Caravan Infra GCP

Caravan 2021 GCP

Module description

The purpose of this module is deploying the Caravan infrastructure upon which the Caravan cluster will reside.

The code will deploy components formed by the following graph.

Prepare

The project-setup.sh script help you to create all the necessary requirements to deploy the infrastructure.

./project-setup.sh XXXXXX-YYYYYY-ZZZZZZ 12345678901 admin-project-example project-example-id project-example us-central1

Requirements

Name

Version

terraform

~> 1.0

google

~> 4.0

Providers

Name

Version

google

4.33.0

local

2.2.3

null

3.1.1

random

3.3.2

tls

4.0.1

Modules

Name

Source

Version

caravan-bootstrap

git::https://github.com/bitrockteam/caravan-bootstrap

refs/tags/v0.2.20

cloud_init_control_plane

git::https://github.com/bitrockteam/caravan-cloudinit

refs/tags/v0.1.20

cloud_init_worker_plane

git::https://github.com/bitrockteam/caravan-cloudinit

refs/tags/v0.1.18

terraform-acme-le

git::https://github.com/bitrockteam/caravan-acme-le

refs/tags/v0.0.16

Resources

Name

Type

google_compute_attached_disk.consul_data

resource

google_compute_attached_disk.nomad_data

resource

google_compute_attached_disk.vault_data

resource

google_compute_backend_service.backend_service_consul

resource

google_compute_backend_service.backend_service_nomad

resource

google_compute_backend_service.backend_service_vault

resource

google_compute_backend_service.backend_service_workload

resource

google_compute_disk.consul_data

resource

google_compute_disk.nomad_data

resource

google_compute_disk.vault_data

resource

google_compute_firewall.hashicorp_allow_ssh

resource

google_compute_firewall.hashicorp_cluster

resource

google_compute_firewall.hashicorp_ingress

resource

google_compute_firewall.hashicorp_internal_consul_ha

resource

google_compute_firewall.hashicorp_internal_ha

resource

google_compute_firewall.hashicorp_internal_nomad_ha

resource

google_compute_global_forwarding_rule.global_forwarding_rule

resource

google_compute_health_check.healthcheck_consul

resource

google_compute_health_check.healthcheck_nomad

resource

google_compute_health_check.healthcheck_tcp_ingress

resource

google_compute_health_check.healthcheck_vault

resource

google_compute_instance.hashicorp_cluster_nodes

resource

google_compute_instance.monitoring_instance

resource

google_compute_instance_group.hashicorp_cluster_nodes

resource

google_compute_instance_template.worker-instance-template

resource

google_compute_network.hashicorp

resource

google_compute_region_disk.csi

resource

google_compute_region_instance_group_manager.default_workers

resource

google_compute_router.router

resource

google_compute_router_nat.nat

resource

google_compute_ssl_certificate.lb_certificate

resource

google_compute_ssl_policy.modern_tls_1_2_ssl_policy

resource

google_compute_subnetwork.hashicorp

resource

google_compute_target_https_proxy.target_https_proxy

resource

google_compute_url_map.url_map

resource

google_dns_managed_zone.project-zone

resource

google_dns_record_set.a-hc

resource

google_dns_record_set.cname-consul

resource

google_dns_record_set.cname-nomad

resource

google_dns_record_set.cname-vault

resource

google_dns_record_set.cname-wild

resource

google_dns_record_set.projects-ns

resource

google_kms_crypto_key.vault_key

resource

google_kms_key_ring.vault_keyring

resource

google_kms_key_ring_iam_binding.vault_iam_kms_binding

resource

google_project_iam_binding.pd_csi_service_account_iam_binding

resource

google_project_iam_binding.pd_csi_service_account_storage_admin_iam_binding

resource

google_project_iam_binding.pd_csi_service_account_user_iam_binding

resource

google_project_iam_custom_role.gcp_compute_persistent_disk_csi_driver

resource

google_project_iam_member.project

resource

google_project_service.cloudkms

resource

google_project_service.cloudresourcemanager

resource

google_project_service.compute

resource

google_project_service.dns

resource

google_project_service.iam

resource

google_project_service.logging

resource

google_project_service.monitoring

resource

google_project_service.serviceusage

resource

google_service_account.control_plane_service_account

resource

google_service_account.pd_csi_service_account

resource

google_service_account.worker_plane_service_account

resource

google_service_account_iam_binding.key_account_iam

resource

google_service_account_iam_binding.key_account_iam_control_plane

resource

google_service_account_iam_binding.key_account_iam_workers

resource

google_service_account_key.pd_csi_sa_key

resource

google_storage_bucket.configs

resource

google_storage_bucket_iam_binding.configs_binding

resource

local_file.backend_tf_appsupport

resource

local_file.backend_tf_platform

resource

local_file.tfvars_appsupport

resource

local_file.tfvars_platform

resource

local_sensitive_file.ssh_key

resource

null_resource.ca_certs

resource

null_resource.ca_certs_bundle

resource

random_id.keyring

resource

random_id.random

resource

tls_private_key.cert_private_key

resource

tls_private_key.ssh-key

resource

google_client_openid_userinfo.myself

data source

google_compute_zones.available

data source

google_dns_managed_zone.parent-zone

data source

google_project.project

data source

Inputs

Name

Description

Type

Default

Required

google_account_file

Path to Google account file

string

n/a

yes

image

Fully qualified image name

string

n/a

yes

project_id

GCP Project ID

string

n/a

yes

zone

GCP zone

string

n/a

yes

admins

List of admins to add to the project

list(string)

[]

no

allowed_ip_list

IP address list for SSH connection to the VMs

list(string)

[
“0.0.0.0/0”
]

no

base64

Cloud init decoding

bool

false

no

ca_certs

Fake certificates from staging Let’s Encrypt

map(object({
filename = string
pemurl = string
}))

{
“stg-int-r3”: {
“filename”: “letsencrypt-stg-int-r3.pem”,
“pemurl”: “https://letsencrypt.org/certs/staging/letsencrypt-stg-int-r3.pem”
},
“stg-root-x1”: {
“filename”: “letsencrypt-stg-root-x1.pem”,
“pemurl”: “https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem”
}
}

no

consul_license_file

Path to Consul Enterprise license

string

null

no

control_plane_instance_count

Control plane instances number

string

"3"

no

control_plane_machine_type

Control plane instance machine type

string

"e2-standard-2"

no

control_plane_sa_name

Control plane service account name, it will be used by Vault Auth method

string

"control-plane"

no

csi_volumes

Example:
{
“jenkins” : {
“type” : “pd-ssd”
“size” : “30”
“replica_zones” : [“us-central1-a”, “us-central1-b”]
“tags” : { “application”: “jenkins_master” }
}
}

map(map(string))

{}

no

dc_name

Hashicorp cluster name

string

"gcp-dc"

no

enable_monitoring

Enables and setup monitoring node

bool

true

no

enable_nomad

Enables and setup Nomad cluster

bool

true

no

external_domain

Domain used for endpoints and certs

string

""

no

google_kms_crypto_key

GCP KMS crypto key

string

""

no

google_kms_key_ring

GCP KMS key ring

string

""

no

gzip

Cloud init compressing

bool

false

no

le_production_endpoint

LE’s endpoint when use_le_staging==false

string

"https://acme-v02.api.letsencrypt.org/directory"

no

le_staging_endpoint

LE’s endpoint when use_le_staging==true

string

"https://acme-staging-v02.api.letsencrypt.org/directory"

no

nomad_license_file

Path to Nomad Enterprise license

string

null

no

parent_dns_project_id

GCP parent project ID

string

""

no

parent_dns_zone_name

GCP parent project DNS zone name

string

"GCP"

no

preemptible_instance_type

Sets preemptible instance type

bool

false

no

prefix

The prefix of the objects’ names

string

""

no

region

GCP region where to deploy the cluster

string

"us-central1"

no

ssh_timeout

SSH timeout

string

"240s"

no

ssh_user

SSH user

string

"centos"

no

subnet_prefix

The address prefix to use for the subnet

string

"10.128.0.0/28"

no

use_le_staging

Use staging Let’s Encrypt endpoint

bool

false

no

vault_license_file

Path to Vault Enterprise license

string

null

no

volume_data_size

Volume size of control plan data disk

number

20

no

volume_data_type

Volume type of data disks

string

"pd-balanced"

no

volume_root_size

Volume size of control plan root disk

number

20

no

volume_root_type

Volume type of root disks

string

"pd-standard"

no

worker_plane_machine_type

Worker plane instance machine type

string

"n2-standard-2"

no

worker_plane_sa_name

Worker plane service account name, it will be used by Vault Auth method

string

"worker-plane"

no

workers_groups

Worker instance group map

map(any)

{
“workers-group”: {
“base_instance_name”: “worker”,
“instance_template”: “worker-template”,
“target_size”: 3,
“zone”: “us-central1-a”
}
}

no

workers_instance_templates

Worker instance template map

map(any)

{
“worker-template”: {
“image_family_name”: “centos-image”,
“machine_type”: “n1-standard-2”,
“name_prefix”: “worker-template-default-“,
“preemptible”: false
}
}

no

Outputs

Name

Description

PROJECT_APPSUPP_TFVAR

Caravan Application Support tfvars

PROJECT_PLATFORM_TFVAR

Caravan Platform tfvars

PROJECT_WORKLOAD_TFVAR

Caravan Workload tfvars

ca_certs

Let’s Encrypt staging CA certificates

cluster-public-ips

Control plane public IP addresses

control_plane_role_name

Control plane role name

control_plane_service_accounts

Control plane service accounts email list

csi_sa_key

n/a

csi_volumes

n/a

hashicorp_endpoints

Hashicorp clusters endpoints

load-balancer-ip-address

Load Balancer IP address

project_id

GCP project ID

worker_plane_role_name

Worker plane role name

worker_plane_service_account

Worker plane service account

worker_plane_service_accounts

Worker plane service accounts email list

Cleaning up

After terraform destroy -var-file=gcp.tfvars, for removing left resources and project, run the project-cleanup.sh script:

./project-cleanup.sh <PROJECT_ID> <PARENT_PROJECT_ID>