Preparing to Deploy PCF on GCP using Terraform

Page last updated:

This guide describes the preparation steps required to install Pivotal Cloud Foundry (PCF) on Google Cloud Platform (GCP) using Terraform templates.

The Terraform template for PCF on GCP describes a set of GCP resources and properties. For more information about how Terraform creates resources in GCP, see the Google Cloud Provider topic on the Terraform site.

You may also find it helpful to review different deployment options in the Reference Architecture for Pivotal Cloud Foundry on GCP.

Prerequisites

In addition to fulfilling the prerequisites listed in the Installing Pivotal Cloud Foundry on GCP topic, ensure you have the following:

To avoid this upgrade issue, ensure that

Step 1: Obtain a GCP Service Account Key File

To use the Terraform templates to create the necessary infrastructure resources for PCF, you need a service account key file. Follow the procedure that corresponds to your use case:

  • I already have a service account I want to use
    1. Navigate to the GCP console
    2. Select IAM and locate your service account.
    3. From the Options column, open the dropdown menu and click Create Key.
  • I want to create a new service account
    1. Open a terminal window.
    2. Create a service account using the gcloud CLI:
      $ gcloud iam service-accounts create ACCOUNT-NAME
    3. Create a key file for your service account:
      $ gcloud iam service-accounts keys create "terraform.key.json" --iam-account "some-account-name@yourproject.iam.gserviceaccount.com"
    4. Bind the service account to your project and give it the owner role:
      $ gcloud projects add-iam-policy-binding PROJECT_ID --member 'serviceAccount:some-account-name@PROJECT_ID.iam.gserviceaccount.com' --role 'roles/owner'

Step 2: Download and Edit the Terraform Variables File

Before you can run Terraform commands to create infrastructure resources, you must fill out a template variables file.

  1. Navigate to the runtime release on Pivotal Network. For more information about the runtimes you can deploy for PCF, see Installing Runtimes.

  2. Select Pivotal Application Service. The Pivotal Application Service page opens.

  3. Download the GCP Terraform zip file.

  4. Extract the contents of the zip file and move the folder to the workspace directory on your local machine.

  5. From a terminal window, navigate to the folder:

    $ cd ~/workspace/TERRAFORMING-GCP-FOLDER

  6. Create a new file named terraform.tfvars:

    $ touch terraform.tfvars

  7. Open the terraform.tfvars file and paste in the following contents:

    Note: Ensure that you insert a new line at the end of the file.

    env_name         = "YOUR-ENVIRONMENT-NAME"
    opsman_image_url = "YOUR-OPS-MAN-IMAGE-URL"
    region           = "YOUR-GCP-REGION"
    zones            = ["YOUR-AZ-1", "YOUR-AZ-2", "YOUR-AZ-3"]
    project          = "YOUR-GCP-PROJECT"
    dns_suffix       = "YOUR-DNS-SUFFIX"
    
    ssl_cert = <<SSL_CERT
    -----BEGIN CERTIFICATE-----
    YOUR-CERTIFICATE
    -----END CERTIFICATE-----
    SSL_CERT
    
    ssl_private_key = <<SSL_KEY
    -----BEGIN EXAMPLE RSA PRIVATE KEY-----
    YOUR-PRIVATE-KEY
    -----END EXAMPLE RSA PRIVATE KEY-----
    SSL_KEY
    
    service_account_key = <<SERVICE_ACCOUNT_KEY
    YOUR-KEY-JSON
    SERVICE_ACCOUNT_KEY
    
    
  8. Edit the values in the file according to the table below:

    Value to replace Guidance
    YOUR-ENVIRONMENT-NAME Enter a name to use to identify resources in GCP. Terraform prepends the names of the resources it creates with this environment name. Example: pcf.
    YOUR-OPS-MAN-IMAGE-URL Enter the source URL of the Ops Manager image you want to boot. You can find this URL in the PDF included with the Ops Manager release on Pivotal Network.
    YOUR-GCP-REGION Enter the name of the GCP region in which you want Terraform to create resources. Example: us-central1.
    YOUR-AZ-1
    YOUR-AZ-2
    YOUR-AZ-3
    Enter three availability zones from your region. Example: us-central1-a, us-central1-b, us-central1-c.
    YOUR-GCP-PROJECT Enter the name of the GCP project in which you want Terraform to create resources.
    YOUR-DNS-SUFFIX Enter a domain name to use as part of the system domain for your PCF deployment. Terraform creates DNS records in GCP using YOUR-ENVIRONMENT-NAME and YOUR-DNS-SUFFIX. For example, if you enter example.com for your DNS suffix and have pcf as your environment name, Terraform creates DNS records at pcf.example.com.
    YOUR-CERTIFICATE Enter a certificate to use for HTTP load balancing. For production environments, use a certificate from a Certificate Authority (CA). For test environments, you can use a self-signed certificate.

    Your certificate must specify your system domain as the common name. Your system domain is YOUR-ENVIRONMENT-NAME.YOUR-DNS-SUFFIX.

    It also must include the following subdomains: *.sys.YOUR-SYSTEM-DOMAIN, *.login.sys.YOUR-SYSTEM-DOMAIN, *.uaa.sys.YOUR-SYSTEM-DOMAIN, *.apps.YOUR-SYSTEM-DOMAIN.

    YOUR-PRIVATE-KEY Enter a private key for the certificate you entered.
    YOUR-KEY-JSON Enter the contents of your service account key file. This file is in JSON format.

Step 3: Add Optional Variables

Complete this step if you want to do any of the following:

  • Change the default CIDR ranges
  • Deploy the Isolation Segment tile
  • Use an external Google Cloud SQL database
  • Use external Google Storage buckets
  • Disable generated GCP service account key for blobstore

In your terraform.tfvars file, specify the appropriate variables from the sections below.

Note: You can see the configurable options by opening the variables.tf file and looking for variables with default values.

CIDR Ranges for Subnets

If you want to change the CIDR ranges for the management, your runtime, or services networks that Terraform creates, add the following variables to your terraform.tfvars file, replacing YOUR-MANAGEMENT-CIDR, YOUR-RUNTIME-CIDR and YOUR-SERVICES-CIDR with your desired values.

management_cidr = YOUR-MANAGEMENT-CIDR
pas_cidr = YOUR-RUNTIME-CIDR
services_cidr = YOUR-SERVICES-CIDR

Isolation Segments

If you plan to deploy the Isolation Segment tile, add the following variables to your terraform.tfvars file, replacing YOUR-CERTIFICATE and YOUR-PRIVATE-KEY with a certificate and private key. This causes Terraform to create an additional HTTP load balancer across three availability zones to use for the Isolation Segment tile.

isolation_segment = true
iso_seg_ssl_cert = <<ISO_SEG_SSL_CERT
-----BEGIN CERTIFICATE-----
YOUR-CERTIFICATE
-----END CERTIFICATE-----
ISO_SEG_SSL_CERT
iso_seg_ssl_cert_private_key = <<ISO_SEG_SSL_KEY
-----BEGIN EXAMPLE RSA PRIVATE KEY-----
YOUR-PRIVATE-KEY
-----END EXAMPLE RSA PRIVATE KEY-----
ISO_SEG_SSL_KEY

External Database

  1. If you want to use an external Google Cloud SQL database for Ops Manager and Pivotal Application Service (PAS), add the following to your terraform.tfvars file:

    external_database = true
    
  2. If you want to specify a single host from which users can connect to the Ops Manager and runtime database, add the following variables to your terraform.tfvars file. Replace HOST_IP_ADDRESS with your desired IP addresses.

    opsman_sql_db_host = HOST_IP_ADDRESS
    pas_sql_db_host = HOST_IP_ADDRESS
    

External Storage Buckets

If you want to use Google Cloud Storage buckets for the PAS Cloud Controller, add the following to your terraform.tfvars file:

create_gcs_buckets = true

GCP Service Account Key for Blobstore

If you want to provide your own service account for blob storage instead of using a generated service account, add the following to your terraform.tfvars file:

create_blobstore_service_account_key = false

Step 4: Create GCP Resources with Terraform

Follow these steps to use the Terraform CLI to create resources on GCP:

  1. From the directory that contains the Terraform files, run the following command to initialize the directory based on the information you specified in the terraform.tfvars file.

    $ terraform init

  2. Run the following command to create the execution plan for Terraform.

    $ terraform plan -out=plan

  3. Run the following command to execute the plan from the previous step. It may take several minutes for Terraform to create all the resources in GCP.

    $ terraform apply plan

Step 5: Create DNS Record

  1. In a browser, navigate to the DNS provider for the DNS suffix you entered in your terraform.tfvars file.

  2. Create a new NS (Name server) record for your PCF system domain. Your system domain is YOUR-ENVIRONMENT-NAME.YOUR-DNS-SUFFIX.

    1. In this record, enter the name servers included in env_dns_zone_name_servers from your Terraform output.

What to Do Next

Proceed to the next step in the deployment, Configuring BOSH Director on GCP (Terraform).

Create a pull request or raise an issue on the source for this page in GitHub