Skip to content

slarimore02/terraform-gcp-avi-controller-gcp

Repository files navigation

AVI Controller Deployment on GCP Terraform module

Note: This repository has been archived and new versions are now available on the Terraform registry at https://registry.terraform.io/modules/vmware/avi-alb-deployment-gcp/google/latest or Github at https://github.com/vmware/terraform-google-avi-alb-deployment-gcp. Please use the new repository going forward.

This Terraform module creates and configures an AVI (NSX Advanced Load-Balancer) Controller on GCP

Avi - Single Site Deployment Avi - 2 Site GSLB Deployment

Module Functions

The module is meant to be modular and can create all or none of the prerequiste resources needed for the AVI GCP Deployment including:

  • VPC and Subnet for the Controller (optional with create_networking variable)
  • IAM Roles and Role Bindings for supplied Service Account (optional with create_iam variable)
  • GCP Compute Image from the provided bucket controller file
  • Firewall Rules for AVI Controller and SE communication
  • GCP Compute Instance using the Controller Compute Image

During the creation of the Controller instance the following initialization steps are performed:

  • Change default password to user specified password
  • Copy Ansible playbook to controller using the assigned public IP
  • Run Ansible playbook to configure initial settings and GCP Full Access Cloud

Optionally the following Avi configurations can be created:

  • Avi IPAM Profile (configure_ipam_profile variable)
  • Avi DNS Profile (configure_dns_profile variable)
  • DNS Virtual Service (configure_dns_vs variable)

Environment Requirements

Google Cloud Platform

The following are GCP prerequisites for running this module:

  • Service Account created for the Avi Controller
  • Projects identified for the Controller, Network, Service Engines, Storage, and Backend Servers. By default this be the a single project as set by the "project" variable. Optionally the "network_project", "service_engine_project", "storage_project", and "server_project" variables can be set to use a different project than the project the Controller will be deployed to.
  • If more than 1 project will be used "Disable Cross-Project Service Account Usage" organizational policy must be set to "Not enforced" and the the Service Account must be added to those additional projects.

Google Provider

For authenticating to GCP you must leverage either the "GOOGLE_APPLICATION_CREDENTIALS={{path_to_service_account_key}}" environment variable or use "gcloud auth application-default login"

Controller Image

The AVI Controller image for GCP should be uploaded to a GCP Cloud Storage bucket before running this module with the path specified in the controller-image-gs-path variable. This can be done with the following gsutil commands:

gsutil mb <bucket>
gsutil -m cp ./gcp_controller-<avi-version>.tar.gz  gs://<bucket>/

Host OS

The following packages must be installed on the host operating system:

  • curl

Usage

terraform {
  backend "local" {
  }
}
module "avi_controller_gcp" {
  source  = "slarimore02/avi-controller-gcp/gcp"
  version = "1.0.x"

  region = "us-west1"
  create_networking = "true"
  create_iam = "false"
  controller_default_password = "Value Redacted and available within the VMware Customer Portal"
  avi_version = "21.1.1"
  service_account_email = "<sa-account>@<project>.iam.gserviceaccount.com"
  controller_image_gs_path = "<bucket>/gcp_controller-21.1.1.tar.gz"
  controller_password = "password"
  name_prefix = "avi"
  project = "gcp-project"
}
output "controller_address" { 
  value = module.avi_controller_gcp.controllers
} 

GSLB Deployment Example

terraform {
  backend "local" {
  }
}
module "avi_controller_east" {
  source  = "slarimore02/avi-controller-gcp/gcp"
  version = "1.0.x"

  region                      = "us-east1"
  create_networking           = "false"
  custom_vpc_name             = "vpc"
  custom_subnetwork_name      = "subnet-east-1"
  create_iam                  = "false"
  avi_version                 = "21.1.1"
  controller_public_address   = "true"
  service_account_email       = "<email>@<account>.iam.gserviceaccount.com"
  controller_ha               = "true"
  controller_default_password = "<default-password>"
  controller_image_gs_path    = "<bucket>/gcp_controller-21.1.1.tar.gz"
  controller_password         = "<new-password>"
  name_prefix                 = "east1"
  project                     = "<project>"
  configure_ipam_profile      = "true"
  ipam_networks               = [{ network = "192.168.252.0/24" , static_pool = ["192.168.252.1", "192.168.252.254"]}]
  configure_dns_profile       = "true"
  dns_service_domain          = "east.domain"
  configure_dns_vs            = "true"
  dns_vs_settings             = { auto_allocate_ip = "true", auto_allocate_public_ip = "true", vs_ip = "", network = "192.168.252.0/24" }
}
module "avi_controller_west" {
  source  = "slarimore02/avi-controller-gcp/gcp"
  version = "1.0.x"

  region                          = "us-west1"
  create_networking               = "false"
  custom_vpc_name                 = "vpc"
  custom_subnetwork_name          = "subnet-west-1"
  create_iam                      = "false"
  avi_version                     = "21.1.1"
  controller_public_address       = "true"
  service_account_email           = "<email>@<project>.iam.gserviceaccount.com"
  controller_ha                   = "true"
  controller_default_password     = "<default-password>"
  controller_image_gs_path        = "<bucket>/gcp_controller-21.1.1.tar.gz"
  controller_password             = "<new-password>"
  name_prefix                     = "west1"
  project                         = "<project>"
  configure_ipam_profile          = "true"
  ipam_networks                   = [{ network = "192.168.251.0/24" , static_pool = ["192.168.251.1", "192.168.251.254"]}]
  configure_dns_profile           = "true"
  dns_service_domain              = "west.domain"
  configure_dns_vs                = "true"
  dns_vs_settings                 = { auto_allocate_ip = "true", auto_allocate_public_ip = "true", vs_ip = "", network = "192.168.251.0/24" }
  configure_gslb                  = "true"
  gslb_site_name                  = "West1"
  gslb_domains                    = ["gslb.domain"]
  configure_gslb_additional_sites = "true"
  additional_gslb_sites           = [{name = "East1", ip_address = module.avi_controller_east.controllers[0].private_ip_address , dns_vs_name = "DNS-VS"}]
}
output "west_controller_ip" { 
  value = module.avi_controller_west.controllers
}
output "east_controller_ip" { 
  value = module.avi_controller_east.controllers
}

Controller Sizing

The controller_size variable can be used to determine the vCPU and Memory resources allocated to the Avi Controller. There are 3 available sizes for the Controller as documented below:

Size vCPU Cores Memory (GB)
small 8 24
medium 16 32
large 24 48

Additional resources on sizing the Avi Controller:

https://avinetworks.com/docs/latest/avi-controller-sizing/ https://avinetworks.com/docs/latest/system-limits/

Day 1 Ansible Configuration and Avi Resource Cleanup

The module copies and runs an Ansible play for configuring the initial day 1 Avi config. The plays listed below can be reviewed by connecting to the Avi Controller by SSH. In an HA setup the first controller will have these files.

avi-controller-gcp-all-in-one-play.yml

This play will configure the Avi Cloud, Network, IPAM/DNS profiles, DNS Virtual Service, GSLB depending on the variables used by the module. The initial run of this play will be output into the ansible-playbook.log file which can be reviewed to determine what tasks were ran.

Example run (appropriate variables should be used):

~$ ansible-playbook avi-controller-gcp-all-in-one-play.yml -e password='${var.controller_password}' > ansible-playbook-run.log

avi-cleanup.yml

This play will disable all Virtual Services and delete all existing Avi service engines. This playbook should be ran before deleting the controller with terraform destroy to clean up the resources created by the Avi Controller.

Example run (appropriate variables should be used):

~$ ansible-playbook avi-cleanup.yml -e password='${var.controller_password}'

Requirements

Name Version
terraform >= 0.13.6
google ~> 4.17.0
null 3.1.1

Providers

Name Version
google 4.17.0
null 3.1.1

Modules

No modules.

Resources

Name Type
google_compute_firewall.avi_controller_mgmt resource
google_compute_firewall.avi_controller_to_controller resource
google_compute_firewall.avi_se_data resource
google_compute_firewall.avi_se_mgmt resource
google_compute_firewall.avi_se_to_se resource
google_compute_image.controller resource
google_compute_instance.avi_controller resource
google_compute_network.vpc_network resource
google_compute_router.avi resource
google_compute_subnetwork.avi resource
google_project_iam_custom_role.autoscaling_se resource
google_project_iam_custom_role.cluster_vip resource
google_project_iam_custom_role.ilb_byoip resource
google_project_iam_custom_role.network resource
google_project_iam_custom_role.server resource
google_project_iam_custom_role.serviceengine resource
google_project_iam_custom_role.storage resource
google_project_iam_member.avi_autoscaling_role resource
google_project_iam_member.avi_cluster_vip_role resource
google_project_iam_member.avi_ilb_byoip_role resource
google_project_iam_member.avi_network_role resource
google_project_iam_member.avi_se_role resource
google_project_iam_member.avi_se_service_account_role resource
google_project_iam_member.avi_server_role resource
google_project_iam_member.avi_storage_role resource
null_resource.ansible_provisioner resource
google_compute_zones.available data source
google_service_account.avi data source

Inputs

Name Description Type Default Required
additional_gslb_sites The Names and IP addresses of the GSLB Sites that will be configured. list(object({ name = string, ip_address = string, dns_vs_name = string }))
[
{
"dns_vs_name": "",
"ip_address": "",
"name": ""
}
]
no
avi_subnet The CIDR that will be used for creating a subnet in the Avi VPC string "10.255.1.0/24" no
avi_version The version of Avi that will be deployed string n/a yes
boot_disk_size The boot disk size for the Avi controller number 128 no
configure_dns_profile Configure Avi DNS Profile for DNS Record Creation for Virtual Services. If set to true the dns_service_domain variable must also be set bool "false" no
configure_dns_vs Create DNS Virtual Service. The configure_dns_profile and configure_ipam_profile variables must be set to true and their associated configuration variables must also be set bool "false" no
configure_firewall_se_data Configure Firewall rules for SE dataplane traffic. If set the firewall_se_data_rules and firewall_se_data_source_range must be set bool "false" no
configure_gslb Configure GSLB. The gslb_site_name, gslb_domains, and configure_dns_vs variables must also be set. Optionally the additional_gslb_sites variable can be used to add active GSLB sites bool "false" no
configure_gslb_additional_sites Configure Additional GSLB Sites. The additional_gslb_sites, gslb_site_name, gslb_domains, and configure_dns_vs variables must also be set. Optionally the additional_gslb_sites variable can be used to add active GSLB sites bool "false" no
configure_ipam_profile Configure Avi IPAM Profile for Virtual Service Address Allocation. If set to true the virtualservice_network variable must also be set bool "false" no
controller_default_password This is the default password for the Avi controller image and can be found in the image download page. string n/a yes
controller_ha If true a HA controller cluster is deployed and configured bool "false" no
controller_image_gs_path The Google Storage path to the GCP Avi Controller tar.gz image file using the bucket/filename syntax string n/a yes
controller_password The password that will be used authenticating with the Avi Controller. This password be a minimum of 8 characters and contain at least one each of uppercase, lowercase, numbers, and special characters string n/a yes
controller_public_address This variable controls if the Controller has a Public IP Address. When set to false the Ansible provisioner will connect to the private IP of the Controller. bool "false" no
controller_size This value determines the number of vCPUs and memory allocated for the Avi Controller. Possible values are small, medium, or large. string "small" no
create_cloud_router This variable is used to create a GCP Cloud Router when both the create_networking variable = true and the vip_allocation_strategy = ILB bool "false" no
create_firewall_rules This variable controls the VPC firewall rule creation for the Avi deployment. When set to false the necessary firewall rules must be in place before the deployment bool "true" no
create_gslb_se_group Create a SE group for GSLB. This option only applies when configure_gslb is set to true bool "true" no
create_iam Create IAM Roles and Role Bindings necessary for the Avi GCP Full Access Cloud. If not set the Roles and permissions in this document must be associated with the controller service account - https://Avinetworks.com/docs/latest/gcp-full-access-roles-and-permissions/ bool "false" no
create_networking This variable controls the VPC and subnet creation for the Avi Controller. When set to false the custom_vpc_name and custom_subnetwork_name must be set. bool "true" no
custom_machine_type This value overides the machine type used for the Avi Controller string "" no
custom_subnetwork_name This field can be used to specify an existing VPC subnetwork for the controller and SEs. The create_networking variable must also be set to false for this network to be used. string null no
custom_vpc_name This field can be used to specify an existing VPC for the controller and SEs. The create_networking variable must also be set to false for this network to be used. string null no
dns_search_domain The optional DNS search domain that will be used by the controller string "" no
dns_servers The optional DNS servers that will be used for local DNS resolution by the controller. Example ["8.8.4.4", "8.8.8.8"] list(string) null no
dns_service_domain The DNS Domain that will be available for Virtual Services. Avi will be the Authorative Nameserver for this domain and NS records may need to be created pointing to the Avi Service Engine addresses. An example is demo.Avi.com string "" no
dns_vs_settings The DNS Virtual Service settings. With the auto_allocate_ip option is set to "true" the VS IP address will be allocated via an IPAM profile. Example:{ auto_allocate_ip = "true", auto_allocate_public_ip = "true", vs_ip = "", network = "192.168.20.0/24" } object({ auto_allocate_ip = bool, auto_allocate_public_ip = bool, vs_ip = string, network = string }) null no
email_config The Email settings that will be used for sending password reset information or for trigged alerts. The default setting will send emails directly from the Avi Controller object({ smtp_type = string, from_email = string, mail_server_name = string, mail_server_port = string, auth_username = string, auth_password = string })
{
"auth_password": "",
"auth_username": "",
"from_email": "admin@avicontroller.net",
"mail_server_name": "localhost",
"mail_server_port": "25",
"smtp_type": "SMTP_LOCAL_HOST"
}
no
firewall_controller_allow_source_range The IP range allowed to connect to the Avi Controller. Access from all IP ranges will be allowed by default string "0.0.0.0/0" no
firewall_se_data_rules The ports allowed for Virtual Services hosted on Services Engines. The configure_firewall_se_data variable must be set to true for this rule to be created list(object({ protocol = string, port = list(string) }))
[
{
"port": [
"443",
"53"
],
"protocol": "tcp"
},
{
"port": [
"53"
],
"protocol": "udp"
}
]
no
firewall_se_data_source_range The IP range allowed to access Virtual Services hosted on Service Engines. The configure_firewall_se_data and firewall_se_data_rules variables must also be set string "0.0.0.0/0" no
gslb_domains A list of GSLB domains that will be configured list(string)
[
""
]
no
gslb_se_size The CPU, Memory, Disk Size of the Service Engines. The default is 2 vCPU, 8 GB RAM, and a 30 GB Disk per Service Engine. Syntax ["cpu_cores", "memory_in_GB", "disk_size_in_GB"] list(string)
[
"2",
"8",
"30"
]
no
gslb_site_name The name of the GSLB site the deployed Controller(s) will be a member of. string "" no
ipam_networks This variable configures the IPAM network(s). Example: [{ network = "192.168.1.0/24" , static_pool = ["192.168.1.10","192.168.1.30"]}] list(object({ network = string, static_pool = list(string) }))
[
{
"network": "",
"static_pool": [
""
]
}
]
no
name_prefix This prefix is appended to the names of the Controller and SEs string n/a yes
network_project The GCP Network project that the Controller and SEs will use. If not set the project variable will be used string "" no
ntp_servers The NTP Servers that the Avi Controllers will use. The server should be a valid IP address (v4 or v6) or a DNS name. Valid options for type are V4, DNS, or V6 list(object({ addr = string, type = string }))
[
{
"addr": "0.us.pool.ntp.org",
"type": "DNS"
},
{
"addr": "1.us.pool.ntp.org",
"type": "DNS"
},
{
"addr": "2.us.pool.ntp.org",
"type": "DNS"
},
{
"addr": "3.us.pool.ntp.org",
"type": "DNS"
}
]
no
project The project used for the Avi Controller string n/a yes
region The Region that the Avi controller and SEs will be deployed to string n/a yes
se_ha_mode The HA mode of the Service Engine Group. Possible values active/active, n+m, or active/standby string "active/active" no
se_service_account This is the service account that will be leveraged by the Avi Service Engines. This is optional and only needed if using service accounts are used for GCP firewall rules in 20.1.7 - https://avinetworks.com/docs/20.1/gcp-firewall-rules/#firewall-rule-filtering-with-service-accounts string null no
se_size The CPU, Memory, Disk Size of the Service Engines. The default is 2 vCPU, 2 GB RAM, and a 15 GB Disk per Service Engine. Syntax ["cpu_cores", "memory_in_GB", "disk_size_in_GB"] list(string)
[
"2",
"2",
"15"
]
no
server_project The backend server GCP Project. If not set the project variable will be used string "" no
service_account_email This is the service account that will be leveraged by the Avi Controller. If the create-iam variable is true then this module will create the necessary custom roles and bindings for the SA string n/a yes
service_engine_project The project used for Avi Service Engines. If not set the project variable will be used string "" no
storage_project The storage project used for the Avi Controller and SE Image. If not set the project variable will be used string "" no
vip_allocation_strategy The VIP allocation strategy for the GCP Cloud - ROUTES or ILB string "ROUTES" no

Outputs

Name Description
controllers The AVI Controller(s) Information