fix infra private cloud (GoogleCloudPlatform#443)

annapendleton · Mar 26, 2024 · 9c6b97b · 9c6b97b
1 parent 06ed198
commit 9c6b97b
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 33 deletions.
diff --git a/applications/rag/workloads.tfvars b/applications/rag/workloads.tfvars
@@ -17,7 +17,8 @@ project_id = "<your project ID>"
 ## this is required for terraform to connect to GKE master and deploy workloads
 create_cluster    = true # Create a GKE cluster in the specified network.
 autopilot_cluster = true
-cluster_name      = "<cluster_name>"
+private_cluster   = false
+cluster_name      = "<cluster-name>"
 cluster_location  = "us-central1"
 create_network    = true
 network_name      = "ml-network"

diff --git a/infrastructure/main.tf b/infrastructure/main.tf
@@ -42,6 +42,13 @@ data "google_compute_network" "existing-network" {
   project = var.project_id
 }
 
+data "google_compute_subnetwork" "subnetwork" {
+  count   = var.create_network ? 0 : 1
+  name    = var.subnetwork_name
+  region  = var.subnetwork_region
+  project = var.project_id
+}
+
 module "custom-network" {
   source       = "terraform-google-modules/network/google"
   version      = "8.0.0"
@@ -60,7 +67,7 @@ module "custom-network" {
   ]
 }
 
-// TODO: Migrate to terraform-google-modules/sql-db/google//modules/private_service_access (below)
+// TODO: Migrate to terraform-google-modules/sql-db/google//modules/private_service_access 
 // once https://github.com/terraform-google-modules/terraform-google-sql-db/issues/585 is resolved.
 // We define a VPC peering subnet that will be peered with the
 // Cloud SQL instance network. The Cloud SQL instance will
@@ -87,23 +94,10 @@ resource "google_service_networking_connection" "private_service_access" {
   deletion_policy = "ABANDON"
 }
 
-// TODO: Migrate to using the below module block instead of
-// the above "google_compute_global_address" and "google_service_networking_connection" resources
-// once https://github.com/terraform-google-modules/terraform-google-sql-db/issues/585 is resolved.
-// module "private-service-access" {
-//  source  = "terraform-google-modules/sql-db/google//modules/private_service_access"
-//  version = "~> 18.0"
-//  count   = var.create_network ? 1 : 0
-//
-//  project_id      = var.project_id
-//  vpc_network     = var.network_name
-//  # This will enable a successful terraform destroy when destroying CloudSQL instances
-//  deletion_policy = "ABANDON"
-// }
-
 locals {
   network_name      = var.create_network ? module.custom-network[0].network_name : var.network_name
   subnetwork_name   = var.create_network ? module.custom-network[0].subnets_names[0] : var.subnetwork_name
+  subnetwork_cidr   = var.create_network ? module.custom-network[0].subnets_ips[0] : data.google_compute_subnetwork.subnetwork[0].ip_cidr_range
   network_self_link = var.create_network ? module.custom-network[0].network_self_link : data.google_compute_network.existing-network[0].self_link
   region            = length(split("-", var.cluster_location)) == 2 ? var.cluster_location : ""
   regional          = local.region != "" ? true : false
@@ -200,7 +194,7 @@ module "private-gke-standard-cluster" {
   monitoring_enable_managed_prometheus = var.monitoring_enable_managed_prometheus
   gcs_fuse_csi_driver                  = var.gcs_fuse_csi_driver
   deletion_protection                  = var.deletion_protection
-  master_authorized_networks           = var.master_authorized_networks
+  master_authorized_networks           = length(var.master_authorized_networks) == 0 ? [{ cidr_block = "${local.subnetwork_cidr}", display_name = "${local.subnetwork_name}" }] : var.master_authorized_networks
   master_ipv4_cidr_block               = var.master_ipv4_cidr_block
 
   ## pools config variables
@@ -235,7 +229,7 @@ module "private-gke-autopilot-cluster" {
   release_channel            = var.release_channel
   ip_range_pods              = var.ip_range_pods
   ip_range_services          = var.ip_range_services
-  master_authorized_networks = var.master_authorized_networks
+  master_authorized_networks = length(var.master_authorized_networks) == 0 ? [{ cidr_block = "${local.subnetwork_cidr}", display_name = "${local.subnetwork_name}" }] : var.master_authorized_networks
   master_ipv4_cidr_block     = var.master_ipv4_cidr_block
   deletion_protection        = var.deletion_protection
 

diff --git a/infrastructure/platform.tfvars b/infrastructure/platform.tfvars
@@ -21,13 +21,13 @@ project_id = "ai-on-gke-jss-sandbox"
 create_network    = true
 network_name      = "ml-network"
 subnetwork_name   = "ml-network"
-subnetwork_cidr   = "10.100.0.0/16"
 subnetwork_region = "us-central1"
+subnetwork_cidr   = "10.100.0.0/16"
 
 ## gke variables
 private_cluster   = false ## true = private cluster, false = public cluster
-autopilot_cluster = false ## true = autopilot cluster, false = standard cluster
-cluster_name      = "ml-cluster99"
+autopilot_cluster = true  ## true = autopilot cluster, false = standard cluster
+cluster_name      = "ml-cluster"
 cluster_location  = "us-central1"
 
 cpu_pools = [{

diff --git a/modules/gke-autopilot-private-cluster/main.tf b/modules/gke-autopilot-private-cluster/main.tf
@@ -12,11 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-data "google_compute_subnetwork" "subnetwork" {
-  name    = var.subnetwork_name
-  project = var.project_id
-}
-
 module "gke" {
   source                  = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster"
   version                 = "29.0.0"
@@ -37,7 +32,7 @@ module "gke" {
   horizontal_pod_autoscaling = true
   enable_private_endpoint    = true
   enable_private_nodes       = true
-  master_authorized_networks = length(var.master_authorized_networks) == 0 ? [{ cidr_block = "${data.google_compute_subnetwork.subnetwork.ip_cidr_range}", display_name = "${data.google_compute_subnetwork.subnetwork.name}" }] : var.master_authorized_networks
+  master_authorized_networks = var.master_authorized_networks
   master_ipv4_cidr_block     = var.master_ipv4_cidr_block
   deletion_protection        = var.deletion_protection
 

diff --git a/modules/gke-standard-private-cluster/main.tf b/modules/gke-standard-private-cluster/main.tf
@@ -16,11 +16,6 @@ locals {
   node_pools = concat((var.enable_gpu ? var.gpu_pools : []), (var.enable_tpu ? var.tpu_pools : []), var.cpu_pools)
 }
 
-data "google_compute_subnetwork" "subnetwork" {
-  name    = var.subnetwork_name
-  project = var.project_id
-}
-
 module "gke" {
   source                               = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
   version                              = "29.0.0"
@@ -47,7 +42,7 @@ module "gke" {
 
   enable_private_endpoint    = true
   enable_private_nodes       = true
-  master_authorized_networks = length(var.master_authorized_networks) == 0 ? [{ cidr_block = "${data.google_compute_subnetwork.subnetwork.ip_cidr_range}", display_name = "${data.google_compute_subnetwork.subnetwork.name}" }] : var.master_authorized_networks
+  master_authorized_networks = var.master_authorized_networks
   master_ipv4_cidr_block     = var.master_ipv4_cidr_block
 
   node_pools = local.node_pools