chroe: add gcp standalone infra example

Author: adityachoudhari26

examples/standalone-infra/iam.tf

@@ -0,0 +1,23 @@
+resource "google_service_account" "ctrlplane" {
+  account_id   = "${var.name}-ctrlplane"
+  display_name = "Ctrlplane ${var.name}"
+  project      = var.project_id
+}
+
+resource "google_project_iam_member" "kafka_client" {
+  project = var.project_id
+  role    = "roles/managedkafka.client"
+  member  = "serviceAccount:${google_service_account.ctrlplane.email}"
+}
+
+resource "google_project_iam_member" "cloudsql_client" {
+  project = var.project_id
+  role    = "roles/cloudsql.client"
+  member  = "serviceAccount:${google_service_account.ctrlplane.email}"
+}
+
+resource "google_service_account_iam_member" "workload_identity" {
+  service_account_id = google_service_account.ctrlplane.name
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "serviceAccount:${var.project_id}.svc.id.goog[ctrlplane/ctrlplane]"
+}

examples/standalone-infra/network.tf

@@ -43,6 +43,8 @@ resource "google_service_networking_connection" "private_vpc" {
   service                 = "servicenetworking.googleapis.com"
   reserved_peering_ranges = [google_compute_global_address.private_ip_range.name]
 
+  deletion_policy = "ABANDON"
+
   depends_on = [google_project_service.apis]
 }
 
@@ -55,3 +57,19 @@ resource "google_compute_global_address" "ingress" {
 
   depends_on = [google_project_service.apis]
 }
+
+# -----------------------------------------------------------------------------
+# Google-Managed SSL Certificate
+# -----------------------------------------------------------------------------
+
+resource "google_compute_managed_ssl_certificate" "ingress" {
+  name = "${var.name}-ssl-cert"
+
+  managed {
+    domains = [var.domain]
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}

examples/standalone-infra/outputs.tf

@@ -71,16 +71,30 @@ output "ingress_static_ip_name" {
   value       = google_compute_global_address.ingress.name
 }
 
+output "ssl_certificate_name" {
+  description = "Google-managed SSL certificate name (use in ingress annotations)"
+  value       = google_compute_managed_ssl_certificate.ingress.name
+}
+
+# -----------------------------------------------------------------------------
+# IAM
+# -----------------------------------------------------------------------------
+
+output "service_account_email" {
+  description = "GCP service account email for Workload Identity"
+  value       = google_service_account.ctrlplane.email
+}
+
 # -----------------------------------------------------------------------------
 # Helm Values
 # -----------------------------------------------------------------------------
 
 output "helm_values" {
-  description = "Paste this into your values.yaml override (fill in fqdn + ingress class)"
+  description = "Helm values.yaml override for the ctrlplane chart"
   sensitive   = true
   value       = yamlencode({
     global = {
-      fqdn = "REPLACE_WITH_YOUR_DOMAIN"
+      fqdn = "https://${var.domain}"
       postgresql = {
         user     = google_sql_user.ctrlplane.name
         password = random_password.postgres.result
@@ -99,6 +113,7 @@ output "helm_values" {
       class  = "gce"
       annotations = {
         "kubernetes.io/ingress.global-static-ip-name" = google_compute_global_address.ingress.name
+        "networking.gke.io/managed-certificates"      = google_compute_managed_ssl_certificate.ingress.name
       }
     }
   })

examples/standalone-infra/variables.tf

@@ -44,3 +44,8 @@ variable "kafka_memory_bytes" {
   type        = number
   default     = 3221225472 # 3 GiB
 }
+
+variable "domain" {
+  description = "Domain name for the ingress (used for managed SSL cert)"
+  type        = string
+}

examples/standalone-infra/versions.tf

@@ -1,8 +1,6 @@
 terraform {
   required_version = ">= 1.5"
 
-  backend "gcs" {}
-
   required_providers {
     google = {
       source  = "hashicorp/google"
@@ -14,8 +12,3 @@ terraform {
     }
   }
 }
-
-provider "google" {
-  project = var.project_id
-  region  = var.region
-}