
Create initial homelab kubernetes cluster #2

Open
wants to merge 17 commits into base: main

Conversation

celia-vytrac
Owner

No description provided.

github-actions bot commented Sep 4, 2023

Terraform Format and Style 🖌 success

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖 success

Plan Output
random_string.random[2]: Refreshing state... [id=991123]
random_string.random[1]: Refreshing state... [id=735905]
random_string.random[0]: Refreshing state... [id=920455]
google_kms_crypto_key.tfstate_key: Refreshing state... [id=projects/admin-920455/locations/us-central1/keyRings/homelab-keyring/cryptoKeys/tfstate-key]
google_project.homelab_prod: Refreshing state... [id=projects/homelab-prod-991123]
google_project.homelab_dev: Refreshing state... [id=projects/homelab-dev-735905]
google_kms_crypto_key.secrets_key: Refreshing state... [id=projects/admin-920455/locations/us-central1/keyRings/homelab-keyring/cryptoKeys/secrets-key]
data.google_billing_account.billing: Reading...
data.google_organization.vytrac_me: Reading...
data.google_organization.vytrac_me: Read complete after 0s [id=organizations/222061260236]
data.google_billing_account.billing: Read complete after 1s [id=012AF6-DBCAAF-ADA2BC]
google_project.admin: Refreshing state... [id=projects/admin-920455]
data.google_secret_manager_secret_version.github_domain_verifications: Reading...
data.google_secret_manager_secret_version.gcloud_domain_verifications: Reading...
data.google_secret_manager_secret_version.cloudflare_api_token: Reading...
google_project_service.admin_services["iam.googleapis.com"]: Refreshing state... [id=325329770668/iam.googleapis.com]
google_kms_key_ring.keyring: Refreshing state... [id=projects/admin-920455/locations/us-central1/keyRings/homelab-keyring]
google_project_service.admin_services["secretmanager.googleapis.com"]: Refreshing state... [id=325329770668/secretmanager.googleapis.com]
google_project_service.admin_services["cloudresourcemanager.googleapis.com"]: Refreshing state... [id=325329770668/cloudresourcemanager.googleapis.com]
google_project_service.admin_services["cloudkms.googleapis.com"]: Refreshing state... [id=325329770668/cloudkms.googleapis.com]
google_service_account.tf_sa: Refreshing state... [id=projects/admin-920455/serviceAccounts/[email protected]]
google_project_service.admin_services["serviceusage.googleapis.com"]: Refreshing state... [id=325329770668/serviceusage.googleapis.com]
google_project_service.admin_services["cloudbilling.googleapis.com"]: Refreshing state... [id=325329770668/cloudbilling.googleapis.com]
google_project_service.admin_services["storage.googleapis.com"]: Refreshing state... [id=325329770668/storage.googleapis.com]
data.google_secret_manager_secret_version.github_domain_verifications: Read complete after 0s [id=projects/325329770668/secrets/github-domain-verifications/versions/1]
data.google_secret_manager_secret_version.gcloud_domain_verifications: Read complete after 0s [id=projects/325329770668/secrets/gcloud-domain-verifications/versions/1]
google_service_account_key.tf_sa_key: Refreshing state... [id=projects/admin-920455/serviceAccounts/[email protected]/keys/25d95a9f9a8373f6213c1daada502f1c1f0f57fb]
google_organization_iam_binding.tf_sa_binding["roles/resourcemanager.projectIamAdmin"]: Refreshing state... [id=222061260236/roles/resourcemanager.projectIamAdmin]
data.google_secret_manager_secret_version.cloudflare_api_token: Read complete after 0s [id=projects/325329770668/secrets/cloudflare-api-token/versions/1]
google_organization_iam_binding.tf_sa_binding["roles/billing.viewer"]: Refreshing state... [id=222061260236/roles/billing.viewer]
google_organization_iam_binding.tf_sa_binding["roles/serviceusage.serviceUsageAdmin"]: Refreshing state... [id=222061260236/roles/serviceusage.serviceUsageAdmin]
google_organization_iam_binding.tf_sa_binding["roles/iam.serviceAccountKeyAdmin"]: Refreshing state... [id=222061260236/roles/iam.serviceAccountKeyAdmin]
google_organization_iam_binding.tf_sa_binding["roles/iam.serviceAccountAdmin"]: Refreshing state... [id=222061260236/roles/iam.serviceAccountAdmin]
google_organization_iam_binding.tf_sa_binding["roles/resourcemanager.organizationAdmin"]: Refreshing state... [id=222061260236/roles/resourcemanager.organizationAdmin]
google_organization_iam_binding.tf_sa_binding["roles/resourcemanager.projectCreator"]: Refreshing state... [id=222061260236/roles/resourcemanager.projectCreator]
google_project_iam_binding.tf_sa_binding["roles/storage.admin"]: Refreshing state... [id=325329770668/roles/storage.admin]
google_project_iam_binding.tf_sa_binding["roles/cloudkms.admin"]: Refreshing state... [id=325329770668/roles/cloudkms.admin]
google_project_iam_binding.tf_sa_binding["roles/secretmanager.secretAccessor"]: Refreshing state... [id=325329770668/roles/secretmanager.secretAccessor]
google_project_iam_binding.tf_sa_binding["roles/secretmanager.viewer"]: Refreshing state... [id=325329770668/roles/secretmanager.viewer]
google_kms_crypto_key_iam_binding.tfstate_sa_binding: Refreshing state... [id=projects/admin-920455/locations/us-central1/keyRings/homelab-keyring/cryptoKeys/tfstate-key/roles/cloudkms.cryptoKeyEncrypterDecrypter]
google_kms_crypto_key_iam_binding.secrets_sa_binding: Refreshing state... [id=projects/admin-920455/locations/us-central1/keyRings/homelab-keyring/cryptoKeys/secrets-key/roles/cloudkms.cryptoKeyEncrypterDecrypter]
google_storage_bucket.gcs_bucket: Refreshing state... [id=tfstate.vytrac.me]
data.cloudflare_zone.zone: Reading...
cloudflare_email_routing_address.email: Refreshing state... [id=232419e353df4c66962536ac35c6b31c]
data.cloudflare_zone.zone: Read complete after 1s [id=a53af84a2f59d2dcf19713b7a04c616c]
cloudflare_record.spf: Refreshing state... [id=14751139d6392c51051de019a32fdee6]
cloudflare_email_routing_rule.email: Refreshing state... [id=13666d9008a944c98b0b306dd09418b5]
cloudflare_record.gcloud_verifications[0]: Refreshing state... [id=b5930144dccfca4af1a6f23136a43193]
cloudflare_record.gcloud_verifications[1]: Refreshing state... [id=8161e4e15a36bc464f8bd68cead33d13]
cloudflare_record.tilde: Refreshing state... [id=64ff826f2a3e121810813d1fdb8bce2c]
cloudflare_record.root: Refreshing state... [id=b96b0a0dcd2527470dcb9a7460f6e9e3]
cloudflare_page_rule.www: Refreshing state... [id=499701397f31774c253cb6cd37d9e615]
cloudflare_record.github_verifications[0]: Refreshing state... [id=6b5034d1f035f22152db272b3e5554d1]
cloudflare_record.mail["0"]: Refreshing state... [id=e6502757e33c4330484806c39466dc0c]
cloudflare_record.mail["1"]: Refreshing state... [id=8cf323c167727bb8d64853dc313f42e1]
cloudflare_record.mail["2"]: Refreshing state... [id=c0366e4f58c493a1b29158ba19dadbff]
cloudflare_record.gh_pages: Refreshing state... [id=36a5a4a53f42738f79918372aa1a06d4]
cloudflare_record.notes: Refreshing state... [id=2d9ab04912f7aa67c8d979e3fd40601d]
cloudflare_record.www: Refreshing state... [id=a73a91c2e993a2e7cc2917a6d9111078]
cloudflare_record.dmarc: Refreshing state... [id=6aabe3e9dc6e384483381754ea508057]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy
-/+ destroy and then create replacement
 <= read (data resources)

Terraform will perform the following actions:

  # data.talos_client_configuration.config will be read during apply
  # (config refers to values not yet known)
 <= data "talos_client_configuration" "config" {
      + client_configuration = (known after apply)
      + cluster_name         = "homelab"
      + id                   = (known after apply)
      + nodes                = [
          + "172.16.1.0/24",
          + "172.16.2.0/24",
        ]
      + talos_config         = (sensitive value)
    }

  # data.talos_cluster_kubeconfig.kubeconfig["172.16.1.0/24"] will be read during apply
  # (config refers to values not yet known)
 <= data "talos_cluster_kubeconfig" "kubeconfig" {
      + client_configuration            = (known after apply)
      + endpoint                        = (known after apply)
      + id                              = (known after apply)
      + kubeconfig_raw                  = (sensitive value)
      + kubernetes_client_configuration = (known after apply)
      + node                            = "172.16.1.0/24"
    }

  # data.talos_cluster_kubeconfig.kubeconfig["172.16.2.0/24"] will be read during apply
  # (config refers to values not yet known)
 <= data "talos_cluster_kubeconfig" "kubeconfig" {
      + client_configuration            = (known after apply)
      + endpoint                        = (known after apply)
      + id                              = (known after apply)
      + kubeconfig_raw                  = (sensitive value)
      + kubernetes_client_configuration = (known after apply)
      + node                            = "172.16.2.0/24"
    }

  # data.talos_machine_configuration.config will be read during apply
  # (config refers to values not yet known)
 <= data "talos_machine_configuration" "config" {
      + cluster_endpoint      = "https://cluster.local:6443"
      + cluster_name          = "homelab"
      + id                    = (known after apply)
      + machine_configuration = (sensitive value)
      + machine_secrets       = (known after apply)
      + machine_type          = "controlplane"
    }

  # google_compute_address.controlplane_external will be created
  + resource "google_compute_address" "controlplane_external" {
      + address            = (known after apply)
      + address_type       = "EXTERNAL"
      + creation_timestamp = (known after apply)
      + effective_labels   = (known after apply)
      + id                 = (known after apply)
      + label_fingerprint  = (known after apply)
      + name               = "controlplane-external"
      + network_tier       = (known after apply)
      + prefix_length      = (known after apply)
      + project            = "admin-920455"
      + purpose            = (known after apply)
      + region             = "us-central1"
      + self_link          = (known after apply)
      + subnetwork         = (known after apply)
      + terraform_labels   = (known after apply)
      + users              = (known after apply)
    }

  # google_compute_address.controlplane_internal will be created
  + resource "google_compute_address" "controlplane_internal" {
      + address            = (known after apply)
      + address_type       = "INTERNAL"
      + creation_timestamp = (known after apply)
      + effective_labels   = (known after apply)
      + id                 = (known after apply)
      + label_fingerprint  = (known after apply)
      + name               = "controlplane-internal"
      + network_tier       = (known after apply)
      + prefix_length      = (known after apply)
      + project            = "admin-920455"
      + purpose            = "GCE_ENDPOINT"
      + region             = "us-central1"
      + self_link          = (known after apply)
      + subnetwork         = (known after apply)
      + terraform_labels   = (known after apply)
      + users              = (known after apply)
    }

  # google_compute_firewall.controlplane_api_allow_hc will be created
  + resource "google_compute_firewall" "controlplane_api_allow_hc" {
      + creation_timestamp = (known after apply)
      + destination_ranges = (known after apply)
      + direction          = "INGRESS"
      + enable_logging     = (known after apply)
      + id                 = (known after apply)
      + name               = "controlplane-api-allow-hc"
      + network            = (known after apply)
      + priority           = 1000
      + project            = "admin-920455"
      + self_link          = (known after apply)
      + source_ranges      = [
          + "130.211.0.0/22",
          + "209.85.152.0/22",
          + "209.85.204.0/22",
          + "35.191.0.0/16",
        ]
      + target_tags        = [
          + "controlplane",
        ]

      + allow {
          + ports    = [
              + "6443",
            ]
          + protocol = "tcp"
        }
    }

  # google_compute_firewall.controlplane_api_authorized_networks will be created
  + resource "google_compute_firewall" "controlplane_api_authorized_networks" {
      + creation_timestamp = (known after apply)
      + destination_ranges = (known after apply)
      + direction          = "INGRESS"
      + enable_logging     = (known after apply)
      + id                 = (known after apply)
      + name               = "controlplane-api-authorized-networks"
      + network            = (known after apply)
      + priority           = 1000
      + project            = "admin-920455"
      + self_link          = (known after apply)
      + source_ranges      = [
          + "198.54.133.104/32",
        ]
      + target_tags        = [
          + "controlplane",
        ]

      + allow {
          + ports    = [
              + "6443",
            ]
          + protocol = "tcp"
        }
    }

  # google_compute_firewall.homelab will be created
  + resource "google_compute_firewall" "homelab" {
      + creation_timestamp = (known after apply)
      + destination_ranges = (known after apply)
      + direction          = (known after apply)
      + enable_logging     = (known after apply)
      + id                 = (known after apply)
      + name               = "homelab-allow-internal"
      + network            = (known after apply)
      + priority           = 1000
      + project            = "admin-920455"
      + self_link          = (known after apply)
      + source_tags        = [
          + "k8s",
        ]
      + target_tags        = [
          + "k8s",
        ]

      + allow {
          + ports    = []
          + protocol = "all"
        }
    }

  # google_compute_forwarding_rule.api_server_external will be created
  + resource "google_compute_forwarding_rule" "api_server_external" {
      + backend_service       = (known after apply)
      + base_forwarding_rule  = (known after apply)
      + creation_timestamp    = (known after apply)
      + effective_labels      = (known after apply)
      + id                    = (known after apply)
      + ip_address            = (known after apply)
      + ip_protocol           = (known after apply)
      + ip_version            = (known after apply)
      + label_fingerprint     = (known after apply)
      + load_balancing_scheme = "EXTERNAL"
      + name                  = "api-server-external"
      + network               = (known after apply)
      + network_tier          = (known after apply)
      + port_range            = "6443-6443"
      + project               = "admin-920455"
      + psc_connection_id     = (known after apply)
      + psc_connection_status = (known after apply)
      + recreate_closed_psc   = false
      + region                = "us-central1"
      + self_link             = (known after apply)
      + service_name          = (known after apply)
      + subnetwork            = (known after apply)
      + terraform_labels      = (known after apply)
    }

  # google_compute_forwarding_rule.api_server_internal will be created
  + resource "google_compute_forwarding_rule" "api_server_internal" {
      + allow_global_access   = true
      + backend_service       = (known after apply)
      + base_forwarding_rule  = (known after apply)
      + creation_timestamp    = (known after apply)
      + effective_labels      = (known after apply)
      + id                    = (known after apply)
      + ip_address            = (known after apply)
      + ip_protocol           = (known after apply)
      + ip_version            = (known after apply)
      + label_fingerprint     = (known after apply)
      + load_balancing_scheme = "INTERNAL"
      + name                  = "api-server-internal"
      + network               = (known after apply)
      + network_tier          = (known after apply)
      + port_range            = (known after apply)
      + ports                 = [
          + "6443",
        ]
      + project               = "admin-920455"
      + psc_connection_id     = (known after apply)
      + psc_connection_status = (known after apply)
      + recreate_closed_psc   = false
      + region                = "us-central1"
      + self_link             = (known after apply)
      + service_name          = (known after apply)
      + subnetwork            = (known after apply)
      + terraform_labels      = (known after apply)
    }

  # google_compute_health_check.controlplane_internal will be created
  + resource "google_compute_health_check" "controlplane_internal" {
      + check_interval_sec  = 5
      + creation_timestamp  = (known after apply)
      + healthy_threshold   = 2
      + id                  = (known after apply)
      + name                = "controlplane-internal"
      + project             = "admin-920455"
      + self_link           = (known after apply)
      + timeout_sec         = 1
      + type                = (known after apply)
      + unhealthy_threshold = 2

      + tcp_health_check {
          + port         = 6443
          + proxy_header = "NONE"
        }
    }

  # google_compute_image.talos will be created
  + resource "google_compute_image" "talos" {
      + archive_size_bytes = (known after apply)
      + creation_timestamp = (known after apply)
      + disk_size_gb       = (known after apply)
      + effective_labels   = (known after apply)
      + id                 = (known after apply)
      + label_fingerprint  = (known after apply)
      + licenses           = (known after apply)
      + name               = "talos-image"
      + project            = (known after apply)
      + self_link          = (known after apply)
      + storage_locations  = (known after apply)
      + terraform_labels   = (known after apply)

      + raw_disk {
          + container_type = "TAR"
          + source         = "https://github.com/siderolabs/talos/releases/download/v1.6.0-alpha.0/gcp-amd64.raw.tar.gz"
        }
    }

  # google_compute_network.homelab will be created
  + resource "google_compute_network" "homelab" {
      + auto_create_subnetworks                   = false
      + delete_default_routes_on_create           = false
      + gateway_ipv4                              = (known after apply)
      + id                                        = (known after apply)
      + internal_ipv6_range                       = (known after apply)
      + mtu                                       = (known after apply)
      + name                                      = "homelab"
      + network_firewall_policy_enforcement_order = "AFTER_CLASSIC_FIREWALL"
      + project                                   = "admin-920455"
      + routing_mode                              = (known after apply)
      + self_link                                 = (known after apply)
    }

  # google_compute_region_backend_service.api_server_external will be created
  + resource "google_compute_region_backend_service" "api_server_external" {
      + connection_draining_timeout_sec = 0
      + creation_timestamp              = (known after apply)
      + fingerprint                     = (known after apply)
      + health_checks                   = (known after apply)
      + id                              = (known after apply)
      + load_balancing_scheme           = "EXTERNAL"
      + name                            = "api-server-external"
      + port_name                       = (known after apply)
      + project                         = "admin-920455"
      + protocol                        = (known after apply)
      + region                          = "us-central1"
      + self_link                       = (known after apply)
      + session_affinity                = (known after apply)
      + timeout_sec                     = (known after apply)

      + backend {
          + balancing_mode = "CONNECTION"
          + failover       = (known after apply)
          + group          = (known after apply)
        }
    }

  # google_compute_region_backend_service.api_server_internal will be created
  + resource "google_compute_region_backend_service" "api_server_internal" {
      + connection_draining_timeout_sec = 0
      + creation_timestamp              = (known after apply)
      + fingerprint                     = (known after apply)
      + health_checks                   = (known after apply)
      + id                              = (known after apply)
      + load_balancing_scheme           = "INTERNAL"
      + name                            = "api-server-internal"
      + port_name                       = (known after apply)
      + project                         = "admin-920455"
      + protocol                        = (known after apply)
      + region                          = "us-central1"
      + self_link                       = (known after apply)
      + session_affinity                = (known after apply)
      + timeout_sec                     = (known after apply)

      + backend {
          + balancing_mode = "CONNECTION"
          + failover       = (known after apply)
          + group          = (known after apply)
        }
    }

  # google_compute_region_health_check.controlplane_external will be created
  + resource "google_compute_region_health_check" "controlplane_external" {
      + check_interval_sec  = 5
      + creation_timestamp  = (known after apply)
      + healthy_threshold   = 2
      + id                  = (known after apply)
      + name                = "controlplane-external"
      + project             = "admin-920455"
      + region              = "us-central1"
      + self_link           = (known after apply)
      + timeout_sec         = 1
      + type                = (known after apply)
      + unhealthy_threshold = 2

      + tcp_health_check {
          + port         = 6443
          + proxy_header = "NONE"
        }
    }

  # google_compute_region_instance_group_manager.agents will be created
  + resource "google_compute_region_instance_group_manager" "agents" {
      + base_instance_name               = "agent"
      + distribution_policy_target_shape = (known after apply)
      + distribution_policy_zones        = (known after apply)
      + fingerprint                      = (known after apply)
      + id                               = (known after apply)
      + instance_group                   = (known after apply)
      + list_managed_instances_results   = "PAGELESS"
      + name                             = "cluster-agents"
      + project                          = (known after apply)
      + region                           = "us-central1"
      + self_link                        = (known after apply)
      + status                           = (known after apply)
      + target_size                      = 3
      + wait_for_instances               = false
      + wait_for_instances_status        = "STABLE"

      + named_port {
          + name = "http"
          + port = 80
        }
      + named_port {
          + name = "https"
          + port = 443
        }

      + update_policy {
          + max_surge_fixed       = 3
          + max_unavailable_fixed = (known after apply)
          + minimal_action        = "REPLACE"
          + type                  = "PROACTIVE"
        }

      + version {
          + instance_template = (known after apply)
        }
    }

  # google_compute_region_instance_group_manager.controlplane will be created
  + resource "google_compute_region_instance_group_manager" "controlplane" {
      + base_instance_name               = "ctrl"
      + distribution_policy_target_shape = (known after apply)
      + distribution_policy_zones        = (known after apply)
      + fingerprint                      = (known after apply)
      + id                               = (known after apply)
      + instance_group                   = (known after apply)
      + list_managed_instances_results   = "PAGELESS"
      + name                             = "controlplane"
      + project                          = (known after apply)
      + region                           = "us-central1"
      + self_link                        = (known after apply)
      + status                           = (known after apply)
      + target_size                      = 3
      + wait_for_instances               = false
      + wait_for_instances_status        = "STABLE"

      + named_port {
          + name = "k8s"
          + port = 6443
        }

      + version {
          + instance_template = (known after apply)
        }
    }

  # google_compute_region_instance_template.agents will be created
  + resource "google_compute_region_instance_template" "agents" {
      + can_ip_forward       = false
      + effective_labels     = (known after apply)
      + id                   = (known after apply)
      + instance_description = "agent node"
      + machine_type         = "e2-medium"
      + metadata_fingerprint = (known after apply)
      + name                 = (known after apply)
      + name_prefix          = "agent-instance-template-"
      + project              = (known after apply)
      + region               = "us-central1"
      + self_link            = (known after apply)
      + tags                 = [
          + "k8s",
        ]
      + tags_fingerprint     = (known after apply)
      + terraform_labels     = (known after apply)

      + disk {
          + auto_delete       = true
          + boot              = true
          + device_name       = (known after apply)
          + disk_size_gb      = (known after apply)
          + disk_type         = (known after apply)
          + interface         = (known after apply)
          + mode              = (known after apply)
          + provisioned_iops  = (known after apply)
          + resource_policies = (known after apply)
          + source_image      = (known after apply)
          + type              = (known after apply)

          + disk_encryption_key {
              + kms_key_self_link = (known after apply)
            }
        }

      + network_interface {
          + internal_ipv6_prefix_length = (known after apply)
          + ipv6_access_type            = (known after apply)
          + ipv6_address                = (known after apply)
          + name                        = (known after apply)
          + network                     = (known after apply)
          + stack_type                  = (known after apply)
          + subnetwork                  = (known after apply)
          + subnetwork_project          = (known after apply)
        }

      + service_account {
          + email  = (known after apply)
          + scopes = [
              + "https://www.googleapis.com/auth/cloud-platform",
            ]
        }
    }

  # google_compute_region_instance_template.controlplane will be created
  + resource "google_compute_region_instance_template" "controlplane" {
      + can_ip_forward       = false
      + effective_labels     = (known after apply)
      + id                   = (known after apply)
      + instance_description = "controlplane node"
      + machine_type         = "e2-medium"
      + metadata_fingerprint = (known after apply)
      + name                 = (known after apply)
      + name_prefix          = "controlplane-instance-template-"
      + project              = (known after apply)
      + region               = "us-central1"
      + self_link            = (known after apply)
      + tags                 = [
          + "controlplane",
          + "k8s",
        ]
      + tags_fingerprint     = (known after apply)
      + terraform_labels     = (known after apply)

      + disk {
          + auto_delete       = true
          + boot              = true
          + device_name       = (known after apply)
          + disk_size_gb      = (known after apply)
          + disk_type         = (known after apply)
          + interface         = (known after apply)
          + mode              = (known after apply)
          + provisioned_iops  = (known after apply)
          + resource_policies = (known after apply)
          + source_image      = (known after apply)
          + type              = (known after apply)

          + disk_encryption_key {
              + kms_key_self_link = (known after apply)
            }
        }

      + network_interface {
          + internal_ipv6_prefix_length = (known after apply)
          + ipv6_access_type            = (known after apply)
          + ipv6_address                = (known after apply)
          + name                        = (known after apply)
          + network                     = (known after apply)
          + stack_type                  = (known after apply)
          + subnetwork                  = (known after apply)
          + subnetwork_project          = (known after apply)
        }

      + service_account {
          + email  = (known after apply)
          + scopes = [
              + "https://www.googleapis.com/auth/cloud-platform",
            ]
        }
    }

  # google_compute_resource_policy.daily will be created
  + resource "google_compute_resource_policy" "daily" {
      + id        = (known after apply)
      + name      = "daily-backup"
      + project   = (known after apply)
      + region    = "us-central1"
      + self_link = (known after apply)

      + snapshot_schedule_policy {
          + schedule {
              + daily_schedule {
                  + days_in_cycle = 1
                  + start_time    = "04:00"
                }
            }
        }
    }

  # google_compute_router.agents will be created
  + resource "google_compute_router" "agents" {
      + creation_timestamp = (known after apply)
      + id                 = (known after apply)
      + name               = "cluster-agents"
      + network            = (known after apply)
      + project            = "admin-920455"
      + region             = "us-central1"
      + self_link          = (known after apply)
    }

  # google_compute_router.controlplane will be created
  + resource "google_compute_router" "controlplane" {
      + creation_timestamp = (known after apply)
      + id                 = (known after apply)
      + name               = "controlplane"
      + network            = (known after apply)
      + project            = "admin-920455"
      + region             = "us-central1"
      + self_link          = (known after apply)
    }

  # google_compute_router_nat.agents will be created
  + resource "google_compute_router_nat" "agents" {
      + enable_dynamic_port_allocation      = (known after apply)
      + enable_endpoint_independent_mapping = (known after apply)
      + icmp_idle_timeout_sec               = 30
      + id                                  = (known after apply)
      + name                                = "cluster-agents"
      + nat_ip_allocate_option              = "AUTO_ONLY"
      + project                             = "admin-920455"
      + region                              = "us-central1"
      + router                              = "cluster-agents"
      + source_subnetwork_ip_ranges_to_nat  = "LIST_OF_SUBNETWORKS"
      + tcp_established_idle_timeout_sec    = 1200
      + tcp_time_wait_timeout_sec           = 120
      + tcp_transitory_idle_timeout_sec     = 30
      + udp_idle_timeout_sec                = 30

      + subnetwork {
          + name                     = (known after apply)
          + secondary_ip_range_names = []
          + source_ip_ranges_to_nat  = [
              + "ALL_IP_RANGES",
            ]
        }
    }

  # google_compute_router_nat.controlplane will be created
  + resource "google_compute_router_nat" "controlplane" {
      + enable_dynamic_port_allocation      = (known after apply)
      + enable_endpoint_independent_mapping = (known after apply)
      + icmp_idle_timeout_sec               = 30
      + id                                  = (known after apply)
      + name                                = "controlplane"
      + nat_ip_allocate_option              = "AUTO_ONLY"
      + project                             = "admin-920455"
      + region                              = "us-central1"
      + router                              = "controlplane"
      + source_subnetwork_ip_ranges_to_nat  = "LIST_OF_SUBNETWORKS"
      + tcp_established_idle_timeout_sec    = 1200
      + tcp_time_wait_timeout_sec           = 120
      + tcp_transitory_idle_timeout_sec     = 30
      + udp_idle_timeout_sec                = 30

      + subnetwork {
          + name                     = (known after apply)
          + secondary_ip_range_names = []
          + source_ip_ranges_to_nat  = [
              + "ALL_IP_RANGES",
            ]
        }
    }

  # google_compute_subnetwork.agents will be created
  + resource "google_compute_subnetwork" "agents" {
      + creation_timestamp         = (known after apply)
      + external_ipv6_prefix       = (known after apply)
      + fingerprint                = (known after apply)
      + gateway_address            = (known after apply)
      + id                         = (known after apply)
      + internal_ipv6_prefix       = (known after apply)
      + ip_cidr_range              = "172.16.2.0/24"
      + ipv6_cidr_range            = (known after apply)
      + name                       = "cluster-agents"
      + network                    = (known after apply)
      + private_ip_google_access   = true
      + private_ipv6_google_access = (known after apply)
      + project                    = "admin-920455"
      + purpose                    = (known after apply)
      + region                     = "us-central1"
      + secondary_ip_range         = (known after apply)
      + self_link                  = (known after apply)
      + stack_type                 = (known after apply)
    }

  # google_compute_subnetwork.controlplane will be created
  + resource "google_compute_subnetwork" "controlplane" {
      + creation_timestamp         = (known after apply)
      + external_ipv6_prefix       = (known after apply)
      + fingerprint                = (known after apply)
      + gateway_address            = (known after apply)
      + id                         = (known after apply)
      + internal_ipv6_prefix       = (known after apply)
      + ip_cidr_range              = "172.16.1.0/24"
      + ipv6_cidr_range            = (known after apply)
      + name                       = "controlplane"
      + network                    = (known after apply)
      + private_ip_google_access   = true
      + private_ipv6_google_access = (known after apply)
      + project                    = "admin-920455"
      + purpose                    = (known after apply)
      + region                     = "us-central1"
      + secondary_ip_range         = (known after apply)
      + self_link                  = (known after apply)
      + stack_type                 = (known after apply)
    }

  # google_kms_crypto_key.keys["secrets-key"] will be created
  + resource "google_kms_crypto_key" "keys" {
      + destroy_scheduled_duration = (known after apply)
      + effective_labels           = (known after apply)
      + id                         = (known after apply)
      + import_only                = (known after apply)
      + key_ring                   = "projects/admin-920455/locations/us-central1/keyRings/homelab-keyring"
      + name                       = "secrets-key"
      + purpose                    = "ENCRYPT_DECRYPT"
      + rotation_period            = "2592000s"
      + terraform_labels           = (known after apply)
    }

  # google_kms_crypto_key.keys["talos-disk-key"] will be created
  + resource "google_kms_crypto_key" "keys" {
      + destroy_scheduled_duration = (known after apply)
      + effective_labels           = (known after apply)
      + id                         = (known after apply)
      + import_only                = (known after apply)
      + key_ring                   = "projects/admin-920455/locations/us-central1/keyRings/homelab-keyring"
      + name                       = "talos-disk-key"
      + purpose                    = "ENCRYPT_DECRYPT"
      + rotation_period            = "2592000s"
      + terraform_labels           = (known after apply)
    }

  # google_kms_crypto_key.keys["tfstate-key"] will be created
  + resource "google_kms_crypto_key" "keys" {
      + destroy_scheduled_duration = (known after apply)
      + effective_labels           = (known after apply)
      + id                         = (known after apply)
      + import_only                = (known after apply)
      + key_ring                   = "projects/admin-920455/locations/us-central1/keyRings/homelab-keyring"
      + name                       = "tfstate-key"
      + purpose                    = "ENCRYPT_DECRYPT"
      + rotation_period            = "2592000s"
      + terraform_labels           = (known after apply)
    }

  # google_kms_crypto_key.secrets_key will be destroyed
  # (because google_kms_crypto_key.secrets_key is not in configuration)
  - resource "google_kms_crypto_key" "secrets_key" {
      - destroy_scheduled_duration    = "86400s" -> null
      - effective_labels              = {} -> null
      - id                            = "projects/admin-920455/locations/us-central1/keyRings/homelab-keyring/cryptoKeys/secrets-key" -> null
      - import_only                   = false -> null
      - key_ring                      = "projects/admin-920455/locations/us-central1/keyRings/homelab-keyring" -> null
      - labels                        = {} -> null
      - name                          = "secrets-key" -> null
      - purpose                       = "ENCRYPT_DECRYPT" -> null
      - rotation_period               = "2592000s" -> null
      - skip_initial_version_creation = false -> null
      - terraform_labels              = {} -> null

      - version_template {
          - algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION" -> null
          - protection_level = "SOFTWARE" -> null
        }
    }

  # google_kms_crypto_key.tfstate_key will be destroyed
  # (because google_kms_crypto_key.tfstate_key is not in configuration)
  - resource "google_kms_crypto_key" "tfstate_key" {
      - destroy_scheduled_duration    = "86400s" -> null
      - effective_labels              = {} -> null
      - id                            = "projects/admin-920455/locations/us-central1/keyRings/homelab-keyring/cryptoKeys/tfstate-key" -> null
      - import_only                   = false -> null
      - key_ring                      = "projects/admin-920455/locations/us-central1/keyRings/homelab-keyring" -> null
      - labels                        = {} -> null
      - name                          = "tfstate-key" -> null
      - purpose                       = "ENCRYPT_DECRYPT" -> null
      - rotation_period               = "2592000s" -> null
      - skip_initial_version_creation = false -> null
      - terraform_labels              = {} -> null

      - version_template {
          - algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION" -> null
          - protection_level = "SOFTWARE" -> null
        }
    }

  # google_kms_crypto_key_iam_binding.secrets_sa_binding must be replaced
-/+ resource "google_kms_crypto_key_iam_binding" "secrets_sa_binding" {
      ~ crypto_key_id = "projects/admin-920455/locations/us-central1/keyRings/homelab-keyring/cryptoKeys/secrets-key" # forces replacement -> (known after apply) # forces replacement
      ~ etag          = "BwYEbE6qhMs=" -> (known after apply)
      ~ id            = "projects/admin-920455/locations/us-central1/keyRings/homelab-keyring/cryptoKeys/secrets-key/roles/cloudkms.cryptoKeyEncrypterDecrypter" -> (known after apply)
        # (2 unchanged attributes hidden)
    }

  # google_kms_crypto_key_iam_binding.tfstate_sa_binding must be replaced
-/+ resource "google_kms_crypto_key_iam_binding" "tfstate_sa_binding" {
      ~ crypto_key_id = "projects/admin-920455/locations/us-central1/keyRings/homelab-keyring/cryptoKeys/tfstate-key" # forces replacement -> (known after apply) # forces replacement
      ~ etag          = "BwYEbE6o+sc=" -> (known after apply)
      ~ id            = "projects/admin-920455/locations/us-central1/keyRings/homelab-keyring/cryptoKeys/tfstate-key/roles/cloudkms.cryptoKeyEncrypterDecrypter" -> (known after apply)
        # (2 unchanged attributes hidden)
    }

  # google_project.homelab will be created
  + resource "google_project" "homelab" {
      + auto_create_network = true
      + billing_account     = "012AF6-DBCAAF-ADA2BC"
      + effective_labels    = (known after apply)
      + id                  = (known after apply)
      + name                = "Homelab"
      + number              = (known after apply)
      + org_id              = "222061260236"
      + project_id          = "homelab-735905"
      + skip_delete         = (known after apply)
      + terraform_labels    = (known after apply)
    }

  # google_project_iam_binding.tf_sa_binding["roles/cloudkms.admin"] must be replaced
-/+ resource "google_project_iam_binding" "tf_sa_binding" {
      ~ etag    = "BwYEtZUgdaM=" -> (known after apply)
      ~ id      = "325329770668/roles/cloudkms.admin" -> (known after apply)
      ~ project = "325329770668" # forces replacement -> (known after apply) # forces replacement
        # (2 unchanged attributes hidden)
    }

  # google_project_iam_binding.tf_sa_binding["roles/secretmanager.secretAccessor"] must be replaced
-/+ resource "google_project_iam_binding" "tf_sa_binding" {
      ~ etag    = "BwYEtZUgdaM=" -> (known after apply)
      ~ id      = "325329770668/roles/secretmanager.secretAccessor" -> (known after apply)
      ~ project = "325329770668" # forces replacement -> (known after apply) # forces replacement
        # (2 unchanged attributes hidden)
    }

  # google_project_iam_binding.tf_sa_binding["roles/secretmanager.viewer"] must be replaced
-/+ resource "google_project_iam_binding" "tf_sa_binding" {
      ~ etag    = "BwYEtZUgdaM=" -> (known after apply)
      ~ id      = "325329770668/roles/secretmanager.viewer" -> (known after apply)
      ~ project = "325329770668" # forces replacement -> (known after apply) # forces replacement
        # (2 unchanged attributes hidden)
    }

  # google_project_iam_binding.tf_sa_binding["roles/storage.admin"] must be replaced
-/+ resource "google_project_iam_binding" "tf_sa_binding" {
      ~ etag    = "BwYEtZUgdaM=" -> (known after apply)
      ~ id      = "325329770668/roles/storage.admin" -> (known after apply)
      ~ project = "325329770668" # forces replacement -> (known after apply) # forces replacement
        # (2 unchanged attributes hidden)
    }

  # google_project_service.homelab_services["cloudbilling.googleapis.com"] will be created
  + resource "google_project_service" "homelab_services" {
      + disable_on_destroy = true
      + id                 = (known after apply)
      + project            = (known after apply)
      + service            = "cloudbilling.googleapis.com"
    }

  # google_project_service.homelab_services["cloudresourcemanager.googleapis.com"] will be created
  + resource "google_project_service" "homelab_services" {
      + disable_on_destroy = true
      + id                 = (known after apply)
      + project            = (known after apply)
      + service            = "cloudresourcemanager.googleapis.com"
    }

  # google_project_service.homelab_services["serviceusage.googleapis.com"] will be created
  + resource "google_project_service" "homelab_services" {
      + disable_on_destroy = true
      + id                 = (known after apply)
      + project            = (known after apply)
      + service            = "serviceusage.googleapis.com"
    }

  # google_service_account.agents will be created
  + resource "google_service_account" "agents" {
      + account_id = "cluster-agent"
      + disabled   = false
      + email      = (known after apply)
      + id         = (known after apply)
      + member     = (known after apply)
      + name       = (known after apply)
      + project    = (known after apply)
      + unique_id  = (known after apply)
    }

  # google_service_account.controlplane will be created
  + resource "google_service_account" "controlplane" {
      + account_id = "controlplane"
      + disabled   = false
      + email      = (known after apply)
      + id         = (known after apply)
      + member     = (known after apply)
      + name       = (known after apply)
      + project    = (known after apply)
      + unique_id  = (known after apply)
    }

  # google_storage_bucket.gcs_bucket will be updated in-place
  ~ resource "google_storage_bucket" "gcs_bucket" {
        id                          = "tfstate.vytrac.me"
        name                        = "tfstate.vytrac.me"
        # (14 unchanged attributes hidden)

      ~ encryption {
          ~ default_kms_key_name = "projects/admin-920455/locations/us-central1/keyRings/homelab-keyring/cryptoKeys/tfstate-key" -> (known after apply)
        }

        # (1 unchanged block hidden)
    }

  # random_string.random[2] will be destroyed
  # (because index [2] is out of range for count)
  - resource "random_string" "random" {
      - id          = "991123" -> null
      - length      = 6 -> null
      - lower       = true -> null
      - min_lower   = 0 -> null
      - min_numeric = 6 -> null
      - min_special = 0 -> null
      - min_upper   = 0 -> null
      - number      = true -> null
      - numeric     = true -> null
      - result      = "991123" -> null
      - special     = true -> null
      - upper       = true -> null
    }

  # talos_machine_bootstrap.bootstrap["172.16.1.0/24"] will be created
  + resource "talos_machine_bootstrap" "bootstrap" {
      + client_configuration = (known after apply)
      + endpoint             = "172.16.1.0/24"
      + id                   = (known after apply)
      + node                 = "172.16.1.0/24"
    }

  # talos_machine_bootstrap.bootstrap["172.16.2.0/24"] will be created
  + resource "talos_machine_bootstrap" "bootstrap" {
      + client_configuration = (known after apply)
      + endpoint             = "172.16.2.0/24"
      + id                   = (known after apply)
      + node                 = "172.16.2.0/24"
    }

  # talos_machine_configuration_apply.config["172.16.1.0/24"] will be created
  + resource "talos_machine_configuration_apply" "config" {
      + apply_mode                  = "auto"
      + client_configuration        = (known after apply)
      + config_patches              = [
          + <<-EOT
                "machine":
                  "install":
                    "disk": "/dev/sdd"
            EOT,
        ]
      + endpoint                    = "172.16.1.0/24"
      + id                          = (known after apply)
      + machine_configuration       = (sensitive value)
      + machine_configuration_input = (sensitive value)
      + node                        = "172.16.1.0/24"
    }

  # talos_machine_configuration_apply.config["172.16.2.0/24"] will be created
  + resource "talos_machine_configuration_apply" "config" {
      + apply_mode                  = "auto"
      + client_configuration        = (known after apply)
      + config_patches              = [
          + <<-EOT
                "machine":
                  "install":
                    "disk": "/dev/sdd"
            EOT,
        ]
      + endpoint                    = "172.16.2.0/24"
      + id                          = (known after apply)
      + machine_configuration       = (sensitive value)
      + machine_configuration_input = (sensitive value)
      + node                        = "172.16.2.0/24"
    }

  # talos_machine_secrets.secrets will be created
  + resource "talos_machine_secrets" "secrets" {
      + client_configuration = (known after apply)
      + id                   = (known after apply)
      + machine_secrets      = (known after apply)
      + talos_version        = "v1.6.0-alpha.0"
    }

Plan: 44 to add, 1 to change, 9 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

Pusher: @celia-vytrac, Action: pull_request, Working Directory: iac, Workflow: Terraform CI/CD
