Apigee X via IaC Automation Pipeline exposed in Multiple GCP Regions with Shared VPC and External HTTPS Load Balancer
This sample deploys in a slightly different manner than you might be used to in case you have explored the other samples in this repository.
Deploying this sample happens in two stages.
- As a first step the Terraform scripts in this directory will create a Bootstrap GCP Project with all the resources required to deploy Apigee X with an Infrastructure as Code (IaC) Automation Pipeline.
- The second step will leverage two Cloud Source Repositories and Cloud Build for deploying Apigee X with the surrounding resources as well as a simple httpbin proxy.
- infra-repo A repo that contains the Terraform Resources to provision Apigee X and the additional components.
- app-repo An Apigee example proxy repository.
The below diagram depicts the Bootstrap GCP Project setup.
Please refer to the below diagram for a graphical representation of the architecture for this sample.
Note that the sample uses an EVAL Apigee X Organization and hence a single Apigee X Instance only. In case you have a PROD Apigee X Organization then you will be able to easily extend the sample accordingly.
You can deploy this sample by executing the shell commands listed below.
Set the GCP Project ID for the location of your Bootstrap GCP Project:
PROJECT_ID=my-bootstrap-project-idSet the GCP Project ID for the location of your APIGEE GCP Project (a Shared VPC Service Project):
APIGEE_PROJECT_ID=my-apigee-project-idSet the GCP Project ID for the location of your Shared VPC Host GCP Project:
HOST_PROJECT_ID=my-host-project-idDraw a copy of the x-demo.tfvars to customize your Terraform Input Variables.
cp ./x-demo.tfvars ./my-config.tfvars
cp ./infra/environments/poc/x-demo.tfvars ./infra/environments/poc/my-config.tfvarsIn case the three GCP Projects for which you set the Project IDs above do not exist yet and you do want to automate their creation you have to set the following variables in your my-config.tfvars:
- project_create: Set this to true
- billing_account: Set this to your billing account identifier
- project_parent: Set this to either 'organizations/0123456789' or 'folders/0123456789' where '0123456789' is either your GCP Organization identifier or the GCP Folder identifier respectively.
Decide on a backend and create the necessary config. To use a backend on Google Cloud Storage (GCS) use:
gsutil mb "gs://$PROJECT_ID-tf"
cat <<EOF >terraform.tf
terraform {
backend "gcs" {
bucket = "$PROJECT_ID-tf"
prefix = "terraform/state"
}
}
EOFValidate your config:
terraform init
terraform plan --var-file=./my-config.tfvars -var "project_id=$PROJECT_ID" -var "apigee_project_id=$APIGEE_PROJECT_ID" -var "host_project_id=$HOST_PROJECT_ID"and provision the Bootstrap GCP Project:
terraform apply --var-file=./my-config.tfvars -var "project_id=$PROJECT_ID" -var "apigee_project_id=$APIGEE_PROJECT_ID" -var "host_project_id=$HOST_PROJECT_ID"The scripts in the following steps will require that you have your git config initialized. In case you have not done so in your environment already please run the following two commands (using your details).
git config --global user.email "[email protected]"
git config --global user.name "Your Name"Create the Infrastructure as Code (takes roughly 25min):
cd ./infra/
./setupRepo.sh $PROJECT_ID Warning: This step will kick off a Cloud Build in the Boostrap GCP Project.
- Check the Cloud Build history in your Bootstrap GCP Project on https://console.cloud.google.com/cloud-build/builds?supportedpurview=project and make sure the build completes before continuing to the next step.
Provision a simple httpbin Proxy:
cd ../app/
./setupRepo.sh $PROJECT_ID Before you can test your sample setup you need to wait until the provisioning of the cloud resources has come to completion.
A good signal for the overall status is to check the status of the managed SSL certificate that the pipeline provisions for you.
Run the following command in your Cloud Shell to confirm that the status reads ACTIVE before you continue.
gcloud compute ssl-certificates list --project ${APIGEE_PROJECT_ID}
This should output something like the following:
NAME: cert-12345687890
TYPE: MANAGED
CREATION_TIMESTAMP: 2022-01-17T08:23:15.213-08:00
EXPIRE_TIME: 2022-04-17T08:58:29.000-07:00
MANAGED_STATUS: ACTIVE
test.123-456-789-012.nip.io: ACTIVE
Once that status reads ACTIVE it might still take a short moment for the certificate to propagate through the platform.
However, shortly after that you should see successful responses for requests sent to the test proxy (see command below).
Run the following command to execute a simple end-to-end test for your setup.
(Make sure you substitute test.123-456-789-012.nip.io with your values as returned by the command above)
curl https://test.123-456-789-012.nip.io/httpbin/headers
| Name | Version |
|---|---|
| n/a |
| Name | Source | Version |
|---|---|---|
| app-tfstate-bucket | github.com/terraform-google-modules/cloud-foundation-fabric//modules/gcs | v16.0.0 |
| bootstrap-project | github.com/terraform-google-modules/cloud-foundation-fabric//modules/project | v16.0.0 |
| infra-tfstate-bucket | github.com/terraform-google-modules/cloud-foundation-fabric//modules/gcs | v16.0.0 |
| Name | Type |
|---|---|
| google_billing_account_iam_member.billing_user | resource |
| google_cloudbuild_trigger.app_trigger | resource |
| google_cloudbuild_trigger.infra_trigger | resource |
| google_folder_iam_member.folder_project_creator | resource |
| google_folder_iam_member.folder_xpn_admin | resource |
| google_organization_iam_member.existing_org_xpn_admin | resource |
| google_organization_iam_member.folder_xpn_admin | resource |
| google_organization_iam_member.org_project_creator | resource |
| google_organization_iam_member.org_xpn_admin | resource |
| google_project_iam_member.apigee_project_owner | resource |
| google_project_iam_member.host_project_owner | resource |
| google_sourcerepo_repository.app | resource |
| google_sourcerepo_repository.infra | resource |
| google_folder.bootstrap_folder | data source |
| google_project.host_project | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| apigee_project_id | Shared VPC Service Project Id for Apigee Organization. | string |
n/a | yes |
| billing_account | Billing account id. | string |
null |
no |
| environment | Build environment | string |
"poc" |
no |
| host_project_id | Shared VPC Host Project Id | string |
n/a | yes |
| project_create | Create project. When set to false, uses a data source to reference existing project. | bool |
false |
no |
| project_id | Bootstrap Project Id (used to bootstrap the remaining resources). | string |
n/a | yes |
| project_parent | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | string |
null |
no |
| region | Region for the bootstrap resources. | string |
n/a | yes |
No outputs.