feat: Add terraform samples for GKE Attached clusters. (#667)

* feat: Add Terraform samples for GKE Attached clusters.

Add samples demonstrating use of GKE attached clusters with both AKS and
EKS. The samples:
1. create a cluster
2. prepare the cluster for attach
3. attach the cluster
as a single Terraform apply step which has been problematic for users.

* Fix lint issues.

* Add the multicloud team as owners for attached clusters samples.

Author: hankfreund

.github/workflows/ci_any_pr.yaml

@@ -54,6 +54,7 @@ jobs:
         # list of directories in the repo that hosts Terraform samples
         # update this list as new terraform samples are added to the repo
         tf-sample: [
+          'anthos-attached-clusters',
           'anthos-bm-gcp-terraform',
           'anthos-bm-openstack-terraform',
           'anthos-multi-cloud/AWS',

.github/workflows/ci_main_branch.yaml

@@ -54,6 +54,7 @@ jobs:
         # list of directories in the repo that hosts Terraform samples
         # update this list as new terraform samples are added to the repo
         tf-sample: [
+          'anthos-attached-clusters',
           'anthos-bm-gcp-terraform',
           'anthos-bm-openstack-terraform',
           'anthos-multi-cloud/AWS',

CODEOWNERS

@@ -10,6 +10,7 @@
 /aws-logging-monitoring/          @GoogleCloudPlatform/onyx-gke-observability @yoshi-approver
 /attached-logging-monitoring/     @GoogleCloudPlatform/onyx-gke-observability @yoshi-approver
 /gmp-grafana-dashboards/          @GoogleCloudPlatform/onyx-gke-observability @yoshi-approver
+/anthos-attached-clusters/        @GoogleCloudPlatform/anthos-multicloud @yoshi-approver
 /anthos-multi-cloud/		  @GoogleCloudPlatform/anthos-multicloud @yoshi-approver
 /anthos-bm-utils/		  @GoogleCloudPlatform/anthos-baremetal-eng @yoshi-approver
 /anthos-bm-apigee/		  @GoogleCloudPlatform/app-mod-customer-engineers @yoshi-approver

anthos-attached-clusters/AAC-architecture.svg

@@ -0,0 +1,84 @@
+# Using Terraform with GKE Attached Clusters
+
+The scripts provided here demonstrate how you can use Terraform to automate the process of
+creating, bootstrapping, and attaching a Kubernetes cluster. For a complete reference of the
+GKE attached clusters Terraform resource, see the
+[google_container_attached_cluster](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_attached_cluster)
+and
+[google_container_attached_install_manifest](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/container_attached_install_manifest)
+documentation.
+
+With GKE attached clusters you can manage any standard, [CNCF-compliant](https://www.cncf.io/certification/software-conformance/)
+Kubernetes installation, including clusters already in production. You can then add
+[Google Kubernetes Engine (GKE) Enterprise edition](https://cloud.google.com/kubernetes-engine)
+features to standardize and secure your clusters across multiple cloud environments and Kubernetes
+vendors. To learn more, see the
+[GKE attached clusters documentation](https://cloud.google.com/anthos/clusters/docs/multi-cloud/attached).
+
+![GKE Attached Clusters](./AAC-architecture.svg)
+
+## High Level Process
+
+Attaching a cluster in GKE involves taking the steps below. The Terraform scripts provided in this
+github repository automatically perform steps 1-4, and are meant to provide a quick start to
+working with GKE attached clusters.
+1. Create a cluster.
+1. Invoke the [GenerateAttachedClustersInstallManifest](https://cloud.google.com/anthos/clusters/docs/multi-cloud/reference/rest/v1/projects.locations/generateAttachedClusterInstallManifest)
+  API to  retrieve a manifest of the bootstrapping deployment.
+1. Apply the manifest from step 1 to the cluster.
+1. Invoke the [Create](https://cloud.google.com/anthos/clusters/docs/multi-cloud/reference/rest/v1/projects.locations.attachedClusters/create)
+  API to attach the cluster.
+1. (Optional) Delete the resources applied in step 2.
+
+## What Is Provided
+
+* The **AKS** folder contains a sample script for creating an AKS cluster on Azure and attaching it.
+* The **EKS** folder contains a sample script for creating an EKS cluster on AWS and attaching it.
+* The **modules** folder contains the `attached-install-manifest` module which demonstrates how to
+retrieve the manifest and apply it to the cluster using Helm. Both the AKS and EKS examples use it.
+
+## Prerequisites
+
+All samples assume the availability of ambient credentials, which are the default credentials
+automatically provided in the environment where you run the Terraform scripts. These credentials
+are typically obtained by authenticating your account using the Google Cloud SDK (gcloud) with the
+command `gcloud auth application-default login`. See the
+[documentation](https://cloud.google.com/sdk/gcloud/reference/auth/application-default/login)
+for more information.
+
+The prerequisites for running the Terraform scripts are the following:
+1. Ensure the latest version of gcloud is [installed](https://cloud.google.com/sdk/docs/install).
+1. If you haven't already done so, [create](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating_a_project)
+  your Google Cloud project. This generates a Google Cloud project ID and a project number.
+1. Set your active Google Cloud project and authenticate your account with the following commands:
+    ```sh
+    export PROJECT_ID=<your project id>
+    gcloud auth login
+    gcloud config set project $PROJECT_ID
+    gcloud auth application-default login
+    ```
+1. Enable the GKE attached clusters API and its required services with the following commands:
+    ```sh
+    gcloud services enable gkemulticloud.googleapis.com
+    gcloud services enable gkeconnect.googleapis.com
+    gcloud services enable connectgateway.googleapis.com
+    gcloud services enable cloudresourcemanager.googleapis.com
+    gcloud services enable anthos.googleapis.com
+    gcloud services enable logging.googleapis.com
+    gcloud services enable monitoring.googleapis.com
+    gcloud services enable opsconfigmonitoring.googleapis.com
+    ```
+1. Clusters will be created at a specific Kubernetes version. Attached clusters have an additional
+  platform version that must be specified. The platform version’s _major.minor_ should match the
+  cluster’s Kubernetes version. Both versions must be specified when attaching.
+  You can list all supported platform versions using:
+    ```sh
+    gcloud container attached get-server-config --location=GOOGLE_CLOUD_REGION
+    ```
+	There is also a Terraform data source that provides the same information:
+    ```
+    data "google_container_attached_versions" "versions" {
+      location      = GCP_LOCATION
+      project       = GCP_PROJECT_ID
+    }
+    ```

anthos-attached-clusters/README.md

@@ -0,0 +1,35 @@
+# Attach an AKS cluster using Terraform
+
+## Prerequisites
+The sample assumes the availability of ambient credentials, which are the default credentials
+automatically provided in the environment where you run the Terraform scripts. For instructions
+on authenticating to Azure, see the
+[Terraform documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#authenticating-to-azure)
+on the topic.
+1. Ensure the latest version of the Azure CLI is [installed](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli)
+  and logged in
+
+## Usage
+
+1. Edit the values in the terraform.tfvars file to suit your needs. Descriptions for each variable
+  can be found in `variables.tf`. Additional optional features are also available and commented out
+  in the `google_container_attached_cluster` resource in `main.tf`.
+
+    If you modify the cluster creation, ensure it meets
+  [Cluster Prerequisites](https://cloud.google.com/anthos/clusters/docs/multi-cloud/attached/aks/reference/cluster-prerequisites).
+1. Initialize Terraform:
+    ```bash
+    terraform init
+    ```
+1. Create and apply the plan:
+    ```bash
+    terraform apply
+    ```
+1. The process should take about 10 minutes to complete.
+1. Login to the cluster:
+    ```bash
+    gcloud container attached clusters get-credentials CLUSTER_NAME
+    ```
+    This will allow you to access the cluster using kubectl, if appropriate RBAC permissions have
+  been applied. For more information, see [Connect to your AKS Cluster](https://cloud.google.com/anthos/clusters/docs/multi-cloud/attached/aks/how-to/connect-to-cluster).
+

anthos-attached-clusters/aks/README.md

@@ -0,0 +1,125 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  tags = {
+    "owner" = var.owner
+  }
+}
+
+data "azurerm_subscription" "current" {
+}
+
+resource "azurerm_resource_group" "aks" {
+  name     = "${var.name_prefix}-rg"
+  location = var.azure_region
+  tags     = merge(local.tags, var.tags)
+}
+
+resource "azurerm_kubernetes_cluster" "aks" {
+  name                = "${var.name_prefix}-cluster"
+  location            = azurerm_resource_group.aks.location
+  resource_group_name = azurerm_resource_group.aks.name
+  dns_prefix          = "${var.name_prefix}-dns"
+  kubernetes_version  = var.k8s_version
+
+  # If not enabling the OIDC issuer, extra steps need to be taken to manually retrieve JWKs from the cluster.
+  oidc_issuer_enabled = true
+
+  default_node_pool {
+    name       = "default"
+    node_count = var.node_count
+    vm_size    = "Standard_D2_v2"
+    tags       = merge(local.tags, var.tags)
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  tags = merge(local.tags, var.tags)
+}
+
+data "google_project" "project" {
+}
+
+provider "helm" {
+  alias = "bootstrap_installer"
+  kubernetes {
+    host                   = azurerm_kubernetes_cluster.aks.kube_config.0.host
+    username               = azurerm_kubernetes_cluster.aks.kube_config.0.username
+    password               = azurerm_kubernetes_cluster.aks.kube_config.0.password
+    client_certificate     = base64decode(azurerm_kubernetes_cluster.aks.kube_config.0.client_certificate)
+    client_key             = base64decode(azurerm_kubernetes_cluster.aks.kube_config.0.client_key)
+    cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.aks.kube_config.0.cluster_ca_certificate)
+  }
+}
+
+module "attached_install_manifest" {
+  source                         = "../modules/attached-install-manifest"
+  attached_cluster_name          = "${var.name_prefix}-cluster"
+  attached_cluster_fleet_project = data.google_project.project.project_id
+  gcp_location                   = var.gcp_location
+  platform_version               = var.platform_version
+  providers = {
+    helm = helm.bootstrap_installer
+  }
+  depends_on = [
+    azurerm_kubernetes_cluster.aks
+  ]
+}
+
+resource "google_container_attached_cluster" "primary" {
+  name             = "${var.name_prefix}-cluster"
+  project          = data.google_project.project.project_id
+  location         = var.gcp_location
+  description      = "AKS attached cluster example"
+  distribution     = "aks"
+  platform_version = var.platform_version
+  oidc_config {
+    issuer_url = azurerm_kubernetes_cluster.aks.oidc_issuer_url
+    # NOTE: If `oidc_issuer_enabled` is not set to true above, `jwks` needs to be set here.
+    # JWKs can be retrieved from the cluster using: `kubectl get --raw /openid/v1/jwks` and
+    # must be base64 encoded.
+  }
+  fleet {
+    project = "projects/${data.google_project.project.number}"
+  }
+
+  # Optional:
+  # logging_config {
+  #   component_config {
+  #     enable_components = ["SYSTEM_COMPONENTS", "WORKLOADS"]
+  #   }
+  # }
+
+  # Optional:
+  # monitoring_config {
+  #   managed_prometheus_config {
+  #     enabled = true
+  #   }
+  # }
+
+  # Optional:
+  # authorization {
+  #   admin_users = ["[email protected]", "[email protected]"]
+  #   admin_groups = ["[email protected]", "[email protected]"]
+  # }
+
+  depends_on = [
+    module.attached_install_manifest
+  ]
+}

anthos-attached-clusters/aks/main.tf

@@ -0,0 +1,40 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">=3.17.0"
+    }
+    google = {
+      source  = "hashicorp/google"
+      version = ">=5.0.0"
+    }
+    helm = {
+      source = "hashicorp/helm"
+    }
+  }
+  required_version = ">= 0.13"
+}
+
+provider "azurerm" {
+  features {}
+}
+
+provider "google" {
+  project = var.gcp_project_id
+}

anthos-attached-clusters/aks/provider.tf

@@ -0,0 +1,66 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "owner" {
+  description = "Owner of the resources"
+  type        = string
+}
+
+variable "name_prefix" {
+  description = "Common prefix to use for generating names"
+  type        = string
+}
+
+variable "azure_region" {
+  description = "Azure region to deploy to"
+  type        = string
+  default     = "East US"
+}
+
+variable "tags" {
+  description = "List of tags to apply to resources"
+  type        = map(string)
+  default     = {}
+}
+
+variable "k8s_version" {
+  description = "Kubernetes version of the AKS cluster"
+  type        = string
+  default     = "1.28"
+}
+
+variable "node_count" {
+  description = "The number of nodes in the default node pool"
+  type        = number
+  default     = 1
+}
+
+variable "gcp_project_id" {
+  description = "The GCP project id where the cluster will be registered"
+  type        = string
+}
+
+variable "gcp_location" {
+  description = "GCP location to create the attached resource in"
+  type        = string
+  default     = "us-west1"
+}
+
+variable "platform_version" {
+  description = "Platform version of the attached cluster resource"
+  type        = string
+  default     = "1.28.0-gke.3"
+}