Hello,

This repo creates a service account which Toolsmiths do not use. We think it could be better to have a flag that will cause it to not create the service account.

This affects us because teams will often not provision their JSON Keys with the proper permissions and our concourse pipeline will fail when terraform tries to create the SA.

Do you think the right thing to do is make the creation of the service account optional?

Thanks,
Mike J
PM@Toolsmiths

If I want to deploy 2 environments into a single project, I run into a permissions issue.

Steps to reproduce:

1. terraform apply environment A
2. confirm that the service account for environment A has the following IAM permissions:

• Compute Instance Admin
• Compute Network Admin
• Compute Storage Admin
• Service Account Actor
• Storage Admin

3. terraform apply environment B
4. confirm that the service account for environment B has the same IAM permissions listed above
5. confirm that the service account for environment A has now lost all IAM permissions

Pivotal docs has examples with 192.168...
You are using 10.0...
I think it would be best to sync (may be change the docs?)
https://docs.pivotal.io/pivotalcf/2-0/customizing/gcp-om-config-terraform.html#network

Good day,

When using project ID of "fe-phopper" hit an error during terraform apply.

* google_compute_address.cf-ssh: Error creating address: googleapi: Error 404: Failed to find project fe-hopper, notFound
* google_compute_http_health_check.cf-tcp: 1 error(s) occurred:

* google_compute_http_health_check.cf-tcp: Error creating HttpHealthCheck: googleapi: Error 404: Failed to find project fe-hopper, notFound
* google_compute_address.cf-tcp: 1 error(s) occurred:

* google_compute_address.cf-tcp: Error creating address: googleapi: Error 404: Failed to find project fe-hopper, notFound
* google_storage_bucket.droplets: 1 error(s) occurred:

* google_storage_bucket.droplets: googleapi: Error 400: Unknown project id: fe-hopper, invalid```

changed to use the project number instead and terraform was able to continue.

```$
gcloud projects list | grep hopper   
fe-phopper                      FE-phopper                      1000717738221

I deployed Pivotal PAS Small Footprint Elastic Runtime using previously the ofitial terraform templates, my question is how can I ssh to Terraform?

From my Personal PC the 22 port is closed.
From OPs Manager the port 22 is open, I tryed use the vcap with the password from credentials, but the vcap ssh is unactive, so I supouse need the private Key to access, but where is this private Key?, terraform output variables created for me?

Regards

The Toolsmiths have seen an issue with about 2% (2 out of 100) of our deploys related to network flakes on GCP. The terraform commands run on a GCP Concourse worker, so we're in the same region.

We issue a command to create an object, then we get 'read: connection reset by peer'. Terraform fails, and then we do a terraform refresh before we try again. The subsequent terraform does not work, as there's a collision in names with the object that already exists. I can provide the full logs for the most recent occurrence.

Currently, we've found that doing a terraform destroy, and then a terraform apply will correctly delete & recreate the objects. We're planning to automate this in our app, with retries in the concourse pipeline, but it would be great if this functionality could get pushed into this repo so that everyone could get higher success rates on terraforming, even with IaaS instability.

Hi Infrastructure team! We currently have all our VMs in GCP assigned public IPs so they can talk out to the internet. It seems like a production environment would be more likely to setup a few NAT boxes to allow VMs without a public IP to talk out to the internet. Looks like terraforming-aws already follows this pattern. What are your thoughts on updating all the terraforming-* repos to use NAT boxes?

Hello,

Is there a timeline for when the next release will be cut? Toolsmiths have been waiting to use our PR #26 , and we've just had another deploy failure because of left-over storage buckets.

Thanks!
Mike J

Hi! We (platform-automation) are using terraforming-* to pave our infrastructure to test our automation tooling. In particular, our tooling manages the Ops Manager VM itself.

We'd like to make creating the main Ops Manager instance optional across all the terraforming-* repos. We're bringing it up here because currently, we are using override.tf to disable the creating of the VM. As of the latest release, we can't do that anymore, because the OpsMan instance is in a module now. (We appreciate the irony that it was merging our PR that created this problem.) It would be nice if we can just set a value in the vars.tf to disable it.

An implementation note: we still need all the other variables associated with the Ops Man VM to be created - for instance, IPs. This means that they'll need to be structured such that the OM instance depends on them, rather than the other way around.

We use a fork version of terraforming-gcp (lastest sync commit 0006580) that we make it only provisions one subnet instead of two. But the following error can be observed from both versions in opsman 1.8.7 & 1.8.10.

Started deploying
  Creating VM for instance 'bosh/0' from stemcell 'stemcell-ff1cd894-fdd9-4b3e-65b9-b3e0ca49185f'... Finished (00:00:51)
  Waiting for the agent on VM 'vm-9fc2e314-79bc-4f86-5c52-cbd250f0cf2d' to be ready... Failed (00:10:09)
Failed deploying (00:11:01)

Stopping registry... Finished (00:00:00)
Cleaning up rendered CPI jobs... Finished (00:00:00)

Command 'deploy' failed:
  Deploying:
    Creating instance 'bosh/0':
      Waiting until instance is ready:
        Sending ping to the agent:
          Performing request to agent endpoint 'https://vcap:KY******@10.0.0.10:6868/agent':
            Performing POST request:
              Post https://vcap:KY******@10.0.0.10:6868/agent: dial tcp 10.0.0.10:6868: i/o timeout
===== 2016-11-19 02:24:53 UTC Finished "bosh-init deploy /var/tempest/workspaces/default/deployments/bosh.yml"; Duration: 778s; Exit Status: 1
Exited with 1.

It turns out that one firewall rule '$env-cf-internal' whose 'target tags' is set to '$env-vms' so in opsman config the 'Default Deployment Tag' has to match that value (default is 'pcf-vms').

The actual variables offered to configure Cloud SQL for the ERT or OpsMan do not match those described in the README variables section here.

Instead of adding egress rules for Google APIs - we should just setup private google access on the required subnets. This is more secure for an internetless type setup.

v0.14.0
storage.tf does not have 'location' so buckets ends up in US
It should be configurable to EU or Asia
https://www.terraform.io/docs/providers/google/r/storage_bucket.html

after I run pks get-credentials

kubectl get all
Unable to connect to the server: x509: certificate is valid for 10.100.200.1, not my-cluster

pks version: 1.0.0 and 1.0.1
internal cluster ip: 10.0.0.11
external cluster ip: 35.197.22.74

Operators can currently choose to stand up a second 'optional' Ops Manager instance:

https://github.com/pivotal-cf/terraforming-gcp/blob/eca95728e665c64703eb7c5806d41c6dbdc00f21/dns.tf#L18

On our team we've typically used this instance for testing upgrade scenarios:

1. An existing installation is exported from the older 'optional' ops manager instance
2. The installation is imported into the normal ops manager instance to test the upgrade

Because it better reflects our usage we'd prefer to rename the 'optional' instance to something like 'initial'.

However maybe other folks out there are using the optional Ops Manager for some other purpose in which case the name change may not make sense. Please leave a comment on this issue to share with us how you are using the optional opsman.

Thanks,

Andrew.

In order to configure Ops Man on GCP with om, it's necessary to use the service account name terraform creates for the OM VM. (In the GUI, this isn't necessary, as Ops Manager detects the service account itself, but that's a whole other issue.)

google_service_account.opsman_service_account should be an output - it means you don't have to provide an auth_json when configuring the director, which is one less secret getting passed around in files.

I have forked your repo and added what I needed for

• PKS network
• bastion machine
• terraforming the LB for an on demand K8 cluster after PKS creation

in this repo in this branch:
https://github.com/avasseur-pivotal/terraforming-gcp/tree/avasseur-pks

I am wondering if some of it could be merged

PKS versions tested: 1.0 and 1.0.1
PCF Ops Manager: v2.0-build.255

pks create-cluster k10-test-0 --external-hostname k10-test-0 --plan small

Name:                     k10-test-0
Plan Name:                small
UUID:                     1b9fd033-f131-4030-8312-f1219297d9a0
Last Action:              CREATE
Last Action State:        in progress
Last Action Description:  Creating cluster
Kubernetes Master Host:   k10-test-0
Kubernetes Master Port:   8443
Worker Instances:         3
Kubernetes Master IP(s):  In Progress

pks cluster k10-test-0

Name:                     k10-test-0
Plan Name:                small
UUID:                     1b9fd033-f131-4030-8312-f1219297d9a0
Last Action:              CREATE
Last Action State:        in progress
Last Action Description:  Instance provisioning in progress
Kubernetes Master Host:   k10-test-0
Kubernetes Master Port:   8443
Worker Instances:         3
Kubernetes Master IP(s):  In Progress

errors in logs:

[on-demand-service-broker] 2018/03/12 20:34:56.959979 Started GET /v2/service_instances/1b9fd033-f131-4030-8312-f1219297d9a0/last_operation
[on-demand-service-broker] [8eeabcb5-58d5-453d-857b-5bf8985ddb8c] 2018/03/12 20:34:56.960181 getting tasks for deployment service-instance_1b9fd033-f131-4030-8312-f1219297d9a0 with context cef2086d-1e65-43a9-8ba7-7f2e3bccd374 from bosh
[on-demand-service-broker] [8eeabcb5-58d5-453d-857b-5bf8985ddb8c] 2018/03/12 20:34:56.982214 BOSH task ID 175 status: error create deployment for instance 1b9fd033-f131-4030-8312-f1219297d9a0: Description: create deployment Result: 'worker/7e08bf8f-70bf-416d-b299-63ab8162eabf (0)' is not running after update. Review logs for failed jobs: kubelet
[on-demand-service-broker] 2018/03/12 20:34:56.982292 Comp

error from node kubelet.stderr.log

I0312 21:55:12.355029    3767 kubelet_node_status.go:82] Attempting to register node vm-665f6975-e5cb-4b97-7a66-2e623c405105
E0312 21:55:13.263950    3767 container_manager_linux.go:583] [ContainerManager]: Fail to get rootfs information unable to find data for container /
I0312 21:55:13.365268    3767 kubelet_node_status.go:85] Successfully registered node vm-665f6975-e5cb-4b97-7a66-2e623c405105

The recent commit did replace create_timeout by a timeout block, but this raises an error.

google_compute_instance.ops-manager: [ERR] Error decoding timeout: Timeout Key (create) is not supported

According to the documentation only create_timeout is supported:
https://www.terraform.io/docs/providers/google/r/compute_instance.html#create_timeout

I'm working on deploying with the internetless option to address a requirement of no internet access, but I noticed Ops manager and Bosh director are deployed with public IPs. Are there any plans to provide an option to remove public IPs from those servers too?

Would be good to have in the README/Release notes the version of terraform that the scripts were tested with, as terraform can (and will) introduce breaking changes that can be quite destructive.

For example, running v0.6.0 with terraform v0.8.5 wiped out all of our IAM configuration.

Right now secrets like private keys and passwords are printed to stdout in plain text when running terraform apply or via automation like the Concourse terraform-resource. To avoid this, Terraform allows you to mark certain output fields as sensitive to make sure they get redacted when printing debug info to stdout. Could y'all mark some of the outputs like ops_manager_ssh_private_key as sensitive to cut down on exposure of secrets?

referring Issue, already created by @genevievelesperance, with Terraform >1.11 and output of ip_address.0.ip_address of the google_sql_database_instance

hashicorp/terraform-provider-google#912

The recent change to output for the isolation segment triggers an error, if isolation_segment is set to false:

Error: Error running plan: 1 error(s) occurred:

* module.isolation_segment.output.domain: Resource 'google_dns_record_set.wildcard-iso-dns' not found for variable 'google_dns_record_set.wildcard-iso-dns.name'

https://github.com/pivotal-cf/terraforming-gcp/blob/4b9a560a3a44a4bd76b53a235472ef7759402f6e/isolation_segment/outputs.tf#L16

Successfully deployed the cluster and have everything up and running on GCP. I can get into Opsmanager fine, and I can target the bosh director fine, but I cannot seem to figure out how to ssh into the director itself. I can ping the instance, I can telnet to port 22. I have tried ubuntu, my login, root, vcap...nothing seems to work.

The RelInt team discovered issues with failed HTTP requests during a deploy when Target Pools were used. The current theory by Google engineers is that switching to Instance Groups instead will fix this issue. Looks like y'all have a story to make this change in bbl as well.

The Terraform docs only mention Target Pools as the valid target for forwarding rules. However the API docs seem to indicate that an Instance Group ID is a valid value for target.

Update a certificate for the GCP load balancer in place is not possible.
It is necessary to first create a new one before destroying the old one.

This is supported by google_compute_ssl_certificate by using a name_prefix and configure create_before_destroy

name = "${var.env_name}-lbcert" in router.tf should be replaced by name_prefix = "${var.env_name}-lbcert-"

Issue with Terraform and seeking support

Terraform.tfvars

env_name = "testing"
project = "project1"
region = "us-central1"
zones = ["us-central1-a", "us-central1-b", "us-central1-c"]
dns_suffix = "gcp.project1.cf-app.com"
opsman_image_url = "https://storage.googleapis.com/ops-manager-us/pcf-gcp-1.12.0.tar.gz"

buckets_location = "US"

ssl_cert = <<SSL_CERT
-----BEGIN CERTIFICATE-----
some cert
-----END CERTIFICATE-----
SSL_CERT

ssl_private_key = <<SSL_KEY
-----BEGIN RSA PRIVATE KEY-----
some cert private key
-----END RSA PRIVATE KEY-----
SSL_KEY

service_account_key = <<project1@alien-proton-194710
{
"type": "service_account",
"project_id": "alien-proton-194710",
"private_key_id": "another-gcp-private-key",
"private_key": "-----BEGIN PRIVATE KEY-----another gcp private key-----END PRIVATE KEY-----\n",
"client_email": "[email protected]",
"client_id": "109584552096969396216",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/project1%40alien-proton-194710.iam.gserviceaccount.com"
}
SERVICE_ACCOUNT_KEY

Error

invalid value "terraform.tfvars" for flag -var-file-default: Error parsing terraform.tfvars: At 24:9: illegal char
Usage: terraform apply [options] [DIR-OR-PLAN]

Unable to track down the error, Please help

The create timeout option is deprecated with this warning message when submitting apply.

Warning: google_compute_image.ops-manager-image: "create_timeout": [DEPRECATED] Use timeouts block instead. See https://www.terraform.io/docs/configuration/resources.html#timeouts.

Consistently get the following:

Error applying plan:

2 error(s) occurred:

• google_compute_instance_group.httplb.1: Error creating InstanceGroup: googleapi: Error 409: The resource 'projects/fe-jyi/zones/us-east1-d/instanceGroups/pcflab-httpslb-us-east1-d' already exists, alreadyExists
• google_compute_instance_group.httplb.2: Error creating InstanceGroup: googleapi: Error 409: The resource 'projects/fe-jyi/zones/us-east1-d/instanceGroups/pcflab-httpslb-us-east1-d' already exists, alreadyExists

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Followed the instructions from the README but still seemed to get this error. Even tried to eliminate parallelism. Running this on MacOSX.

The variable.tf defaults to a /24 for management
the Pivotal docs defaults to a /26
https://github.com/pivotal-cf/terraforming-gcp/blob/master/variables.tf#L21

Hi,

We noticed that you had updated the AWS templates to accept a user-provided SSL cert/key instead of generating a self-signed cert, but the variable for the private key doesn't match the one in this repo. It would be nice if there was a common interface for people consuming all of the templates so that they don't have to think about which IaaS they are working with and what the input variables are called.

Thanks!
@davewalter && @ljfranklin

rationale: many of the tiles these days require an on demand services subnet be specified. it'd be convenience if networks.tf automatically created it. thanks.

We aren't creating ERT databases for locket and silk.

We're setting up a testing pipeline to check that our deployments work in an internetless environment. This means all traffic going outside the 10.* network is denied. We can either create a terraform override file just for us, or if you thought this was generally useful we could PR to this repo as an optional input variable. WDYT?

I'd like to remove this bit of code from the external SQL:

authorized_networks = [ { name = "all" value = "0.0.0.0/0" }, ]

There are a few ways to do this. First is that we should create NAT instances for externally bound traffic. This implies other changes. Secondly we could wait until Cloud SQL can do internal IPs and fix it then. Opening this for discussion.

When we ran the terraforming scripts using the README, we ended up with

* google_project.opsman_service_account_project: Error applying IAM policy for project "<redacted>": googleapi: Error 403: The caller does not have permission, forbidden

We fixed it by enabling the App Engine Admin API, which the README does not reference as needing to be enabled.

I tried deploying today and this error I got after the latest commit.

Error: Error running plan: 1 error(s) occurred:

module.external_database.output.pas_sql_cert: Resource 'google_sql_database_instance.master' not found for variable 'google_sql_database_instance.master.server_ca_cert.0.cert'

The variable dns_suffix assumes the trailing dot is not included. If the dot is applied, say with the value example.com., the following error occurs:

Error: Error applying plan:
1 error(s) occurred:
* google_dns_managed_zone.env_dns_zone: 1 error(s) occurred:
* google_dns_managed_zone.env_dns_zone: Error creating DNS ManagedZone: googleapi: Error 400: Invalid value for 'entity.managedZone.dnsName': 'example.com..', invalid

Notice the ... I assumed that dns_suffix should be a true suffix to a FQDN.
Once I updated from example.com. to example.com, the plan worked.

Thoughts for potential solution:

1. The documentation should explicitly specify to not include the trailing dot (This makes the most sense to me)
2. Usage of the dns_suffix variable should check for the trailing dot

I am trying to understand how installation of PCF on GCP can be done by Terraforming-GCP. After going through available documentation. I understood it involves 4 steps,

1. Prepare GCP env,
2. Install Ops Manager,
3. Install Bosh Director,
4. Install Elastic Runtime

As far as i understand using these Terraform scripts we can automate(correct me if I am wrong),

1. Prepare GCP env
2. Install Ops Manager

So do we have any APIs(provided by Pivotal) for Elastic Runtime? To create any kind of automated scripts for Elastic Runtime installation.

I searched in Pivotal docs & couldn't find them. Any help is appreciated.

If execute terraform with the PKS=true it will create all prerequisites resources to deploye the runtime PKS exaplained in the ofitial link https://docs.pivotal.io/runtimes/pks/1-1/gcp-index.html ofitial link?

Regards

Hello,

The version file in the root of this repo appears to be very old. Can we delete it or keep it up to date with the release version?

Thanks!

We have input variables to specify the host(s) that can connect as the opsman and ert SQL users, but the root user is hard-coded to "%".

We should include a variable to allow the user to specify the host(s) to restrict the root user to. Also, it should NOT have a default so the user has to think before adopting an insecure configuration.

I've seen this error a couple of times which is resolved by rerunning apply with no issue.

Error: Error applying plan:
1 error(s) occurred:

• google_sql_user.pas: 1 error(s) occurred:
• google_sql_user.pas: Error reading SQL User "xxxxxxx" in instance "xxxx-xxxx": googleapi: Error 503: Service temporarily unavailable., serverException

It feels like the TCP LB's forwarding rule port range is too large (1024-65535). It also doesn't match the values for AWS or Azure. We should standardise this to 100 ports everywhere to keep things simple.

It seems this pipeline configures NSX-T tile v2.1.3.
There is tile v2.1.4 and v2.2 available on Pivotal Network. We found the new versions are not compatible with the tile.

Are there plans to modify the pipeline to support the new versions?

Toolsmiths have just upgraded NSX-T to 2.2, and are having a slightly different issue with the configuration, but we expect to fix this issue soon.

• The README shows zone and the variables template has zones
• The README shows service_account_key as a file path, the provider template expects the entire service account key JSON as a string.
• The README makes no mention of ssl_cert or ssl_cert_private_key even though these are required variables.

After the module refactor terraform is having issues calculating count across the modules, when running plan with this setting on, the following error occurs:

✔ ~/code/terraforming-gcp/terraforming-pas [doc-fixes L|…2]
19:59 $ terraform plan -out=plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.


------------------------------------------------------------------------

Error: Error running plan: 4 error(s) occurred:

* module.pas.random_id.pas_db_username: random_id.pas_db_username: value of 'count' cannot be computed
* module.ops_manager.random_id.opsman_db_password: random_id.opsman_db_password: value of 'count' cannot be computed
* module.pas.random_id.pas_db_password: random_id.pas_db_password: value of 'count' cannot be computed
* module.ops_manager.random_id.opsman_db_username: random_id.opsman_db_username: value of 'count' cannot be computed

Disabling this setting allows it to work.

v0.14.0
The management subnet has the default private ip google access to false

If you uncheck resource config to have the director NOT having public IP adress (a good idea for security ) then it cannot bosh upload stemcell anymore

ubuntu@gcp-ops-manager:~/alex$ bosh2 -e pcf upload-stemcell light-bosh-stemcell-3445.17-google-kvm-ubuntu-trusty-go_agent.tgz
Using environment 'https://10.0.2.10' as user 'director' (bosh.*.read, openid, bosh.*.admin, bosh.read, bosh.admin)

######################################################### 100.00% 166.27 KB/s 0s
Task 23

Task 23 | 22:20:39 | Update stemcell: Extracting stemcell archive (00:00:00)
Task 23 | 22:20:39 | Update stemcell: Verifying stemcell manifest (00:00:00)
Task 23 | 22:20:39 | Update stemcell: Checking if this stemcell already exists (00:00:00)
Task 23 | 22:20:39 | Update stemcell: Uploading stemcell bosh-google-kvm-ubuntu-trusty-go_agent/3445.17 to the cloud (00:02:17)
                   L Error: CPI error 'Bosh::Clouds::CloudError' with message 'Creating stemcell: Creating Google Image from URL: Failed to create Google Image: Post https://www.googleapis.com/compute/v1/projects/fe-avasseur/global/images?alt=json: dial tcp 64.233.166.95:443: i/o timeout' in 'create_stemcell' CPI method
Task 23 | 22:22:56 | Error: CPI error 'Bosh::Clouds::CloudError' with message 'Creating stemcell: Creating Google Image from URL: Failed to create Google Image: Post https://www.googleapis.com/compute/v1/projects/fe-avasseur/global/images?alt=json: dial tcp 64.233.166.95:443: i/o timeout' in 'create_stemcell' CPI method

Task 23 Started  Sat Dec  9 22:20:39 UTC 2017
Task 23 Finished Sat Dec  9 22:22:56 UTC 2017
Task 23 Duration 00:02:17
Task 23 error

Change in networks.tf is required - imho with a better default to true

  ~ google_compute_subnetwork.management-subnet
      private_ip_google_access:        "false" => "true"

screenshot