Tanzu Application Service – Part 3: deploying resources in GCP using terraform

Before proceeding with ops manager installation, the following cloud infrastructure resources are to be created:

              • network
              • subnets
              • load balancers
              • external IP addresses
              • firewall rules
              • dns entries

Terraform is used to automate the provisioning of these resources. In GCP, we obtain permission to perform these actions by creating a service account with appropriate roles.

Connect to jumpbox using cloud shell or by taking ssh to jumpbox directly from local workstation. I have used ssh from my local desktop and ran below commands, if you have any Q connecting through cloud shell, please put in comment section below:

Add three new environment variables to your environment file, ~/.env, as follows:

export ENV_NAME=captainv # replace this with name of your choice

export DOMAIN_NAME=captainvirtualization.com # replace this with your own domain name

export PROJECT_ID=$(gcloud config get-value core/project)

#check the env file 

root@jumpbox:~# cat ~/.env
PIVNET_TOKEN=70fd180d6b424204af752a2644-r
ENV_NAME=captainv
DOMAIN_NAME=captainvirtualization.com
PROJECT_ID=captainv-tas-332315

# source your environment file using
source ~/.env

Run the command: gcloud services list to list the currently enabled APIs, if it is not listing any output or incase failing with authorization errors, then try below:

#You will observe that the account is a default service account which is automatically created.
gcloud config list

#execute the following command to authorize
gcloud auth login

#validate the account has been altered
gcloud config list

The required APIs, which are not enabled by default in new projects, can be activated by running the following:

gcloud services enable compute.googleapis.com && gcloud services enable iam.googleapis.com && gcloud services enable cloudresourcemanager.googleapis.com && gcloud services enable dns.googleapis.com && gcloud services enable sqladmin.googleapis.com

A service account with authorization to create resources in your GCP project is necessary to allow Terraform to pave your infrastructure

ACCOUNT_NAME=terraform-sa

# where terraform-sa is the service account name

#Command to create service account: 

gcloud iam service-accounts create ${ACCOUNT_NAME} 

# Generate a service account key file named terraform.key.json

gcloud iam service-accounts keys create "terraform.key.json" --iam-account "${ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

# Give the service account with owner role authorization:

gcloud projects add-iam-policy-binding ${PROJECT_ID} \ --member "serviceAccount:${ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \ --role 'roles/owner'

Generate a wildcard SSL certificate: 

Create an OpenSSL configuration file.

cat > ./${ENV_NAME}.${DOMAIN_NAME}.cnf <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256 
req_extensions = req_ext 
distinguished_name = dn

[ dn ]
C=<Country name eg: IN>
ST=<provide state name ex: KA>
L=<provide Location ex: Bengaluru>
O=<Organization ex: captainvirtualization.>
OU=<optional ex: com>
CN = ${ENV_NAME}.${DOMAIN_NAME}

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.sys.${ENV_NAME}.${DOMAIN_NAME} 
DNS.2 = *.login.sys.${ENV_NAME}.${DOMAIN_NAME} 
DNS.3 = *.uaa.sys.${ENV_NAME}.${DOMAIN_NAME} 
DNS.4 = *.apps.${ENV_NAME}.${DOMAIN_NAME} 
EOF

Use the OpenSSL utility to generate a key and a certificate signed with that key:

openssl req -x509 \
-newkey rsa:2048 \
-nodes \
-keyout ${ENV_NAME}.${DOMAIN_NAME}.key \ -out ${ENV_NAME}.${DOMAIN_NAME}.cert \ -config ./${ENV_NAME}.${DOMAIN_NAME}.cnf

Install terraform:

Note: Ensure to install terraform version < “0.12.0”, I have used 0.11.14

wget -O terraform.zip https://releases.hashicorp.com/terraform/0.11.14/terraform_0.11.14_linux_amd64.zip && \
unzip terraform.zip && \
sudo mv terraform /usr/local/bin
  • Unzip the terraform templates zip file (terraforming-gcp-0.98.0.zip) you downloaded from the Tanzu Network in earlier post
  • Navigate to directory terraforming-pas

Create a file named terraform.tfvars by resolving it from the following template:

cat > ./terraform.tfvars <<-EOF
env_name="$ENV_NAME"
project="$PROJECT_ID"
region="asia-south1"
zones=["asia-south1-a","asia-south1-b","asia-south1-c"]
dns_suffix="$DOMAIN_NAME"
opsman_image_url="https://storage.googleapis.com/ops-manager-us/pcf-gcp-2.10.21-build.330.tar.gz"
create_gcs_buckets = "false" 
external_database = 0
ssl_cert = <<SSL_CERT 
-----BEGIN CERTIFICATE-----
<copy the remaining content from .crt>
-----END CERTIFICATE-----
ssl_private_key = <<SSL_KEY 
-----BEGIN PRIVATE KEY-----
<copy the remaining content from .key>
-----END PRIVATE KEY-----
service_account_key = <<SERVICE_ACCOUNT_KEY $(cat ~/terraform.key.json) SERVICE_ACCOUNT_KEY
EOF

Navigate to terraforming-pas directory and execute the following:

terraform init

terraform plan

terraform apply

Note: Above commands will take few minutes to complete and post that a terraform.tfstate file will be created into your current working directory which will be used later.

Review the resources from cloud console: 

Login into Cloud console UI > VPC Network – which shows 3 newly created subnets each for management vm’s, platform components and services vm’s. Also, take a look at external IP addresses, firewall rules, routes, load balancing and Cloud DNS.

Leave a Reply