summaryrefslogtreecommitdiff
path: root/docs/automation/terraform/terraformGoogle.rst
diff options
context:
space:
mode:
authormkorobeinikov <92354771+mkorobeinikov@users.noreply.github.com>2024-03-25 07:05:19 +0300
committermkorobeinikov <92354771+mkorobeinikov@users.noreply.github.com>2024-03-29 07:56:22 +0300
commitde3a50c9669e8881de124fc77223c303049e3e06 (patch)
tree00daf6dfe6c3e606a11a12332aa60b32ef7e3b46 /docs/automation/terraform/terraformGoogle.rst
parent0d38de0e6f1d4c339cd25ea5346fcf87bbb3c5a7 (diff)
downloadvyos-documentation-de3a50c9669e8881de124fc77223c303049e3e06.tar.gz
vyos-documentation-de3a50c9669e8881de124fc77223c303049e3e06.zip
Article about terraform and google.
How to deploy the Google Cloud instance using Terraform and Ansible for the latest version.
Diffstat (limited to 'docs/automation/terraform/terraformGoogle.rst')
-rw-r--r--docs/automation/terraform/terraformGoogle.rst708
1 files changed, 708 insertions, 0 deletions
diff --git a/docs/automation/terraform/terraformGoogle.rst b/docs/automation/terraform/terraformGoogle.rst
index e69de29b..7cdd1211 100644
--- a/docs/automation/terraform/terraformGoogle.rst
+++ b/docs/automation/terraform/terraformGoogle.rst
@@ -0,0 +1,708 @@
+:lastproofread: 2024-03-25
+
+.. _terraformgoogle:
+
+Deploying VyOS in the google cloud
+==================================
+
+With the help of Terraform, you can quickly deploy VyOS-based infrastructure in the google cloud. If necessary, the infrastructure can be removed using terraform.
+Also we will make provisioning using Ansible.
+
+In this case, we'll create the necessary files for Terraform and Ansible next using Terraform we'll create a single instance on the google cloud and make provisioning using Ansible.
+
+Preparation steps for deploying VyOS on google
+----------------------------------------------
+
+How to create a single instance and install your configuration using Terraform+Ansible+google
+Step by step:
+
+google cloud
+
+
+ 1 Create an account with google cloud and a new project
+
+.. image:: /_static/images/project.png
+ :width: 50%
+ :align: center
+ :alt: Network Topology Diagram
+
+ 2 Create a service aacount and download your key (.JSON)
+
+.. image:: /_static/images/service.png
+ :width: 50%
+ :align: center
+ :alt: Network Topology Diagram
+
+.. image:: /_static/images/key.png
+ :width: 50%
+ :align: center
+ :alt: Network Topology Diagram
+
+The .JSON file download automaticly after creating and will look like:
+
+.. image:: /_static/images/json.png
+ :width: 50%
+ :align: center
+ :alt: Network Topology Diagram
+
+
+Terraform
+
+
+ 1 Create an UNIX or Windows instance
+
+ 2 Download and install Terraform
+
+ 3 Create the folder for example /root/google
+
+.. code-block:: none
+
+ mkdir /root/google
+
+ 4 Copy all files into your Terraform project "/root/google" (vyos.tf, var.tf, terraform.tfvars, .JSON), more detailed see `Structure of files Terrafom for google cloud`_
+
+ 5 Type the commands :
+
+
+.. code-block:: none
+
+ cd /<your folder>
+ terraform init
+
+
+Ansible
+
+
+ 1 Create an UNIX instance whenever you want (local, cloud, and so on)
+
+ 2 Download and install Ansible
+
+ 3 Create the folder for example /root/google/
+
+ 4 Copy all files into your Ansible project "/root/google/" (ansible.cfg, instance.yml, mykey.json and "all"), more detailed see `Structure of files Ansible for google cloud`_
+
+mykey.json you have to get using step 2 of the google cloud
+
+
+Start
+
+
+Type the commands on your Terrafom instance:
+
+.. code-block:: none
+
+ cd /<your folder>
+ terraform plan
+ terraform apply
+ yes
+
+
+Start creating a google cloud instance and check the result
+-----------------------------------------------------------
+
+.. code-block:: none
+
+ # terraform apply
+
+ Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ + create
+
+ Terraform will perform the following actions:
+
+ # google_compute_firewall.tcp_22[0] will be created
+ + resource "google_compute_firewall" "tcp_22" {
+ + creation_timestamp = (known after apply)
+ + destination_ranges = (known after apply)
+ + direction = (known after apply)
+ + enable_logging = (known after apply)
+ + id = (known after apply)
+ + name = "vyos-tcp-22"
+ + network = "default"
+ + priority = 1000
+ + project = "vyosproject"
+ + self_link = (known after apply)
+ + source_ranges = [
+ + "0.0.0.0/0",
+ ]
+ + target_tags = [
+ + "vyos-deployment",
+ ]
+
+ + allow {
+ + ports = [
+ + "22",
+ ]
+ + protocol = "tcp"
+ }
+ }
+
+ # google_compute_firewall.udp_500_4500[0] will be created
+ + resource "google_compute_firewall" "udp_500_4500" {
+ + creation_timestamp = (known after apply)
+ + destination_ranges = (known after apply)
+ + direction = (known after apply)
+ + enable_logging = (known after apply)
+ + id = (known after apply)
+ + name = "vyos-udp-500-4500"
+ + network = "default"
+ + priority = 1000
+ + project = "vyosproject"
+ + self_link = (known after apply)
+ + source_ranges = [
+ + "0.0.0.0/0",
+ ]
+ + target_tags = [
+ + "vyos-deployment",
+ ]
+
+ + allow {
+ + ports = [
+ + "500",
+ + "4500",
+ ]
+ + protocol = "udp"
+ }
+ }
+
+ # google_compute_instance.default will be created
+ + resource "google_compute_instance" "default" {
+ + can_ip_forward = true
+ + cpu_platform = (known after apply)
+ + current_status = (known after apply)
+ + deletion_protection = false
+ + effective_labels = (known after apply)
+ + guest_accelerator = (known after apply)
+ + id = (known after apply)
+ + instance_id = (known after apply)
+ + label_fingerprint = (known after apply)
+ + machine_type = "n2-highcpu-4"
+ + metadata = {
+ + "enable-oslogin" = "FALSE"
+ + "serial-port-enable" = "TRUE"
+ + "user-data" = ""
+ }
+ + metadata_fingerprint = (known after apply)
+ + min_cpu_platform = (known after apply)
+ + name = "vyos"
+ + project = "vyosproject"
+ + self_link = (known after apply)
+ + tags_fingerprint = (known after apply)
+ + terraform_labels = (known after apply)
+ + zone = "us-west1-a"
+
+ + boot_disk {
+ + auto_delete = true
+ + device_name = (known after apply)
+ + disk_encryption_key_sha256 = (known after apply)
+ + kms_key_self_link = (known after apply)
+ + mode = "READ_WRITE"
+ + source = (known after apply)
+
+ + initialize_params {
+ + image = "projects/sentrium-public/global/images/vyos-1-3-5-20231222143039"
+ + labels = (known after apply)
+ + provisioned_iops = (known after apply)
+ + provisioned_throughput = (known after apply)
+ + size = (known after apply)
+ + type = (known after apply)
+ }
+ }
+
+ + network_interface {
+ + internal_ipv6_prefix_length = (known after apply)
+ + ipv6_access_type = (known after apply)
+ + ipv6_address = (known after apply)
+ + name = (known after apply)
+ + network = "default"
+ + network_ip = (known after apply)
+ + nic_type = "GVNIC"
+ + stack_type = (known after apply)
+ + subnetwork = "default"
+ + subnetwork_project = (known after apply)
+
+ + access_config {
+ + nat_ip = (known after apply)
+ + network_tier = (known after apply)
+ }
+ }
+ }
+
+ # local_file.ip will be created
+ + resource "local_file" "ip" {
+ + content = (known after apply)
+ + content_base64sha256 = (known after apply)
+ + content_base64sha512 = (known after apply)
+ + content_md5 = (known after apply)
+ + content_sha1 = (known after apply)
+ + content_sha256 = (known after apply)
+ + content_sha512 = (known after apply)
+ + directory_permission = "0777"
+ + file_permission = "0777"
+ + filename = "ip.txt"
+ + id = (known after apply)
+ }
+
+ # null_resource.SSHconnection1 will be created
+ + resource "null_resource" "SSHconnection1" {
+ + id = (known after apply)
+ }
+
+ # null_resource.SSHconnection2 will be created
+ + resource "null_resource" "SSHconnection2" {
+ + id = (known after apply)
+ }
+
+ Plan: 6 to add, 0 to change, 0 to destroy.
+
+ Changes to Outputs:
+ + public_ip_address = (known after apply)
+ ╷
+ │ Warning: Quoted references are deprecated
+ │
+ │ on vyos.tf line 126, in resource "null_resource" "SSHconnection1":
+ │ 126: depends_on = ["google_compute_instance.default"]
+ │
+ │ In this context, references are expected literally rather than in quotes. Terraform 0.11 and earlier required quotes, but quoted references are now deprecated and will be removed in a
+ │ future version of Terraform. Remove the quotes surrounding this reference to silence this warning.
+ │
+ │ (and one more similar warning elsewhere)
+ ╵
+
+ Do you want to perform these actions?
+ Terraform will perform the actions described above.
+ Only 'yes' will be accepted to approve.
+
+ Enter a value: yes
+
+ google_compute_firewall.udp_500_4500[0]: Creating...
+ google_compute_firewall.tcp_22[0]: Creating...
+ google_compute_instance.default: Creating...
+ google_compute_firewall.udp_500_4500[0]: Still creating... [10s elapsed]
+ google_compute_firewall.tcp_22[0]: Still creating... [10s elapsed]
+ google_compute_instance.default: Still creating... [10s elapsed]
+ google_compute_firewall.tcp_22[0]: Creation complete after 16s [id=projects/vyosproject/global/firewalls/vyos-tcp-22]
+ google_compute_firewall.udp_500_4500[0]: Creation complete after 16s [id=projects/vyosproject/global/firewalls/vyos-udp-500-4500]
+ google_compute_instance.default: Creation complete after 20s [id=projects/vyosproject/zones/us-west1-a/instances/vyos]
+ null_resource.SSHconnection1: Creating...
+ null_resource.SSHconnection2: Creating...
+ null_resource.SSHconnection1: Provisioning with 'file'...
+ null_resource.SSHconnection2: Provisioning with 'remote-exec'...
+ null_resource.SSHconnection2 (remote-exec): Connecting to remote host via SSH...
+ null_resource.SSHconnection2 (remote-exec): Host: 10.***.***.104
+ null_resource.SSHconnection2 (remote-exec): User: root
+ null_resource.SSHconnection2 (remote-exec): Password: true
+ null_resource.SSHconnection2 (remote-exec): Private key: false
+ null_resource.SSHconnection2 (remote-exec): Certificate: false
+ null_resource.SSHconnection2 (remote-exec): SSH Agent: false
+ null_resource.SSHconnection2 (remote-exec): Checking Host Key: false
+ null_resource.SSHconnection2 (remote-exec): Target Platform: unix
+ local_file.ip: Creating...
+ local_file.ip: Creation complete after 0s [id=7d568c3b994a018c942a3cdb952ccbf3c729d0ca]
+ null_resource.SSHconnection2 (remote-exec): Connected!
+ null_resource.SSHconnection1: Creation complete after 4s [id=5175298735911137161]
+
+ null_resource.SSHconnection2 (remote-exec): PLAY [integration of terraform and ansible] ************************************
+
+ null_resource.SSHconnection2 (remote-exec): TASK [Wait 300 seconds, but only start checking after 60 seconds] **************
+ null_resource.SSHconnection2: Still creating... [10s elapsed]
+ null_resource.SSHconnection2: Still creating... [20s elapsed]
+ null_resource.SSHconnection2: Still creating... [30s elapsed]
+ null_resource.SSHconnection2: Still creating... [40s elapsed]
+ null_resource.SSHconnection2: Still creating... [50s elapsed]
+ null_resource.SSHconnection2: Still creating... [1m0s elapsed]
+ null_resource.SSHconnection2: Still creating... [1m10s elapsed]
+ null_resource.SSHconnection2 (remote-exec): ok: [104.***.***.158]
+
+ null_resource.SSHconnection2 (remote-exec): TASK [Configure general settings for the vyos hosts group] *********************
+ null_resource.SSHconnection2: Still creating... [1m20s elapsed]
+ null_resource.SSHconnection2 (remote-exec): changed: [104.***.***.158]
+
+ null_resource.SSHconnection2 (remote-exec): PLAY RECAP *********************************************************************
+ null_resource.SSHconnection2 (remote-exec): 104.***.***.158 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
+
+ null_resource.SSHconnection2: Creation complete after 1m22s [id=3355727070503709742]
+
+ Apply complete! Resources: 6 added, 0 changed, 0 destroyed.
+
+ Outputs:
+
+ public_ip_address = "104.***.***.158"
+
+
+
+After executing all the commands you will have your VyOS instance on the google cloud with your configuration, it's a very convenient desition.
+If you need to delete the instance please type the command:
+
+.. code-block:: none
+
+ terraform destroy
+
+
+Troubleshooting
+---------------
+
+ 1 Increase the time in the file instance.yml from 300 sec to 500 sec or more. (It depends on your location).
+Make sure that you have opened access to the instance in the security group.
+
+ 2 Terraform doesn't connect via SSH to your Ansible instance: you have to check the correct login and password in the part of the file VyOS.tf
+
+.. code-block:: none
+
+ connection {
+ type = "ssh"
+ user = "root" # open root access using login and password on your Ansible
+ password = var.password # check password in the file terraform.tfvars isn't empty
+ host = var.host # check the correct IP address of your Ansible host
+ }
+
+
+Make sure that Ansible is pinging from Terrafom.
+
+Structure of files Terrafom for google cloud
+--------------------------------------------
+
+.. code-block:: none
+
+ .
+ ├── vyos.tf # The main script
+ ├── ***.JSON # The credential file from google cloud
+ ├── var.tf # The file of all variables in "vyos.tf"
+ └── terraform.tfvars # The value of all variables (passwords, login, ip adresses and so on)
+
+
+
+File contents of Terrafom for google cloud
+------------------------------------------
+
+vyos.tf
+
+.. code-block:: none
+
+
+ ##############################################################################
+ # Build an VyOS VM from the Marketplace
+ #
+ # After deploying the GCP instance and getting an IP address, the IP address is copied into the file
+ #"ip.txt" and copied to the Ansible node for provisioning.
+ ##############################################################################
+
+ terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+ }
+
+ provider "google" {
+ project = var.project_id
+ request_timeout = "60s"
+ credentials = file(var.gcp_auth_file)
+ }
+
+ locals {
+ network_interfaces = [for i, n in var.networks : {
+ network = n,
+ subnetwork = length(var.sub_networks) > i ? element(var.sub_networks, i) : null
+ external_ip = length(var.external_ips) > i ? element(var.external_ips, i) : "NONE"
+ }
+ ]
+ }
+
+ resource "google_compute_instance" "default" {
+ name = var.goog_cm_deployment_name
+ machine_type = var.machine_type
+ zone = var.zone
+
+ metadata = {
+ enable-oslogin = "FALSE"
+ serial-port-enable = "TRUE"
+ user-data = var.vyos_user_data
+ }
+ boot_disk {
+ initialize_params {
+ image = var.image
+ }
+ }
+
+ can_ip_forward = true
+
+ dynamic "network_interface" {
+ for_each = local.network_interfaces
+ content {
+ network = network_interface.value.network
+ subnetwork = network_interface.value.subnetwork
+ nic_type = "GVNIC"
+ dynamic "access_config" {
+ for_each = network_interface.value.external_ip == "NONE" ? [] : [1]
+ content {
+ nat_ip = network_interface.value.external_ip == "EPHEMERAL" ? null : network_interface.value.external_ip
+ }
+ }
+ }
+ }
+ }
+
+ resource "google_compute_firewall" "tcp_22" {
+ count = var.enable_tcp_22 ? 1 : 0
+
+ name = "${var.goog_cm_deployment_name}-tcp-22"
+ network = element(var.networks, 0)
+
+ allow {
+ ports = ["22"]
+ protocol = "tcp"
+ }
+
+ source_ranges = ["0.0.0.0/0"]
+
+ target_tags = ["${var.goog_cm_deployment_name}-deployment"]
+ }
+
+ resource "google_compute_firewall" "udp_500_4500" {
+ count = var.enable_udp_500_4500 ? 1 : 0
+
+ name = "${var.goog_cm_deployment_name}-udp-500-4500"
+ network = element(var.networks, 0)
+
+ allow {
+ ports = ["500", "4500"]
+ protocol = "udp"
+ }
+
+ source_ranges = ["0.0.0.0/0"]
+
+ target_tags = ["${var.goog_cm_deployment_name}-deployment"]
+ }
+
+ output "public_ip_address" {
+ value = google_compute_instance.default.network_interface[0].access_config[0].nat_ip
+ }
+
+ ##############################################################################
+ #
+ # IP of google instance copied to a file ip.txt in local system Terraform
+ # ip.txt looks like:
+ # cat ./ip.txt
+ # ххх.ххх.ххх.ххх
+ ##############################################################################
+
+ resource "local_file" "ip" {
+ content = google_compute_instance.default.network_interface[0].access_config[0].nat_ip
+ filename = "ip.txt"
+ }
+
+ #connecting to the Ansible control node using SSH connection
+
+ ##############################################################################
+ # Steps "SSHconnection1" and "SSHconnection2" need to get file ip.txt from the terraform node and start remotely the playbook of Ansible.
+ ##############################################################################
+
+ resource "null_resource" "SSHconnection1" {
+ depends_on = ["google_compute_instance.default"]
+ connection {
+ type = "ssh"
+ user = "root"
+ password = var.password
+ host = var.host
+ }
+
+ #copying the ip.txt file to the Ansible control node from local system
+
+ provisioner "file" {
+ source = "ip.txt"
+ destination = "/root/google/ip.txt" # The folder of your Ansible project
+ }
+ }
+
+ resource "null_resource" "SSHconnection2" {
+ depends_on = ["google_compute_instance.default"]
+ connection {
+ type = "ssh"
+ user = "root"
+ password = var.password
+ host = var.host
+ }
+
+ #command to run Ansible playbook on remote Linux OS
+
+ provisioner "remote-exec" {
+ inline = [
+ "cd /root/google/",
+ "ansible-playbook instance.yml" # more detailed in "File contents of Ansible for google cloud"
+ ]
+ }
+ }
+
+
+var.tf
+
+.. code-block:: none
+
+ variable "image" {
+ type = string
+ default = "projects/sentrium-public/global/images/vyos-1-3-5-20231222143039"
+ }
+
+ variable "project_id" {
+ type = string
+ }
+
+ variable "zone" {
+ type = string
+ }
+
+ ##############################################################################
+ # You can choose more chipper type than n2-highcpu-4
+ ##############################################################################
+
+ variable "machine_type" {
+ type = string
+ default = "n2-highcpu-4"
+ }
+
+ variable "networks" {
+ description = "The network name to attach the VM instance."
+ type = list(string)
+ default = ["default"]
+ }
+
+ variable "sub_networks" {
+ description = "The sub network name to attach the VM instance."
+ type = list(string)
+ default = ["default"]
+ }
+
+ variable "external_ips" {
+ description = "The external IPs assigned to the VM for public access."
+ type = list(string)
+ default = ["EPHEMERAL"]
+ }
+
+ variable "enable_tcp_22" {
+ description = "Allow SSH traffic from the Internet"
+ type = bool
+ default = true
+ }
+
+ variable "enable_udp_500_4500" {
+ description = "Allow IKE/IPSec traffic from the Internet"
+ type = bool
+ default = true
+ }
+
+ variable "vyos_user_data" {
+ type = string
+ default = ""
+ }
+
+ // Marketplace requires this variable name to be declared
+ variable "goog_cm_deployment_name" {
+ description = "VyOS Universal Router Deployment"
+ type = string
+ default = "vyos"
+ }
+
+ # GCP authentication file
+ variable "gcp_auth_file" {
+ type = string
+ description = "GCP authentication file"
+ }
+
+ variable "password" {
+ description = "pass for Ansible"
+ type = string
+ sensitive = true
+ }
+ variable "host"{
+ description = "The IP of my Ansible"
+ type = string
+ }
+
+
+terraform.tfvars
+
+.. code-block:: none
+
+ ##############################################################################
+ # Must be filled in
+ ##############################################################################
+
+ zone = "us-west1-a"
+ gcp_auth_file = "/root/***/***.json" # path of your .json file
+ project_id = "" # the google project
+ password = "" # password for Ansible SSH
+ host = "" # IP of my Ansible
+
+
+Structure of files Ansible for google cloud
+-------------------------------------------
+
+.. code-block:: none
+
+ .
+ ├── group_vars
+ └── all
+ ├── ansible.cfg
+ └── instance.yml
+
+
+File contents of Ansible for google cloud
+-----------------------------------------
+
+ansible.cfg
+
+.. code-block:: none
+
+ [defaults]
+ inventory = /root/google/ip.txt
+ host_key_checking= False
+ remote_user=vyos
+
+instance.yml
+
+.. code-block:: none
+
+ ##############################################################################
+ # About tasks:
+ # "Wait 300 seconds, but only start checking after 60 seconds" - try to make ssh connection every 60 seconds until 300 seconds
+ # "Configure general settings for the VyOS hosts group" - make provisioning into google cloud VyOS node
+ # You have to add all necessary cammans of VyOS under the block "lines:"
+ ##############################################################################
+
+
+ - name: integration of terraform and ansible
+ hosts: all
+ gather_facts: 'no'
+
+ tasks:
+
+ - name: "Wait 300 seconds, but only start checking after 60 seconds"
+ wait_for_connection:
+ delay: 60
+ timeout: 300
+
+ - name: "Configure general settings for the VyOS hosts group"
+ vyos_config:
+ lines:
+ - set system name-server xxx.xxx.xxx.xxx
+ save:
+ true
+
+
+group_vars/all
+
+.. code-block:: none
+
+ ansible_connection: ansible.netcommon.network_cli
+ ansible_network_os: vyos.vyos.vyos
+ ansible_user: vyos
+ ansible_ssh_pass: vyos
+
+Sourse files for google cloud from GIT
+--------------------------------------
+
+All files about the article can be found here_
+
+
+.. _here: https://github.com/vyos/vyos-automation/tree/main/TerraformCloud/Google_terraform_ansible_single_vyos_instance-main \ No newline at end of file