cloud-foundation-fabric/blueprints/gcve/monitoring
Konrad Schieban 330fe0096b
Add GCVE Logging and Monitoring Blueprint (#2347)
---------

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
2024-06-11 14:36:23 +00:00
Directory contents:
  dashboards/
  scripts/
  README.md
  gcve-mon-diagram.png
  main.tf
  outputs.tf
  variables.tf

README.md

Google Cloud VMware Engine Logging and Monitoring Blueprint

This Blueprint simplifies the setup of monitoring and syslog logging for Google Cloud VMware Engine (GCVE) private clouds.

Overview

Infrastructure monitoring and logging for GCVE are typically set up using a standalone Bindplane agent. This blueprint automates the deployment of that agent on a Managed Instance Group, so a failed instance is replaced automatically. The agent pulls metrics from VMware vCenter using the credentials stored in Secret Manager, receives the syslog stream that vCenter forwards to it, and writes both to Cloud Monitoring and Cloud Logging.

[Diagram: gcve-mon-diagram.png, "GCVE Logging and Monitoring Blueprint"]

Deployed Resources

This blueprint deploys and configures the following resources:

  • Service Account: The identity the Bindplane agent instance runs as. It is granted permissions to write logs and metrics and to read the vCenter credentials from Secret Manager.
  • Firewall Rule (optional): Allows ingress to TCP port 5142, the port on which the agent listens for syslog, so that health checks can verify the agent is running.
  • Monitoring Dashboards (optional): Provides default dashboards for GCVE metrics.
  • VM Template: Creates a Debian 11-based template for the Bindplane agent.
  • Managed Instance Group: Manages the deployment and provides autohealing to the Bindplane agent.
  • Secret Manager Secrets: Stores vCenter credentials (username, password, FQDN).

Completing the Setup

After deploying this blueprint, you need to complete the following steps:

Troubleshooting

If you encounter issues, check the following:

  • Firewall: Ensure that a firewall rule allows ingress to TCP port 5142 on the agent instance, both for the health check probes and for the syslog traffic that vCenter forwards. If you deployed with create_firewall_rule = false, you must provide this rule yourself.
  • vCenter Configuration: Verify that GCVE is correctly configured to forward syslog messages to the agent's address on TCP port 5142.
  • Agent Logs: Examine the Bindplane agent logs on the MIG instance for errors. Do this promptly: if the health check keeps failing, autohealing replaces the instance and the logs go with it.
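The quickest way to separate a firewall problem from an agent problem is to push one well-formed syslog message at TCP port 5142 yourself: a refused connection or a timeout points at the firewall rule or a stopped instance, while a delivered message that never appears in Cloud Logging points at the agent configuration. The following script is an added example for this README, not code from the blueprint. It builds an RFC 5424 message, frames it with RFC 6587 octet counting (the framing ESXi and vCenter use for TCP syslog; if the agent is configured for newline framing, replace frame_octet_counting accordingly), and sends it to the agent. For offline demonstration it also starts a tiny loopback listener that stands in for the agent; the agent address, port 5142 and the hostname/app-name values are assumptions.

```python
"""Send a test RFC 5424 syslog message to the Bindplane agent's TCP 5142 listener.

Added example for the GCVE monitoring blueprint README; not part of the blueprint.
Assumptions: the agent listens for syslog on TCP 5142 with octet-counting framing.
"""
import socket
import threading
from datetime import datetime, timezone

SYSLOG_PORT = 5142  # port targeted by the blueprint's firewall rule and health check


def build_rfc5424(facility, severity, hostname, app, msg, msgid="TEST", timestamp=None):
    """Format a minimal RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG."""
    pri = facility * 8 + severity
    ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    header = f"<{pri}>1 {ts} {hostname} {app} - {msgid} -"
    return f"{header} {msg}".encode()


def frame_octet_counting(message):
    """RFC 6587 octet-counting framing: decimal length, one space, then the message bytes."""
    return f"{len(message)} ".encode() + message


def parse_octet_counted(buf):
    """Split an octet-counted TCP stream into complete messages; returns (messages, remainder)."""
    msgs = []
    while True:
        sp = buf.find(b" ")
        if sp <= 0 or not buf[:sp].isdigit():
            break  # no complete length prefix yet (or malformed stream)
        n = int(buf[:sp])
        start = sp + 1
        if len(buf) < start + n:
            break  # message body not fully received yet
        msgs.append(buf[start:start + n])
        buf = buf[start + n:]
    return msgs, buf


def parse_pri(message):
    """Return (facility, severity) decoded from the <PRI> header."""
    end = message.index(b">")
    pri = int(message[1:end])
    return pri // 8, pri % 8


def send_probe(host, port, message, timeout=5.0):
    """Connect to the agent and send one framed message; returns the number of bytes sent.
    ConnectionRefusedError or socket.timeout here means firewall or agent, not vCenter."""
    framed = frame_octet_counting(message)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(framed)
    return len(framed)


def loopback_receiver():
    """Stand-in for the agent's listener, for local demonstration only.
    Returns (bound port, list that receives parsed messages, receiver thread)."""
    received = []
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port; the real agent uses SYSLOG_PORT
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            msgs, _ = parse_octet_counted(buf)
            received.extend(msgs)
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return srv.getsockname()[1], received, t


def demo():
    """Send a local0.info probe through the loopback listener; returns the messages it parsed."""
    port, received, t = loopback_receiver()
    msg = build_rfc5424(facility=16, severity=6, hostname="vcsa.gcve.local",
                        app="gcve-mon-probe", msg="probe from blueprint operator")
    send_probe("127.0.0.1", port, msg)
    t.join(timeout=5)
    return received


if __name__ == "__main__":
    for m in demo():
        print(parse_pri(m), m.decode())
```

Against a real deployment, call send_probe with the agent instance's internal address and SYSLOG_PORT from a host inside the VPC, then search Cloud Logging for the app-name you used.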

Security Considerations

  • Least Privilege: The Bindplane agent service account only needs to write logs and metrics and to read the vCenter secrets. Grant nothing beyond that, and grant secret access on the individual secrets rather than on the whole project.
  • Secret Management: Keep the vCenter username, password and FQDN in Secret Manager; never place them in the instance template metadata, the startup script or Terraform variables that end up in state or version control.
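The two points above are easy to verify mechanically. Below is an added example for this README, not code from the blueprint, that audits the service account's bindings against a minimal role set. The role set (roles/logging.logWriter and roles/monitoring.metricWriter at project level, roles/secretmanager.secretAccessor on each of the three vCenter secrets) is an assumption about what the agent needs; the service account e-mail and the policy documents are constructed samples shaped like the JSON that `gcloud projects get-iam-policy --format=json` and `gcloud secrets get-iam-policy SECRET --format=json` return.

```python
"""Audit the GCVE monitoring service account for least privilege.

Added example for the GCVE monitoring blueprint README; not part of the blueprint.
The allowed role set is an assumption about the agent's needs, and the policies
below are constructed samples, not output from a real project.
"""
import json

# Roles the agent legitimately needs at project level (assumed minimal set).
ALLOWED_PROJECT_ROLES = {"roles/logging.logWriter", "roles/monitoring.metricWriter"}
# Secret access belongs on each vCenter secret, not on the project: a project-wide
# binding lets the agent read every secret the project will ever hold.
SECRET_ROLE = "roles/secretmanager.secretAccessor"


def roles_for_member(policy, member):
    """Roles bound to `member` in one IAM policy document (project or secret level)."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit(project_policy, secret_policies, sa_email, expected_secrets):
    """Compare the service account's bindings with the minimal set.

    project_policy:   IAM policy dict of the monitoring project
    secret_policies:  {secret_id: IAM policy dict} for the vCenter secrets
    expected_secrets: secret ids the agent must be able to read
    """
    member = f"serviceAccount:{sa_email}"
    project_roles = roles_for_member(project_policy, member)
    missing = [s for s in expected_secrets
               if SECRET_ROLE not in roles_for_member(secret_policies.get(s, {}), member)]
    findings = {
        "excess_project_roles": sorted(project_roles - ALLOWED_PROJECT_ROLES - {SECRET_ROLE}),
        "project_wide_secret_access": SECRET_ROLE in project_roles,
        "missing_secret_access": sorted(missing),
    }
    findings["ok"] = (not findings["excess_project_roles"]
                      and not findings["project_wide_secret_access"]
                      and not findings["missing_secret_access"])
    return findings


def binding(role, *members):
    """Build one binding entry in the shape gcloud prints."""
    return {"role": role, "members": list(members)}


# Hypothetical service account and the secret names from the README's usage example.
SA_EMAIL = "gcve-mon-sa@gcve-mon-project.iam.gserviceaccount.com"
SA_MEMBER = f"serviceAccount:{SA_EMAIL}"
VCENTER_SECRETS = ["gcve-mon-vsphere-server", "gcve-mon-vsphere-user", "gcve-mon-vsphere-password"]

# Constructed sample: someone also attached Editor and project-wide secret access,
# and the per-secret binding on the password secret is missing.
SAMPLE_PROJECT_POLICY = {
    "bindings": [
        binding("roles/logging.logWriter", SA_MEMBER),
        binding("roles/monitoring.metricWriter", SA_MEMBER),
        binding("roles/secretmanager.secretAccessor", SA_MEMBER),
        binding("roles/editor", "user:admin@example.com", SA_MEMBER),
    ]
}
SAMPLE_SECRET_POLICIES = {
    "gcve-mon-vsphere-server": {"bindings": [binding(SECRET_ROLE, SA_MEMBER)]},
    "gcve-mon-vsphere-user": {"bindings": [binding(SECRET_ROLE, SA_MEMBER)]},
    "gcve-mon-vsphere-password": {"bindings": []},
}


def sample_findings():
    """Run the audit against the constructed sample; returns the findings dict."""
    return audit(SAMPLE_PROJECT_POLICY, SAMPLE_SECRET_POLICIES, SA_EMAIL, VCENTER_SECRETS)


if __name__ == "__main__":
    print(json.dumps(sample_findings(), indent=2))
```

To run it against a real project, feed audit() the parsed output of the two gcloud commands named above; a clean deployment yields ok = True with all three lists empty and project_wide_secret_access = False.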

Basic Monitoring setup with default settings


module "gcve-monitoring" {
  source     = "./fabric/blueprints/gcve/monitoring"
  project_id = "gcve-mon-project"
  project_create = {
    billing_account = "0123AB-ABCDEF-123456"
    parent          = "folders/1234567890"
    shared_vpc_host = "abcde-prod-net-spoke-0"
  }

  vm_mon_config = {
    vm_mon_name = "bp-agent"
    vm_mon_type = "e2-small"
    vm_mon_zone = "europe-west1-b"
  }

  vpc_config = {
    host_project_id      = "abcde-prod-net-spoke-0"
    vpc_self_link        = "https://www.googleapis.com/compute/v1/projects/abcde-prod-net-spoke-0/global/networks/prod-spoke-0"
    subnetwork_self_link = "projects/abcde-prod-net-spoke-0/regions/europe-west1/subnetworks/prod-default-ew1"
  }

  vsphere_secrets = {
    vsphere_server   = "gcve-mon-vsphere-server"
    vsphere_user     = "gcve-mon-vsphere-user"
    vsphere_password = "gcve-mon-vsphere-password"
  }

  sa_gcve_monitoring   = "gcve-mon-sa"
  gcve_region          = "europe-west1"
  initial_delay_sec    = 180
  create_dashboards    = true
  create_firewall_rule = true
}
# tftest modules=7 resources=22

Variables

| name | description | type | required | default |
|---|---|---|---|---|
| gcve_region | Region where the Private Cloud is deployed. | string | ✓ | |
| project_id | Project id of existing or created project. | string | ✓ | |
| vm_mon_config | GCE monitoring instance configuration. | object({…}) | ✓ | |
| vpc_config | Shared VPC project and VPC details. | object({…}) | ✓ | |
| create_dashboards | Specify whether sample GCVE monitoring dashboards should be installed. | bool | | true |
| create_firewall_rule | Specify whether a firewall rule allowing the load balancer health check should be created. | bool | | true |
| initial_delay_sec | Seconds to wait after instance creation before health checking starts. | number | | 180 |
| monitoring_image | Resource URI for the OS image used to deploy the monitoring agent. | string | | "projects/debian-cloud/global/images/family/debian-11" |
| project_create | Project configuration for a newly created project. Leave null to use an existing project. Project creation forces VPC and cluster creation. | object({…}) | | null |
| sa_gcve_monitoring | Service account for the GCVE monitoring agent. | string | | "gcve-mon-sa" |
| vsphere_secrets | Secret Manager secrets that contain the vSphere credentials and FQDN. | object({…}) | | {} |

Outputs

| name | description | sensitive |
|---|---|---|
| gcve-mon-firewall | Ingress rule to allow GCVE Syslog traffic. | |
| gcve-mon-mig | Managed Instance Group for GCVE Monitoring. | |
| gcve-mon-sa | Service Account for GCVE Monitoring. | |