Reputation: 25409
I have 2 k8s clusters, both in GKE and both provisioned via Terraform, but one of them is in Autopilot mode.
But I can't find any resource online on how to enable Anthos Service Mesh in them via Terraform.
When I click on any of the clusters' details pages I see:
Both clusters are already registered to my Anthos fleet, for example:
```hcl
resource "google_gke_hub_membership" "anthos_registration" {
  provider      = google-beta
  project       = var.project_id
  membership_id = google_container_cluster.cluster.name
  endpoint {
    gke_cluster {
      resource_link = "//container.googleapis.com/${google_container_cluster.cluster.id}"
    }
  }
}
```
Upvotes: 1
Views: 851
Reputation: 11
The above-mentioned submodule has a lot of authentication issues. To install Anthos Service Mesh on a GKE private cluster, make use of the Terraform resource.
```hcl
# servicemesh installation: estimated wait of 5-6 mins after creation
resource "google_gke_hub_feature_membership" "feature_member" {
  location   = "global"
  feature    = "servicemesh"
  membership = google_gke_hub_membership.membership.membership_id
  mesh {
    management = "MANAGEMENT_AUTOMATIC"
  }
}
```
Upvotes: 1
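The fleet-API route from the answer above, written out end to end for a cluster that already exists (Standard or Autopilot). This is an added example, not code from any of the posters or from the module's authors. The names `enabled_apis`, `mesh`, `mesh_member` and the `cluster_name` / `cluster_location` variables are hypothetical, and it assumes a provider version that exposes these resources in `google` (otherwise set `provider = google-beta` as the posts do). If the membership is already declared, as in the question, reference that resource instead of creating a second one.

```hcl
# Added example; variable and resource names are hypothetical.
variable "project_id" { type = string }
variable "cluster_name" { type = string }
variable "cluster_location" { type = string }

# APIs that fleet registration and the managed mesh depend on.
resource "google_project_service" "enabled_apis" {
  for_each           = toset(["gkehub.googleapis.com", "mesh.googleapis.com"])
  project            = var.project_id
  service            = each.value
  disable_on_destroy = false
}

# Look up a cluster that is managed elsewhere.
data "google_container_cluster" "cluster" {
  project  = var.project_id
  name     = var.cluster_name
  location = var.cluster_location
}

resource "google_gke_hub_membership" "membership" {
  project       = var.project_id
  membership_id = data.google_container_cluster.cluster.name
  endpoint {
    gke_cluster {
      resource_link = "//container.googleapis.com/${data.google_container_cluster.cluster.id}"
    }
  }
  depends_on = [google_project_service.enabled_apis]
}

# Fleet-level feature; it must exist before a cluster can be attached to it.
resource "google_gke_hub_feature" "mesh" {
  project    = var.project_id
  name       = "servicemesh"
  location   = "global"
  depends_on = [google_project_service.enabled_apis]
}

# Per-cluster opt-in to the managed control plane.
resource "google_gke_hub_feature_membership" "mesh_member" {
  project    = var.project_id
  location   = "global"
  feature    = google_gke_hub_feature.mesh.name
  membership = google_gke_hub_membership.membership.membership_id
  mesh {
    management = "MANAGEMENT_AUTOMATIC"
  }
}
```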
Reputation: 25409
Got a simple example of a GKE cluster working with Anthos Service Mesh via Terraform; posting it here in case someone needs it in the future:
```hcl
data "google_client_config" "default" {}

provider "kubernetes" {
  host                   = "https://${module.gke.endpoint}"
  token                  = data.google_client_config.default.access_token
  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
}

data "google_project" "project" {
  project_id = var.project_id
}

module "gke" {
  source                  = "terraform-google-modules/kubernetes-engine/google//"
  project_id              = var.project_id
  name                    = "test-prefix-cluster"
  regional                = false
  region                  = var.region
  zones                   = var.zones
  release_channel         = "REGULAR"
  network                 = "default"
  subnetwork              = "default"
  ip_range_pods           = ""
  ip_range_services       = ""
  network_policy          = false
  cluster_resource_labels = { "mesh_id" : "proj-${data.google_project.project.number}" }
  identity_namespace      = "${var.project_id}.svc.id.goog"
  deletion_protection     = false
  node_pools = [
    {
      service_account = google_service_account.iam_sa.email
      name            = "asm-node-pool"
      autoscaling     = false
      auto_upgrade    = true
      node_count      = 2
      machine_type    = "e2-standard-4"
    },
  ]
}

module "asm" {
  source                    = "terraform-google-modules/kubernetes-engine/google//modules/asm"
  project_id                = var.project_id
  cluster_name              = module.gke.name
  cluster_location          = module.gke.location
  multicluster_mode         = "connected"
  enable_cni                = true
  enable_fleet_registration = true
  enable_mesh_feature       = true
}
```
Upvotes: 1
Reputation: 2140
There is a dedicated module for that https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google/latest/submodules/asm
Upvotes: 2