GCP GKE Cluster
Standard GKE cluster with Workload Identity, managed node pool, and VPC-native networking.
Prerequisites
- gcloud CLI installed and authenticated (Application Default Credentials are used by the provider)
- GCP project with the Kubernetes Engine API enabled
- Terraform >= 1.5.0
Template Code
# ─────────────────────────────────────────────────────────────────────────────
# GCP GKE Standard Cluster
# ─────────────────────────────────────────────────────────────────────────────
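# Terraform and provider version constraints.
terraform {
  # Enforce the ">= 1.5.0" prerequisite in code so an older CLI fails fast
  # instead of misreading newer syntax.
  required_version = ">= 1.5.0"

  required_providers {
    google = {
      source = "hashicorp/google"
      # Any 5.x release. Bump deliberately: major versions change resource
      # defaults (e.g. deletion protection, legacy metadata endpoints).
      version = "~> 5.0"
    }
  }
}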
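# Inputs. Types are declared so a wrong value is rejected at plan time rather
# than surfacing as a confusing API error; names and defaults are unchanged.

variable "project_id" {
  description = "GCP project that hosts the cluster; also names the Workload Identity pool (<project_id>.svc.id.goog)."
  type        = string
}

variable "region" {
  description = "Region used as the cluster and node-pool location, which makes both regional (multi-zone)."
  type        = string
  default     = "us-central1"
}

variable "cluster_name" {
  description = "Name of the GKE cluster."
  type        = string
  default     = "my-gke-cluster"
}

variable "node_count" {
  description = "Node count the managed pool is created with. For a regional pool this is per zone, so the total is node_count x zones."
  type        = number
  default     = 3
}

variable "machine_type" {
  description = "Compute Engine machine type for the managed node pool."
  type        = string
  default     = "e2-standard-4"
}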
# No credentials are configured here: the provider reads Application Default
# Credentials from the environment (the Usage section runs
# `gcloud auth application-default login` for this).
provider "google" {
  project = var.project_id
  region  = var.region
}
# GKE Standard cluster. A region-valued location makes this a regional
# (multi-zone) control plane.
resource "google_container_cluster" "main" {
  name     = var.cluster_name
  location = var.region

  # Use separate node pool: the default pool is created and then removed, so
  # all nodes come from google_container_node_pool.main. initial_node_count
  # still has to be >= 1 for the create call to succeed.
  remove_default_node_pool = true
  initial_node_count       = 1

  # Workload Identity: pods obtain IAM credentials via Kubernetes service
  # accounts bound to IAM service accounts, instead of using the node's
  # service-account token.
  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }

  # VPC-native networking: an empty block enables alias IPs and lets GKE pick
  # the pod/service secondary ranges.
  ip_allocation_policy {}

  # Disable client-certificate issuance (a legacy authentication method);
  # clients authenticate with IAM/OAuth tokens instead. (This block does not
  # affect the node metadata "legacy endpoints", which are a node_config
  # setting.)
  master_auth {
    client_certificate_config { issue_client_certificate = false }
  }

  # NOTE(review): neither private_cluster_config nor
  # master_authorized_networks_config is set, so the control-plane endpoint is
  # reachable from any IP (authentication is still required). Add an
  # authorized-networks allowlist or a private endpoint before production use.
}
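# Managed node pool for google_container_cluster.main.
resource "google_container_node_pool" "main" {
  name     = "main-pool"
  location = var.region
  cluster  = google_container_cluster.main.name

  # With autoscaling enabled the autoscaler owns the node count. Setting
  # node_count alongside autoscaling makes every apply reset the pool back to
  # var.node_count; initial_node_count only seeds the pool at creation.
  # For a regional pool this is per zone.
  initial_node_count = var.node_count

  node_config {
    machine_type = var.machine_type
    disk_size_gb = 50
    disk_type    = "pd-ssd"

    # Required for Workload Identity: the GKE metadata server answers
    # metadata requests so pods cannot read the node's service-account token.
    workload_metadata_config { mode = "GKE_METADATA" }

    # Shielded VM options for the nodes. Integrity monitoring is the default;
    # secure boot is not, so it is enabled explicitly here.
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }

    # Disable the legacy (v0.1/v1beta1) metadata endpoints explicitly, so the
    # hardening does not depend on provider defaults.
    metadata = {
      disable-legacy-endpoints = "true"
    }

    # Node OAuth scopes are limited to logging, monitoring and read-only GCS.
    # NOTE(review): no service_account is set, so nodes run as the project's
    # default Compute Engine service account. Point this at a dedicated,
    # least-privilege service account (roles/container.nodeServiceAccount)
    # before production use.
    oauth_scopes = [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
      "https://www.googleapis.com/auth/devstorage.read_only",
    ]
  }

  # Bounds are per zone for a regional pool.
  autoscaling {
    min_node_count = 1
    max_node_count = 10
  }

  management {
    auto_repair  = true
    auto_upgrade = true
  }
}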
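output "cluster_name" {
  value = google_container_cluster.main.name
}

# HCL requires one attribute per line (or a newline between them); the original
# put `value` and `sensitive` on the same line, which does not parse.
# sensitive = true keeps the endpoint out of plan/apply output and logs; it is
# still readable with `terraform output -raw cluster_endpoint`.
output "cluster_endpoint" {
  value     = google_container_cluster.main.endpoint
  sensitive = true
}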
Usage
gcloud auth application-default login
terraform init
terraform apply -var="project_id=my-gcp-project"