EFISS-Capstone-SU23/terraform-infrastructure

terraform-infrastructure

NOTE: Only use CI/CD to update infrastructure; do not run Terraform locally unless you know what you are doing. This prevents the Terraform state from getting out of sync.

You can update terraform.tfvars here. The worker join token is generated by running sudo kubeadm token create --print-join-command

Setup using GitHub Actions (recommended)

Add GitHub Actions with the following environment variables:

  1. Variables:

1.1. TERRAFORM_TFVARS

github_runner_token       = ""
worker_join_token         = ""
worker_join_hash_discover = ""

1.2. SSH_KEYS

thaiminhpv:ssh-rsa ... thaiminhpv@MinhDesktop
thaiminhpv:ssh-rsa ... minhpvt@minhpvt-PC

  2. Secrets:

2.1. GCS_BUCKET_CREDENTIALS_TFSTATE

content of .json GCP file

2.2. minhpvt_GCP

content of .json GCP file

2.3. MINHPVTHE172884FPT

content of .json GCP file

Local usage (not recommended)

  1. Create ssh-keys.txt

    thaiminhpv:ssh-rsa ... thaiminhpv@MinhDesktop
    thaiminhpv:ssh-rsa ... minhpvt@minhpvt-PC

  2. Create terraform.tfvars

    cp terraform.tfvars.example terraform.tfvars

    Then, fill in the variables.

  3. Run

    terraform init
    terraform plan
    terraform apply
    # terraform apply -auto-approve
    # terraform destroy

Extra notes

Service account

To create a new GCP service account, go to the GCP console and create a new service account. Then create a new key for that service account and download the JSON file. The JSON file should be named efiss-terraform-service-account_***.json and placed in the root directory of this project. Remember to grant the Project > Editor role to the service account.

To assume the role of the service account, run

gcloud auth activate-service-account --key-file=./efiss-terraform-service-account_***.json --project=efiss-***

GCS bucket

Create an empty bucket, then use GCP Storage Transfer Service to transfer all data from the empty bucket to the specified bucket.

  • Migrate bucket to another project:

    1. Create a new bucket in the new project named gs://efiss-migrate
    2. Use GCP Storage Transfer Service to transfer all data from the old bucket gs://efiss to the new bucket gs://efiss-migrate
    3. Delete the old bucket gs://efiss by migrating from gs://efiss-empty to gs://efiss
    4. Create bucket gs://efiss in the new project
    5. Use GCP Storage Transfer Service to transfer all data from the bucket gs://efiss-migrate to the new bucket gs://efiss
    6. Delete the bucket gs://efiss-migrate by migrating from gs://efiss-empty to gs://efiss-migrate

Allow all ports through firewall

gcloud compute --project=<project_name> firewall-rules create allow-all-ports --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=all --source-ranges=0.0.0.0/0
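
To find rules this broad in an existing project, the following added example (not part of this repository) reads the JSON printed by gcloud compute firewall-rules list --format=json and reports enabled ingress ALLOW rules whose source range is any address. The sample rules are constructed, and the names exposure and audit are illustrative.

```python
import json

# Constructed sample of `gcloud compute firewall-rules list --format=json` output.
SAMPLE = json.dumps([
    {"name": "allow-all-ports", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-ssh", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-internal", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "old-wide-open", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}]},
])

ANY_SOURCE = {"0.0.0.0/0", "::/0"}
FULL_RANGES = {"0-65535", "1-65535"}
PORT_PROTOCOLS = ("tcp", "udp", "sctp")


def exposure(rule):
    """Return 'all-ports', 'some-ports' or None for one firewall rule."""
    if rule.get("direction") != "INGRESS" or rule.get("disabled"):
        return None
    if not ANY_SOURCE & set(rule.get("sourceRanges", [])):
        return None
    allowed = rule.get("allowed", [])  # deny rules carry "denied" instead
    for entry in allowed:
        proto = entry.get("IPProtocol")
        ports = entry.get("ports")  # absent means every port of the protocol
        wide = proto in PORT_PROTOCOLS and (not ports or FULL_RANGES & set(ports))
        if proto == "all" or wide:
            return "all-ports"
    return "some-ports" if allowed else None


def audit(firewall_json):
    """Map rule name to exposure level for rules reachable from any address."""
    levels = {r["name"]: exposure(r) for r in json.loads(firewall_json)}
    return {name: level for name, level in levels.items() if level}


if __name__ == "__main__":
    for name, level in sorted(audit(SAMPLE).items()):
        print(f"{name}: open to any source address, {level}")
```

In a real project, pipe the gcloud output into audit() in place of SAMPLE.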
