This repository has been archived by the owner on Oct 9, 2024. It is now read-only.

Google Cloud Provisioning Automation for Tanzu Application Platform

Benefits

This repository provides provisioning automation targeting Google Cloud.

What does it do?

It provisions the minimum set of cloud resources needed to begin installing Tanzu Application Platform on Google Cloud.

Prerequisites

Fork this repository

You will want to fork this GitHub repository and enable the GitHub Actions it contains.

Increase Google Cloud Quotas

There are a few Google Cloud default quotas that may need to be adjusted.

  1. VM instances
  2. Networks

Choose the region and set the limit to >= 30 in your request.

Note: The above quotas will be enough to deploy the infrastructure needed for installing TAP. Individual mileage may vary depending on existing resources.

Set up a Google Cloud service principal

First, authenticate to Google Cloud.

Do this only if you are planning on running the Terraform scripts locally with an IAM user:

gcloud auth login

Or set the necessary environment variable:

export GOOGLE_APPLICATION_CREDENTIALS=<path_to_your_principal_account_key>

Then visit the Terraform module linked here and follow the instructions in its README.

This will create the service account (with appropriate roles) that will be used by all other Terraform modules.

Enable the Secret Manager API

Follow these instructions.

Set up a GitHub SSH key pair

You will need to create a new public/private SSH key pair in order to work with (i.e., pull from and push to) private Git repositories (e.g., GitHub, GitLab, Azure DevOps).

Here's how to set up such a key pair for the named repository providers:

We're interested mainly in setting up a key pair for your GitHub repository hosting this project.

Also see Git Authentication.

Set up a Personal Access Token in GitHub

A PAT is required so that workflows can add secrets to the repository for use in downstream jobs. Documentation can be found here.

We use this personal access token to create the secrets for the Google backend for Terraform.

Configure GitHub Secrets

Set up some GitHub secrets with the SP credentials. Documentation can be found here. You might also consider using the gh secret set command to set these individually. Or, after exporting all of the environment variables below, execute gh-secrets-setup.sh at the command line, passing google as an execution argument.

# The personal access token created in the step above; it allows the workflows to write secrets
export PA_TOKEN=
# The Google Cloud project that will host all resources created
export GOOGLE_PROJECT_ID=
# The base64-encoded contents of the Google Cloud project's service account key that has the authority to create cloud resources
export GOOGLE_SERVICE_ACCOUNT_KEY=
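The following is an added example, not the repository's own gh-secrets-setup.sh: it checks that the three exported variables are present, verifies that GOOGLE_SERVICE_ACCOUNT_KEY really is a base64-encoded service account key before anything is written, and then pushes each value into the fork's GitHub Actions secrets with the gh CLI. It assumes gh is installed and authenticated and that the current directory is a clone of your fork; the DRY_RUN switch is this example's own, not a gh flag.

```shell
#!/usr/bin/env sh
# Added example (not the repository's gh-secrets-setup.sh): validate the three
# exported variables and push them into GitHub Actions secrets via the gh CLI.
# Assumptions: gh is installed and authenticated, and the current directory is
# a clone of your fork. DRY_RUN is this example's own switch, not a gh flag.

REQUIRED_VARS="PA_TOKEN GOOGLE_PROJECT_ID GOOGLE_SERVICE_ACCOUNT_KEY"

# Return non-zero if any required variable is unset or empty, naming each one.
check_secrets_env() {
  missing=0
  for v in $REQUIRED_VARS; do
    eval "val=\${$v}"
    if [ -z "$val" ]; then
      echo "missing or empty: $v" >&2
      missing=1
    fi
  done
  return $missing
}

# The service account key must be base64 text that decodes to a JSON key file
# of type "service_account"; anything else would make every workflow fail late.
validate_sa_key() {
  printf '%s' "$1" | base64 -d 2>/dev/null | grep -q '"type": *"service_account"'
}

# Push each variable as a repository secret. The value is fed to gh on stdin
# rather than as a --body argument, so the credential never appears in the
# process list or in shell history.
set_github_secrets() {
  check_secrets_env || return 1
  if ! validate_sa_key "$GOOGLE_SERVICE_ACCOUNT_KEY"; then
    echo "GOOGLE_SERVICE_ACCOUNT_KEY is not a base64-encoded service account key" >&2
    return 1
  fi
  for v in $REQUIRED_VARS; do
    eval "val=\${$v}"
    if [ "${DRY_RUN:-0}" = "1" ]; then
      echo "would set secret $v (${#val} bytes)"
    else
      printf '%s' "$val" | gh secret set "$v" || return 1
    fi
  done
}

# Usage: export the three variables, then run (drop DRY_RUN=1 to actually write them):
#   DRY_RUN=1 set_github_secrets
```

Feeding the value on stdin matters because the service account key is a long-lived credential with permission to create cloud resources; a `--body` argument would leave it readable in `ps` output and in the shell history of the machine you ran the setup from.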

Create KMS Key

Under GitHub Actions, manually trigger google-dispatch-key-management-service.

Create Remote Backend Support

Under GitHub Actions, manually trigger google-dispatch-remote-backend-for-terraform-state.

Create Toolset Image

Under GitHub Actions, manually trigger google-build-toolset-image.

Alternatively, you could create the AMI by executing the aws CLI and Packer script by following these guides:

How do I use this?

Fast path

Take this path when you want to get up-and-running as quickly as possible with the least amount of fuss.

Under GitHub Actions, manually trigger one of:

The DNS Zone name must be a domain you control and can configure nameservers for.

Slow path

Administer resources one at a time. Take this path when you want to take a closer look at the GitHub Actions and Terraform modules.

There are two types of actions defined, those that can be manually triggered (i.e., dispatched), and those that can only be called by another action. All actions are located here and can be run by providing the required parameters. Go here to inspect the source for each action.

Note that for most dispatch actions, you have the option to either create or destroy the resources.

Modules

Each module below has a corresponding GitHub Action and Terraform module:

  1. KMS
  2. Remote backend
  3. VPC
  4. DNS Zone for base domain
  5. DNS Zone for sub domain
  6. GKE Cluster
  7. GKE Autopilot Cluster
  8. Container registry
  9. Harbor
  10. Bastion
  11. Secrets Manager
  12. Secrets

Vending credentials

All credentials are stored in Google Cloud Secrets Manager.

First, configure Google Cloud using the service account credentials you created earlier.

Visit the Secret Manager Secrets Terraform module's README for how to retrieve secrets.
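As an added example (not code from the repository or its Secret Manager Terraform module), the snippet below shows one way to pull a vended credential out of Secret Manager without ever printing it: it authenticates gcloud with the service account key created earlier and writes the latest secret version straight into an owner-only file. It assumes gcloud is installed, that GOOGLE_APPLICATION_CREDENTIALS points at the key file, and that GOOGLE_PROJECT_ID is exported as in the steps above; the secret name in the usage comment is hypothetical.

```shell
#!/usr/bin/env sh
# Added example, not from the repository or its Secret Manager Terraform module:
# retrieve one secret from Google Cloud Secret Manager into a file that only the
# current user can read, using the service account key created earlier.
# Assumptions: gcloud is installed; GOOGLE_APPLICATION_CREDENTIALS points at the
# key file and GOOGLE_PROJECT_ID is exported, as in the earlier steps.

# Authenticate gcloud with the service account key (safe to repeat).
activate_service_account() {
  gcloud auth activate-service-account --key-file="$GOOGLE_APPLICATION_CREDENTIALS" >/dev/null
}

# Fetch the latest version of secret $1 into file $2. The value goes straight
# from gcloud to a 0600 file: it is never echoed, logged, or passed as an
# argument, and a failed fetch leaves no half-written file behind.
fetch_secret() {
  name=$1
  out=$2
  old_umask=$(umask)
  umask 077                     # files created from here on are owner-only
  tmp="$out.tmp.$$"
  if gcloud secrets versions access latest --secret="$name" --project="$GOOGLE_PROJECT_ID" >"$tmp" \
     && [ -s "$tmp" ]; then
    mv "$tmp" "$out"            # atomic replace once the full value is on disk
    umask "$old_umask"
    return 0
  fi
  rm -f "$tmp"
  umask "$old_umask"
  echo "failed to fetch secret '$name'" >&2
  return 1
}

# Usage (secret name is hypothetical):
#   activate_service_account
#   fetch_secret harbor-admin-password ./harbor-admin-password
```

Writing to a temporary file under a 077 umask and then renaming it means a reader never sees a partially written or world-readable secret, and a failed `gcloud` call (wrong project, missing IAM role, typo in the name) is reported instead of silently producing an empty file.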

Cleaning up everything

In order to destroy all of the resources created you can use the GitHub action google-destroy-workshop-environment. This action should be run with the same inputs used to create an environment.

You'll also want to destroy the remote backend support and KMS key by executing the following jobs:

Don't forget to choose destroy before clicking on the Run workflow button.