caravan-infra-gcp

Terraform project to set up infrastructure on GCP

Primary language: HCL. License: Mozilla Public License 2.0 (MPL-2.0)

Caravan Infra GCP

Caravan 2021 GCP

Module description

This module deploys the Caravan infrastructure on which the Caravan cluster will reside.

The code will deploy components formed by the following graph.

Prepare

The project-setup.sh script helps you create all the prerequisites needed to deploy the infrastructure:

./project-setup.sh XXXXXX-YYYYYY-ZZZZZZ 12345678901 admin-project-example project-example-id project-example us-central1

Requirements

| Name | Version |
|------|---------|
| terraform | ~> 0.15.4 |
| google | ~> 3.0 |

Providers

| Name | Version |
|------|---------|
| google | 3.88.0 |
| local | 2.1.0 |
| null | 3.1.0 |
| random | 3.1.0 |
| tls | 3.1.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| caravan-bootstrap | git::https://github.com/bitrockteam/caravan-bootstrap | refs/tags/v0.2.14 |
| cloud_init_control_plane | git::https://github.com/bitrockteam/caravan-cloudinit | refs/tags/v0.1.14 |
| cloud_init_worker_plane | git::https://github.com/bitrockteam/caravan-cloudinit | refs/tags/v0.1.14 |
| terraform-acme-le | git::https://github.com/bitrockteam/caravan-acme-le | refs/tags/v0.0.11 |

Resources

| Name | Type |
|------|------|
| google_compute_attached_disk.consul_data | resource |
| google_compute_attached_disk.nomad_data | resource |
| google_compute_attached_disk.vault_data | resource |
| google_compute_backend_service.backend_service_consul | resource |
| google_compute_backend_service.backend_service_nomad | resource |
| google_compute_backend_service.backend_service_vault | resource |
| google_compute_backend_service.backend_service_workload | resource |
| google_compute_disk.consul_data | resource |
| google_compute_disk.nomad_data | resource |
| google_compute_disk.vault_data | resource |
| google_compute_firewall.hashicorp_allow_ssh | resource |
| google_compute_firewall.hashicorp_cluster | resource |
| google_compute_firewall.hashicorp_ingress | resource |
| google_compute_firewall.hashicorp_internal_consul_ha | resource |
| google_compute_firewall.hashicorp_internal_ha | resource |
| google_compute_firewall.hashicorp_internal_nomad_ha | resource |
| google_compute_global_forwarding_rule.global_forwarding_rule | resource |
| google_compute_health_check.healthcheck_consul | resource |
| google_compute_health_check.healthcheck_nomad | resource |
| google_compute_health_check.healthcheck_tcp_ingress | resource |
| google_compute_health_check.healthcheck_vault | resource |
| google_compute_instance.hashicorp_cluster_nodes | resource |
| google_compute_instance.monitoring_instance | resource |
| google_compute_instance_group.hashicorp_cluster_nodes | resource |
| google_compute_instance_template.worker-instance-template | resource |
| google_compute_network.hashicorp | resource |
| google_compute_region_disk.csi | resource |
| google_compute_region_instance_group_manager.default_workers | resource |
| google_compute_router.router | resource |
| google_compute_router_nat.nat | resource |
| google_compute_ssl_certificate.lb_certificate | resource |
| google_compute_ssl_policy.modern_tls_1_2_ssl_policy | resource |
| google_compute_subnetwork.hashicorp | resource |
| google_compute_target_https_proxy.target_https_proxy | resource |
| google_compute_url_map.url_map | resource |
| google_dns_managed_zone.project-zone | resource |
| google_dns_record_set.a-hc | resource |
| google_dns_record_set.cname-consul | resource |
| google_dns_record_set.cname-nomad | resource |
| google_dns_record_set.cname-vault | resource |
| google_dns_record_set.cname-wild | resource |
| google_dns_record_set.projects-ns | resource |
| google_kms_crypto_key.vault_key | resource |
| google_kms_key_ring.vault_keyring | resource |
| google_kms_key_ring_iam_binding.vault_iam_kms_binding | resource |
| google_project_iam_binding.pd_csi_service_account_iam_binding | resource |
| google_project_iam_binding.pd_csi_service_account_storage_admin_iam_binding | resource |
| google_project_iam_binding.pd_csi_service_account_user_iam_binding | resource |
| google_project_iam_custom_role.gcp_compute_persistent_disk_csi_driver | resource |
| google_project_iam_member.project | resource |
| google_project_service.cloudkms | resource |
| google_project_service.cloudresourcemanager | resource |
| google_project_service.compute | resource |
| google_project_service.dns | resource |
| google_project_service.iam | resource |
| google_project_service.logging | resource |
| google_project_service.monitoring | resource |
| google_project_service.serviceusage | resource |
| google_service_account.control_plane_service_account | resource |
| google_service_account.pd_csi_service_account | resource |
| google_service_account.worker_plane_service_account | resource |
| google_service_account_iam_binding.key_account_iam | resource |
| google_service_account_iam_binding.key_account_iam_control_plane | resource |
| google_service_account_iam_binding.key_account_iam_workers | resource |
| google_service_account_key.pd_csi_sa_key | resource |
| google_storage_bucket.configs | resource |
| google_storage_bucket_iam_binding.configs_binding | resource |
| local_file.backend_tf_appsupport | resource |
| local_file.backend_tf_platform | resource |
| local_file.ssh_key | resource |
| local_file.tfvars_appsupport | resource |
| local_file.tfvars_platform | resource |
| null_resource.ca_certs | resource |
| null_resource.ca_certs_bundle | resource |
| random_id.keyring | resource |
| random_id.random | resource |
| tls_private_key.cert_private_key | resource |
| tls_private_key.ssh-key | resource |
| google_client_openid_userinfo.myself | data source |
| google_compute_zones.available | data source |
| google_dns_managed_zone.parent-zone | data source |
| google_project.project | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| google_account_file | Path to the Google account file | string | n/a | yes |
| image | Fully qualified image name | string | n/a | yes |
| project_id | GCP project ID | string | n/a | yes |
| zone | GCP zone | string | n/a | yes |
| admins | List of admins to add to the project | list(string) | `[]` | no |
| allowed_ip_list | List of IP ranges allowed to open SSH connections to the VMs | list(string) | `["0.0.0.0/0"]` | no |
| base64 | Base64-decode the cloud-init payload | bool | `false` | no |
| ca_certs | Fake certificates from the Let's Encrypt staging environment | `map(object({ filename = string, pemurl = string }))` | `{ "fakeleintermediatex1": { "filename": "fakeleintermediatex1.pem", "pemurl": "https://letsencrypt.org/certs/fakeleintermediatex1.pem" }, "fakelerootx1": { "filename": "fakelerootx1.pem", "pemurl": "https://letsencrypt.org/certs/fakelerootx1.pem" } }` | no |
| consul_license_file | Path to the Consul Enterprise license | string | `null` | no |
| control_plane_instance_count | Number of control plane instances | string | `"3"` | no |
| control_plane_machine_type | Control plane instance machine type | string | `"e2-standard-2"` | no |
| control_plane_sa_name | Control plane service account name; it is used by the Vault auth method | string | `"control-plane"` | no |
| csi_volumes | Map of CSI volumes. Example: `{ "jenkins" : { "type" : "pd-ssd", "size" : "30", "replica_zones" : ["us-central1-a", "us-central1-b"], "tags" : { "application": "jenkins_master" } } }` | map(map(string)) | `{}` | no |
| dc_name | HashiCorp cluster name | string | `"gcp-dc"` | no |
| enable_monitoring | Enables and sets up the monitoring node | bool | `true` | no |
| enable_nomad | Enables and sets up the Nomad cluster | bool | `true` | no |
| external_domain | Domain used for endpoints and certificates | string | `""` | no |
| google_kms_crypto_key | GCP KMS crypto key | string | `""` | no |
| google_kms_key_ring | GCP KMS key ring | string | `""` | no |
| gzip | Gzip-compress the cloud-init payload | bool | `false` | no |
| le_production_endpoint | Let's Encrypt endpoint used when `use_le_staging == false` | string | `"https://acme-v02.api.letsencrypt.org/directory"` | no |
| le_staging_endpoint | Let's Encrypt endpoint used when `use_le_staging == true` | string | `"https://acme-staging-v02.api.letsencrypt.org/directory"` | no |
| nomad_license_file | Path to the Nomad Enterprise license | string | `null` | no |
| parent_dns_project_id | GCP parent project ID | string | `""` | no |
| parent_dns_zone_name | DNS zone name in the GCP parent project | string | `"GCP"` | no |
| preemptible_instance_type | Use preemptible instances | bool | `false` | no |
| prefix | Prefix for the names of created objects | string | `""` | no |
| region | GCP region in which to deploy the cluster | string | `"us-central1"` | no |
| ssh_timeout | SSH timeout | string | `"240s"` | no |
| ssh_user | SSH user | string | `"centos"` | no |
| subnet_prefix | Address prefix to use for the subnet | string | `"10.128.0.0/28"` | no |
| use_le_staging | Use the Let's Encrypt staging endpoint | bool | `false` | no |
| vault_license_file | Path to the Vault Enterprise license | string | `null` | no |
| volume_data_size | Size of the control plane data disk | number | `20` | no |
| volume_data_type | Volume type of the data disks | string | `"pd-balanced"` | no |
| volume_root_size | Size of the control plane root disk | number | `20` | no |
| volume_root_type | Volume type of the root disks | string | `"pd-standard"` | no |
| worker_plane_machine_type | Worker plane instance machine type | string | `"n2-standard-2"` | no |
| worker_plane_sa_name | Worker plane service account name; it is used by the Vault auth method | string | `"worker-plane"` | no |
| workers_groups | Worker instance group map | map(any) | `{ "workers-group": { "base_instance_name": "worker", "instance_template": "worker-template", "target_size": 3, "zone": "us-central1-a" } }` | no |
| workers_instance_templates | Worker instance template map | map(any) | `{ "worker-template": { "image_family_name": "centos-image", "machine_type": "n1-standard-2", "name_prefix": "worker-template-default-", "preemptible": false } }` | no |
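The following gcp.tfvars is an added example, not a file shipped with this repository. It uses only the variable names from the Inputs table above; every project, domain, image and IP value in it is a placeholder to be replaced. The point it illustrates is that the module's `allowed_ip_list` default of `0.0.0.0/0` exposes the SSH firewall rule to every source address, so a deployment should narrow it to the operator's own egress ranges, and that `use_le_staging` should be enabled while iterating so the production Let's Encrypt rate limits are not consumed by test runs.

```hcl
# gcp.tfvars (constructed example; all values below are placeholders)

# Credentials and project (placeholders, not this project's real values).
# The account file is a service-account key: keep it out of version control.
google_account_file = "./sa-key.json"
project_id          = "project-example-id"
region              = "us-central1"
zone                = "us-central1-a"

# Fully qualified image name (placeholder path).
image = "projects/project-example-id/global/images/caravan-centos-image"

# Naming and DNS (placeholder domain and parent zone).
prefix                = "caravan"
dc_name               = "gcp-dc"
external_domain       = "example.com"
parent_dns_project_id = "project-example-id"
parent_dns_zone_name  = "example-zone"

# SSH exposure. The module default is ["0.0.0.0/0"], which makes the
# hashicorp_allow_ssh firewall rule reachable from any address. Restrict it
# to the ranges operators actually connect from (TEST-NET-3 placeholder here).
allowed_ip_list = ["203.0.113.0/24"]
ssh_user        = "centos"
ssh_timeout     = "240s"

# Use the Let's Encrypt staging endpoint for test deployments. Staging issues
# certificates chained to the fake roots listed in ca_certs, so they are not
# trusted by browsers; switch to false for the production cluster.
use_le_staging = true

# Control plane sizing (matches the module defaults).
control_plane_instance_count = "3"
control_plane_machine_type   = "e2-standard-2"
volume_root_size             = 20
volume_root_type             = "pd-standard"
volume_data_size             = 20
volume_data_type             = "pd-balanced"

# Worker plane: one instance template and one regional group using it.
workers_instance_templates = {
  "worker-template" = {
    image_family_name = "centos-image"
    machine_type      = "n2-standard-2"
    name_prefix       = "worker-template-default-"
    preemptible       = false
  }
}

workers_groups = {
  "workers-group" = {
    base_instance_name = "worker"
    instance_template  = "worker-template"
    target_size        = 3
    zone               = "us-central1-a"
  }
}

enable_nomad      = true
enable_monitoring = true
```

Apply it with `terraform apply -var-file=gcp.tfvars`; the same file is passed to `terraform destroy` in the Cleaning up section below. Both worker maps are typed `map(any)`, so Terraform does not validate their keys: a misspelled `instance_template` reference is only caught when the instance group manager is created.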

Outputs

| Name | Description |
|------|-------------|
| PROJECT_APPSUPP_TFVAR | Caravan Application Support tfvars |
| PROJECT_PLATFORM_TFVAR | Caravan Platform tfvars |
| PROJECT_WORKLOAD_TFVAR | Caravan Workload tfvars |
| ca_certs | Let's Encrypt staging CA certificates |
| cluster-public-ips | Control plane public IP addresses |
| control_plane_role_name | Control plane role name |
| control_plane_service_accounts | Control plane service account email list |
| csi_sa_key | n/a |
| csi_volumes | n/a |
| hashicorp_endpoints | HashiCorp cluster endpoints |
| load-balancer-ip-address | Load balancer IP address |
| project_id | GCP project ID |
| worker_plane_role_name | Worker plane role name |
| worker_plane_service_account | Worker plane service account |
| worker_plane_service_accounts | Worker plane service account email list |

Cleaning up

After running `terraform destroy -var-file=gcp.tfvars`, remove the leftover resources and the project with the project-cleanup.sh script:

./project-cleanup.sh <PROJECT_ID> <PARENT_PROJECT_ID>