vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-10-26 08:41:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1345 from mkorobeinikov/master

Browse Source 
Article about terraform and google.
This commit is contained in:
Robert Göhler 2024-04-04 12:07:44 +02:00 committed by GitHub
commit 09c7f833bc
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 708 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
docs/_static/images/json.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

BIN
docs/_static/images/key.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 162 KiB

BIN
docs/_static/images/project.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
docs/_static/images/service.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 191 KiB

708
docs/automation/terraform/terraformGoogle.rst
View File

@ -0,0 +1,708 @@
:lastproofread: 2024-03-25
.. _terraformgoogle:
Deploying VyOS in the google cloud
==================================
With the help of Terraform, you can quickly deploy VyOS-based infrastructure in the google cloud. If necessary, the infrastructure can be removed using terraform.
Also we will make provisioning using Ansible.
In this case, we'll create the necessary files for Terraform and Ansible next using Terraform we'll create a single instance on the google cloud and make provisioning using Ansible.
Preparation steps for deploying VyOS on google
----------------------------------------------
How to create a single instance and install your configuration using Terraform+Ansible+google
Step by step:
google cloud
1 Create an account with google cloud and a new project
.. image:: /_static/images/project.png
:width: 50%
:align: center
:alt: Network Topology Diagram
2 Create a service aacount and download your key (.JSON)
.. image:: /_static/images/service.png
:width: 50%
:align: center
:alt: Network Topology Diagram
.. image:: /_static/images/key.png
:width: 50%
:align: center
:alt: Network Topology Diagram
The .JSON file download automaticly after creating and will look like:
.. image:: /_static/images/json.png
:width: 50%
:align: center
:alt: Network Topology Diagram
Terraform
1 Create an UNIX or Windows instance
2 Download and install Terraform
3 Create the folder for example /root/google
.. code-block:: none
mkdir /root/google
4 Copy all files into your Terraform project "/root/google" (vyos.tf, var.tf, terraform.tfvars, .JSON), more detailed see `Structure of files Terrafom for google cloud`_
5 Type the commands :
.. code-block:: none
cd /<your folder>
terraform init
Ansible
1 Create an UNIX instance whenever you want (local, cloud, and so on)
2 Download and install Ansible
3 Create the folder for example /root/google/
4 Copy all files into your Ansible project "/root/google/" (ansible.cfg, instance.yml, mykey.json and "all"), more detailed see `Structure of files Ansible for google cloud`_
mykey.json you have to get using step 2 of the google cloud
Start
Type the commands on your Terrafom instance:
.. code-block:: none
cd /<your folder>
terraform plan
terraform apply
yes
Start creating a google cloud instance and check the result
-----------------------------------------------------------
.. code-block:: none
# terraform apply
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# google_compute_firewall.tcp_22[0] will be created
+ resource "google_compute_firewall" "tcp_22" {
+ creation_timestamp = (known after apply)
+ destination_ranges = (known after apply)
+ direction = (known after apply)
+ enable_logging = (known after apply)
+ id = (known after apply)
+ name = "vyos-tcp-22"
+ network = "default"
+ priority = 1000
+ project = "vyosproject"
+ self_link = (known after apply)
+ source_ranges = [
+ "0.0.0.0/0",
]
+ target_tags = [
+ "vyos-deployment",
]
+ allow {
+ ports = [
+ "22",
]
+ protocol = "tcp"
}
}
# google_compute_firewall.udp_500_4500[0] will be created
+ resource "google_compute_firewall" "udp_500_4500" {
+ creation_timestamp = (known after apply)
+ destination_ranges = (known after apply)
+ direction = (known after apply)
+ enable_logging = (known after apply)
+ id = (known after apply)
+ name = "vyos-udp-500-4500"
+ network = "default"
+ priority = 1000
+ project = "vyosproject"
+ self_link = (known after apply)
+ source_ranges = [
+ "0.0.0.0/0",
]
+ target_tags = [
+ "vyos-deployment",
]
+ allow {
+ ports = [
+ "500",
+ "4500",
]
+ protocol = "udp"
}
}
# google_compute_instance.default will be created
+ resource "google_compute_instance" "default" {
+ can_ip_forward = true
+ cpu_platform = (known after apply)
+ current_status = (known after apply)
+ deletion_protection = false
+ effective_labels = (known after apply)
+ guest_accelerator = (known after apply)
+ id = (known after apply)
+ instance_id = (known after apply)
+ label_fingerprint = (known after apply)
+ machine_type = "n2-highcpu-4"
+ metadata = {
+ "enable-oslogin" = "FALSE"
+ "serial-port-enable" = "TRUE"
+ "user-data" = ""
}
+ metadata_fingerprint = (known after apply)
+ min_cpu_platform = (known after apply)
+ name = "vyos"
+ project = "vyosproject"
+ self_link = (known after apply)
+ tags_fingerprint = (known after apply)
+ terraform_labels = (known after apply)
+ zone = "us-west1-a"
+ boot_disk {
+ auto_delete = true
+ device_name = (known after apply)
+ disk_encryption_key_sha256 = (known after apply)
+ kms_key_self_link = (known after apply)
+ mode = "READ_WRITE"
+ source = (known after apply)
+ initialize_params {
+ image = "projects/sentrium-public/global/images/vyos-1-3-5-20231222143039"
+ labels = (known after apply)
+ provisioned_iops = (known after apply)
+ provisioned_throughput = (known after apply)
+ size = (known after apply)
+ type = (known after apply)
}
}
+ network_interface {
+ internal_ipv6_prefix_length = (known after apply)
+ ipv6_access_type = (known after apply)
+ ipv6_address = (known after apply)
+ name = (known after apply)
+ network = "default"
+ network_ip = (known after apply)
+ nic_type = "GVNIC"
+ stack_type = (known after apply)
+ subnetwork = "default"
+ subnetwork_project = (known after apply)
+ access_config {
+ nat_ip = (known after apply)
+ network_tier = (known after apply)
}
}
}
# local_file.ip will be created
+ resource "local_file" "ip" {
+ content = (known after apply)
+ content_base64sha256 = (known after apply)
+ content_base64sha512 = (known after apply)
+ content_md5 = (known after apply)
+ content_sha1 = (known after apply)
+ content_sha256 = (known after apply)
+ content_sha512 = (known after apply)
+ directory_permission = "0777"
+ file_permission = "0777"
+ filename = "ip.txt"
+ id = (known after apply)
}
# null_resource.SSHconnection1 will be created
+ resource "null_resource" "SSHconnection1" {
+ id = (known after apply)
}
# null_resource.SSHconnection2 will be created
+ resource "null_resource" "SSHconnection2" {
+ id = (known after apply)
}
Plan: 6 to add, 0 to change, 0 to destroy.
Changes to Outputs:
+ public_ip_address = (known after apply)
│ Warning: Quoted references are deprecated
│ on vyos.tf line 126, in resource "null_resource" "SSHconnection1":
│ 126: depends_on = ["google_compute_instance.default"]
│ In this context, references are expected literally rather than in quotes. Terraform 0.11 and earlier required quotes, but quoted references are now deprecated and will be removed in a
│ future version of Terraform. Remove the quotes surrounding this reference to silence this warning.
│ (and one more similar warning elsewhere)
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
google_compute_firewall.udp_500_4500[0]: Creating...
google_compute_firewall.tcp_22[0]: Creating...
google_compute_instance.default: Creating...
google_compute_firewall.udp_500_4500[0]: Still creating... [10s elapsed]
google_compute_firewall.tcp_22[0]: Still creating... [10s elapsed]
google_compute_instance.default: Still creating... [10s elapsed]
google_compute_firewall.tcp_22[0]: Creation complete after 16s [id=projects/vyosproject/global/firewalls/vyos-tcp-22]
google_compute_firewall.udp_500_4500[0]: Creation complete after 16s [id=projects/vyosproject/global/firewalls/vyos-udp-500-4500]
google_compute_instance.default: Creation complete after 20s [id=projects/vyosproject/zones/us-west1-a/instances/vyos]
null_resource.SSHconnection1: Creating...
null_resource.SSHconnection2: Creating...
null_resource.SSHconnection1: Provisioning with 'file'...
null_resource.SSHconnection2: Provisioning with 'remote-exec'...
null_resource.SSHconnection2 (remote-exec): Connecting to remote host via SSH...
null_resource.SSHconnection2 (remote-exec): Host: 10.***.***.104
null_resource.SSHconnection2 (remote-exec): User: root
null_resource.SSHconnection2 (remote-exec): Password: true
null_resource.SSHconnection2 (remote-exec): Private key: false
null_resource.SSHconnection2 (remote-exec): Certificate: false
null_resource.SSHconnection2 (remote-exec): SSH Agent: false
null_resource.SSHconnection2 (remote-exec): Checking Host Key: false
null_resource.SSHconnection2 (remote-exec): Target Platform: unix
local_file.ip: Creating...
local_file.ip: Creation complete after 0s [id=7d568c3b994a018c942a3cdb952ccbf3c729d0ca]
null_resource.SSHconnection2 (remote-exec): Connected!
null_resource.SSHconnection1: Creation complete after 4s [id=5175298735911137161]
null_resource.SSHconnection2 (remote-exec): PLAY [integration of terraform and ansible] ************************************
null_resource.SSHconnection2 (remote-exec): TASK [Wait 300 seconds, but only start checking after 60 seconds] **************
null_resource.SSHconnection2: Still creating... [10s elapsed]
null_resource.SSHconnection2: Still creating... [20s elapsed]
null_resource.SSHconnection2: Still creating... [30s elapsed]
null_resource.SSHconnection2: Still creating... [40s elapsed]
null_resource.SSHconnection2: Still creating... [50s elapsed]
null_resource.SSHconnection2: Still creating... [1m0s elapsed]
null_resource.SSHconnection2: Still creating... [1m10s elapsed]
null_resource.SSHconnection2 (remote-exec): ok: [104.***.***.158]
null_resource.SSHconnection2 (remote-exec): TASK [Configure general settings for the vyos hosts group] *********************
null_resource.SSHconnection2: Still creating... [1m20s elapsed]
null_resource.SSHconnection2 (remote-exec): changed: [104.***.***.158]
null_resource.SSHconnection2 (remote-exec): PLAY RECAP *********************************************************************
null_resource.SSHconnection2 (remote-exec): 104.***.***.158 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
null_resource.SSHconnection2: Creation complete after 1m22s [id=3355727070503709742]
Apply complete! Resources: 6 added, 0 changed, 0 destroyed.
Outputs:
public_ip_address = "104.***.***.158"
After executing all the commands you will have your VyOS instance on the google cloud with your configuration, it's a very convenient desition.
If you need to delete the instance please type the command:
.. code-block:: none
terraform destroy
Troubleshooting
---------------
1 Increase the time in the file instance.yml from 300 sec to 500 sec or more. (It depends on your location).
Make sure that you have opened access to the instance in the security group.
2 Terraform doesn't connect via SSH to your Ansible instance: you have to check the correct login and password in the part of the file VyOS.tf
.. code-block:: none
connection {
type = "ssh"
user = "root" # open root access using login and password on your Ansible
password = var.password # check password in the file terraform.tfvars isn't empty
host = var.host # check the correct IP address of your Ansible host
}
Make sure that Ansible is pinging from Terrafom.
Structure of files Terrafom for google cloud
--------------------------------------------
.. code-block:: none
.
├── vyos.tf # The main script
├── ***.JSON # The credential file from google cloud
├── var.tf # The file of all variables in "vyos.tf"
└── terraform.tfvars # The value of all variables (passwords, login, ip adresses and so on)
File contents of Terrafom for google cloud
------------------------------------------
vyos.tf
.. code-block:: none
##############################################################################
# Build an VyOS VM from the Marketplace
#
# After deploying the GCP instance and getting an IP address, the IP address is copied into the file
#"ip.txt" and copied to the Ansible node for provisioning.
##############################################################################
terraform {
required_providers {
google = {
source = "hashicorp/google"
}
}
}
provider "google" {
project = var.project_id
request_timeout = "60s"
credentials = file(var.gcp_auth_file)
}
locals {
network_interfaces = [for i, n in var.networks : {
network = n,
subnetwork = length(var.sub_networks) > i ? element(var.sub_networks, i) : null
external_ip = length(var.external_ips) > i ? element(var.external_ips, i) : "NONE"
}
]
}
resource "google_compute_instance" "default" {
name = var.goog_cm_deployment_name
machine_type = var.machine_type
zone = var.zone
metadata = {
enable-oslogin = "FALSE"
serial-port-enable = "TRUE"
user-data = var.vyos_user_data
}
boot_disk {
initialize_params {
image = var.image
}
}
can_ip_forward = true
dynamic "network_interface" {
for_each = local.network_interfaces
content {
network = network_interface.value.network
subnetwork = network_interface.value.subnetwork
nic_type = "GVNIC"
dynamic "access_config" {
for_each = network_interface.value.external_ip == "NONE" ? [] : [1]
content {
nat_ip = network_interface.value.external_ip == "EPHEMERAL" ? null : network_interface.value.external_ip
}
}
}
}
}
resource "google_compute_firewall" "tcp_22" {
count = var.enable_tcp_22 ? 1 : 0
name = "${var.goog_cm_deployment_name}-tcp-22"
network = element(var.networks, 0)
allow {
ports = ["22"]
protocol = "tcp"
}
source_ranges = ["0.0.0.0/0"]
target_tags = ["${var.goog_cm_deployment_name}-deployment"]
}
resource "google_compute_firewall" "udp_500_4500" {
count = var.enable_udp_500_4500 ? 1 : 0
name = "${var.goog_cm_deployment_name}-udp-500-4500"
network = element(var.networks, 0)
allow {
ports = ["500", "4500"]
protocol = "udp"
}
source_ranges = ["0.0.0.0/0"]
target_tags = ["${var.goog_cm_deployment_name}-deployment"]
}
output "public_ip_address" {
value = google_compute_instance.default.network_interface[0].access_config[0].nat_ip
}
##############################################################################
#
# IP of google instance copied to a file ip.txt in local system Terraform
# ip.txt looks like:
# cat ./ip.txt
# ххх.ххх.ххх.ххх
##############################################################################
resource "local_file" "ip" {
content = google_compute_instance.default.network_interface[0].access_config[0].nat_ip
filename = "ip.txt"
}
#connecting to the Ansible control node using SSH connection
##############################################################################
# Steps "SSHconnection1" and "SSHconnection2" need to get file ip.txt from the terraform node and start remotely the playbook of Ansible.
##############################################################################
resource "null_resource" "SSHconnection1" {
depends_on = ["google_compute_instance.default"]
connection {
type = "ssh"
user = "root"
password = var.password
host = var.host
}
#copying the ip.txt file to the Ansible control node from local system
provisioner "file" {
source = "ip.txt"
destination = "/root/google/ip.txt" # The folder of your Ansible project
}
}
resource "null_resource" "SSHconnection2" {
depends_on = ["google_compute_instance.default"]
connection {
type = "ssh"
user = "root"
password = var.password
host = var.host
}
#command to run Ansible playbook on remote Linux OS
provisioner "remote-exec" {
inline = [
"cd /root/google/",
"ansible-playbook instance.yml" # more detailed in "File contents of Ansible for google cloud"
]
}
}
var.tf
.. code-block:: none
variable "image" {
type = string
default = "projects/sentrium-public/global/images/vyos-1-3-5-20231222143039"
}
variable "project_id" {
type = string
}
variable "zone" {
type = string
}
##############################################################################
# You can choose more chipper type than n2-highcpu-4
##############################################################################
variable "machine_type" {
type = string
default = "n2-highcpu-4"
}
variable "networks" {
description = "The network name to attach the VM instance."
type = list(string)
default = ["default"]
}
variable "sub_networks" {
description = "The sub network name to attach the VM instance."
type = list(string)
default = ["default"]
}
variable "external_ips" {
description = "The external IPs assigned to the VM for public access."
type = list(string)
default = ["EPHEMERAL"]
}
variable "enable_tcp_22" {
description = "Allow SSH traffic from the Internet"
type = bool
default = true
}
variable "enable_udp_500_4500" {
description = "Allow IKE/IPSec traffic from the Internet"
type = bool
default = true
}
variable "vyos_user_data" {
type = string
default = ""
}
// Marketplace requires this variable name to be declared
variable "goog_cm_deployment_name" {
description = "VyOS Universal Router Deployment"
type = string
default = "vyos"
}
# GCP authentication file
variable "gcp_auth_file" {
type = string
description = "GCP authentication file"
}
variable "password" {
description = "pass for Ansible"
type = string
sensitive = true
}
variable "host"{
description = "The IP of my Ansible"
type = string
}
terraform.tfvars
.. code-block:: none
##############################################################################
# Must be filled in
##############################################################################
zone = "us-west1-a"
gcp_auth_file = "/root/***/***.json" # path of your .json file
project_id = "" # the google project
password = "" # password for Ansible SSH
host = "" # IP of my Ansible
Structure of files Ansible for google cloud
-------------------------------------------
.. code-block:: none
.
├── group_vars
└── all
├── ansible.cfg
└── instance.yml
File contents of Ansible for google cloud
-----------------------------------------
ansible.cfg
.. code-block:: none
[defaults]
inventory = /root/google/ip.txt
host_key_checking= False
remote_user=vyos
instance.yml
.. code-block:: none
##############################################################################
# About tasks:
# "Wait 300 seconds, but only start checking after 60 seconds" - try to make ssh connection every 60 seconds until 300 seconds
# "Configure general settings for the VyOS hosts group" - make provisioning into google cloud VyOS node
# You have to add all necessary cammans of VyOS under the block "lines:"
##############################################################################
- name: integration of terraform and ansible
hosts: all
gather_facts: 'no'
tasks:
- name: "Wait 300 seconds, but only start checking after 60 seconds"
wait_for_connection:
delay: 60
timeout: 300
- name: "Configure general settings for the VyOS hosts group"
vyos_config:
lines:
- set system name-server xxx.xxx.xxx.xxx
save:
true
group_vars/all
.. code-block:: none
ansible_connection: ansible.netcommon.network_cli
ansible_network_os: vyos.vyos.vyos
ansible_user: vyos
ansible_ssh_pass: vyos
Sourse files for google cloud from GIT
--------------------------------------
All files about the article can be found here_
.. _here: https://github.com/vyos/vyos-automation/tree/main/TerraformCloud/Google_terraform_ansible_single_vyos_instance-main