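#!/bin/bash
#
# project-setup.sh — bootstrap a GCP project for the Caravan terraform stack.
#
# Usage:
#   project-setup.sh BILLING_ACCOUNT_ID ORG_ID PARENT_PROJECT_ID PROJECT_ID PROJECT_NAME REGION DOMAIN
#
# Steps, in order:
#   1. create PROJECT_ID under ORG_ID, grant the active gcloud user roles/owner
#      on it and link it to BILLING_ACCOUNT_ID;
#   2. enable the GCP APIs the terraform code needs;
#   3. create the terraform state bucket gs://states-bucket-PROJECT_ID;
#   4. create the "terraform" service account, bind its roles on PROJECT_ID and
#      PARENT_PROJECT_ID, and write its JSON key to .PROJECT_ID-key.json;
#   5. write gcp.tfvars, backend.tf, run.sh and destroy.sh into the current
#      directory.
#
# Requires: gcloud, gsutil, jq; an authenticated gcloud user allowed to create
# projects in ORG_ID and to edit the IAM policy of PARENT_PROJECT_ID.
# Side effects worth knowing: "gcloud config set project" changes the caller's
# active gcloud project, and the JSON key written to .PROJECT_ID-key.json
# carries roles/owner on the new project — treat that file as a secret.

set -euo pipefail

readonly CLOUD_NAME=gcp

#######################################
# Print usage to stderr and exit 2.
#######################################
usage() {
  printf 'Usage: %s BILLING_ACCOUNT_ID ORG_ID PARENT_PROJECT_ID PROJECT_ID PROJECT_NAME REGION DOMAIN\n' \
    "${0##*/}" >&2
  exit 2
}

#######################################
# Print an error to stderr and exit 1.
# Arguments: the message
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a green status line (same colour escapes as the original echo -e).
# Arguments: the message
#######################################
info() {
  printf '\033[32m%s\033[0m\n' "$*"
}

#######################################
# Create the project, make the caller its owner and attach billing.
# Globals: PROJECT_ID, PROJECT_NAME, REGION, ORG_ID, BILLING_ACCOUNT_ID (read)
#######################################
create_project() {
  local caller
  info "Creating ${PROJECT_ID}, named ${PROJECT_NAME} in ${REGION}..."
  gcloud projects create "${PROJECT_ID}" --name="${PROJECT_NAME}" --organization="${ORG_ID}"
  # Mutates the caller's gcloud configuration; every later gcloud call relies on it.
  gcloud config set project "${PROJECT_ID}"
  # Declaration and assignment are split so a failing gcloud/jq is not masked.
  caller=$(gcloud config list --format=json | jq -r '.core.account')
  [[ -n "${caller}" && "${caller}" != "null" ]] \
    || die "could not determine the active gcloud account"
  gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
    --member="user:${caller}" --role=roles/owner
  gcloud beta billing projects link "${PROJECT_ID}" --billing-account "${BILLING_ACCOUNT_ID}"
}

#######################################
# Enable the APIs used by the terraform stack on the active project.
#######################################
enable_services() {
  info "Enable some GCP services..."
  gcloud services enable \
    compute.googleapis.com \
    monitoring.googleapis.com \
    logging.googleapis.com \
    serviceusage.googleapis.com \
    cloudkms.googleapis.com \
    iam.googleapis.com \
    cloudresourcemanager.googleapis.com \
    dns.googleapis.com
}

#######################################
# Create the bucket that backend.tf points the terraform state at.
# Globals: REGION, PROJECT_ID, STATE_BUCKET (read)
#######################################
create_state_bucket() {
  info "Create terraform state bucket..."
  # -b off: uniform bucket-level access disabled; -c standard: storage class.
  gsutil mb -b off -c standard -l "${REGION}" -p "${PROJECT_ID}" "gs://${STATE_BUCKET}"
}

#######################################
# Create the "terraform" service account, bind its roles and write its key.
# Globals: PROJECT_ID, PARENT_PROJECT_ID, SA_EMAIL, KEY_FILE (read)
#######################################
create_service_account() {
  local role project_number
  info "Create terraform service account and its json key..."
  gcloud iam service-accounts create terraform
  # Project-level roles, as granted by the original script (roles/owner is broad;
  # narrow it if the stack turns out not to need it).
  for role in roles/owner roles/storage.admin; do
    gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
      --member="serviceAccount:${SA_EMAIL}" --role="${role}"
  done
  # Cross-project roles on the parent project (images, DNS zone, network, SA use).
  for role in roles/compute.imageUser roles/dns.admin roles/compute.networkAdmin roles/iam.serviceAccountUser; do
    gcloud projects add-iam-policy-binding "${PARENT_PROJECT_ID}" \
      --member="serviceAccount:${SA_EMAIL}" --role="${role}"
  done
  # The new project's <number>@cloudservices.gserviceaccount.com account also
  # needs to read the parent's images.
  project_number=$(gcloud projects describe "${PROJECT_ID}" --format=json | jq -r '.projectNumber')
  [[ "${project_number}" =~ ^[0-9]+$ ]] \
    || die "could not determine the project number of ${PROJECT_ID}"
  gcloud projects add-iam-policy-binding "${PARENT_PROJECT_ID}" \
    --member="serviceAccount:${project_number}@cloudservices.gserviceaccount.com" \
    --role=roles/compute.imageUser
  gcloud iam service-accounts keys create "${KEY_FILE}" --iam-account "${SA_EMAIL}"
  # The key carries roles/owner on the project: keep it readable by the owner only.
  chmod 600 -- "${KEY_FILE}"
}

#######################################
# Write gcp.tfvars and backend.tf into the current directory.
# Globals: CLOUD_NAME, REGION, PROJECT_ID, PROJECT_NAME, KEY_FILE,
#          PARENT_PROJECT_ID, STATE_BUCKET (read)
#######################################
write_terraform_files() {
  info "Write tfvars and backend files."
  cat <<EOT > "${CLOUD_NAME}.tfvars"
region = "${REGION}"
zone = "${REGION}-a"
project_id = "${PROJECT_ID}"
prefix = "${PROJECT_NAME}"
google_account_file = "${KEY_FILE}"
# NOTE(review): hardcoded, while the generated run.sh/destroy.sh build their
# service URLs from the DOMAIN argument — confirm the two are meant to match.
external_domain = "cloud.bitrock.it"
use_le_staging = true
dc_name = "gcp-dc"
control_plane_sa_name = "control-plane"
worker_plane_sa_name = "worker-plane"
image = "projects/${PARENT_PROJECT_ID}/global/images/family/caravan-centos-image-os"
parent_dns_project_id = "${PARENT_PROJECT_ID}"
parent_dns_zone_name = "dns-example-zone"
EOT
  cat <<EOT > backend.tf
terraform {
  backend "gcs" {
    bucket = "${STATE_BUCKET}"
    prefix = "infraboot/terraform/state"
    credentials = "${KEY_FILE}"
  }
}
EOT
}

#######################################
# Write run.sh: deploys infrastructure, platform and application support.
# Values expanded now (PREFIX, CLOUD_NAME, DOMAIN) are baked into the file;
# everything written as \$ is evaluated when run.sh itself executes.
# Globals: PREFIX, CLOUD_NAME, DOMAIN (read)
#######################################
write_run_script() {
  cat <<EOT > run.sh
#!/usr/bin/env bash
# Generated by project-setup.sh: deploy infrastructure, platform and application support.
set -euo pipefail
EXTERNAL_DOMAIN="${DOMAIN}"
export VAULT_ADDR="https://vault.${PREFIX}.\${EXTERNAL_DOMAIN}"
export CONSUL_ADDR="https://consul.${PREFIX}.\${EXTERNAL_DOMAIN}"
export NOMAD_ADDR="https://nomad.${PREFIX}.\${EXTERNAL_DOMAIN}"
DIR="\$( cd "\$( dirname "\${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"

# Poll an endpoint until it answers HTTP 200.
# curl -k accepts any certificate, presumably because use_le_staging = true in
# ${CLOUD_NAME}.tfvars issues untrusted staging certificates; drop -k (and the
# matching vault -tls-skip-verify below) once trusted certificates are in use.
wait_for() {
  local name=\$1 addr=\$2 path=\$3
  echo "Waiting for \${name} \${addr} to be up..."
  while [ "\$(curl -k --silent --output /dev/null --write-out "%{http_code}" "\${addr}\${path}")" != "200" ]; do
    echo "Waiting for \${name} to be up..."
    sleep 5
  done
}

echo "Deploying infrastructure..."
terraform init -reconfigure
terraform apply -var-file "${CLOUD_NAME}.tfvars" -auto-approve
wait_for Vault "\${VAULT_ADDR}" /v1/sys/leader
wait_for Consul "\${CONSUL_ADDR}" /v1/status/leader
wait_for Nomad "\${NOMAD_ADDR}" /v1/status/leader
# Root token file presumably produced by the infrastructure apply above.
VAULT_TOKEN=\$(cat ".${PREFIX}-root_token")
export VAULT_TOKEN
NOMAD_TOKEN=\$(vault read -tls-skip-verify -format=json nomad/creds/token-manager | jq -r .data.secret_id)
export NOMAD_TOKEN
echo "Configuring platform..."
cd "\$DIR/../caravan-platform"
cp "${PREFIX}-${CLOUD_NAME}-backend.tf.bak" "backend.tf"
terraform init -reconfigure
terraform apply -var-file "${PREFIX}-${CLOUD_NAME}.tfvars" -auto-approve
wait_for "Consul Connect" "\${CONSUL_ADDR}" /v1/connect/ca/roots
echo "Configuring application support..."
cd "\$DIR/../caravan-application-support"
cp "${PREFIX}-${CLOUD_NAME}-backend.tf.bak" "backend.tf"
terraform init -reconfigure
terraform apply -var-file "${PREFIX}-${CLOUD_NAME}.tfvars" -auto-approve
cd "\$DIR"
echo "Done."
EOT
  chmod +x run.sh
}

#######################################
# Write destroy.sh: tears the three stacks down in reverse order.
# Same expansion rules as write_run_script. The original left DIR's inner
# \$( dirname "\${BASH_SOURCE[0]}" ) unescaped, so destroy.sh resolved DIR
# from wherever project-setup.sh ran instead of from its own location; it is
# escaped here exactly as in run.sh.
# Globals: PREFIX, CLOUD_NAME, DOMAIN (read)
#######################################
write_destroy_script() {
  cat <<EOT > destroy.sh
#!/usr/bin/env bash
# Generated by project-setup.sh: destroy application support, platform and infrastructure.
set -euo pipefail
EXTERNAL_DOMAIN="${DOMAIN}"
export VAULT_ADDR="https://vault.${PREFIX}.\${EXTERNAL_DOMAIN}"
export CONSUL_ADDR="https://consul.${PREFIX}.\${EXTERNAL_DOMAIN}"
export NOMAD_ADDR="https://nomad.${PREFIX}.\${EXTERNAL_DOMAIN}"
DIR="\$( cd "\$( dirname "\${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
VAULT_TOKEN=\$(cat ".${PREFIX}-root_token")
export VAULT_TOKEN
# -tls-skip-verify for the same reason run.sh uses curl -k; drop it once trusted certificates are in use.
NOMAD_TOKEN=\$(vault read -tls-skip-verify -format=json nomad/creds/token-manager | jq -r .data.secret_id)
export NOMAD_TOKEN
echo "Destroying application support..."
cd "\$DIR/../caravan-application-support"
cp "${PREFIX}-${CLOUD_NAME}-backend.tf.bak" "backend.tf"
terraform init -reconfigure
terraform destroy -var-file "${PREFIX}-${CLOUD_NAME}.tfvars" -auto-approve
echo "Destroying platform..."
cd "\$DIR/../caravan-platform"
cp "${PREFIX}-${CLOUD_NAME}-backend.tf.bak" "backend.tf"
terraform init -reconfigure
terraform destroy -var-file "${PREFIX}-${CLOUD_NAME}.tfvars" -auto-approve
echo "Destroying infrastructure..."
cd "\$DIR"
terraform init -reconfigure
terraform destroy -var-file "${CLOUD_NAME}.tfvars" -auto-approve
echo "Done."
EOT
  chmod +x destroy.sh
}

#######################################
# Validate arguments and tools, then run the steps in order.
# Arguments: see usage
#######################################
main() {
  local arg tool
  (( $# == 7 )) || usage
  # Empty positionals would otherwise turn into e.g. "--name=" or "gs://states-bucket-".
  for arg in "$@"; do
    [[ -n "${arg}" ]] || usage
  done
  for tool in gcloud gsutil jq; do
    command -v "${tool}" >/dev/null || die "required tool not found: ${tool}"
  done

  BILLING_ACCOUNT_ID=$1
  ORG_ID=$2
  PARENT_PROJECT_ID=$3
  PROJECT_ID=$4
  PROJECT_NAME=$5
  REGION=$6
  DOMAIN=$7
  PREFIX=$PROJECT_NAME
  SA_EMAIL="terraform@${PROJECT_ID}.iam.gserviceaccount.com"
  KEY_FILE=".${PROJECT_ID}-key.json"
  STATE_BUCKET="states-bucket-${PROJECT_ID}"
  readonly BILLING_ACCOUNT_ID ORG_ID PARENT_PROJECT_ID PROJECT_ID PROJECT_NAME REGION DOMAIN
  readonly PREFIX SA_EMAIL KEY_FILE STATE_BUCKET

  create_project
  enable_services
  create_state_bucket
  create_service_account
  write_terraform_files
  write_run_script
  write_destroy_script

  printf '\033[32m\n'
  cat <<EOT
Done!
All set, review configs and execute 'run.sh' and 'destroy.sh'.
Don't forget to add the service account "${SA_EMAIL}" at https://www.google.com/webmasters/verification for your parent DNS zone.
EOT
  printf '\033[0m\n'
}

main "$@"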