cloud-foundation-fabric/blueprints/data-solutions/composer-2
Ludovico Magnocavallo 819894d2ba
IAM interface refactor (#1595)
* IAM modules refactor proposal

* policy

* subheading

* Update 20230816-iam-refactor.md

* log Julio's +1

* data-catalog-policy-tag

* dataproc

* dataproc

* folder

* folder

* folder

* folder

* project

* better filtering in test examples

* project

* folder

* folder

* organization

* fix variable descriptions

* kms

* net-vpc

* dataplex-datascan

* modules/iam-service-account

* modules/source-repository/

* blueprints/cloud-operations/vm-migration/

* blueprints/third-party-solutions/wordpress

* dataplex-datascan

* blueprints/cloud-operations/workload-identity-federation

* blueprints/data-solutions/cloudsql-multiregion/

* blueprints/data-solutions/composer-2

* Update 20230816-iam-refactor.md

* Update 20230816-iam-refactor.md

* capture discussion in architectural doc

* update variable names and refactor proposal

* project

* blueprints first round

* folder

* organization

* data-catalog-policy-tag

* re-enable folder inventory

* project module style fix

* dataproc

* source-repository

* source-repository tests

* dataplex-datascan

* dataplex-datascan tests

* net-vpc

* net-vpc test examples

* iam-service-account

* iam-service-account test examples

* kms

* boilerplate

* tfdoc

* fix module tests

* more blueprint fixes

* fix typo in data blueprints

* incomplete refactor of data platform foundations

* tfdoc

* data platform foundation

* refactor data platform foundation iam locals

* remove redundant example test

* shielded folder fix

* fix typo

* project factory

* project factory outputs

* tfdoc

* test workflow: less verbose tests, fix tf version

* re-enable -vv, shorter traceback, fix action version

* ignore github extension warning, re-enable action version

* fast bootstrap IAM, untested

* bootstrap stage IAM fixes

* stage 0 tests

* fast stage 1

* tenant stage 1

* minor changes to fast stage 0 and 1

* fast security stage

* fast mt stage 0

* fast mt stage 0

* fast pf
2023-08-20 09:44:20 +02:00
README.md IAM interface refactor (#1595) 2023-08-20 09:44:20 +02:00
backend.tf.sample First commit 2022-09-19 10:34:46 +02:00
composer.tf Improve composer config variable. 2022-09-21 15:00:52 +02:00
diagram.png First commit 2022-09-19 10:34:46 +02:00
main.tf IAM interface refactor (#1595) 2023-08-20 09:44:20 +02:00
outputs.tf Do not modify in parameters in format_* functions 2022-10-20 18:56:54 +02:00
variables.tf IAM interface refactor (#1595) 2023-08-20 09:44:20 +02:00

README.md

Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key

This blueprint creates a private instance of Cloud Composer version 2 on a VPC with a dedicated service account. Cloud Composer 2 is the new major version of Cloud Composer that supports:

  • environment autoscaling
  • workloads configuration: CPU, memory, and storage parameters for Airflow workers, schedulers, web server, and database.

Please consult the documentation page for an exhaustive comparison between Composer Version 1 and Version 2.

The solution will use:

  • Cloud Composer
  • VPC with Private Service Access to deploy resources, if no Shared VPC configuration is provided.
  • Google Cloud NAT to access internet resources, if no Shared VPC configuration is provided.

The solution supports as inputs:

  • Shared VPC
  • Cloud KMS CMEK keys

This is the high level diagram:

Cloud Composer 2 architecture overview

Requirements

This blueprint will deploy all its resources into the project defined by the project_id variable. Please note that we assume this project already exists. However, if you provide the appropriate values to the project_create variable, the project will be created as part of the deployment.

If project_create is left to null, the identity performing the deployment needs the owner role on the project defined by the project_id variable. Otherwise, the identity performing the deployment needs resourcemanager.projectCreator on the resource hierarchy node specified by project_create.parent and billing.user on the billing account specified by project_create.billing_account_id.

Deployment

Run Terraform init:

terraform init

Configure the Terraform variables in your terraform.tfvars file. You need to specify at least the following variables:

project_id          = "lcaggioni-sandbox"
prefix              = "lc"

You can run now:

terraform apply

You can now connect to your instance.

Customizations

VPC

If a shared VPC is not configured, a VPC will be created within the project. The following IP ranges will be used:

  • Cloudsql: 10.20.10.0/24
  • GKE: 10.20.11.0/28

Change the code as needed to match your configuration; remember that these addresses must not overlap with any other range used in the network.

Shared VPC

As is often the case in real-world configurations, this blueprint accepts as input an existing Shared VPC via the network_config variable.

Example:

network_config = {
  host_project      = "PROJECT"
  network_self_link = "projects/PROJECT/global/networks/VPC_NAME"
  subnet_self_link  = "projects/PROJECT/regions/REGION/subnetworks/VPC_NAME"
  composer_secondary_ranges = {
    pods     = "pods"
    services = "services"
  }
}
# tftest skip

Make sure that:

  • The GKE API (container.googleapis.com) is enabled in the VPC host project.
  • The subnet has two secondary ranges configured:
    • pods: a /22, for example 10.10.8.0/22
    • services: a /24, for example 10.10.12.0/24
  • Firewall rules are set, as described in the documentation

In order to run the example and deploy Cloud Composer on a Shared VPC, the identity running Terraform must have the following IAM roles on the Shared VPC host project:

  • Compute Network Admin (roles/compute.networkAdmin)
  • Compute Shared VPC Admin (roles/compute.xpnAdmin)

Encryption

As is often the case in real-world configurations, this blueprint accepts existing Cloud KMS keys as input via the service_encryption_keys variable.

Example:

service_encryption_keys = {
  "europe-west1" = "projects/PROJECT/locations/REGION/keyRings/KR_NAME/cryptoKeys/KEY_NAME"
}
# tftest skip
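A pre-flight check for the Shared VPC and encryption inputs above, added here as an example and not code from the blueprint. It assumes the subnet JSON comes from gcloud compute networks subnets describe --format=json, the enabled API list from gcloud services list --enabled, and that each CMEK key must be located in the region it serves.

```python
# Added example (not part of the blueprint): pre-flight checks on the
# Shared VPC and CMEK inputs, to run before `terraform apply`.
import re
import ipaddress

# Prefix length the README expects for each Composer secondary range.
EXPECTED_PREFIX = {"pods": 22, "services": 24}
# Cloud KMS key resource name; group 1 captures the key's location.
KEY_RE = re.compile(r"^projects/[^/]+/locations/([^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$")


def check_shared_vpc(network_config, subnet, enabled_services):
    """Return a list of problems with a network_config input.

    subnet is the parsed JSON of `gcloud compute networks subnets describe`
    (only secondaryIpRanges is used); enabled_services lists the APIs
    enabled on the host project (assumed input shapes).
    """
    problems = []
    if "container.googleapis.com" not in enabled_services:
        problems.append("GKE API (container.googleapis.com) not enabled on host project")
    ranges = {r["rangeName"]: r["ipCidrRange"] for r in subnet.get("secondaryIpRanges", [])}
    for role, want in EXPECTED_PREFIX.items():
        name = network_config["composer_secondary_ranges"].get(role)
        cidr = ranges.get(name)
        if cidr is None:
            problems.append(f"{role}: secondary range '{name}' not found on subnet")
            continue
        if ipaddress.ip_network(cidr).prefixlen != want:
            problems.append(f"{role}: {cidr} should be a /{want}")
    return problems


def check_encryption_keys(service_encryption_keys, regions):
    """Every region in use needs a key, and the key must live in that region."""
    problems = []
    for region in regions:
        key = (service_encryption_keys or {}).get(region)
        if key is None:
            problems.append(f"{region}: no CMEK key provided")
            continue
        match = KEY_RE.match(key)
        if match is None:
            problems.append(f"{region}: malformed key name {key}")
        elif match.group(1) != region:
            problems.append(f"{region}: key is in location {match.group(1)}")
    return problems
```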

Variables

  • prefix (string, required): Prefix used for resource names.
  • project_id (string, required): Project id; references an existing project if project_create is null.
  • composer_config (object({…}), default {…}): Composer environment configuration. It accepts only the following attributes: environment_size, software_config and workloads_config. See the attribute reference for details on the settings.
  • iam_bindings_additive (map(list(string)), default {}): Map of role => principals in IAM format (group:foo@example.org) to be added on the project.
  • network_config (object({…}), default null): Shared VPC network configuration to use. If null, networks will be created in the project with preconfigured values.
  • project_create (object({…}), default null): Provide values if project creation is needed; uses the existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format.
  • region (string, default "europe-west1"): Region where instances will be deployed.
  • service_encryption_keys (map(string), default null): Cloud KMS keys to use to encrypt resources. Provide a key for each region in use.

Outputs

  • composer_airflow_uri: The URI of the Apache Airflow Web UI hosted within the Cloud Composer environment.
  • composer_dag_gcs: The Cloud Storage prefix of the DAGs for the Cloud Composer environment.

Test

module "test" {
  source     = "./fabric/blueprints/data-solutions/composer-2/"
  project_id = "project"
  project_create = {
    billing_account_id = "123456-123456-123456"
    parent             = "folders/12345678"
  }
  prefix = "prefix"
}
# tftest modules=5 resources=28