

## Allow inbound TCP/22 to our instance ONLY from Google's IAP TCP-forwarding
## proxies (source_ranges must be the published IAP range 35.235.240.0/20,
## never 0.0.0.0/0 - otherwise the "IAP only" intent of this rule is lost)
resource "google_compute_firewall" "inbound-ip-ssh" {
name = "allow-incoming-access-from-iap"
project = var.project_id
network = "default"
direction = "INGRESS"
allow {
protocol = "tcp"
# Define the required roles to access the VM
# Project-level roles bound to the user account in the
# google_project_iam_member resource that follows.
#   roles/compute.viewer  - read-only visibility of Compute Engine resources
#   roles/compute.osLogin - OS Login SSH access WITHOUT sudo; only switch to
#                           roles/compute.osAdminLogin if root is truly required
locals {
  compute_roles = ["roles/compute.viewer", "roles/compute.osLogin"]
}
# Apply the roles to a user account
resource "google_project_iam_member" "assign-roles" {
# Create a conditional IAM rule that grants access to establish an IAP tunnel
# IF the user is connecting from an authorised network defined in the access
# list
resource "google_iap_tunnel_iam_member" "allow-remote-access-to-iap" {
project = "<your-project-id>"
role = "roles/iap.tunnelResourceAccessor"
member = "user:calum.hunter@the.cloud"
condition {
title = "allow_remote_access_to_iap"
# Creates an Access Level
# This access level will be used in
# a conditional IAM policy to restrict access
# to authorised users coming from authorised networks
resource "google_access_context_manager_access_level" "access-level" {
parent = "accessPolicies/<access-policy-id>"
name = "accessPolicies/<access-policy-id>/accessLevels/<my_access_level_name>"
title = "secure-iap-access-level"
description = "This access level lists the authorised network addresses"
## Allow inbound TCP/22 to our instance ONLY from Google's IAP TCP-forwarding
## proxies (source_ranges must be the published IAP range 35.235.240.0/20,
## never 0.0.0.0/0 - otherwise the "IAP only" intent of this rule is lost)
resource "google_compute_firewall" "inbound-ip-ssh" {
name = "allow-incoming-ssh-from-iap"
project = var.project_id
network = "default"
direction = "INGRESS"
allow {
protocol = "tcp"
# Create an instance
# NOTE(review): the debian-9 image family below is end-of-life and no longer
# receives security updates; pin a currently supported image family instead.
resource "google_compute_instance" "my-instance" {
project = var.project_id
name = "my-instance-01"
machine_type = "e2-standard-2"
zone = var.zone
boot_disk {
initialize_params {
image = "debian-cloud/debian-9"
Route53 Terraform example
// Manage DNS
// Create a private route53 zone
// Private hosted zone: records are only resolvable from inside the VPC
// given by var.vpc_id, so internal names (e.g. the Jenkins master) are
// never published to public DNS.
// NOTE(review): the bare `vpc_id` argument is the Terraform 0.11-era form;
// AWS provider >= 2.0 expects a `vpc { vpc_id = ... }` block instead.
resource "aws_route53_zone" "this" {
  vpc_id = "${var.vpc_id}"
  name   = "${var.dns_zone_name}"
}
// Create a dns record for the jenkins master private ip
resource "aws_route53_record" "master" {
zone_id = "${aws_route53_zone.this.id}"

K8s notes

Cluster basics

Master

provides the API server, scheduler, controller manager, an optional dashboard UI and a key-value store; all cluster information and state -- including Secrets -- is persisted in etcd, so etcd must be strictly access-controlled (and ideally encrypted at rest), since anyone who can read it effectively owns the cluster.

control plane

Worker Nodes

example using count in TF
# One azurerm_network_interface per VM that needs one: `count` stamps out
# three copies of this resource, and count.index (0, 1, 2) is interpolated
# into the name so each NIC gets a unique, predictable identifier.
resource "azurerm_network_interface" "network-interface" {
  count = 3
  name  = "interface-number-${count.index}"
  # ...
}
# Result: three NICs named interface-number-0 .. interface-number-2
Get a list of AWS AMI codes for CentOS 7 Linux
#!/bin/bash
# Get latest AMI codes for CentOS 7 from AWS
region="ap-southeast-2"
product_code="aw0evgkw8e5c1q413zgy5pjce"
aws ec2 describe-images \
--region "$region" \
--owners aws-marketplace \