DEPRECATION
This repo is going to be archived. The terraform templates that should be used for deploying an Ops Manager, PAS and/or PKS, can be found at https://github.com/pivotal/paving No PRs or Issues will be responded to here.
Terraforming GCP
How Does One Use This?
Please note that the master branch is generally unstable. If you are looking for something "tested", please consume one of our releases.
What Does This Do?
You will get a booted ops-manager VM plus some networking, just the bare bones basically.
Looking to setup a different IAAS
We have have other terraform templates to help you!
This list will be updated when more infrastructures come along.
Prerequisites
Your system needs the gcloud cli, as well as terraform:
brew update
brew install Caskroom/cask/google-cloud-sdk
brew install terraformAre you using Platform Automation?
Be sure to skip the creation of the Ops Manager VM. Do not include the vars listed here. If you create your Ops Manager using terraform, you will not be able to manage it with Platform Automation.
Deployment of the infrastructure is still required.
Deploying Infrastructure
Depending if you're deploying PAS, PKS or Control Plane you need to perform the following steps:
cdinto the proper directory:- Create
terraform.tfvarsfile - Run terraform apply:
terraform init
terraform plan -out=plan
terraform apply planNotes
You will need a key file for your service account to allow terraform to deploy resources. If you don't have one, you can create a service account and a key for it:
gcloud iam service-accounts create ACCOUNT_NAME --display-name "Some Account Name"
gcloud iam service-accounts keys create "terraform.key.json" --iam-account "ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com"
gcloud projects add-iam-policy-binding PROJECT_ID --member 'serviceAccount:ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com' --role 'roles/owner'You will need to enable the following Google Cloud APIs:
Var File
Copy the stub content below into a file called terraform.tfvars and put it in the root of this project.
These vars will be used when you run terraform apply.
You should fill in the stub values with the correct content.
env_name = "some-environment-name"
project = "your-gcp-project"
region = "us-central1"
zones = ["us-central1-a", "us-central1-b", "us-central1-c"]
dns_suffix = "gcp.some-project.cf-app.com"
opsman_image = "ops-manager-2-10-build-48"
buckets_location = "US"
ssl_cert = <<SSL_CERT
-----BEGIN CERTIFICATE-----
some cert
-----END CERTIFICATE-----
SSL_CERT
ssl_private_key = <<SSL_KEY
-----BEGIN RSA PRIVATE KEY-----
some cert private key
-----END RSA PRIVATE KEY-----
SSL_KEY
service_account_key = <<SERVICE_ACCOUNT_KEY
{
"type": "service_account",
"project_id": "your-gcp-project",
"private_key_id": "another-gcp-private-key",
"private_key": "-----BEGIN PRIVATE KEY-----another gcp private key-----END PRIVATE KEY-----\n",
"client_email": "[email protected]",
"client_id": "11111111111111",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/"
}
SERVICE_ACCOUNT_KEYVar Details
- env_name: (required) An arbitrary unique name for namespacing resources. Max 23 characters.
- project: (required) ID for your GCP project.
- region: (required) Region in which to create resources (e.g. us-central1)
- zones: (required) Zones in which to create resources. Must be within the given region. Currently you must specify exactly 3 unique Zones for this terraform configuration to work. (e.g. [us-central1-a, us-central1-b, us-central1-c])
- opsman_image_url (optional) Source URL of the Ops Manager image you want to boot.
- service_account_key: (required) Contents of your service account key file generated using the
gcloud iam service-accounts keys createcommand. - dns_suffix: (required) Domain to add environment subdomain to (e.g. foo.example.com). Trailing dots are not supported.
- buckets_location: (optional) Loction in which to create buckets. Defaults to US.
- ssl_cert: (conditionally required) SSL certificate for HTTP load balancer configuration. Required unless
ssl_ca_certis specified. - ssl_private_key: (conditionally required) Private key for above SSL certificate. Required unless
ssl_ca_certis specified. - ssl_ca_cert: (conditionally required) SSL CA certificate used to generate self-signed HTTP load balancer certificate. Required unless
ssl_certis specified. - ssl_ca_private_key: (conditionally required) Private key for above SSL CA certificate. Required unless
ssl_certis specified. - opsman_storage_bucket_count: (optional) Google Storage Bucket for BOSH's Blobstore.
- create_iam_service_account_members: (optional) Create IAM Service Account project roles. Default to
true.
DNS Records
- pcf.$env_name.$dns_suffix: Points at the Ops Manager VM's public IP address.
- *.sys.$env_name.$dns_suffix: Points at the HTTP/S load balancer in front of the Router.
- doppler.sys.$env_name.$dns_suffix: Points at the TCP load balancer in front of the Router. This address is used to send websocket traffic to the Doppler server.
- loggregator.sys.$env_name.$dns_suffix: Points at the TCP load balancer in front of the Router. This address is used to send websocket traffic to the Loggregator Trafficcontroller.
- *.apps.$env_name.$dns_suffix: Points at the HTTP/S load balancer in front of the Router.
- *.ws.$env_name.$dns_suffix: Points at the TCP load balancer in front of the Router. This address can be used for application websocket traffic.
- ssh.sys.$env_name.$dns_suffix: Points at the TCP load balancer in front of the Diego brain.
- tcp.$env_name.$dns_suffix: Points at the TCP load balancer in front of the TCP router.
Isolation Segments (optional)
- isolation_segment: (optional) When set to
truecreates HTTP load-balancer across 3 zones for isolation segments. - iso_seg_with_firewalls: (optional) When set to
truecreates firewall rules to lock down ports on the isolation segment. - iso_seg_ssl_cert: (optional) SSL certificate for Iso Seg HTTP load balancer configuration. Required unless
iso_seg_ssl_ca_certis specified. - iso_seg_ssl_private_key: (optional) Private key for above SSL certificate. Required unless
iso_seg_ssl_ca_certis specified. - iso_seg_ssl_ca_cert: (optional) SSL CA certificate used to generate self-signed Iso Seg HTTP load balancer certificate. Required unless
iso_seg_ssl_certis specified. - iso_seg_ssl_ca_private_key: (optional) Private key for above SSL CA certificate. Required unless
iso_seg_ssl_certis specified.
Cloud SQL Configuration (optional)
- external_database: (optional) When set to
true, a cloud SQL instance will be deployed for the Ops Manager and PAS.
Ops Manager (optional)
- opsman_sql_db_host: (optional) The host the user can connect from. Can be an IP address. Changing this forces a new resource to be created.
- opsman_image_url (optional) Source URL of the Ops Manager image you want to boot (if not provided you get no Ops Manager).
PAS (optional)
- pas_sql_db_host: (optional) The host the user can connect from. Can be an IP address. Changing this forces a new resource to be created.
PAS Cloud Controller's Google Cloud Storage Buckets (optional)
- create_gcs_buckets: (optional) When set to
false, buckets will not be created for PAS Cloud Controller. Defaults totrue.
Internetless (optional)
- internetless: (optional) When set to
true, all traffic going outside the 10.* network is denied. DNS records like '*.apps.DOMAIN' will be pointed to the HAProxy static IP rather than the LB address.
Running
Note: please make sure you have created the terraform.tfvars file above as mentioned.
Tearing down environment
Note: This will only destroy resources deployed by Terraform. You will need to clean up anything deployed on top of that infrastructure yourself (e.g. by running om delete-installation)
terraform destroy