Tanzu Application Service – Part 3: deploying resources in GCP using terraform

Eknath - 14 November 202114 November 2021

Reading Time: 3 mins

Before proceeding with ops manager installation, the following cloud infrastructure resources are to be created:

- - - - network
        
        subnets
        
        load balancers
        
        external IP addresses
        
        firewall rules
        
        dns entries

Terraform is used to automate the provisioning of these resources. In GCP, we obtain permission to perform these actions by creating a service account with appropriate roles.

Connect to jumpbox using cloud shell or by taking ssh to jumpbox directly from local workstation. I have used ssh from my local desktop and ran below commands, if you have any Q connecting through cloud shell, please put in comment section below:

Add three new environment variables to your environment file, ~/.env, as follows:

export ENV_NAME=captainv # replace this with name of your choice

export DOMAIN_NAME=captainvirtualization.com # replace this with your own domain name

export PROJECT_ID=$(gcloud config get-value core/project)

#check the env file 

root@jumpbox:~# cat ~/.env
PIVNET_TOKEN=70fd180d6b424204af752a2644-r
ENV_NAME=captainv
DOMAIN_NAME=captainvirtualization.com
PROJECT_ID=captainv-tas-332315

# source your environment file using
source ~/.env

Run the command: gcloud services list to list the currently enabled APIs, if it is not listing any output or incase failing with authorization errors, then try below:

#You will observe that the account is a default service account which is automatically created.
gcloud config list

#execute the following command to authorize
gcloud auth login

#validate the account has been altered
gcloud config list

The required APIs, which are not enabled by default in new projects, can be activated by running the following:

gcloud services enable compute.googleapis.com && gcloud services enable iam.googleapis.com && gcloud services enable cloudresourcemanager.googleapis.com && gcloud services enable dns.googleapis.com && gcloud services enable sqladmin.googleapis.com

A service account with authorization to create resources in your GCP project is necessary to allow Terraform to pave your infrastructure

ACCOUNT_NAME=terraform-sa

# where terraform-sa is the service account name

#Command to create service account: 

gcloud iam service-accounts create ${ACCOUNT_NAME} 

# Generate a service account key file named terraform.key.json

gcloud iam service-accounts keys create "terraform.key.json" --iam-account "${ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

# Give the service account with owner role authorization:

gcloud projects add-iam-policy-binding ${PROJECT_ID} \ --member "serviceAccount:${ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \ --role 'roles/owner'

Generate a wildcard SSL certificate:

Create an OpenSSL configuration file.

cat > ./${ENV_NAME}.${DOMAIN_NAME}.cnf <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256 
req_extensions = req_ext 
distinguished_name = dn

[ dn ]
C=<Country name eg: IN>
ST=<provide state name ex: KA>
L=<provide Location ex: Bengaluru>
O=<Organization ex: captainvirtualization.>
OU=<optional ex: com>
CN = ${ENV_NAME}.${DOMAIN_NAME}

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.sys.${ENV_NAME}.${DOMAIN_NAME} 
DNS.2 = *.login.sys.${ENV_NAME}.${DOMAIN_NAME} 
DNS.3 = *.uaa.sys.${ENV_NAME}.${DOMAIN_NAME} 
DNS.4 = *.apps.${ENV_NAME}.${DOMAIN_NAME} 
EOF

Use the OpenSSL utility to generate a key and a certificate signed with that key:

openssl req -x509 \
-newkey rsa:2048 \
-nodes \
-keyout ${ENV_NAME}.${DOMAIN_NAME}.key \ -out ${ENV_NAME}.${DOMAIN_NAME}.cert \ -config ./${ENV_NAME}.${DOMAIN_NAME}.cnf

Install terraform:

Note: Ensure to install terraform version < “0.12.0”, I have used 0.11.14

wget -O terraform.zip https://releases.hashicorp.com/terraform/0.11.14/terraform_0.11.14_linux_amd64.zip && \
unzip terraform.zip && \
sudo mv terraform /usr/local/bin

Unzip the terraform templates zip file (terraforming-gcp-0.98.0.zip) you downloaded from the Tanzu Network in earlier post
Navigate to directory terraforming-pas

Create a file named terraform.tfvars by resolving it from the following template:

cat > ./terraform.tfvars <<-EOF
env_name="$ENV_NAME"
project="$PROJECT_ID"
region="asia-south1"
zones=["asia-south1-a","asia-south1-b","asia-south1-c"]
dns_suffix="$DOMAIN_NAME"
opsman_image_url="https://storage.googleapis.com/ops-manager-us/pcf-gcp-2.10.21-build.330.tar.gz"
create_gcs_buckets = "false" 
external_database = 0
ssl_cert = <<SSL_CERT 
-----BEGIN CERTIFICATE-----
<copy the remaining content from .crt>
-----END CERTIFICATE-----
ssl_private_key = <<SSL_KEY 
-----BEGIN PRIVATE KEY-----
<copy the remaining content from .key>
-----END PRIVATE KEY-----
service_account_key = <<SERVICE_ACCOUNT_KEY $(cat ~/terraform.key.json) SERVICE_ACCOUNT_KEY
EOF

Navigate to terraforming-pas directory and execute the following:

terraform init

terraform plan

terraform apply

Note: Above commands will take few minutes to complete and post that a terraform.tfstate file will be created into your current working directory which will be used later.

Review the resources from cloud console:

Login into Cloud console UI > VPC Network – which shows 3 newly created subnets each for management vm’s, platform components and services vm’s. Also, take a look at external IP addresses, firewall rules, routes, load balancing and Cloud DNS.