“Terraform-ing” your way towards Secure Multi Cloud Networking with Aviatrix

In this post I’m going to Terraform an entire Aviatrix deployment, mainly the controller and CoPilot. There is always discussion about whether the controller and CoPilot should be deployed with automation, but I assume that if you are reading this post you are already convinced.

Management Network

I’m creating a new management VPC and subnet first. This step is not strictly necessary (the module can create its own network), but it validates that the GCP controller Terraform module can deploy a controller into an existing VPC:

# Dedicated management VPC. auto_create_subnetworks = false so the only
# subnet in it is the one defined explicitly below.
resource "google_compute_network" "google_compute_network-aviatrix_mgmt_vpc" {
  project                 = var.project
  name                    = var.aviatrix_mgmt_vpc
  auto_create_subnetworks = false
}

# Regional subnet that will host the controller's NIC.
resource "google_compute_subnetwork" "google_compute_subnetwork-aviatrix_mgmt_network" {
  name          = var.aviatrix_mgmt_network
  ip_cidr_range = var.aviatrix_mgmt_network_cidr
  region        = var.region
  network       = google_compute_network.google_compute_network-aviatrix_mgmt_vpc.id
}

Controller Deployment

The gcp-controller module launches the Aviatrix Controller in Google Cloud Platform and creates the Aviatrix access account that the Controller uses to manage the project:

module "aviatrix-controller-gcp" {
  # Redundant with the implicit dependency created by the .name references
  # below, but it makes the ordering on the management subnet explicit.
  depends_on = [
    google_compute_subnetwork.google_compute_subnetwork-aviatrix_mgmt_network
  ]
  source                              = "AviatrixSystems/gcp-controller/aviatrix"
  access_account_name                 = var.aviatrix_access_account
  aviatrix_controller_admin_email     = var.aviatrix_controller_admin_email
  aviatrix_controller_admin_password  = var.aviatrix_controller_admin_password
  aviatrix_customer_id                = var.aviatrix_customer_id
  gcloud_project_credentials_filepath = var.gcloud_project_credentials_filepath
  # Source ranges allowed through the controller firewall rule to its HTTPS
  # UI/API. This is the one input that decides the controller's exposure.
  incoming_ssl_cidrs                  = var.incoming_ssl_cidrs
  # Deploy into the VPC/subnet created above instead of a module-created one.
  use_existing_network                = true
  network_name                        = google_compute_network.google_compute_network-aviatrix_mgmt_vpc.name
  subnet_name                         = google_compute_subnetwork.google_compute_subnetwork-aviatrix_mgmt_network.name
}

My terraform.tfvars looks like the following. Two things to note before copying it: the admin password and the service-account key path are secrets, so this file has to stay out of version control (or be replaced by TF_VAR_ environment variables), and incoming_ssl_cidrs = ["0.0.0.0/0"] opens the controller's HTTPS UI to the whole internet, which is only acceptable for a short-lived lab. Anywhere else, restrict it to your admin source ranges:

aviatrix_mgmt_vpc                   = "aviatrix-mgmt-vpc"
aviatrix_mgmt_network               = "aviatrix-mgmt-network"
aviatrix_mgmt_network_cidr          = "192.168.254.0/24"
aviatrix_controller_admin_email     = "rtrentin@aviatrix.com"
aviatrix_controller_admin_password  = "mytopsecretpassword"
aviatrix_customer_id                = "avx-x-x.x"
aviatrix_access_account             = "test-lab-aviatrix-gcp"
project                             = "rtrentin-01"
region                              = "us-central1"
gcloud_project_credentials_filepath = "/Users/ricardotrentin/.gcp/rtrentin-01-6cxxdcdxxb84.json"
incoming_ssl_cidrs = ["0.0.0.0/0"]
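The settings above are the ones that decide how exposed the controller is, so it is worth gating terraform apply on them. The following is an added example, not code from the original post or from the Aviatrix module: a small pre-apply check that parses the flat tfvars syntax used above (strings, numbers, booleans and lists of strings) and flags an internet-wide incoming_ssl_cidrs, a broad or invalid CIDR, a management range outside RFC 1918, and a weak admin password. The thresholds (anything broader than a /24, fewer than 14 characters or fewer than three character classes) and the two sample tfvars documents are my own assumptions and constructed inputs, not Aviatrix requirements.

```python
"""Pre-apply guard for the Aviatrix controller terraform.tfvars (added example).

Thresholds below are assumptions for illustration, not Aviatrix-enforced rules.
"""
import ipaddress
import re
import sys

# One `key = value` per line; values are quoted strings, numbers, true/false,
# or lists of quoted strings. That is all the tfvars file above uses.
_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_-]*)\s*=\s*(.*?)\s*$')
_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_SSL_PREFIX = 24    # assumption: admin sources broader than a /24 are "too open"
MIN_PASSWORD_LEN = 14  # assumption: minimum admin password length


def parse_tfvars(text):
    """Parse the subset of HCL used in a flat terraform.tfvars into a dict."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("//"):
            continue
        m = _ASSIGN.match(line)
        if not m:
            raise ValueError(f"unparseable tfvars line: {raw!r}")
        key, rhs = m.group(1), m.group(2)
        if rhs.startswith("["):
            values[key] = _STRING.findall(rhs)          # list of strings
        elif rhs.startswith('"'):
            sm = _STRING.match(rhs)
            if sm is None:
                raise ValueError(f"unterminated string on line: {raw!r}")
            values[key] = sm.group(1)                   # escapes left as written
        elif rhs in ("true", "false"):
            values[key] = rhs == "true"
        else:
            values[key] = float(rhs) if "." in rhs else int(rhs)
    return values


def _parse_cidr(value):
    try:
        return ipaddress.ip_network(value, strict=True)
    except ValueError:
        return None


def check_tfvars(values):
    """Return a list of findings; an empty list means the file passed."""
    findings = []

    cidrs = values.get("incoming_ssl_cidrs")
    if not cidrs:
        findings.append("incoming_ssl_cidrs: not set; set it explicitly to your admin source ranges")
    else:
        for c in cidrs:
            net = _parse_cidr(c)
            if net is None:
                findings.append(f"incoming_ssl_cidrs: {c!r} is not a valid CIDR")
            elif net.prefixlen == 0:
                findings.append(f"incoming_ssl_cidrs: {c} exposes the controller HTTPS port to the whole internet")
            elif net.prefixlen < MIN_SSL_PREFIX:
                findings.append(f"incoming_ssl_cidrs: {c} is broader than /{MIN_SSL_PREFIX}; narrow it to admin hosts or VPN egress")

    mgmt = values.get("aviatrix_mgmt_network_cidr")
    net = _parse_cidr(mgmt) if isinstance(mgmt, str) else None
    if net is None:
        findings.append(f"aviatrix_mgmt_network_cidr: {mgmt!r} is missing or not a valid CIDR")
    elif net.version != 4 or not any(net.subnet_of(p) for p in RFC1918):
        findings.append(f"aviatrix_mgmt_network_cidr: {mgmt} is not an RFC 1918 range")

    pw = values.get("aviatrix_controller_admin_password", "")
    pw = pw if isinstance(pw, str) else ""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if len(pw) < MIN_PASSWORD_LEN or classes < 3:
        findings.append("aviatrix_controller_admin_password: weak; generate it and pass it via "
                        "TF_VAR_aviatrix_controller_admin_password instead of committing it")
    return findings


# Constructed sample mirroring the lab tfvars in the post (secrets are placeholders).
LAB_TFVARS = '''
aviatrix_mgmt_vpc                   = "aviatrix-mgmt-vpc"
aviatrix_mgmt_network               = "aviatrix-mgmt-network"
aviatrix_mgmt_network_cidr          = "192.168.254.0/24"
aviatrix_controller_admin_password  = "mytopsecretpassword"
incoming_ssl_cidrs = ["0.0.0.0/0"]
'''

# Constructed hardened variant: admin VPN egress only, generated password.
HARDENED_TFVARS = '''
aviatrix_mgmt_vpc                   = "aviatrix-mgmt-vpc"
aviatrix_mgmt_network_cidr          = "192.168.254.0/24"
aviatrix_controller_admin_password  = "Vq7!xP2m#Lw9rT4@bN"
incoming_ssl_cidrs                  = ["203.0.113.10/32", "198.51.100.0/27"]
'''


def lint_text(text):
    return check_tfvars(parse_tfvars(text))


if __name__ == "__main__":
    # Usage: python check_tfvars.py terraform.tfvars  (exit 1 on findings)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else LAB_TFVARS
    problems = lint_text(source)
    for p in problems:
        print("FAIL:", p)
    sys.exit(1 if problems else 0)
```

Run it against the real file before terraform apply, or wire it into a pre-commit hook; the lab file from the post fails on both the 0.0.0.0/0 rule and the password rule, while the hardened variant passes.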

I’m using a Google Cloud service account to authenticate; its JSON key is the file at gcloud_project_credentials_filepath (keep that key, like the tfvars with the admin password, out of version control). The module initializes the controller with a Python script that Terraform runs locally (the null_resource.run_script in the state list below), so its Python dependencies must be installed in the same shell that runs terraform apply. Before applying, execute:

# clone the module repository to get requirements.txt for the init script
gh repo clone AviatrixSystems/terraform-aviatrix-gcp-controller
cd terraform-aviatrix-gcp-controller
# isolated interpreter for the module's controller-initialization script
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
# same service-account key that gcloud_project_credentials_filepath points to
export GOOGLE_APPLICATION_CREDENTIALS="path to credential file"

Once the requirements are satisfied, run terraform init and terraform apply. When the apply finishes, terraform state list shows everything that was created, including the controller instance, its firewall rule and public address, and the initialization step:

(venv) ricardotrentin@RicardontinsMBP controller % terraform state list
google_compute_network.google_compute_network-aviatrix_mgmt_vpc
google_compute_subnetwork.google_compute_subnetwork-aviatrix_mgmt_network
module.aviatrix-controller-gcp.data.google_compute_network.controller_network[0]
module.aviatrix-controller-gcp.data.google_compute_subnetwork.controller_subnet[0]
module.aviatrix-controller-gcp.module.aviatrix-controller-build.google_compute_firewall.controller_firewall
module.aviatrix-controller-gcp.module.aviatrix-controller-build.google_compute_instance.controller
module.aviatrix-controller-gcp.module.aviatrix-controller-initialize.null_resource.run_script
module.aviatrix-controller-gcp.module.aviatrix-controller-ip-address.google_compute_address.ip_address

Checking

After the apply, I verify two things in the controller UI (screenshots not reproduced here):

Access accounts: the access account named in aviatrix_access_account exists and points at the GCP project.

Software version: the controller came up on the expected release.

References

Aviatrix gcp-controller module on the Terraform Registry: https://registry.terraform.io/modules/AviatrixSystems/gcp-controller/aviatrix/latest
