clusters improvement #1 and #2

fast/stages/03-gke-multitenant/prod/gke-clusters.tf

@@ -26,8 +26,8 @@ locals {
 module "gke-cluster" {
   source                   = "../../../../modules/gke-cluster"
   for_each                 = local.clusters
-  project_id               = module.gke-project-0.project_id
   name                     = each.key
+  project_id               = each.value.project_id
   description              = each.value.description
   location                 = each.value.location
   network                  = each.value.net.vpc
@@ -115,6 +115,7 @@ module "gke-cluster" {
   # }
 
   depends_on = [
-    google_project_iam_member.host_project_bindings
+    google_project_iam_member.host_project_cloud_services_bindings,
+    google_project_iam_member.host_project_gke_robot_bindings
   ]
 }

fast/stages/03-gke-multitenant/prod/gke-nodepools.tf

@@ -34,7 +34,7 @@ module "gke_1_nodepool" {
   project_id         = module.gke-project-0.project_id
   cluster_name       = module.gke-cluster[each.value.cluster].name
   location           = module.gke-cluster[each.value.cluster].location
-  initial_node_count = each.value.node_count
+  initial_node_count = each.value.initial_node_count 
   node_machine_type  = each.value.node_type
   # TODO(jccb): can we use spot instances here?
   node_preemptible = each.value.preemptible

fast/stages/03-gke-multitenant/prod/main.tf

@@ -16,13 +16,21 @@
 
 locals {
   labels = merge(var.labels, { environment = var.environment })
-
-  _gke_robot_sa      = "serviceAccount:${module.gke-project-0.service_accounts.robots.container-engine}"
-  _cloud_services_sa = "serviceAccount:${module.gke-project-0.service_accounts.cloud_services}"
-  host_project_bindings = [
-    { role = "roles/container.hostServiceAgentUser", member = local._gke_robot_sa },
-    { role = "roles/compute.networkUser", member = local._gke_robot_sa },
-    { role = "roles/compute.networkUser", member = local._cloud_services_sa }
+
+  _gke_robot_sas      = [
+    "serviceAccount:${module.gke-project-0.service_accounts.robots.container-engine}",
+    "serviceAccount:${module.gke-project-1.service_accounts.robots.container-engine}"
+  ]
+  _cloud_services_sas = [
+    "serviceAccount:${module.gke-project-0.service_accounts.cloud_services}",
+    "serviceAccount:${module.gke-project-1.service_accounts.cloud_services}"
+  ]
+  host_project_cloud_services_bindings = [ for member in local._cloud_services_sas :
+    {role = "roles/compute.networkUser", member = member }
+  ]
+  host_project_gke_robot_bindings = [ for member in local._gke_robot_sas : 
+    [{role = "roles/container.hostServiceAgentUser", member = member },
+    {role = "roles/compute.networkUser", member = member }]
   ]
 }
 
@@ -66,15 +74,62 @@ module "gke-project-0" {
   # }
 }
 
+module "gke-project-1" {
+  source          = "../../../../modules/project"
+  billing_account = var.billing_account_id
+  name            = "${var.environment}-gke-clusters-1"
+  parent          = var.folder_id
+  prefix          = var.prefix
+  labels          = local.labels
+  services = [
+    "container.googleapis.com",
+    "dns.googleapis.com",
+    "stackdriver.googleapis.com",
+    # uncomment if you need Multi-cluster Ingress / Gateway API
+    # "gkehub.googleapis.com",
+    # "multiclusterservicediscovery.googleapis.com",
+    # "multiclusteringress.googleapis.com",
+    # "trafficdirector.googleapis.com"
+  ]
+  # add here any other service ids and keys for robot accounts which are needed
+  # service_encryption_key_ids = {
+  #   container = var.project_config.service_encryption_key_ids
+  # }
+  shared_vpc_service_config = {
+    attach       = true
+    host_project = var.vpc_host_project
+  }
+  # specify project-level org policies here if you need them
+
+  # policy_boolean = {
+  #   "constraints/compute.disableGuestAttributesAccess" = true
+  # }
+  # policy_list = {
+  #   "constraints/compute.trustedImageProjects" = {
+  #     inherit_from_parent = null
+  #     suggested_value     = null
+  #     status              = true
+  #     values              = ["projects/fl01-prod-iac-core-0"]
+  #   }
+  # }
+}
+
+
 module "gke-dataset-resource-usage" {
   source        = "../../../../modules/bigquery-dataset"
   project_id    = module.gke-project-0.project_id
   id            = "resource_usage"
   friendly_name = "GKE resource usage."
 }
 
-resource "google_project_iam_member" "host_project_bindings" {
-  for_each = { for i, v in local.host_project_bindings : i => v }
+resource "google_project_iam_member" "host_project_gke_robot_bindings" {
+  for_each = { for i, v in flatten(local.host_project_gke_robot_bindings) : i => v }
+  project  = var.vpc_host_project
+  role     = each.value.role
+  member   = each.value.member
+}
+resource "google_project_iam_member" "host_project_cloud_services_bindings" {
+  for_each = { for i, v in local.host_project_cloud_services_bindings : i => v }
   project  = var.vpc_host_project
   role     = each.value.role
   member   = each.value.member

fast/stages/03-gke-multitenant/prod/variables.tf

@@ -68,6 +68,7 @@ variable "clusters" {
       memory_min = number
       memory_max = number
     })
+    project_id = string
     description = string
     dns_domain  = string
     labels      = map(string)
@@ -139,6 +140,7 @@ variable "nodepools" {
   type = map(map(object({
     node_count = number
     node_type  = string
+    initial_node_count = number
     overrides = object({
       image_type        = string
       max_pods_per_node = number
@@ -159,4 +161,4 @@ variable "vpc_host_project" {
   # tfdoc:variable:source 02-networking
   description = "Host project for the shared VPC."
   type        = string
-}
+}