Note: This repository has been archived and new versions are now available on the Terraform registry at https://registry.terraform.io/modules/vmware/avi-alb-deployment-gcp/google/latest or Github at https://github.com/vmware/terraform-google-avi-alb-deployment-gcp. Please use the new repository going forward.
This Terraform module creates and configures an AVI (NSX Advanced Load-Balancer) Controller on GCP.
The module is meant to be modular and can create all or none of the prerequisite resources needed for the AVI GCP deployment, including:
- VPC and Subnet for the Controller (optional with create_networking variable)
- IAM Roles and Role Bindings for supplied Service Account (optional with create_iam variable)
- GCP Compute Image from the provided bucket controller file
- Firewall Rules for AVI Controller and SE communication
- GCP Compute Instance using the Controller Compute Image
During the creation of the Controller instance the following initialization steps are performed:
- Change default password to user specified password
- Copy Ansible playbook to controller using the assigned public IP
- Run Ansible playbook to configure initial settings and GCP Full Access Cloud
Optionally the following Avi configurations can be created:
- Avi IPAM Profile (configure_ipam_profile variable)
- Avi DNS Profile (configure_dns_profile variable)
- DNS Virtual Service (configure_dns_vs variable)
The following are GCP prerequisites for running this module:
- Service Account created for the Avi Controller
- Projects identified for the Controller, Network, Service Engines, Storage, and Backend Servers. By default these are a single project as set by the "project" variable. Optionally the "network_project", "service_engine_project", "storage_project", and "server_project" variables can be set to use a different project from the one the Controller will be deployed to.
- If more than one project will be used, the "Disable Cross-Project Service Account Usage" organizational policy must be set to "Not enforced" and the Service Account must be added to those additional projects.
For authenticating to GCP you must use either the "GOOGLE_APPLICATION_CREDENTIALS={{path_to_service_account_key}}" environment variable or "gcloud auth application-default login".
The AVI Controller image for GCP should be uploaded to a GCP Cloud Storage bucket before running this module, with the path specified in the controller_image_gs_path variable. This can be done with the following gsutil commands:
```bash
# create the bucket (gsutil mb requires the gs:// URL form), then upload the controller image archive
gsutil mb gs://<bucket>
gsutil -m cp ./gcp_controller-<avi-version>.tar.gz gs://<bucket>/
```
The following packages must be installed on the host operating system:
- curl
```hcl
terraform {
  backend "local" {
  }
}

# Single controller in one region; the module creates the VPC/subnet itself
module "avi_controller_gcp" {
  source  = "slarimore02/avi-controller-gcp/gcp"
  version = "1.0.x"

  region                      = "us-west1"
  create_networking           = "true"
  create_iam                  = "false"
  controller_default_password = "Value Redacted and available within the VMware Customer Portal"
  avi_version                 = "21.1.1"
  service_account_email       = "<sa-account>@<project>.iam.gserviceaccount.com"
  controller_image_gs_path    = "<bucket>/gcp_controller-21.1.1.tar.gz"
  controller_password         = "password"
  name_prefix                 = "avi"
  project                     = "gcp-project"
}

output "controller_address" {
  value = module.avi_controller_gcp.controllers
}
```
```hcl
terraform {
  backend "local" {
  }
}

# Two HA controller clusters in existing VPC subnets, each with IPAM/DNS
# profiles and a DNS Virtual Service; the west cluster also configures GSLB
# with the east cluster as an additional site.
module "avi_controller_east" {
  source  = "slarimore02/avi-controller-gcp/gcp"
  version = "1.0.x"

  region                      = "us-east1"
  create_networking           = "false"
  custom_vpc_name             = "vpc"
  custom_subnetwork_name      = "subnet-east-1"
  create_iam                  = "false"
  avi_version                 = "21.1.1"
  controller_public_address   = "true"
  service_account_email       = "<email>@<account>.iam.gserviceaccount.com"
  controller_ha               = "true"
  controller_default_password = "<default-password>"
  controller_image_gs_path    = "<bucket>/gcp_controller-21.1.1.tar.gz"
  controller_password         = "<new-password>"
  name_prefix                 = "east1"
  project                     = "<project>"
  configure_ipam_profile      = "true"
  ipam_networks               = [{ network = "192.168.252.0/24", static_pool = ["192.168.252.1", "192.168.252.254"] }]
  configure_dns_profile       = "true"
  dns_service_domain          = "east.domain"
  configure_dns_vs            = "true"
  dns_vs_settings             = { auto_allocate_ip = "true", auto_allocate_public_ip = "true", vs_ip = "", network = "192.168.252.0/24" }
}

module "avi_controller_west" {
  source  = "slarimore02/avi-controller-gcp/gcp"
  version = "1.0.x"

  region                      = "us-west1"
  create_networking           = "false"
  custom_vpc_name             = "vpc"
  custom_subnetwork_name      = "subnet-west-1"
  create_iam                  = "false"
  avi_version                 = "21.1.1"
  controller_public_address   = "true"
  service_account_email       = "<email>@<project>.iam.gserviceaccount.com"
  controller_ha               = "true"
  controller_default_password = "<default-password>"
  controller_image_gs_path    = "<bucket>/gcp_controller-21.1.1.tar.gz"
  controller_password         = "<new-password>"
  name_prefix                 = "west1"
  project                     = "<project>"
  configure_ipam_profile      = "true"
  ipam_networks               = [{ network = "192.168.251.0/24", static_pool = ["192.168.251.1", "192.168.251.254"] }]
  configure_dns_profile       = "true"
  dns_service_domain          = "west.domain"
  configure_dns_vs            = "true"
  dns_vs_settings             = { auto_allocate_ip = "true", auto_allocate_public_ip = "true", vs_ip = "", network = "192.168.251.0/24" }

  # GSLB: this cluster is site West1 and peers with the east cluster's DNS VS
  configure_gslb                  = "true"
  gslb_site_name                  = "West1"
  gslb_domains                    = ["gslb.domain"]
  configure_gslb_additional_sites = "true"
  additional_gslb_sites           = [{ name = "East1", ip_address = module.avi_controller_east.controllers[0].private_ip_address, dns_vs_name = "DNS-VS" }]
}

output "west_controller_ip" {
  value = module.avi_controller_west.controllers
}

output "east_controller_ip" {
  value = module.avi_controller_east.controllers
}
```
The controller_size variable can be used to determine the vCPU and Memory resources allocated to the Avi Controller. There are 3 available sizes for the Controller as documented below:
Size | vCPU Cores | Memory (GB) |
---|---|---|
small | 8 | 24 |
medium | 16 | 32 |
large | 24 | 48 |
Additional resources on sizing the Avi Controller:
- https://avinetworks.com/docs/latest/avi-controller-sizing/
- https://avinetworks.com/docs/latest/system-limits/
The module copies and runs an Ansible play for configuring the initial day-1 Avi config. The plays listed below can be reviewed by connecting to the Avi Controller over SSH. In an HA setup the first controller will have these files.
This play will configure the Avi Cloud, Network, IPAM/DNS profiles, DNS Virtual Service, and GSLB, depending on the variables used by the module. The initial run of this play is written to the ansible-playbook.log file, which can be reviewed to determine which tasks were run.
Example run (appropriate variables should be used):
```bash
~$ ansible-playbook avi-controller-gcp-all-in-one-play.yml -e password='${var.controller_password}' > ansible-playbook-run.log
```
This play will disable all Virtual Services and delete all existing Avi Service Engines. This playbook should be run before deleting the controller with terraform destroy, to clean up the resources created by the Avi Controller.
Example run (appropriate variables should be used):
```bash
~$ ansible-playbook avi-cleanup.yml -e password='${var.controller_password}'
```
Requirements:
Name | Version |
---|---|
terraform | >= 0.13.6 |
google | ~> 4.17.0 |
null | 3.1.1 |
Providers:
Name | Version |
---|---|
google | 4.17.0 |
null | 3.1.1 |
No modules.
Inputs:
Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_gslb_sites | The names and IP addresses of the GSLB sites that will be configured. | list(object({ name = string, ip_address = string, dns_vs_name = string })) | [ | no |
avi_subnet | The CIDR that will be used for creating a subnet in the Avi VPC | string | "10.255.1.0/24" | no |
avi_version | The version of Avi that will be deployed | string | n/a | yes |
boot_disk_size | The boot disk size (in GB) for the Avi Controller | number | 128 | no |
configure_dns_profile | Configure Avi DNS Profile for DNS record creation for Virtual Services. If set to true the dns_service_domain variable must also be set | bool | "false" | no |
configure_dns_vs | Create DNS Virtual Service. The configure_dns_profile and configure_ipam_profile variables must be set to true and their associated configuration variables must also be set | bool | "false" | no |
configure_firewall_se_data | Configure firewall rules for SE dataplane traffic. If set, the firewall_se_data_rules and firewall_se_data_source_range variables must also be set | bool | "false" | no |
configure_gslb | Configure GSLB. The gslb_site_name, gslb_domains, and configure_dns_vs variables must also be set. Optionally the additional_gslb_sites variable can be used to add active GSLB sites | bool | "false" | no |
configure_gslb_additional_sites | Configure additional GSLB sites. The additional_gslb_sites, gslb_site_name, gslb_domains, and configure_dns_vs variables must also be set | bool | "false" | no |
configure_ipam_profile | Configure Avi IPAM Profile for Virtual Service address allocation. If set to true the virtualservice_network variable must also be set | bool | "false" | no |
controller_default_password | This is the default password for the Avi controller image and can be found on the image download page. | string | n/a | yes |
controller_ha | If true, an HA controller cluster is deployed and configured | bool | "false" | no |
controller_image_gs_path | The Google Storage path to the GCP Avi Controller tar.gz image file using the bucket/filename syntax | string | n/a | yes |
controller_password | The password that will be used for authenticating with the Avi Controller. This password must be a minimum of 8 characters and contain at least one each of uppercase, lowercase, numbers, and special characters | string | n/a | yes |
controller_public_address | This variable controls whether the Controller has a public IP address. When set to false the Ansible provisioner will connect to the private IP of the Controller. | bool | "false" | no |
controller_size | This value determines the number of vCPUs and memory allocated for the Avi Controller. Possible values are small, medium, or large. | string | "small" | no |
create_cloud_router | This variable is used to create a GCP Cloud Router when both the create_networking variable = true and the vip_allocation_strategy = ILB | bool | "false" | no |
create_firewall_rules | This variable controls the VPC firewall rule creation for the Avi deployment. When set to false the necessary firewall rules must be in place before the deployment | bool | "true" | no |
create_gslb_se_group | Create an SE group for GSLB. This option only applies when configure_gslb is set to true | bool | "true" | no |
create_iam | Create IAM roles and role bindings necessary for the Avi GCP Full Access Cloud. If not set, the roles and permissions in this document must be associated with the controller service account - https://Avinetworks.com/docs/latest/gcp-full-access-roles-and-permissions/ | bool | "false" | no |
create_networking | This variable controls the VPC and subnet creation for the Avi Controller. When set to false the custom_vpc_name and custom_subnetwork_name variables must be set. | bool | "true" | no |
custom_machine_type | This value overrides the machine type used for the Avi Controller | string | "" | no |
custom_subnetwork_name | This field can be used to specify an existing VPC subnetwork for the controller and SEs. The create_networking variable must also be set to false for this network to be used. | string | null | no |
custom_vpc_name | This field can be used to specify an existing VPC for the controller and SEs. The create_networking variable must also be set to false for this network to be used. | string | null | no |
dns_search_domain | The optional DNS search domain that will be used by the controller | string | "" | no |
dns_servers | The optional DNS servers that will be used for local DNS resolution by the controller. Example ["8.8.4.4", "8.8.8.8"] | list(string) | null | no |
dns_service_domain | The DNS domain that will be available for Virtual Services. Avi will be the authoritative nameserver for this domain and NS records may need to be created pointing to the Avi Service Engine addresses. An example is demo.Avi.com | string | "" | no |
dns_vs_settings | The DNS Virtual Service settings. When the auto_allocate_ip option is set to "true" the VS IP address will be allocated via an IPAM profile. Example: { auto_allocate_ip = "true", auto_allocate_public_ip = "true", vs_ip = "", network = "192.168.20.0/24" } | object({ auto_allocate_ip = bool, auto_allocate_public_ip = bool, vs_ip = string, network = string }) | null | no |
email_config | The email settings that will be used for sending password reset information or for triggered alerts. The default setting will send emails directly from the Avi Controller | object({ smtp_type = string, from_email = string, mail_server_name = string, mail_server_port = string, auth_username = string, auth_password = string }) | { | no |
firewall_controller_allow_source_range | The IP range allowed to connect to the Avi Controller. Access from all IP ranges will be allowed by default | string | "0.0.0.0/0" | no |
firewall_se_data_rules | The ports allowed for Virtual Services hosted on Service Engines. The configure_firewall_se_data variable must be set to true for this rule to be created | list(object({ protocol = string, port = list(string) })) | [ | no |
firewall_se_data_source_range | The IP range allowed to access Virtual Services hosted on Service Engines. The configure_firewall_se_data and firewall_se_data_rules variables must also be set | string | "0.0.0.0/0" | no |
gslb_domains | A list of GSLB domains that will be configured | list(string) | [ | no |
gslb_se_size | The CPU, memory, and disk size of the Service Engines. The default is 2 vCPU, 8 GB RAM, and a 30 GB disk per Service Engine. Syntax ["cpu_cores", "memory_in_GB", "disk_size_in_GB"] | list(string) | [ | no |
gslb_site_name | The name of the GSLB site the deployed Controller(s) will be a member of. | string | "" | no |
ipam_networks | This variable configures the IPAM network(s). Example: [{ network = "192.168.1.0/24" , static_pool = ["192.168.1.10","192.168.1.30"]}] | list(object({ network = string, static_pool = list(string) })) | [ | no |
name_prefix | This prefix is prepended to the names of the Controller and SEs | string | n/a | yes |
network_project | The GCP network project that the Controller and SEs will use. If not set the project variable will be used | string | "" | no |
ntp_servers | The NTP servers that the Avi Controllers will use. The server should be a valid IP address (v4 or v6) or a DNS name. Valid options for type are V4, DNS, or V6 | list(object({ addr = string, type = string })) | [ | no |
project | The project used for the Avi Controller | string | n/a | yes |
region | The region that the Avi Controller and SEs will be deployed to | string | n/a | yes |
se_ha_mode | The HA mode of the Service Engine Group. Possible values are active/active, n+m, or active/standby | string | "active/active" | no |
se_service_account | This is the service account that will be leveraged by the Avi Service Engines. This is optional and only needed if service accounts are used for GCP firewall rules in 20.1.7 - https://avinetworks.com/docs/20.1/gcp-firewall-rules/#firewall-rule-filtering-with-service-accounts | string | null | no |
se_size | The CPU, memory, and disk size of the Service Engines. The default is 2 vCPU, 2 GB RAM, and a 15 GB disk per Service Engine. Syntax ["cpu_cores", "memory_in_GB", "disk_size_in_GB"] | list(string) | [ | no |
server_project | The backend server GCP project. If not set the project variable will be used | string | "" | no |
service_account_email | This is the service account that will be leveraged by the Avi Controller. If the create_iam variable is true then this module will create the necessary custom roles and bindings for the SA | string | n/a | yes |
service_engine_project | The project used for Avi Service Engines. If not set the project variable will be used | string | "" | no |
storage_project | The storage project used for the Avi Controller and SE image. If not set the project variable will be used | string | "" | no |
vip_allocation_strategy | The VIP allocation strategy for the GCP Cloud - ROUTES or ILB | string | "ROUTES" | no |
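As an added pre-apply check (not part of the module), the following Python encodes the variable dependencies and the controller_password rule stated in the Inputs table, flags the 0.0.0.0/0 default of firewall_controller_allow_source_range, and verifies that each ipam_networks static_pool lies inside its network. The check_inputs function and the constructed EAST sample, which mirrors the avi_controller_east call above, are assumptions.

```python
import ipaddress
import re

# Dependencies taken from the Inputs table: when the flag is true these must be set
# (configure_ipam_profile is checked against ipam_networks, which the examples above populate).
DEPENDENCIES = [
    ("configure_dns_profile", ["dns_service_domain"]),
    ("configure_ipam_profile", ["ipam_networks"]),
    ("configure_dns_vs", ["configure_dns_profile", "configure_ipam_profile", "dns_vs_settings"]),
    ("configure_gslb", ["gslb_site_name", "gslb_domains", "configure_dns_vs"]),
    ("configure_gslb_additional_sites", ["additional_gslb_sites"]),
    ("configure_firewall_se_data", ["firewall_se_data_rules", "firewall_se_data_source_range"]),
]

def truthy(value):
    # the README examples pass booleans as the strings "true"/"false"
    return value is True or str(value).lower() == "true"

def password_ok(pw):
    # controller_password rule: at least 8 chars with upper, lower, digit and special
    checks = [len(pw) >= 8, re.search(r"[A-Z]", pw), re.search(r"[a-z]", pw),
              re.search(r"[0-9]", pw), re.search(r"[^A-Za-z0-9]", pw)]
    return all(bool(c) for c in checks)

def check_inputs(cfg):
    # returns a list of findings for one module call; an empty list means clean
    findings = []
    if not password_ok(cfg.get("controller_password", "")):
        findings.append("controller_password does not meet the documented complexity rule")
    for flag, needed in DEPENDENCIES:
        if truthy(cfg.get(flag, "false")):
            for name in needed:
                if not cfg.get(name) or (name.startswith("configure_") and not truthy(cfg[name])):
                    findings.append(f"{flag}=true requires {name}")
    if not truthy(cfg.get("create_networking", "true")):
        for name in ("custom_vpc_name", "custom_subnetwork_name"):
            if not cfg.get(name):
                findings.append(f"create_networking=false requires {name}")
    # exposure: the documented default admits every source address to the controller
    if cfg.get("firewall_controller_allow_source_range", "0.0.0.0/0") == "0.0.0.0/0":
        findings.append("firewall_controller_allow_source_range is unrestricted (0.0.0.0/0)")
    for net in cfg.get("ipam_networks", []):  # static pool bounds must lie inside the network
        subnet = ipaddress.ip_network(net["network"])
        for addr in net["static_pool"]:
            if ipaddress.ip_address(addr) not in subnet:
                findings.append(f"static_pool address {addr} is outside {net['network']}")
    return findings

# Constructed sample: the east call above with the weak "password" from example 1 and the firewall default
EAST = {"controller_password": "password", "create_networking": "false", "custom_vpc_name": "vpc",
        "custom_subnetwork_name": "subnet-east-1", "configure_ipam_profile": "true", "configure_dns_vs": "true",
        "ipam_networks": [{"network": "192.168.252.0/24", "static_pool": ["192.168.252.1", "192.168.252.254"]}],
        "configure_dns_profile": "true", "dns_service_domain": "east.domain",
        "dns_vs_settings": {"auto_allocate_ip": "true", "vs_ip": "", "network": "192.168.252.0/24"}}
```

Running check_inputs(EAST) reports the weak password and the unrestricted controller firewall range; the same call on a corrected configuration returns an empty list.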
Outputs:
Name | Description |
---|---|
controllers | The AVI Controller(s) information |