DEPRECATION

This repo is going to be archived. The terraform templates that should be used for deploying an Ops Manager, PAS and/or PKS, can be found at https://github.com/pivotal/paving No PRs or Issues will be responded to here.

Terraforming GCP

How Does One Use This?

Please note that the master branch is generally unstable. If you are looking for something "tested", please consume one of our releases.

What Does This Do?

You will get a booted ops-manager VM plus some networking, just the bare bones basically.

Looking to setup a different IAAS

We have have other terraform templates to help you!

aws
azure

This list will be updated when more infrastructures come along.

Prerequisites

Your system needs the gcloud cli, as well as terraform:

brew update
brew install Caskroom/cask/google-cloud-sdk
brew install terraform

Are you using Platform Automation?

Be sure to skip the creation of the Ops Manager VM. Do not include the vars listed here. If you create your Ops Manager using terraform, you will not be able to manage it with Platform Automation.

Deployment of the infrastructure is still required.

Deploying Infrastructure

Depending if you're deploying PAS, PKS or Control Plane you need to perform the following steps:

cd into the proper directory:
Create terraform.tfvars file

Run terraform apply:

terraform init
terraform plan -out=plan
terraform apply plan

Notes

You will need a key file for your service account to allow terraform to deploy resources. If you don't have one, you can create a service account and a key for it:

gcloud iam service-accounts create ACCOUNT_NAME --display-name "Some Account Name"
gcloud iam service-accounts keys create "terraform.key.json" --iam-account "ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com"
gcloud projects add-iam-policy-binding PROJECT_ID --member 'serviceAccount:ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com' --role 'roles/owner'

You will need to enable the following Google Cloud APIs:

Var File

Copy the stub content below into a file called terraform.tfvars and put it in the root of this project. These vars will be used when you run terraform apply. You should fill in the stub values with the correct content.

env_name         = "some-environment-name"
project          = "your-gcp-project"
region           = "us-central1"
zones            = ["us-central1-a", "us-central1-b", "us-central1-c"]
dns_suffix       = "gcp.some-project.cf-app.com"
opsman_image     = "ops-manager-2-10-build-48"

buckets_location = "US"

ssl_cert = <<SSL_CERT
-----BEGIN CERTIFICATE-----
some cert
-----END CERTIFICATE-----
SSL_CERT

ssl_private_key = <<SSL_KEY
-----BEGIN RSA PRIVATE KEY-----
some cert private key
-----END RSA PRIVATE KEY-----
SSL_KEY

service_account_key = <<SERVICE_ACCOUNT_KEY
{
  "type": "service_account",
  "project_id": "your-gcp-project",
  "private_key_id": "another-gcp-private-key",
  "private_key": "-----BEGIN PRIVATE KEY-----another gcp private key-----END PRIVATE KEY-----\n",
  "client_email": "something@example.com",
  "client_id": "11111111111111",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/"
}
SERVICE_ACCOUNT_KEY

Var Details

env_name: (required) An arbitrary unique name for namespacing resources. Max 23 characters.
project: (required) ID for your GCP project.
region: (required) Region in which to create resources (e.g. us-central1)
zones: (required) Zones in which to create resources. Must be within the given region. Currently you must specify exactly 3 unique Zones for this terraform configuration to work. (e.g. [us-central1-a, us-central1-b, us-central1-c])
opsman_image_url (optional) Source URL of the Ops Manager image you want to boot.
service_account_key: (required) Contents of your service account key file generated using the gcloud iam service-accounts keys create command.
dns_suffix: (required) Domain to add environment subdomain to (e.g. foo.example.com). Trailing dots are not supported.
buckets_location: (optional) Loction in which to create buckets. Defaults to US.
ssl_cert: (conditionally required) SSL certificate for HTTP load balancer configuration. Required unless ssl_ca_cert is specified.
ssl_private_key: (conditionally required) Private key for above SSL certificate. Required unless ssl_ca_cert is specified.
ssl_ca_cert: (conditionally required) SSL CA certificate used to generate self-signed HTTP load balancer certificate. Required unless ssl_cert is specified.
ssl_ca_private_key: (conditionally required) Private key for above SSL CA certificate. Required unless ssl_cert is specified.
opsman_storage_bucket_count: (optional) Google Storage Bucket for BOSH's Blobstore.
create_iam_service_account_members: (optional) Create IAM Service Account project roles. Default to true.

DNS Records

pcf.$env_name.$dns_suffix: Points at the Ops Manager VM's public IP address.
*.sys.$env_name.$dns_suffix: Points at the HTTP/S load balancer in front of the Router.
doppler.sys.$env_name.$dns_suffix: Points at the TCP load balancer in front of the Router. This address is used to send websocket traffic to the Doppler server.
loggregator.sys.$env_name.$dns_suffix: Points at the TCP load balancer in front of the Router. This address is used to send websocket traffic to the Loggregator Trafficcontroller.
*.apps.$env_name.$dns_suffix: Points at the HTTP/S load balancer in front of the Router.
*.ws.$env_name.$dns_suffix: Points at the TCP load balancer in front of the Router. This address can be used for application websocket traffic.
ssh.sys.$env_name.$dns_suffix: Points at the TCP load balancer in front of the Diego brain.
tcp.$env_name.$dns_suffix: Points at the TCP load balancer in front of the TCP router.

Isolation Segments (optional)

isolation_segment: (optional) When set to true creates HTTP load-balancer across 3 zones for isolation segments.
iso_seg_with_firewalls: (optional) When set to true creates firewall rules to lock down ports on the isolation segment.
iso_seg_ssl_cert: (optional) SSL certificate for Iso Seg HTTP load balancer configuration. Required unless iso_seg_ssl_ca_cert is specified.
iso_seg_ssl_private_key: (optional) Private key for above SSL certificate. Required unless iso_seg_ssl_ca_cert is specified.
iso_seg_ssl_ca_cert: (optional) SSL CA certificate used to generate self-signed Iso Seg HTTP load balancer certificate. Required unless iso_seg_ssl_cert is specified.
iso_seg_ssl_ca_private_key: (optional) Private key for above SSL CA certificate. Required unless iso_seg_ssl_cert is specified.

Cloud SQL Configuration (optional)

external_database: (optional) When set to true, a cloud SQL instance will be deployed for the Ops Manager and PAS.

Ops Manager (optional)

opsman_sql_db_host: (optional) The host the user can connect from. Can be an IP address. Changing this forces a new resource to be created.
opsman_image_url (optional) Source URL of the Ops Manager image you want to boot (if not provided you get no Ops Manager).

PAS (optional)

pas_sql_db_host: (optional) The host the user can connect from. Can be an IP address. Changing this forces a new resource to be created.

PAS Cloud Controller's Google Cloud Storage Buckets (optional)

create_gcs_buckets: (optional) When set to false, buckets will not be created for PAS Cloud Controller. Defaults to true.

Internetless (optional)

internetless: (optional) When set to true, all traffic going outside the 10. network is denied. DNS records like '.apps.DOMAIN' will be pointed to the HAProxy static IP rather than the LB address.

Running

Note: please make sure you have created the terraform.tfvars file above as mentioned.

Tearing down environment

Note: This will only destroy resources deployed by Terraform. You will need to clean up anything deployed on top of that infrastructure yourself (e.g. by running om delete-installation)

terraform destroy

vmware-archive / terraforming-gcp

readme