Terraform module for configuring Google Kubernetes Engine (GKE) to integrate with Expel Workbench.
- Integration Deployment: Facilitates GCP GKE and Expel integration for a specific project.
- Resource Creation: Establishes a Pub/Sub topic, a log sink, and IAM bindings necessary for the integration.
- Log Management: Implements a filter to selectively collect logs for Expel.
- Message Handling: Configures the Pub/Sub system to wait for 600 seconds before resending unacknowledged messages.
- Resource Identification: Applies the prefix "expel-integration" to all resources created by this module for easy identification.
❗ Terraform state may contain sensitive information. Please follow best security practices when securing your state.
When the org_id variable is set, this module will create the resources required to onboard all GKE clusters in a GCP organization to Expel Workbench.
module "expel_gcp_gke" {
source = "expel-io/gke/gcp"
version = "1.0.1"
# The GCP Organization ID to onboard
org_id = "my-gcp-project-id"
}When the project_id variable is set, this module will create the resources required to onboard all GKE clusters in a specific project to Expel Workbench.
module "expel_gcp_gke" {
source = "expel-io/gke/gcp"
version = "1.0.1"
# The GCP Project ID to onboard
project_id = "my-gcp-project-id"
}Once you have configured your GCP environment, go to Expel Workbench and create a GKE security device to enable Expel to begin monitoring your GCP environment.
The permissions allocated by this module allow Expel Workbench to perform investigations and discover GKE clusters in the environment.
You can find examples of how to use this module in the examples directory.
- Will always create a new log sink
- Will always create a new pub/sub queue
See Expel's Getting Started Guide for GKE for more onboarding information.
Found a bug or have an idea for a new feature? Please create an issue. We'll respond as soon as possible!
We welcome contributions! Here's how you can help:
- Fork the Project.
- Create your Feature Branch (
git checkout -b feature/AmazingFeature). - Commit your Changes (
git commit -m 'Add some AmazingFeature'). - Push to the Branch (
git push origin feature/AmazingFeature). - Open a Pull Request.
Please read our Contributing Code of Conduct to get started.
| Name | Version |
|---|---|
| terraform | >= 1.1.0 |
| ~> 4.10.0 |
| Name | Version |
|---|---|
| 4.10.0 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| expel_project_id | When onboarding at the organization level, a new project will be created with this ID. | string |
"expel-gke-integration" |
no |
| iam_role_name | The name of the IAM role to be created for Expel | string |
"ExpelIntegrationKubernetesReader" |
no |
| log_sink_filter | The log sink filter that determines what logs are delivered to pub/sub and consumed by Expel. | string |
"(resource.type=gke_cluster OR resource.type=k8s_cluster)\n-proto_payload.method_name=\"io.k8s.core.v1.nodes.proxy.get\"\n-proto_payload.method_name=\"io.k8s.coordination.v1.leases.update\"\n-proto_payload.method_name=\"io.k8s.core.v1.limitranges.update\"\n-proto_payload.method_name=\"io.k8s.autoscaling\"\n" |
no |
| org_id | The organization ID to onboard with Expel Workbench. | string |
null |
no |
| prefix | A prefix to group all Expel integration resources. | string |
"expel-integration" |
no |
| project_id | The project ID to onboard with Expel Workbench. | string |
null |
no |
| pubsub_ack_deadline_seconds | The number of seconds pub/sub will wait for a subscriber to acknowledge receiving a message before re-attempting delivery. | number |
600 |
no |
| service_account_name | The name of the service account to be created for Expel. | string |
"gke-account" |
no |
| Name | Description |
|---|---|
| pubsub_subscription_name | Name of the Kinesis data stream Expel will consume from |
| service_account_key | The service account credentials required by Expel for onboarding |