Securely connect to a Google Kubernetes Engine (GKE) Cluster using Terraform, SSH, and Identity-Aware Proxy.
This configuration provides ready-to-use resources for production:
- VPC with Private Google Access enabled.
- Google Kubernetes Engine (GKE) Cluster.
- Managed Instance Group (MIG) hosting a single instance running SSH.
- Preconfigured Kubernetes Terraform Provider.
To create a secure tunnel using Identity-Aware Proxy (IAP) and SSH:
CLOUDSDK_PYTHON_SITEPACKAGES=1 gcloud compute ssh <instance-name> \
--project=<project-name> \
--zone=<instance-zone> \
--tunnel-through-iap \
--ssh-flag="-N -f -D 8888" \To kill the tunnel:
kill -9 $(shell lsof 8888 > /dev/null 2> /dev/null || :To test the connection:
HTTPS_PROXY=socks5://127.0.0.1:8888 kubectl cluster-infoWhen using GitHub Actions:
# Use Workload Identity to authenticate with Google Cloud
- name: Google Cloud Auth
uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ inputs.gcp_workload_identity_provider }}
service_account: ${{ inputs.gcp_service_account }}
- name: Set up gcloud
uses: google-github-actions/setup-gcloud@v2
- name: Create a secure tunnel using IAP and SSH
run: |
gcloud components install gke-gcloud-auth-plugin --quiet
gcloud compute ssh ${{ inputs.gcp_bastion_host }} --tunnel-through-iap --project=${{ inputs.gcp_bastion_project }} --zone=${{ inputs.gcp_bastion_zone }} --ssh-flag="-N -f -D 8888"
- name: Set up Terraform
uses: hashicorp/setup-terraform@v3
- name: Terraform
run: |
terraform init
terraform plan