[DLAB-773] GCP k8s implementation on GCP
diff --git a/infrastructure-provisioning/terraform/gcp/main/main.tf b/infrastructure-provisioning/terraform/gcp/computational_resources/main/main.tf
similarity index 100%
rename from infrastructure-provisioning/terraform/gcp/main/main.tf
rename to infrastructure-provisioning/terraform/gcp/computational_resources/main/main.tf
diff --git a/infrastructure-provisioning/terraform/gcp/main/variables.tf b/infrastructure-provisioning/terraform/gcp/computational_resources/main/variables.tf
similarity index 100%
rename from infrastructure-provisioning/terraform/gcp/main/variables.tf
rename to infrastructure-provisioning/terraform/gcp/computational_resources/main/variables.tf
diff --git a/infrastructure-provisioning/terraform/gcp/modules/common/iam.tf b/infrastructure-provisioning/terraform/gcp/computational_resources/modules/common/iam.tf
similarity index 100%
rename from infrastructure-provisioning/terraform/gcp/modules/common/iam.tf
rename to infrastructure-provisioning/terraform/gcp/computational_resources/modules/common/iam.tf
diff --git a/infrastructure-provisioning/terraform/gcp/modules/common/network.tf b/infrastructure-provisioning/terraform/gcp/computational_resources/modules/common/network.tf
similarity index 100%
rename from infrastructure-provisioning/terraform/gcp/modules/common/network.tf
rename to infrastructure-provisioning/terraform/gcp/computational_resources/modules/common/network.tf
diff --git a/infrastructure-provisioning/terraform/gcp/modules/common/variables.tf b/infrastructure-provisioning/terraform/gcp/computational_resources/modules/common/variables.tf
similarity index 100%
rename from infrastructure-provisioning/terraform/gcp/modules/common/variables.tf
rename to infrastructure-provisioning/terraform/gcp/computational_resources/modules/common/variables.tf
diff --git a/infrastructure-provisioning/terraform/gcp/modules/data_engine/instance.tf b/infrastructure-provisioning/terraform/gcp/computational_resources/modules/data_engine/instance.tf
similarity index 100%
rename from infrastructure-provisioning/terraform/gcp/modules/data_engine/instance.tf
rename to infrastructure-provisioning/terraform/gcp/computational_resources/modules/data_engine/instance.tf
diff --git a/infrastructure-provisioning/terraform/gcp/modules/data_engine/variables.tf b/infrastructure-provisioning/terraform/gcp/computational_resources/modules/data_engine/variables.tf
similarity index 100%
rename from infrastructure-provisioning/terraform/gcp/modules/data_engine/variables.tf
rename to infrastructure-provisioning/terraform/gcp/computational_resources/modules/data_engine/variables.tf
diff --git a/infrastructure-provisioning/terraform/gcp/modules/dataproc/instance.tf b/infrastructure-provisioning/terraform/gcp/computational_resources/modules/dataproc/instance.tf
similarity index 100%
rename from infrastructure-provisioning/terraform/gcp/modules/dataproc/instance.tf
rename to infrastructure-provisioning/terraform/gcp/computational_resources/modules/dataproc/instance.tf
diff --git a/infrastructure-provisioning/terraform/gcp/modules/dataproc/variables.tf b/infrastructure-provisioning/terraform/gcp/computational_resources/modules/dataproc/variables.tf
similarity index 100%
rename from infrastructure-provisioning/terraform/gcp/modules/dataproc/variables.tf
rename to infrastructure-provisioning/terraform/gcp/computational_resources/modules/dataproc/variables.tf
diff --git a/infrastructure-provisioning/terraform/gcp/modules/notebook/instance.tf b/infrastructure-provisioning/terraform/gcp/computational_resources/modules/notebook/instance.tf
similarity index 100%
rename from infrastructure-provisioning/terraform/gcp/modules/notebook/instance.tf
rename to infrastructure-provisioning/terraform/gcp/computational_resources/modules/notebook/instance.tf
diff --git a/infrastructure-provisioning/terraform/gcp/modules/notebook/variables.tf b/infrastructure-provisioning/terraform/gcp/computational_resources/modules/notebook/variables.tf
similarity index 100%
rename from infrastructure-provisioning/terraform/gcp/modules/notebook/variables.tf
rename to infrastructure-provisioning/terraform/gcp/computational_resources/modules/notebook/variables.tf
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/README.md b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/README.md
new file mode 100644
index 0000000..d91e5e0
--- /dev/null
+++ b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/README.md
@@ -0,0 +1,25 @@
+# Terraform module for deploying DLab SSN K8S cluster
+
+List of variables which should be provided:
+
+| Variable                 | Type   | Description/Value                                                                                         |
+|--------------------------|--------|-----------------------------------------------------------------------------------------------------------|
+| access\_key\_id          | string | **Required.** AWS Access Key ID.                                                                          |
+| secret\_access\_key      | string | **Required.** AWS Secret Access Key.                                                                      |
+| service\_base\_name      | string | Any infrastructure value (should be unique if multiple SSN’s have been deployed before). Default: dlab-k8s|
+| vpc\_id                  | string | ID of AWS VPC if you already have VPC created.                                                            | 
+| vpc\_cidr                | string | CIDR for VPC creation. Conflicts with _vpc\_id_. Default: 172.31.0.0/16                                   |
+| subnet\_id               | string | ID of AWS Subnet if you already have subnet created.                                                      |
+| subnet\_cidr             | string | CIDR for Subnet creation. Conflicts with _subnet\_id_. Default: 172.31.0.0/24                             |
+| env\_os                  | string | OS type. Available options: debian, redhat. Default: debian                                               |
+| ami                      | string | **Required.** ID of EC2 AMI.                                                                              |
+| key\_name                | string | **Required.** Name of EC2 Key pair.                                                                       |
+| region                   | string | Name of AWS region. Default: us-west-2                                                                    |
+| zone                     | string | Name of AWS zone. Default: a                                                                              |
+| ssn\_k8s\_masters\_count | int    | Count of K8S masters. Default: 3                                                                          |
+| ssn\_k8s\_workers\_count | int    | Count of K8S workers. Default: 2                                                                          |
+| ssn\_root\_volume\_size  | int    | Size of root volume in GB. Default: 30                                                                    |
+| allowed\_cidrs           | list   | CIDR to allow acces to SSN K8S cluster. Default: 0.0.0.0/0                                                |
+| ssn\_k8s\_masters\_shape | string | Shape for SSN K8S masters. Default: t2.medium                                                             |
+| ssn\_k8s\_workers\_shape | string | Shape for SSN K8S workers. Default: t2.medium                                                             |
+| os\_user                 | string | Name of DLab service user. Default: dlab-user                                                             |
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/auto_scaling_groups.tf b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/auto_scaling_groups.tf
new file mode 100644
index 0000000..863e9fb
--- /dev/null
+++ b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/auto_scaling_groups.tf
@@ -0,0 +1,141 @@
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+
+locals {
+  subnet_c_id                      = data.google_compute_subnetwork.k8s-subnet-c-data == [] ? "" : data.google_compute_subnetwork.k8s-subnet-c-data.0.name
+  ssn_k8s_launch_conf_masters_name = "${var.service_base_name}-ssn-launch-conf-masters"
+  ssn_k8s_launch_conf_workers_name = "${var.service_base_name}-ssn-launch-conf-workers"
+  ssn_k8s_ag_masters_name          = "${var.service_base_name}-ssn-masters"
+  ssn_k8s_ag_workers_name          = "${var.service_base_name}-ssn-workers"
+  ssn_k8s_masters_igm              = "${var.service_base_name}-ssn-igm-masters"
+  ssn_k8s_slaves_igm               = "${var.service_base_name}-ssn-igm-slves"
+}
+
+resource "random_string" "ssn_keystore_password" {
+  length = 16
+  special = false
+}
+
+resource "random_string" "endpoint_keystore_password" {
+  length = 16
+  special = false
+}
+
+data "template_file" "ssn_k8s_masters_user_data" {
+  template = file("./files/masters-user-data.sh")
+  vars = {
+    k8s-asg                    = local.ssn_k8s_ag_masters_name
+    k8s-region                 = var.region
+    k8s-bucket-name            = google_storage_bucket.ssn_k8s_bucket.id
+    k8s-nlb-dns-name           = aws_lb.ssn_k8s_nlb.dns_name
+    k8s-tg-arn                 = aws_lb_target_group.ssn_k8s_nlb_api_target_group.arn
+    k8s_os_user                = var.os_user
+    ssn_keystore_password      = random_string.ssn_keystore_password.result
+    endpoint_keystore_password = random_string.endpoint_keystore_password.result
+    endpoint_elastic_ip        = google_compute_address.k8s-endpoint-eip.address
+  }
+}
+
+resource "google_compute_autoscaler" "master_group" {
+  name = local.ssn_k8s_ag_masters_name
+  target = ""
+  autoscaling_policy {
+    max_replicas = var.ssn_k8s_masters_count
+    min_replicas = var.ssn_k8s_masters_count
+  }
+}
+
+resource "google_compute_instance_template" "masters_template" {
+  name = local.ssn_k8s_launch_conf_masters_name
+  machine_type = var.ssn_k8s_masters_shape
+  disk {
+    source_image = var.ami
+  }
+  network_interface {
+    network = var.vpc_id
+    subnetwork = compact([data.google_compute_subnetwork.k8s-subnet-a-data.name, data.google_compute_subnetwork.k8s-subnet-b-data.name, local.subnet_c_id])
+  }
+
+  service_account {
+    email = google_service_account.ssn_k8s_sa.email
+    scopes = ["https://www.googleapis.com/auth/cloud-platform", "https://www.googleapis.com/auth/compute"]
+  }
+}
+
+resource "google_compute_target_pool" "ssn_target_pool" {
+  provider = "google-beta"
+  name = "${var.service_base_name}-target-pool"
+}
+
+resource "google_compute_instance_group_manager" "masters_igm" {
+  provider = "google-beta"
+
+  name = local.ssn_k8s_masters_igm
+  zone = var.zone
+
+  instance_template = google_compute_instance_template.masters_template.self_link
+
+  target_pools       = ["${google_compute_target_pool.ssn_target_pool.self_link}"]
+  base_instance_name = "autoscaler-sample"
+}
+
+resource "google_compute_autoscaler" "master_group" {
+  name = local.ssn_k8s_ag_masters_name
+  target = ""
+  autoscaling_policy {
+    max_replicas = var.ssn_k8s_masters_count
+    min_replicas = var.ssn_k8s_masters_count
+  }
+}
+
+resource "google_compute_instance_template" "slaves_template" {
+  name = local.ssn_k8s_launch_conf_masters_name
+  machine_type = var.ssn_k8s_masters_shape
+  disk {
+    source_image = var.ami
+  }
+  network_interface {
+    network = var.vpc_id
+    subnetwork = compact([data.google_compute_subnetwork.k8s-subnet-a-data.name, data.google_compute_subnetwork.k8s-subnet-b-data.name, local.subnet_c_id])
+  }
+
+  service_account {
+    email = google_service_account.ssn_k8s_sa.email
+    scopes = ["https://www.googleapis.com/auth/cloud-platform", "https://www.googleapis.com/auth/compute"]
+  }
+}
+
+resource "google_compute_instance_group_manager" "slaves_igm" {
+  provider = "google-beta"
+
+  name = local.ssn_k8s_slaves_igm
+  zone = var.zone
+
+  instance_template = google_compute_instance_template.slaves_template.self_link
+
+  target_pools       = ["${google_compute_target_pool.ssn_target_pool.self_link}"]
+  base_instance_name = "autoscaler-sample"
+}
+
+provider "google-beta"{
+  region = var.region
+  zone   = var.zone
+}
\ No newline at end of file
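Review bot: Both `service_account` blocks (in `masters_template` and `slaves_template`) request the `https://www.googleapis.com/auth/cloud-platform` scope, so every node can use whatever IAM roles `ssn_k8s_sa` holds across all Google Cloud APIs. Those roles are not visible in this hunk; either confirm the service account is limited to what the boot script needs, or list only the scopes actually required. The keystore passwords come from `random_string`, whose `result` is printed in plan output and then rendered into the user-data template. `random_password` keeps the value marked sensitive, though it is still stored in state. Separately, `google_compute_autoscaler.master_group` is declared twice with `target = ""`, and `slaves_template` reuses `local.ssn_k8s_launch_conf_masters_name` and `var.ssn_k8s_masters_shape`, which looks like a copy-paste slip.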
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/files/assume-policy.json b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/files/assume-policy.json
new file mode 100644
index 0000000..680b6f8
--- /dev/null
+++ b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/files/assume-policy.json
@@ -0,0 +1,13 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/files/masters-user-data.sh b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/files/masters-user-data.sh
new file mode 100644
index 0000000..db2227c
--- /dev/null
+++ b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/files/masters-user-data.sh
@@ -0,0 +1,209 @@
+#!/bin/bash
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+
+set -ex
+
+check_tokens () {
+RUN=$(aws s3 ls s3://${k8s-bucket-name}/k8s/masters/ > /dev/null && echo "true" || echo "false")
+sleep 5
+}
+
+check_elb_status () {
+RUN=$(aws elbv2 describe-target-health --target-group-arn ${k8s-tg-arn} --region ${k8s-region} | \
+     jq -r '.TargetHealthDescriptions[].TargetHealth.State' | \
+     grep "^healthy" > /dev/null && echo "true" || echo "false")
+sleep 5
+}
+
+# Creating DLab user
+sudo useradd -m -G sudo -s /bin/bash ${k8s_os_user}
+sudo bash -c 'echo "${k8s_os_user} ALL = NOPASSWD:ALL" >> /etc/sudoers'
+sudo mkdir /home/${k8s_os_user}/.ssh
+sudo bash -c 'cat /home/ubuntu/.ssh/authorized_keys > /home/${k8s_os_user}/.ssh/authorized_keys'
+sudo chown -R ${k8s_os_user}:${k8s_os_user} /home/${k8s_os_user}/
+sudo chmod 700 /home/${k8s_os_user}/.ssh
+sudo chmod 600 /home/${k8s_os_user}/.ssh/authorized_keys
+
+sudo apt-get update
+sudo apt-get install -y python-pip jq unzip
+sudo apt-get install -y default-jre
+sudo apt-get install -y default-jdk
+sudo pip install -U pip
+sudo pip install awscli
+
+local_ip=$(curl http://169.254.169.254/latest/meta-data/local-ipv4)
+first_master_ip=$(aws autoscaling describe-auto-scaling-instances --region ${k8s-region} --output text --query \
+                 "AutoScalingInstances[?AutoScalingGroupName=='${k8s-asg}'].InstanceId" | xargs -n1 aws ec2 \
+                 describe-instances --instance-ids $ID --region ${k8s-region} --query \
+                 "Reservations[].Instances[].PrivateIpAddress" --output text | sort | head -n1)
+
+# installing Docker
+sudo bash -c 'curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -'
+sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+sudo apt-get update
+sudo apt-get install -y docker-ce
+sudo systemctl enable docker
+# installing kubeadm, kubelet and kubectl
+sudo apt-get install -y apt-transport-https curl
+sudo bash -c 'curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -'
+sudo bash -c 'echo "deb http://apt.kubernetes.io/ kubernetes-xenial main" > /etc/apt/sources.list.d/kubernetes.list'
+sudo apt-get update
+sudo apt-get install -y kubelet kubeadm kubectl
+
+check_tokens
+if [[ $local_ip == "$first_master_ip" ]] && [[ $RUN == "false" ]];then
+cat <<EOF > /tmp/kubeadm-config.yaml
+apiVersion: kubeadm.k8s.io/v1beta2
+kind: ClusterConfiguration
+kubernetesVersion: stable
+apiServerCertSANs:
+  - ${k8s-nlb-dns-name}
+controlPlaneEndpoint: "${k8s-nlb-dns-name}:6443"
+EOF
+sudo kubeadm init --config=/tmp/kubeadm-config.yaml --upload-certs
+while check_elb_status
+do
+    if [[ $RUN == "false" ]];
+    then
+        echo "Waiting for NLB healthy status..."
+    else
+        echo "LB status is healthy!"
+        break
+    fi
+done
+sudo mkdir -p /home/${k8s_os_user}/.kube
+sudo cp -i /etc/kubernetes/admin.conf /home/${k8s_os_user}/.kube/config
+sudo chown -R ${k8s_os_user}:${k8s_os_user} /home/${k8s_os_user}/.kube
+sudo kubeadm token create --print-join-command > /tmp/join_command
+sudo kubeadm init phase upload-certs --upload-certs | grep -v "upload-certs" > /tmp/cert_key
+sudo -i -u ${k8s_os_user} kubectl apply -f \
+     "https://cloud.weave.works/k8s/net?k8s-version=$(sudo -i -u ${k8s_os_user} kubectl version | base64 | tr -d '\n')"
+sudo -i -u ${k8s_os_user} bash -c 'curl -L https://git.io/get_helm.sh | bash'
+cat <<EOF > /tmp/rbac-config.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tiller
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tiller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: tiller
+    namespace: kube-system
+EOF
+sudo -i -u ${k8s_os_user} kubectl create -f /tmp/rbac-config.yaml
+sudo -i -u ${k8s_os_user} helm init --service-account tiller --history-max 200
+# Generating Java SSL certs
+sudo mkdir -p /home/${k8s_os_user}/keys
+sudo keytool -genkeypair -alias dlab -keyalg RSA -validity 730 -storepass ${ssn_keystore_password} \
+  -keypass ${ssn_keystore_password} -keystore /home/${k8s_os_user}/keys/ssn.keystore.jks \
+  -keysize 2048 -dname "CN=${k8s-nlb-dns-name}" -ext SAN=dns:localhost,dns:${k8s-nlb-dns-name}
+sudo keytool -exportcert -alias dlab -storepass ${ssn_keystore_password} -file /home/${k8s_os_user}/keys/ssn.crt \
+  -keystore /home/${k8s_os_user}/keys/ssn.keystore.jks
+
+aws s3 cp /home/${k8s_os_user}/keys/ssn.keystore.jks s3://${k8s-bucket-name}/dlab/certs/ssn/ssn.keystore.jks
+aws s3 cp /home/${k8s_os_user}/keys/ssn.crt s3://${k8s-bucket-name}/dlab/certs/ssn/ssn.crt
+
+sudo keytool -genkeypair -alias dlab -keyalg RSA -validity 730 -storepass ${endpoint_keystore_password} \
+  -keypass ${endpoint_keystore_password} -keystore /home/${k8s_os_user}/keys/endpoint.keystore.jks \
+  -keysize 2048 -dname "CN=${endpoint_elastic_ip}" -ext SAN=dns:localhost,dns:${endpoint_elastic_ip}
+sudo keytool -exportcert -alias dlab -storepass ${endpoint_keystore_password} -file /home/${k8s_os_user}/keys/endpoint.crt \
+  -keystore /home/${k8s_os_user}/keys/endpoint.keystore.jks
+
+aws s3 cp /home/${k8s_os_user}/keys/endpoint.keystore.jks s3://${k8s-bucket-name}/dlab/certs/endpoint/endpoint.keystore.jks
+aws s3 cp /home/${k8s_os_user}/keys/endpoint.crt s3://${k8s-bucket-name}/dlab/certs/endpoint/endpoint.crt
+sleep 60
+aws s3 cp /tmp/join_command s3://${k8s-bucket-name}/k8s/masters/join_command
+aws s3 cp /tmp/cert_key s3://${k8s-bucket-name}/k8s/masters/cert_key
+sudo rm -f /tmp/join_command
+sudo rm -f /tmp/cert_key
+else
+while check_tokens
+do
+    if [[ $RUN == "false" ]];
+    then
+        echo "Waiting for initial cluster initialization..."
+    else
+        echo "Initial cluster initialized!"
+        break
+    fi
+done
+aws s3 cp s3://${k8s-bucket-name}/k8s/masters/join_command /tmp/join_command
+aws s3 cp s3://${k8s-bucket-name}/k8s/masters/cert_key /tmp/cert_key
+join_command=$(cat /tmp/join_command)
+cert_key=$(cat /tmp/cert_key)
+sudo $join_command --control-plane --certificate-key "$cert_key"
+sudo mkdir -p /home/${k8s_os_user}/.kube
+sudo cp -i /etc/kubernetes/admin.conf /home/${k8s_os_user}/.kube/config
+sudo chown -R ${k8s_os_user}:${k8s_os_user} /home/${k8s_os_user}/.kube
+sudo -i -u ${k8s_os_user} bash -c 'curl -L https://git.io/get_helm.sh | bash'
+sudo -i -u ${k8s_os_user} helm init --client-only --history-max 200
+fi
+cat <<EOF > /tmp/update_files.sh
+#!/bin/bash
+sudo kubeadm token create --print-join-command > /tmp/join_command
+sudo kubeadm init phase upload-certs --upload-certs | grep -v "upload-certs" > /tmp/cert_key
+aws s3 cp /tmp/join_command s3://${k8s-bucket-name}/k8s/masters/join_command
+aws s3 cp /tmp/cert_key s3://${k8s-bucket-name}/k8s/masters/cert_key
+sudo rm -f /tmp/join_command
+sudo rm -f /tmp/cert_key
+EOF
+sudo mv /tmp/update_files.sh /usr/local/bin/update_files.sh
+sudo chmod 755 /usr/local/bin/update_files.sh
+sudo bash -c 'echo "0 0 * * * root /usr/local/bin/update_files.sh" >> /etc/crontab'
+
+#cat <<EOF > /tmp/remove-etcd-member.sh
+##!/bin/bash
+#hostname=\$(/bin/hostname)
+#not_ready_node=\$(/usr/bin/sudo -i -u ${k8s_os_user} /usr/bin/kubectl get nodes | grep NotReady | grep master | awk '{print \$1}')
+#if [[ \$not_ready_node != "" ]]; then
+#etcd_pod_name=\$(/usr/bin/sudo -i -u ${k8s_os_user} /usr/bin/kubectl get pods -n kube-system | /bin/grep etcd \
+#    | /bin/grep "\$hostname" | /usr/bin/awk '{print \$1}')
+#etcd_member_id=\$(/usr/bin/sudo -i -u ${k8s_os_user} /usr/bin/kubectl -n kube-system exec -it \$etcd_pod_name \
+#    -- /bin/sh -c "ETCDCTL_API=3 etcdctl member list --endpoints=https://[127.0.0.1]:2379 \
+#    --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
+#    --key=/etc/kubernetes/pki/etcd/healthcheck-client.key"  | /bin/grep ", \$not_ready_node" | /usr/bin/awk -F',' '{print \$1}')
+#/usr/bin/sudo -i -u ${k8s_os_user} /usr/bin/kubectl -n kube-system exec -it \$etcd_pod_name \
+#    -- /bin/sh -c "ETCDCTL_API=3 etcdctl member remove \$etcd_member_id --endpoints=https://[127.0.0.1]:2379 \
+#    --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
+#    --key=/etc/kubernetes/pki/etcd/healthcheck-client.key"
+#/usr/bin/sudo -i -u ${k8s_os_user} /usr/bin/kubectl delete node \$not_ready_node
+#
+#fi
+#
+#EOF
+# sudo mv /tmp/remove-etcd-member.sh /usr/local/bin/remove-etcd-member.sh
+# sudo chmod 755 /usr/local/bin/remove-etcd-member.sh
+# sleep 300
+# sudo bash -c 'echo "* * * * * root /usr/local/bin/remove-etcd-member.sh >> /var/log/cron_k8s.log 2>&1" >> /etc/crontab'
+sudo -i -u ${k8s_os_user} helm repo update
+wget https://releases.hashicorp.com/terraform/0.12.3/terraform_0.12.3_linux_amd64.zip -O /tmp/terraform_0.12.3_linux_amd64.zip
+unzip /tmp/terraform_0.12.3_linux_amd64.zip -d /tmp/
+sudo mv /tmp/terraform /usr/local/bin/
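Review bot: `set -ex` at the top makes bash trace every command, so the four `keytool` calls write `${ssn_keystore_password}` and `${endpoint_keystore_password}` into whatever captures the boot output, and `-storepass`/`-keypass` on the command line also expose them in the process list. Wrap the certificate section in `set +x` … `set -x` and pass the values through keytool's `-storepass:env` / `-keypass:env` form. In the join branch, `sudo $join_command` runs the contents of the `k8s/masters/join_command` object as root, and workers-user-data.sh ends with the same line. In both scripts, check that the fetched text starts with `kubeadm join` before executing it, and keep write access to that prefix limited to the masters. `curl -L https://git.io/get_helm.sh | bash` and the Terraform zip are executed or installed with no pinned checksum; download to a file and compare against a known SHA-256 first. The `tiller` binding to `cluster-admin` and the `NOPASSWD:ALL` sudoers line (also in the workers script) deserve a comment explaining why that breadth is needed.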
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/files/ssn-policy.json.tpl b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/files/ssn-policy.json.tpl
new file mode 100644
index 0000000..d0d058a
--- /dev/null
+++ b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/files/ssn-policy.json.tpl
@@ -0,0 +1,40 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+        "Action": [
+            "s3:CreateBucket",
+            "s3:ListAllMyBuckets",
+            "s3:GetBucketLocation",
+            "s3:GetBucketTagging",
+            "s3:PutBucketTagging",
+            "s3:PutBucketPolicy",
+            "s3:GetBucketPolicy",
+            "s3:DeleteBucket",
+            "s3:DeleteObject",
+            "s3:GetObject",
+            "s3:ListBucket",
+            "s3:PutObject",
+            "s3:PutEncryptionConfiguration"
+        ],
+        "Effect": "Allow",
+        "Resource": "*"
+    },
+    {
+        "Effect": "Allow",
+        "Action": [
+            "autoscaling:DescribeAutoScalingInstances",
+            "ec2:DescribeInstances",
+            "elasticloadbalancing:DescribeTargetHealth"
+        ],
+        "Resource": "*"
+    },
+    {
+        "Action": [
+            "pricing:GetProducts"
+        ],
+        "Effect": "Allow",
+        "Resource": "*"
+    }
+  ]
+}
\ No newline at end of file
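Review bot: All three statements use `"Resource": "*"`, so the first one allows `s3:DeleteBucket`, `s3:PutBucketPolicy` and `s3:DeleteObject` on every bucket in the account rather than only the SSN bucket. Keep `s3:ListAllMyBuckets` on `*`, but move the bucket- and object-level actions to a statement scoped to the cluster bucket, e.g. `"Resource": ["arn:aws:s3:::${bucket_name}", "arn:aws:s3:::${bucket_name}/*"]`. `bucket_name` there is a placeholder; the template takes no variables today. This is an AWS IAM policy under the `gcp/` tree, as is `assume-policy.json`; if nothing in the GCP deployment consumes them (not visible here), removing both avoids shipping unused permission documents.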
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/files/workers-user-data.sh b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/files/workers-user-data.sh
new file mode 100644
index 0000000..889bf98
--- /dev/null
+++ b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/files/workers-user-data.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+
+set -e
+
+check_tokens () {
+RUN=$(aws s3 ls s3://${k8s-bucket-name}/k8s/masters/ > /dev/null && echo "true" || echo "false")
+sleep 5
+}
+
+# Creating DLab user
+sudo useradd -m -G sudo -s /bin/bash ${k8s_os_user}
+sudo bash -c 'echo "${k8s_os_user} ALL = NOPASSWD:ALL" >> /etc/sudoers'
+sudo mkdir /home/${k8s_os_user}/.ssh
+sudo bash -c 'cat /home/ubuntu/.ssh/authorized_keys > /home/${k8s_os_user}/.ssh/authorized_keys'
+sudo chown -R ${k8s_os_user}:${k8s_os_user} /home/${k8s_os_user}/
+sudo chmod 700 /home/${k8s_os_user}/.ssh
+sudo chmod 600 /home/${k8s_os_user}/.ssh/authorized_keys
+
+sudo apt-get update
+sudo apt-get install -y python-pip
+sudo pip install -U pip
+sudo pip install awscli
+
+# installing Docker
+sudo bash -c 'curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -'
+sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+sudo apt-get update
+sudo apt-get install -y docker-ce
+sudo systemctl enable docker
+# installing kubeadm, kubelet and kubectl
+sudo apt-get install -y apt-transport-https curl
+sudo bash -c 'curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -'
+sudo bash -c 'echo "deb http://apt.kubernetes.io/ kubernetes-xenial main" > /etc/apt/sources.list.d/kubernetes.list'
+sudo apt-get update
+sudo apt-get install -y kubelet kubeadm kubectl
+while check_tokens
+do
+    if [[ $RUN == "false" ]];
+    then
+        echo "Waiting for initial cluster initialization..."
+    else
+        echo "Initial cluster initialized!"
+        break
+    fi
+done
+aws s3 cp s3://${k8s-bucket-name}/k8s/masters/join_command /tmp/join_command
+join_command=$(cat /tmp/join_command)
+sudo $join_command
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/lb.tf b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/lb.tf
new file mode 100644
index 0000000..efff90e
--- /dev/null
+++ b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/lb.tf
@@ -0,0 +1,106 @@
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+
+locals {
+  ssn_nlb_name            = "${var.service_base_name}-ssn-nlb"
+  ssn_alb_name            = "${var.service_base_name}-ssn-alb"
+  ssn_k8s_nlb_api_tg_name = "${var.service_base_name}-ssn-nlb-api-tg"
+  ssn_k8s_nlb_ss_tg_name  = "${var.service_base_name}-ssn-nlb-ss-tg"
+  ssn_k8s_alb_tg_name     = "${var.service_base_name}-ssn-alb-tg"
+}
+
+
+resource "google_compute_forwarding_rule" "ssn_k8s_nlb" {
+  name   = local.ssn_nlb_name
+  backend_service = google_compute_backend_service
+  target = google_compute_target_pool.ssn_target_pool.self_link
+  ports = ["8443", "6443"]
+  load_balancing_scheme = "INTERNAL"
+  network = google_compute_network.ssn_k8s_vpc.name
+  subnetwork = compact([data.google_compute_subnetwork.k8s-subnet-a-data.name, data.google_compute_subnetwork.k8s-subnet-b-data.name, local.subnet_c_id])
+}
+
+resource "google_compute_backend_service" "nlb_service" {
+  health_checks = [google_compute_health_check.ssn_health_check.self_link]
+  name = "nlb_backend"
+}
+
+resource "google_compute_health_check" "ssn_health_check" {
+  name  = "${var.service_base_name}-hc"
+  check_interval_sec = 1
+  timeout_sec        = 1
+
+  tcp_health_check {
+    port = "6443"
+  }
+}
+
+######################################################################
+
+resource "google_compute_global_address" "default" {
+  name         = "${local.ssn_alb_name}-ip"
+  ip_version   = "IPV4"
+  address_type = "EXTERNAL"
+}
+
+resource "google_compute_global_forwarding_rule" "ssn_k8s_alb" {
+  name       = "global-rule"
+  target     = google_compute_target_http_proxy.ssn_target_http.self_link
+  port_range = "80"
+  depends_on = [google_compute_global_address.default]
+}
+
+
+resource "google_compute_target_http_proxy" "ssn_target_http" {
+  name = "target_proxy"
+  url_map = google_compute_url_map.url_map.self_link
+}
+
+resource "google_compute_url_map" "url_map" {
+  default_service = google_compute_backend_service.ssn_http_back.self_link
+  name = "url-map"
+}
+
+resource "google_compute_backend_service" "ssn_http_back" {
+  name        = "backend"
+  port_name   = "http"
+  protocol    = "HTTP"
+  timeout_sec = 10
+
+  health_checks = [google_compute_http_health_check.ssn_http_hc.self_link]
+}
+
+resource "google_compute_http_health_check" "ssn_http_hc" {
+  name               = "check-backend"
+  request_path       = "/"
+  check_interval_sec = 1
+  timeout_sec        = 1
+}
+
+resource "google_compute_global_forwarding_rule" "ssn_k8s_alb" {
+  name       = local.ssn_alb_name
+  target     = google_compute_target_http_proxy.http[0].self_link
+  ip_address = google_compute_global_address.default.address
+  port_range = "80"
+
+
+}
+
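Review bot: The externally addressed `google_compute_global_forwarding_rule` resources listen on `port_range = "80"` and target a `google_compute_target_http_proxy`, so traffic to the SSN front end would cross the internet unencrypted. Point the rule at a `google_compute_target_https_proxy` with `ssl_certificates` set and use `port_range = "443"`, keeping port 80 only for a redirect if one is needed. The resource address `google_compute_global_forwarding_rule.ssn_k8s_alb` is also declared twice, and the second copy targets `google_compute_target_http_proxy.http[0]`, which this file does not define. In `ssn_k8s_nlb`, `backend_service = google_compute_backend_service` is a bare type name rather than a resource attribute, and the names `"nlb_backend"` and `"target_proxy"` contain underscores, which GCP resource names do not accept.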
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/main.tf b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/main.tf
new file mode 100644
index 0000000..6feb9f9
--- /dev/null
+++ b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/main.tf
@@ -0,0 +1,99 @@
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+
+provider "google" {
+  credentials = var.credentials
+  project     = var.gcp_project_id
+  region      = var.region
+  zone        = var.zone
+}
+/*
+output "ssn_k8s_alb_dns_name" {
+  value = aws_lb.ssn_k8s_alb.dns_name
+}
+
+output "ssn_k8s_nlb_dns_name" {
+  value = aws_lb.ssn_k8s_nlb.dns_name
+}
+
+output "ssn_k8s_masters_ip_addresses" {
+  value = data.aws_instances.ssn_k8s_masters_instances.public_ips
+  depends_on = [data.aws_instances.ssn_k8s_masters_instances]
+}
+
+output "ssn_bucket_name" {
+  value = aws_s3_bucket.ssn_k8s_bucket.id
+}
+
+output "ssn_vpc_id" {
+  value = data.aws_vpc.ssn_k8s_vpc_data.id
+}
+
+output "ssn_subnet" {
+  # value = compact([data.aws_subnet.k8s-subnet-a-data.id, data.aws_subnet.k8s-subnet-b-data.id, local.subnet_c_id])
+  value = data.aws_subnet.k8s-subnet-a-data.id
+}
+
+output "ssn_k8s_sg_id" {
+  value = aws_security_group.ssn_k8s_sg.id
+}
+
+output "endpoint_eip_allocation_id" {
+  value = aws_eip.k8s-endpoint-eip.id
+}
+
+output "endpoint_eip_address" {
+  value = aws_eip.k8s-endpoint-eip.public_ip
+}
+
+output "ssn_keystore_password" {
+  value = random_string.ssn_keystore_password.result
+}
+
+output "endpoint_keystore_password" {
+  value = random_string.endpoint_keystore_password.result
+}
+
+output "region" {
+  value = var.region
+}
+
+output "service_base_name" {
+  value = var.service_base_name
+}
+
+output "env_os" {
+  value = var.env_os
+}
+
+output "ssn_k8s_masters_shape" {
+  value = var.ssn_k8s_masters_shape
+}
+
+output "zone" {
+  value = var.zone
+}
+
+output "tag_resource_id" {
+  value = var.tag_resource_id
+}
+
+*/
\ No newline at end of file
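Review bot: The block comment after the provider block holds `output` definitions carried over from the AWS module; they reference `aws_lb`, `aws_s3_bucket`, `aws_eip` and other resources that do not exist in this GCP stack, so the block should be ported or removed rather than committed as dead code. When it is ported, `ssn_keystore_password` and `endpoint_keystore_password` need `sensitive = true`, otherwise the generated passwords are printed by `terraform apply` and `terraform output`. The provider's `credentials = var.credentials` would also benefit from a comment such as `# path to (or contents of) a service-account key; never commit the key itself`.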
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/role_policy.tf b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/role_policy.tf
new file mode 100644
index 0000000..0d06c62
--- /dev/null
+++ b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/role_policy.tf
@@ -0,0 +1,50 @@
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+
+locals {
+  ssn_policy_name      = "${var.service_base_name}-ssn-policy"
+  ssn_role_name        = "${var.service_base_name}-ssn-role"
+  service_account_name = "${var.service_base_name}-storage-sa"
+}
+
+resource "google_service_account" "ssn_k8s_sa" {
+  account_id   = local.service_account_name
+  display_name = local.service_account_name
+}
+
+resource "google_project_iam_custom_role" "ssn_k8s_role" {
+  permissions = var.ssn_policies
+  role_id     = local.ssn_role_name
+  title       = local.ssn_role_name
+}
+
+resource "google_project_iam_member" "role_for_member" {
+  #Grant the custom role for the ps_sa
+  member = "serviceAccount:${google_service_account.ssn_k8s_sa.email}"
+  role   = "${google_project_iam_custom_role.ssn_k8s_role.id}"
+}
+
+resource "google_project_iam_member" "iam" {
+  #Grant other roles for the ps_sa
+  count  = "${length(var.ssn_roles)}"
+  member = "serviceAccount:${google_service_account.ssn_k8s_sa.email}"
+  role   = "${element(var.ssn_roles, count.index)}"
+}
\ No newline at end of file
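Review bot: `role_id = local.ssn_role_name` in `google_project_iam_custom_role.ssn_k8s_role` will be rejected with the default `service_base_name`, because custom role IDs accept only letters, digits, underscores and periods, and `dlab-k8s-ssn-role` contains hyphens; `role_id = replace(local.ssn_role_name, "-", "_")` would keep the title readable. The two `#Grant ... for the ps_sa` comments name an account that is not defined in this file; the member is `google_service_account.ssn_k8s_sa`. That account is named `...-storage-sa`, yet `google_project_iam_member.iam` binds every entry of `var.ssn_roles` to it at project level, so its name and a short comment should state what it is really used for. `local.ssn_policy_name` is declared but not used anywhere in this hunk.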
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/security_groups.tf b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/security_groups.tf
new file mode 100644
index 0000000..b2d9243
--- /dev/null
+++ b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/security_groups.tf
@@ -0,0 +1,66 @@
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+
+locals {
+  ssn_ingress_name = "${var.service_base_name}-ssn-ingress"
+  ssn_egress_name = "${var.service_base_name}-ssn-egress"
+
+}
+
+resource "google_compute_firewall" "ssn_k8s_ingress" {
+  name    = local.ssn_ingress_name
+  network = data.google_compute_network.ssn_k8s_vpc_data.name
+  allow {
+    protocol = "all"
+  }
+  target_tags = ["${var.ssn_net_tag}"]
+  source_ranges = ["${var.vpc_cidr}"]
+}
+
+resource "google_compute_firewall" "ssn_k8s_ssh" {
+  name = "${local.ssn_ingress_name}-ssh"
+  network = data.google_compute_network.ssn_k8s_vpc_data.name
+  allow {
+    protocol = "tcp"
+    ports = ["22"]
+  }
+}
+
+resource "google_compute_firewall" "ssn_k8s_ingress_all" {
+  name = "${local.ssn_ingress_name}-all"
+  network = data.google_compute_network.ssn_k8s_vpc_data.name
+  allow {
+    protocol = "all"
+  }
+  target_tags        = ["${var.ssn_net_tag}"]
+  destination_ranges = ["0.0.0.0/0"]
+}
+
+resource "google_compute_firewall" "ssn_k8s_egress" {
+  name = local.ssn_egress_name
+  network = data.google_compute_network.ssn_k8s_vpc_data.name
+  direction = "EGRESS"
+  allow {
+    protocol = "all"
+  }
+  target_tags        = ["${var.ssn_net_tag}"]
+  destination_ranges = ["0.0.0.0/0"]
+}
\ No newline at end of file
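Review bot: `google_compute_firewall.ssn_k8s_ingress_all` sets no `direction`, so it is an ingress rule, yet it allows `protocol = "all"` with `destination_ranges = ["0.0.0.0/0"]` and no `source_ranges`. At the API level an ingress rule with no source filter falls back to any source, which would expose every port on instances tagged `var.ssn_net_tag`; depending on the provider version the plan may instead fail validation. `ssn_k8s_ssh` has the same missing source filter and also no `target_tags`, so port 22 would be reachable on every instance in the network. I would drop `ssn_k8s_ingress_all` (outbound traffic is already covered by `ssn_k8s_egress`) and add `source_ranges = var.allowed_cidrs` and `target_tags = [var.ssn_net_tag]` to `ssn_k8s_ssh`. `var.allowed_cidrs` is declared in variables.tf but not referenced in this file.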
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/storage.tf b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/storage.tf
new file mode 100644
index 0000000..a311764
--- /dev/null
+++ b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/storage.tf
@@ -0,0 +1,37 @@
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+
+locals {
+  ssn_bucket_name = "${var.service_base_name}-ssn-bucket"
+  ssn_shared_bucket_name = "${var.service_base_name}-shared-bucket"
+}
+
+resource "google_storage_bucket" "ssn_k8s_bucket" {
+  name = local.ssn_bucket_name
+  location = var.region
+  force_destroy = true
+}
+
+resource "google_storage_bucket" "ssn_k8s_shared_bucket" {
+  name = local.ssn_shared_bucket_name
+  location = var.region
+  force_destroy = true
+}
\ No newline at end of file
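Review bot: Both buckets set `force_destroy = true`, so a `terraform destroy`, or a change of `service_base_name` that forces replacement, deletes every object in them without a prompt. For `ssn_k8s_shared_bucket`, which by its name presumably holds data shared between users, I would default this to false behind a new variable, e.g. `force_destroy = var.bucket_force_destroy`. Neither bucket configures access control or versioning; consider uniform bucket-level access (`bucket_policy_only` or `uniform_bucket_level_access`, depending on the provider version) and a `versioning { enabled = true }` block. A one-line comment above each resource saying what is stored there would make the retention decision reviewable.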
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/variables.tf b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/variables.tf
new file mode 100644
index 0000000..2c7402b
--- /dev/null
+++ b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/variables.tf
@@ -0,0 +1,150 @@
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+
+// GCP info
+variable "credentials" {
+  default = "C:\\Users\\Demyan_Mysakovets\\Documents\\keys\\service_account.json"
+}
+
+variable "gcp_project_id" {
+  default = "or2-msq-epmc-dlab-t1iylu"
+}
+
+variable "region" {
+  default = "us-east1"
+}
+variable "zone" {
+  default = "us-east1-c"
+}
+
+// Common
+variable "env_os" {
+  default = "debian"
+}
+variable "key_name" {
+  default = "BDCC-DSS-POC"
+}
+variable "allowed_cidrs" {
+  type = list
+  default = ["0.0.0.0/0"]
+}
+variable "os_user" {
+  default = "dlab-user"
+}
+
+variable "project_tag" {
+  default = ""
+}
+
+variable "additional_tag" {
+  default = "product:dlab"
+}
+
+variable "tag_resource_id" {
+  default = "user:tag"
+}
+
+// SSN
+variable "service_base_name" {
+  default = "dlab-k8s"
+}
+variable "vpc_id" {
+  default = ""
+}
+variable "vpc_cidr" {
+  default = "172.31.0.0/16"
+}
+variable "subnet_id_a" {
+  default = ""
+}
+variable "subnet_id_b" {
+  default = ""
+}
+variable "subnet_cidr_a" {
+  default = "172.31.0.0/24"
+}
+variable "subnet_cidr_b" {
+  default = "172.31.1.0/24"
+}
+variable "subnet_cidr_c" {
+  default = "172.31.2.0/24"
+}
+variable "ami" {
+  default = "ami-07b4f3c02c7f83d59"
+}
+variable "ssn_k8s_masters_count" {
+  default = 3
+}
+variable "ssn_k8s_workers_count" {
+  default = 2
+}
+variable "ssn_root_volume_size" {
+  default = 30
+}
+variable "ssn_k8s_masters_shape" {
+  default = "t2.medium"
+}
+
+variable "ssn_k8s_workers_shape" {
+  default = "t2.medium"
+}
+
+variable "ssn_net_tag" {
+  default = "ssn_k8s_tag"
+}
+
+variable "ssn_policies" {
+  type = "list"
+  default = [
+    "storage.buckets.create",
+    "storage.buckets.delete",
+    "storage.buckets.get",
+    "storage.buckets.getIamPolicy",
+    "storage.buckets.list",
+    "storage.buckets.setIamPolicy",
+    "storage.buckets.update",
+    "storage.objects.create",
+    "storage.objects.delete",
+    "storage.objects.get",
+    "storage.objects.getIamPolicy",
+    "storage.objects.list",
+    "storage.objects.setIamPolicy",
+    "storage.objects.update",
+    "compute.autoscalers.get",
+    "compute.instances.get",
+    "compute.healthChecks.get"
+  ]
+}
+
+variable "ssn_roles" {
+  type = "list"
+  default = [
+    "iam.serviceAccountUser",
+    "iam.serviceAccountAdmin",
+    "storage.admin",
+    "dataproc.editor",
+    "resourcemanager.projectIamAdmin",
+    "iam.roleAdmin",
+    "compute.instanceAdmin",
+    "bigquery.dataViewer",
+    "bigquery.jobUser"
+  ]
+}
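Review bot: The `ssn_roles` default gives the service account `resourcemanager.projectIamAdmin`, `iam.roleAdmin` and `iam.serviceAccountAdmin`, which together let it grant itself any role in the project, so the narrow `ssn_policies` custom role adds no real limit; these three should be dropped from the default unless a caller demonstrably needs them. The entries also lack the `roles/` prefix that the `role` argument of `google_project_iam_member` expects, e.g. `"roles/storage.admin"`. `credentials` and `gcp_project_id` default to one developer's local key path and a specific project ID; declare them without a default (`variable "credentials" {}`) so they must be supplied per environment. `ami` and the `t2.medium` shapes are AWS values, and `ssn_net_tag = "ssn_k8s_tag"` contains underscores, which GCP network tags do not accept.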
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/vpc.tf b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/vpc.tf
new file mode 100644
index 0000000..fae19ec
--- /dev/null
+++ b/infrastructure-provisioning/terraform/gcp/ssn-k8s/main/vpc.tf
@@ -0,0 +1,95 @@
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+
+locals {
+  additional_tag        = split(":", var.additional_tag)
+  ssn_vpc_name          = "${var.service_base_name}-ssn-vpc"
+  ssn_igw_name          = "${var.service_base_name}-ssn-igw"
+  ssn_subnet_a_name     = "${var.service_base_name}-ssn-subnet-az-a"
+  ssn_subnet_b_name     = "${var.service_base_name}-ssn-subnet-az-b"
+  ssn_subnet_c_name     = "${var.service_base_name}-ssn-subnet-az-c"
+  endpoint_ip_name      = "${var.service_base_name}-endpoint-eip"
+  endpoint_rt_name      = "${var.service_base_name}-endpoint-rt"
+  endpoint_bucket_name  = "${var.service_base_name}-bucket-endpoint"
+}
+
+resource "google_compute_network" "ssn_k8s_vpc" {
+  count = var.vpc_id == "" ? 1 : 0
+  name = local.ssn_vpc_name
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_route" "ssn_k8s_route" {
+  count       = var.vpc_id == "" ? 1 : 0
+  name        = "${var.service_base_name}-route"
+  dest_range  = "0.0.0.0/0"
+  network     = data.google_compute_network.ssn_k8s_vpc_data.id
+  priority    = 100
+}
+
+data "google_compute_network" "ssn_k8s_vpc_data" {
+  name = google_compute_network.ssn_k8s_vpc.0.name
+}
+
+
+resource "google_compute_subnetwork" "ssn_k8s_subnet_a" {
+  count         = var.subnet_id_a == "" ? 1 : 0
+  ip_cidr_range = var.subnet_cidr_a
+  name          = local.ssn_subnet_a_name
+  network       = data.google_compute_network.ssn_k8s_vpc_data.id
+}
+
+resource "google_compute_subnetwork" "ssn_k8s_subnet_b" {
+  count         = var.subnet_id_b == "" ? 1 : 0
+  ip_cidr_range = var.subnet_cidr_b
+  name          = local.ssn_subnet_b_name
+  network       = data.google_compute_network.ssn_k8s_vpc_data.id
+}
+
+resource "google_compute_subnetwork" "ssn_k8s_subnet_c" {
+  count         = var.ssn_k8s_masters_count > 2 ? 1 : 0
+  ip_cidr_range = var.subnet_cidr_c
+  name          = local.ssn_subnet_c_name
+  network       = data.google_compute_network.ssn_k8s_vpc_data.id
+}
+
+data "google_compute_subnetwork" "k8s-subnet-a-data" {
+  name = google_compute_subnetwork.ssn_k8s_subnet_a.0.name
+}
+
+data "google_compute_subnetwork" "k8s-subnet-b-data" {
+  name = google_compute_subnetwork.ssn_k8s_subnet_b.0.name
+}
+
+data "google_compute_subnetwork" "k8s-subnet-c-data" {
+  count = var.ssn_k8s_masters_count > 2 ? 1 : 0
+  name = google_compute_subnetwork.ssn_k8s_subnet_c.0.name
+}
+
+resource "google_compute_address" "k8s-endpoint-eip" {
+  name = local.endpoint_ip_name
+}
+
+
+resource "google_compute_network_endpoint_group" "ssn-k8s-users-bucket-endpoint" {
+  name = local.endpoint_bucket_name
+  network = data.google_compute_network.ssn_k8s_vpc_data.id
+}
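Review bot: `data.google_compute_network.ssn_k8s_vpc_data` reads `google_compute_network.ssn_k8s_vpc.0.name` unconditionally, but that resource has `count = var.vpc_id == "" ? 1 : 0`, so supplying an existing `vpc_id` leaves no element 0 and the plan fails; the same applies to the `k8s-subnet-a-data` and `k8s-subnet-b-data` lookups when `subnet_id_a` or `subnet_id_b` is set. The lookup should fall back to the supplied value, e.g. `name = var.vpc_id == "" ? google_compute_network.ssn_k8s_vpc.0.name : var.vpc_id`. `google_compute_route.ssn_k8s_route` declares a `0.0.0.0/0` destination without any `next_hop_*` argument and needs one, such as `next_hop_gateway = "default-internet-gateway"`. The subnetworks set no `region`, so all three land in the provider's default region; a comment noting that the `-az-a/b/c` names do not correspond to separate zones in GCP would avoid confusion.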