chore: Adding examples to accompany GCP blog that highlights GKE ACM features (#973)

* Adding examples to accompany GCP blog that highlights GKE ACM features

* Addressing comments

* Addressing comments

* Addressing comments

* Addressing comments

* Addressing comments

* Addressing comments

* Addressing comments

* Addressing comments

* Addressing comments

Author: AlexBulankou

examples/acm-terraform-blog-part1/README.md

@@ -0,0 +1,76 @@
+# Enable ACM features with Terraform - Part 1
+
+This is Part1 of the tutorial to accompany a short series of  blog articles explaining how to enable [Anthos Config Management (ACM)](https://cloud.google.com/anthos/config-management) with Terraform.
+
+In this tutorial, we'll explain how to use Teraform to create a cluster and manage its config from git via [Config Sync](https://cloud.google.com/anthos-config-management/docs/config-sync-overview).
+
+[Next part](../acm-terraform-blog-part2) will build on that to add guard rails for the cluster via [Policy Controller](https://cloud.google.com/anthos-config-management/docs/concepts/policy-controller). We will focus on enabling an ongoing audit of cluster resources using the Policy Controller's built in [Policy Library](http://cloud/anthos-config-management/docs/reference/constraint-template-library) and a bundle of constraints enforcings [CIS Kubernetes Benchmark v.1.5.1](https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks).
+
+Subsequent articles will discuss other aspects of ACM to manage your GCP infrastrcuture.
+
+## Enable Config Sync on the cluster with Terraform
+
+1. Clone this repo
+1. Set variables that will be used in multiple commands:
+
+    ```bash
+    FOLDER_ID = [FOLDER]
+    BILLING_ACCOUNT = [BILLING_ACCOUNT]
+    PROJECT_ID = [PROJECT_ID]
+    ```
+
+1. Create project:
+
+    ```bash
+    gcloud auth login
+    gcloud projects create $PROJECT_ID --name=$PROJECT_ID --folder=$FOLDER_ID
+    gcloud alpha billing projects link $PROJECT_ID --billing-account $BILLING_ACCOUNT
+    gcloud config set project $PROJECT_ID
+    ```
+
+1. Create cluster using terraform using defaults other than the project:
+
+    ```bash
+    # obtain user access credentials to use for Terraform commands
+    gcloud auth application-default login
+
+    # continue in /terraform directory
+    cd terraform
+
+    terraform init
+    terraform plan -var=project=$PROJECT_ID
+    terraform apply -var=project=$PROJECT_ID
+    ```
+   NOTE: if you get an error due to default network not being present, run `gcloud compute networks create default --subnet-mode=auto` and retry the commands.
+
+1. To verify things have sync'ed, you can use `gcloud` to check status:
+
+    ```bash
+    gcloud alpha container hub config-management status --project $PROJECT_ID
+    ```
+
+    In the output, notice that the `Status` will eventually show as `SYNCED` and the `Last_Synced_Token` will match the repo hash.
+
+1. To see wordpress itself, you can use the kubectl proxy to connect to the service:
+
+    ```bash
+    # get values from cluster that was created
+    export CLUSTER_ZONE=$(terraform output -raw cluster_location)
+    export CLUSTER_NAME=$(terraform output -raw cluster_name)
+
+    # then get creditials for it and proxy to the wordpress service to see it running
+    gcloud container clusters get-credentials $CLUSTER_NAME --zone $CLUSTER_ZONE --project $PROJECT_ID
+    kubectl proxy --port 8888 &
+
+    # curl or use the browser
+    curl http://127.0.0.1:8888/api/v1/namespaces/default/services/wordpress/proxy/wp-admin/install.php
+
+    ```
+
+1. Finally, let's clean up. First, don't forget to foreground the proxy again to kill it. Also, apply `terraform destroy` to remove the GCP resources that were deployed to the project.
+
+   ```bash
+    fg # ctrl-c
+
+    terraform destroy -var=project=$PROJECT_ID
+    ```

examples/acm-terraform-blog-part1/config-root/wordpress-bundle.yaml

@@ -0,0 +1,155 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: wp-config
+data:
+  ### We're using a ConfigMap for simplicity, but in real life one should
+  ### use a secret manager or other best practice for this database password.
+  MYSQL_ROOT_PASSWORD: "wp_user"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: wordpress-mysql
+  labels:
+    app: wordpress
+spec:
+  ports:
+    - port: 3306
+  selector:
+    app: wordpress
+    tier: mysql
+  clusterIP: None
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mysql-pvc
+  labels:
+    app: wordpress
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: wordpress-mysql
+  labels:
+    app: wordpress
+spec:
+  selector:
+    matchLabels:
+      app: wordpress
+      tier: mysql
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: wordpress
+        tier: mysql
+    spec:
+      containers:
+      - image: mariadb:latest
+        name: mysql
+        env:
+        - name: MYSQL_ROOT_PASSWORD
+          valueFrom:
+            configMapKeyRef:
+              name: wp-config
+              key: MYSQL_ROOT_PASSWORD
+        ports:
+        - containerPort: 3306
+          name: mysql
+        volumeMounts:
+        - name: mysql-persistent-storage
+          mountPath: /var/lib/mysql
+      volumes:
+      - name: mysql-persistent-storage
+        persistentVolumeClaim:
+          claimName: mysql-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: wordpress
+  labels:
+    app: wordpress
+spec:
+  ports:
+    - port: 80
+  selector:
+    app: wordpress
+    tier: frontend
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: wp-pvc
+  labels:
+    app: wordpress
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: wordpress
+  labels:
+    app: wordpress
+spec:
+  selector:
+    matchLabels:
+      app: wordpress
+      tier: frontend
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: wordpress
+        tier: frontend
+    spec:
+      containers:
+      - image: wordpress:4.8-apache
+        name: wordpress
+        env:
+        - name: WORDPRESS_DB_HOST
+          value: wordpress-mysql
+        - name: WORDPRESS_DB_PASSWORD
+          valueFrom:
+            configMapKeyRef:
+              name: wp-config
+              key: MYSQL_ROOT_PASSWORD
+        ports:
+        - containerPort: 80
+          name: wordpress
+        volumeMounts:
+        - name: wordpress-persistent-storage
+          mountPath: /var/www/html
+      volumes:
+      - name: wordpress-persistent-storage
+        persistentVolumeClaim:
+          claimName: wp-pvc

examples/acm-terraform-blog-part1/terraform/gke.tf

@@ -0,0 +1,44 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "enabled_google_apis" {
+  source  = "terraform-google-modules/project-factory/google//modules/project_services"
+  version = "~> 10.0"
+
+  project_id                  = var.project
+  disable_services_on_destroy = false
+
+  activate_apis = [
+    "compute.googleapis.com",
+    "container.googleapis.com",
+    "gkehub.googleapis.com",
+    "anthosconfigmanagement.googleapis.com"
+  ]
+}
+
+module "gke" {
+  source             = "terraform-google-modules/kubernetes-engine/google"
+  version            = "~> 16.0"
+  project_id         = module.enabled_google_apis.project_id
+  name               = "sfl-acm-part1"
+  region             = var.region
+  zones              = [var.zone]
+  initial_node_count = 4
+  network            = "default"
+  subnetwork         = "default"
+  ip_range_pods      = ""
+  ip_range_services  = ""
+}

examples/acm-terraform-blog-part1/terraform/main.tf

@@ -0,0 +1,53 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_gke_hub_membership" "membership" {
+  provider      = google-beta
+  membership_id = "membership-hub"
+  endpoint {
+    gke_cluster {
+      resource_link = "//container.googleapis.com/${module.gke.cluster_id}"
+    }
+  }
+}
+
+resource "google_gke_hub_feature" "configmanagement_acm_feature" {
+  name     = "configmanagement"
+  location = "global"
+  provider = google-beta
+}
+
+resource "google_gke_hub_feature_membership" "feature_member" {
+  provider   = google-beta
+  location   = "global"
+  feature    = "configmanagement"
+  membership = google_gke_hub_membership.membership.membership_id
+  configmanagement {
+    version = "1.8.0"
+    config_sync {
+      source_format = "unstructured"
+      git {
+        sync_repo   = var.sync_repo
+        sync_branch = var.sync_branch
+        policy_dir  = var.policy_dir
+        secret_type = "none"
+      }
+    }
+  }
+  depends_on = [
+    google_gke_hub_feature.configmanagement_acm_feature
+  ]
+}

examples/acm-terraform-blog-part1/terraform/outputs.tf

@@ -0,0 +1,23 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "cluster_location" {
+  value = module.gke.location
+}
+
+output "cluster_name" {
+  value = module.gke.name
+}

examples/acm-terraform-blog-part1/terraform/providers.tf

@@ -0,0 +1,29 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_providers {
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = "3.73.0"
+    }
+  }
+}
+provider "google-beta" {
+  project = var.project
+  region  = var.region
+  zone    = var.zone
+}