Deploying Ops Manager on GCP Using Terraform
The Terraform templates described in this topic are not supported and are not recommended for use.
Advanced users can install Ops Manager with Terraform using paving in GitHub. You may need to modify the configuration of the Terraform templates in this repository based on your unique platform needs.
This guide describes the preparation steps required to install Ops Manager on Google Cloud Platform (GCP) using Terraform templates.
The Terraform template for Ops Manager on GCP describes a set of GCP resources and properties. For more information about how Terraform creates resources in GCP, see Google Cloud Provider on the Terraform site.
You may also find it helpful to review different deployment options in Reference Architecture for Ops Manager on GCP.
Prerequisites
In addition to fulfilling the prerequisites listed in Installing Ops Manager on GCP, ensure you have the following:
- The Terraform CLI
- The Google Cloud SDK
- In your GCP project, enable the following APIs:
Step 1: Obtain a GCP Service Account Key File
To use the Terraform templates to create the necessary infrastructure resources for Ops Manager, you need a service account key file.
To create an account key file, follow the procedure below corresponding to your own use case.
- I already have a service account I want to use:
  - Navigate to the GCP console.
  - Select IAM and locate your service account.
  - From the Options column, open the dropdown and click Create Key.
- I want to create a new service account:
  - Open a terminal window.
  - To create a service account using the gcloud CLI, run the following command:
    gcloud iam service-accounts create ACCOUNT-NAME
  - To create a key file for your service account, run the following command:
    gcloud iam service-accounts keys create "terraform.key.json" --iam-account "ACCOUNT-NAME@PROJECT-ID.iam.gserviceaccount.com"
  - To bind the service account to your project and give it the owner role, run the following command:
    gcloud projects add-iam-policy-binding PROJECT-ID --member 'serviceAccount:ACCOUNT-NAME@PROJECT-ID.iam.gserviceaccount.com' --role 'roles/owner'
  Where:
  - ACCOUNT-NAME is the name you want to apply to the new account.
  - PROJECT-ID is your Google Cloud Platform Project ID.
Step 2: Download Templates and Edit Variables File
Before you can run Terraform commands to provision infrastructure resources, you must download the GCP Terraform Templates and create a Terraform template variables file as described below:
- On VMware Tanzu Network, navigate to the VMware Tanzu Application Service for VMs (TAS for VMs) release.
- Download the GCP Terraform ZIP file.
- Extract the contents of the ZIP file.
- Move the extracted folder to the workspace directory on your local machine.
- On the command line, navigate to the directory. For example:
  $ cd ~/workspace/pivotal-cf-terraforming-gcp
- Navigate to the terraforming-pas or terraforming-pks directory that contains the Terraform files for your runtime.
- In the runtime directory, create a text file named terraform.tfvars.
- Open the terraform.tfvars file and add the following:
  Note: Ensure that you insert a new line at the end of the file.
env_name = "YOUR-ENVIRONMENT-NAME"
opsman_image_url = "YOUR-OPS-MAN-IMAGE-URL"
region = "YOUR-GCP-REGION"
zones = ["YOUR-AZ-1", "YOUR-AZ-2", "YOUR-AZ-3"]
project = "YOUR-GCP-PROJECT"
dns_suffix = "YOUR-DNS-SUFFIX"
ssl_cert = <<SSL_CERT
-----BEGIN CERTIFICATE-----
YOUR-CERTIFICATE
-----END CERTIFICATE-----
SSL_CERT
ssl_private_key = <<SSL_KEY
-----BEGIN EXAMPLE RSA PRIVATE KEY-----
YOUR-PRIVATE-KEY
-----END EXAMPLE RSA PRIVATE KEY-----
SSL_KEY
service_account_key = <<SERVICE_ACCOUNT_KEY
YOUR-KEY-JSON
SERVICE_ACCOUNT_KEY
Edit the values in the file according to the guidance below.
- YOUR-ENVIRONMENT-NAME: Enter a name to use to identify resources in GCP. Terraform prepends the names of the resources it creates with this environment name. Example: pcf.
- YOUR-OPS-MAN-IMAGE-URL: Enter the source URL of the Ops Manager image you want to boot. You can find this URL in the PDF included with the Ops Manager release on VMware Tanzu Network. To prevent the creation of an Ops Manager VM, set this value to an empty string (""). When using Platform Automation, you must disable the creation of the Ops Manager VM from Terraform. For more information, see Platform Automation.
- YOUR-GCP-REGION: Enter the name of the GCP region in which you want Terraform to create resources. Example: us-central1.
- YOUR-AZ-1, YOUR-AZ-2, YOUR-AZ-3: Enter three availability zones from your region. Example: us-central1-a, us-central1-b, us-central1-c.
- YOUR-GCP-PROJECT: Enter the name of the GCP project in which you want Terraform to create resources.
- YOUR-DNS-SUFFIX: Enter a domain name to use as part of the system domain for your Ops Manager deployment. Terraform creates DNS records in GCP using YOUR-ENVIRONMENT-NAME and YOUR-DNS-SUFFIX. For example, if you enter example.com for your DNS suffix and have pcf as your environment name, Terraform creates DNS records at pcf.example.com.
- YOUR-CERTIFICATE: Enter a certificate to use for HTTP load balancing. For production environments, use a certificate from a Certificate Authority (CA). For test environments, you can use a self-signed certificate. Your certificate must specify your system domain as the common name. Your system domain is YOUR-ENVIRONMENT-NAME.YOUR-DNS-SUFFIX. It also must include the following subdomains: *.sys.YOUR-SYSTEM-DOMAIN, *.login.sys.YOUR-SYSTEM-DOMAIN, *.uaa.sys.YOUR-SYSTEM-DOMAIN, *.apps.YOUR-SYSTEM-DOMAIN.
- YOUR-PRIVATE-KEY: Enter a private key for the certificate you entered.
- YOUR-KEY-JSON: Enter the contents of your service account key file. This file is in JSON format.
Step 3: Add Optional Variables
Complete this step if you want to do any of the following:
- Change the default CIDR ranges
- Deploy the Isolation Segment tile
- Use an external Google Cloud SQL database
- Use external Google Storage buckets
- Disable generated GCP service account key for blobstore
In your terraform.tfvars file, specify the appropriate variables from the sections below.
Note: You can see the configurable options by opening the variables.tf file and looking for variables with default values.
CIDR Ranges for Subnets
If you want to change the CIDR ranges for the infrastructure, runtime, or services networks that Terraform creates, add the following variables to your terraform.tfvars file, replacing YOUR-INFRASTRUCTURE-CIDR, YOUR-RUNTIME-CIDR and YOUR-SERVICES-CIDR with your desired values.
infrastructure_cidr = YOUR-INFRASTRUCTURE-CIDR
pas_cidr = YOUR-RUNTIME-CIDR
services_cidr = YOUR-SERVICES-CIDR
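As an added pre-flight check, not part of this page or of the paving templates: a small Python script that parses the terraform.tfvars layout from Step 2 together with the CIDR variables above, derives the names the load balancer certificate must cover from env_name and dns_suffix, and flags a missing final newline, zones that are not in the chosen region, and overlapping subnet ranges. The sample file and every value in it are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample terraform.tfvars in the layout the page describes; placeholder values, not a real environment.
SAMPLE_TFVARS = '''env_name = "pcf"
opsman_image_url = ""
region = "us-central1"
zones = ["us-central1-a", "us-central1-b", "us-central1-c"]
dns_suffix = "example.com"
infrastructure_cidr = "10.0.0.0/26"
pas_cidr = "10.0.4.0/24"
services_cidr = "10.0.8.0/24"
ssl_cert = <<SSL_CERT
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
SSL_CERT
'''

# One assignment per line in the three forms the page uses: "string", ["list"], or a <<MARKER heredoc.
VALUE_RE = re.compile(r'^(\w+)\s*=\s*(?:"([^"]*)"|(\[[^\]]*\])|<<(\w+)\n(.*?)\n\4)[ \t]*$', re.M | re.S)

def parse_tfvars(text):
    """Return {name: value}; lists become Python lists, heredocs keep their body text."""
    values = {}
    for key, string, lst, marker, body in VALUE_RE.findall(text):
        values[key] = re.findall(r'"([^"]*)"', lst) if lst else (body if marker else string)
    return values

def required_cert_names(v):
    """System domain plus the wildcard names the page says the HTTP load balancer certificate must cover."""
    system_domain = f"{v['env_name']}.{v['dns_suffix']}"
    return [system_domain] + [f"*.{sub}.{system_domain}" for sub in ("sys", "login.sys", "uaa.sys", "apps")]

def check_tfvars(text):
    """Return a list of problems: missing final newline, zones outside the region, overlapping subnet CIDRs."""
    v, problems = parse_tfvars(text), []
    if not text.endswith("\n"):
        problems.append("file must end with a newline")
    region, zones = v.get("region", ""), v.get("zones", [])
    if len(zones) != 3:
        problems.append("exactly three zones are expected")
    problems += [f"zone {z} is not in region {region}" for z in zones if not z.startswith(region + "-")]
    nets = [(k, ipaddress.ip_network(v[k])) for k in ("infrastructure_cidr", "pas_cidr", "services_cidr") if k in v]
    for idx, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[idx + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} overlaps {name_b}")
    return problems
```

Compare the output of required_cert_names against the subject and subject alternative names of the certificate you paste into ssl_cert before running terraform apply.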
Isolation Segments
If you plan to deploy the Isolation Segment tile, add the following variables to your terraform.tfvars file, replacing YOUR-CERTIFICATE and YOUR-PRIVATE-KEY with a certificate and private key. This causes Terraform to create an additional HTTP load balancer across three availability zones to use for the Isolation Segment tile.
isolation_segment = true
iso_seg_ssl_cert = <<ISO_SEG_SSL_CERT
-----BEGIN CERTIFICATE-----
YOUR-CERTIFICATE
-----END CERTIFICATE-----
ISO_SEG_SSL_CERT
iso_seg_ssl_cert_private_key = <<ISO_SEG_SSL_KEY
-----BEGIN EXAMPLE RSA PRIVATE KEY-----
YOUR-PRIVATE-KEY
-----END EXAMPLE RSA PRIVATE KEY-----
ISO_SEG_SSL_KEY
External Database
If you want to use an external Google Cloud SQL database for Ops Manager and TAS for VMs, add the following to your terraform.tfvars file:
external_database = true
If you want to specify a single host from which users can connect to the Ops Manager and runtime databases, add the following to your terraform.tfvars file:
opsman_sql_db_host = HOST-IP-ADDRESS
pas_sql_db_host = HOST-IP-ADDRESS
Where HOST-IP-ADDRESS is your desired IP address(es).
External Storage Buckets
If you want to use Google Cloud Storage buckets for the TAS for VMs Cloud Controller, add the following to your terraform.tfvars file:
create_gcs_buckets = true
GCP Service Account Key for Blobstore
If you want to provide your own service account for blob storage instead of using a generated service account, add the following to your terraform.tfvars file:
create_blobstore_service_account_key = false
Step 4: Create GCP Resources with Terraform
Follow these steps to use the Terraform CLI to create resources on GCP:
- From the directory that contains the Terraform files, run the following command to initialize the directory based on the information you specified in the terraform.tfvars file:
  terraform init
- Run the following command to create the execution plan for Terraform:
  terraform plan -out=plan
- To execute the plan from the previous step, run the following command:
  terraform apply plan
Note: It may take several minutes for Terraform to create all the resources in GCP.
Step 5: Create DNS Record
- In a browser, navigate to the DNS provider for the DNS suffix you entered in your terraform.tfvars file.
- Create a new NS (Name server) record for your Ops Manager system domain. Your system domain is YOUR-ENVIRONMENT-NAME.YOUR-DNS-SUFFIX.
- In this record, enter the name servers included in env_dns_zone_name_servers from your Terraform output.
Next Steps
After you complete this procedure, follow the instructions in Configuring BOSH Director on GCP Using Terraform.