy Controller policy bundles git urls (example: https://github.com/GoogleCloudPlatform/acm-policy-controller-library.git/bundles/policy-essentials-v2022) to install on the cluster. | list(string) |
[] |
no |
| policy_dir | Subfolder containing configs in ACM Git repo. If un-set, uses Config Management default. | string |
"" |
no |
| project_id | GCP project_id used to reach cluster. | string |
n/a | yes |
| secret_type | git authentication secret type, is passed through to ConfigManagement spec.git.secretType. Overriden to value 'ssh' if create_ssh_key is true |
string |
"ssh" |
no |
| source_format | Configures a non-hierarchical repo if set to 'unstructured'. Uses ACM defaults when unset. | string |
"" |
no |
| ssh_auth_key | Key for Git authentication. Overrides 'create_ssh_key' variable. Can be set using 'file(path/to/file)'-function. | string |
null |
no |
| sync_branch | ACM repo Git branch. If un-set, uses Config Management default. | string |
"" |
no |
| sync_repo | ACM Git repo address | string |
"" |
no |
| sync_revision | ACM repo Git revision. If un-set, uses Config Management default. | string |
"" |
no |
| Name | Description |
|---|---|
| acm_metrics_writer_sa | The ACM metrics writer Service Account |
| configmanagement_version | Version of ACM installed. |
| git_creds_public | Public key of SSH keypair to allow the Anthos Config Management Operator to authenticate to your Git repository. |
| wait | An output to use when you want to depend on cmd finishing |