
terraforming-gcp

How Does One Use This?

Please note that the master branch is generally unstable. If you are looking for something "tested", please consume one of our releases.

What Does This Do?

You will get a booted Ops Manager VM plus the networking it needs: just the bare bones.

Looking to set up a different IaaS?

We have other terraform templates to help you!

This list will be updated when more infrastructures come along.

Prerequisites

Your system needs the gcloud cli, as well as terraform:

brew update
brew install Caskroom/cask/google-cloud-sdk
brew install terraform

Notes

You will need a key file for your service account to allow terraform to deploy resources. If you don't have one, you can create a service account and a key for it:

gcloud iam service-accounts create ACCOUNT_NAME --display-name "Some Account Name"
gcloud iam service-accounts keys create "terraform.key.json" --iam-account "ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com"
gcloud projects add-iam-policy-binding PROJECT_ID --member 'serviceAccount:ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com' --role 'roles/owner'

You will need to enable the following Google Cloud APIs:

Var File

Copy the stub content below into a file called terraform.tfvars and put it in the root of this project. These vars will be used when you run terraform apply. You should fill in the stub values with the correct content.

env_name         = "some-environment-name"
project          = "your-gcp-project"
region           = "us-central1"
zones            = ["us-central1-a", "us-central1-b", "us-central1-c"]
dns_suffix       = "gcp.some-project.cf-app.com"
opsman_image_url = "https://storage.googleapis.com/ops-manager-us/pcf-gcp-1.12.0.tar.gz"

buckets_location = "US"

ssl_cert = <<SSL_CERT
-----BEGIN CERTIFICATE-----
some cert
-----END CERTIFICATE-----
SSL_CERT

ssl_private_key = <<SSL_KEY
-----BEGIN RSA PRIVATE KEY-----
some cert private key
-----END RSA PRIVATE KEY-----
SSL_KEY

service_account_key = <<SERVICE_ACCOUNT_KEY
{
  "type": "service_account",
  "project_id": "your-gcp-project",
  "private_key_id": "another-gcp-private-key",
  "private_key": "-----BEGIN PRIVATE KEY-----another gcp private key-----END PRIVATE KEY-----\n",
  "client_email": "[email protected]",
  "client_id": "11111111111111",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/"
}
SERVICE_ACCOUNT_KEY

Var Details

  • env_name: (required) An arbitrary unique name for namespacing resources. Max 23 characters.
  • project: (required) ID for your GCP project.
  • region: (required) Region in which to create resources (e.g. us-central1)
  • zones: (required) Zones in which to create resources. Must be within the given region. Currently you must specify exactly 3 Zones for this terraform configuration to work. (e.g. [us-central1-a, us-central1-b, us-central1-c])
  • opsman_image_url: (required) Source URL of the Ops Manager image you want to boot.
  • service_account_key: (required) Contents of your service account key file generated using the gcloud iam service-accounts keys create command.
  • dns_suffix: (required) Domain to add environment subdomain to (e.g. foo.example.com)
  • buckets_location: (optional) Location in which to create buckets. Defaults to US.
  • ssl_cert: (optional) SSL certificate for HTTP load balancer configuration. Required unless ssl_ca_cert is specified.
  • ssl_private_key: (optional) Private key for above SSL certificate. Required unless ssl_ca_cert is specified.
  • ssl_ca_cert: (optional) SSL CA certificate used to generate self-signed HTTP load balancer certificate. Required unless ssl_cert is specified.
  • ssl_ca_private_key: (optional) Private key for above SSL CA certificate. Required unless ssl_cert is specified.
  • opsman_storage_bucket_count: (optional) Google Storage Bucket for BOSH's Blobstore.
  • create_iam_service_account_members: (optional) Create IAM Service Account project roles. Defaults to true.
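The constraints listed above (required vars, the 23-character env_name limit, exactly three zones inside the chosen region, the ssl_cert / ssl_ca_cert either-or, and a service account key that is really a service-account JSON for the same project) are cheap to check before terraform apply. The following pre-flight script is an added example, not code from the terraforming-gcp project: it parses only the three value forms used in the stub (quoted strings, lists of quoted strings, and heredocs) and the sample tfvars text embedded in it is constructed for the example.

```python
"""Pre-flight check for a terraforming-gcp terraform.tfvars file.

Added example, not part of the terraforming-gcp project. Variable names and
constraints come from the README's Var Details section; the parser covers only
the subset of HCL the stub uses (string, list and heredoc assignments).
"""
import json
import re
import sys

# Vars the README marks as (required).
REQUIRED = ["env_name", "project", "region", "zones", "opsman_image_url",
            "service_account_key", "dns_suffix"]


def parse_tfvars(text):
    """Parse `key = "str"`, `key = ["a", "b"]` and `key = <<MARKER ... MARKER`."""
    values = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^(\w+)\s*=\s*(.*)$', line)
        if not m:
            raise ValueError("unparseable line: %r" % line)
        key, rhs = m.group(1), m.group(2).strip()
        if rhs.startswith("<<"):
            # Heredoc: collect raw lines until a line equal to the marker.
            marker = rhs[2:].strip()
            body = []
            while i < len(lines) and lines[i].strip() != marker:
                body.append(lines[i])
                i += 1
            if i >= len(lines):
                raise ValueError("unterminated heredoc for %s" % key)
            i += 1  # skip the closing marker line
            values[key] = "\n".join(body) + "\n"
        elif rhs.startswith("["):
            values[key] = re.findall(r'"([^"]*)"', rhs)
        elif rhs.startswith('"') and rhs.endswith('"'):
            values[key] = rhs[1:-1]
        else:
            values[key] = rhs  # bare values such as true / false
    return values


def validate(values):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    for key in REQUIRED:
        if not values.get(key):
            problems.append("missing required var: %s" % key)
    if len(values.get("env_name", "")) > 23:
        problems.append("env_name longer than 23 characters")
    zones = values.get("zones", [])
    region = values.get("region", "")
    if len(zones) != 3:
        problems.append("exactly 3 zones are required, got %d" % len(zones))
    for z in zones:
        if region and not z.startswith(region + "-"):
            problems.append("zone %s is not in region %s" % (z, region))
    # Either a cert + key pair or a CA cert + key pair must be present.
    has_cert = bool(values.get("ssl_cert")) and bool(values.get("ssl_private_key"))
    has_ca = bool(values.get("ssl_ca_cert")) and bool(values.get("ssl_ca_private_key"))
    if not (has_cert or has_ca):
        problems.append("need ssl_cert+ssl_private_key or ssl_ca_cert+ssl_ca_private_key")
    sa = values.get("service_account_key")
    if sa:
        try:
            doc = json.loads(sa)
        except ValueError:
            problems.append("service_account_key is not valid JSON")
        else:
            if doc.get("type") != "service_account":
                problems.append("service_account_key is not a service_account key")
            elif doc.get("project_id") != values.get("project"):
                problems.append("service_account_key project_id does not match project")
    return problems


def check_text(text):
    """Parse and validate tfvars text in one call."""
    return validate(parse_tfvars(text))


# Constructed sample matching the README stub (placeholder cert and key material).
SAMPLE_TFVARS = r'''
env_name   = "example-env"
project    = "your-gcp-project"
region     = "us-central1"
zones      = ["us-central1-a", "us-central1-b", "us-central1-c"]
dns_suffix = "gcp.example.com"
opsman_image_url = "https://storage.googleapis.com/ops-manager-us/pcf-gcp-1.12.0.tar.gz"
ssl_cert = <<SSL_CERT
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
SSL_CERT
ssl_private_key = <<SSL_KEY
-----BEGIN RSA PRIVATE KEY-----
placeholder
-----END RSA PRIVATE KEY-----
SSL_KEY
service_account_key = <<SERVICE_ACCOUNT_KEY
{"type": "service_account", "project_id": "your-gcp-project",
 "private_key": "-----BEGIN PRIVATE KEY-----placeholder-----END PRIVATE KEY-----\n"}
SERVICE_ACCOUNT_KEY
'''

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_TFVARS
    for p in check_text(text):
        print("PROBLEM:", p)
```

Run it as `python check_tfvars.py terraform.tfvars` from the project root; no output means every check passed.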

DNS Records

  • pcf.$env_name.$dns_suffix: Points at the Ops Manager VM's public IP address.
  • *.sys.$env_name.$dns_suffix: Points at the HTTP/S load balancer in front of the Router.
  • doppler.sys.$env_name.$dns_suffix: Points at the TCP load balancer in front of the Router. This address is used to send websocket traffic to the Doppler server.
  • loggregator.sys.$env_name.$dns_suffix: Points at the TCP load balancer in front of the Router. This address is used to send websocket traffic to the Loggregator Traffic Controller.
  • *.apps.$env_name.$dns_suffix: Points at the HTTP/S load balancer in front of the Router.
  • *.ws.$env_name.$dns_suffix: Points at the TCP load balancer in front of the Router. This address can be used for application websocket traffic.
  • ssh.sys.$env_name.$dns_suffix: Points at the TCP load balancer in front of the Diego brain.
  • tcp.$env_name.$dns_suffix: Points at the TCP load balancer in front of the TCP router.

Isolation Segments (optional)

  • isolation_segment: (optional) When set to "true" creates HTTP load-balancer across 3 zones for isolation segments.
  • iso_seg_ssl_cert: (optional) SSL certificate for Iso Seg HTTP load balancer configuration. Required unless iso_seg_ssl_ca_cert is specified.
  • iso_seg_ssl_private_key: (optional) Private key for above SSL certificate. Required unless iso_seg_ssl_ca_cert is specified.
  • iso_seg_ssl_ca_cert: (optional) SSL CA certificate used to generate self-signed Iso Seg HTTP load balancer certificate. Required unless iso_seg_ssl_cert is specified.
  • iso_seg_ssl_ca_private_key: (optional) Private key for above SSL CA certificate. Required unless iso_seg_ssl_cert is specified.

Ops Manager

  • opsman_sql_db_host: (optional) The host the user can connect from. Can be an IP address. Changing this forces a new resource to be created.

PAS

  • pas_sql_db_host: (optional) The host the user can connect from. Can be an IP address. Changing this forces a new resource to be created.

PAS Cloud Controller's Google Cloud Storage Buckets (optional)

  • create_gcs_buckets: (optional) When set to "false", buckets will not be created for PAS Cloud Controller. Defaults to "true".

PKS (optional)

  • pks: (optional) When set to "true", creates a TCP load balancer for the PKS API and dedicated subnets, and allows access on port 8443 to the masters' external IP address for kubectl access.

Running

Note: make sure you have created the terraform.tfvars file as described above.

Standing up environment

terraform init
terraform plan -out=plan
terraform apply plan

Tearing down environment

terraform destroy

Contributors

genevieve, davewalter, wendorf, rainmaker, ryanmoran, ameowlia, desmondrawls, kkallday, vchrisb, cwlbraa, zachgersh, matt-royal, ljfranklin, drich10, mcwumbly, amohemed, adi-mishra, ekcasey, madamkiwi, markstokan, rowanjacobs
