├── .gitattributes ├── .gitignore ├── .gitmodules ├── LICENSE ├── README.md ├── credentials-template.yml ├── pipeline.yml ├── tasks ├── interpolate.yml ├── make-git-commit.yml └── update-ssl-certificate.yml ├── templates ├── config │ ├── auth.yml │ ├── cf.yml │ ├── director.yml │ ├── healthwatch.yml │ ├── metrics.yml │ ├── mysql.yml │ └── opsman.yml ├── download-product-configs │ ├── healthwatch.yml │ ├── metrics.yml │ ├── mysql.yml │ ├── opsman.yml │ ├── pas.yml │ ├── stemcell-170.yml │ └── stemcell-250.yml └── env │ └── env.yml └── terraform_override_files ├── acme_override.tf ├── dns_override.tf └── output_override.tf /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | credentials.yml -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "terraforming-gcp"] 2 | path = terraforming-gcp 3 | url = https://github.com/vchrisb/terraforming-gcp.git 4 | branch = refactor_isoseg_lb 5 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 vchrisb 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the 
following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # pcf-automation-gcp-paving 2 | 3 | This repo contains a concourse pipeline and tasks to automatically deploy Pivotal Application Services on GCP, including paving the environment using Terraform. 4 | It is mostly meant to be used for testing, as credentials handling could be improved. 5 | It is using [terraforming-gcp](https://github.com/pivotal-cf/terraforming-gcp) and [Platform Automation](http://docs-platform-automation.cfapps.io/platform-automation/v2.0/index.html) to do so. 
6 | 7 | # Features 8 | 9 | * the pipeline can be deployed multiple times with different values for `env_name` 10 | * for each pipeline there will be a dedicated subdomain created in gcp: `env_name.dns_suffix` 11 | * Let's Encrypt certificates are generated for PAS and Ops Manager 12 | * Tiles deployed 13 | * Healthwatch 14 | * PCF Metrics 15 | * MySQL 16 | 17 | # Requirements 18 | 19 | * GCP account 20 | * Pivotal Network account 21 | * Private Git Repository 22 | * three private GCS Buckets 23 | * concourse 24 | * a (sub-)domain hosted on GCP 25 | 26 | # Credentials 27 | 28 | To keep it simple and easily deployable on any concourse installation, the pipeline currently gets most of its credentials and customization from a `credentials.yml` file. 29 | Copy the `credentials-template.yml` file to `credentials.yml` and modify the appropriate items. 30 | 31 | # Deploy Pipeline 32 | 33 | ``` 34 | fly login -t env -c https://concourse.domain.com -n team 35 | fly -t env set-pipeline -p pcf-platform-automation -c pipeline.yml -l credentials.yml --verbose 36 | fly -t env unpause-pipeline -p pcf-platform-automation 37 | ``` 38 | -------------------------------------------------------------------------------- /credentials-template.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform-automation-version: 2\.(.*) 3 | github: 4 | repos: 5 | configuration: 6 | uri: 7 | private_key: | 8 | -----BEGIN OPENSSH PRIVATE KEY----- 9 | -----END OPENSSH PRIVATE KEY----- 10 | state: 11 | uri: 12 | private_key: | 13 | -----BEGIN OPENSSH PRIVATE KEY----- 14 | -----END OPENSSH PRIVATE KEY----- 15 | pcf-automation-source: 16 | uri: git@github.com:vchrisb/pcf-automation-gcp-paving 17 | private_key: | 18 | -----BEGIN OPENSSH PRIVATE KEY----- 19 | -----END OPENSSH PRIVATE KEY----- 20 | gcp: 21 | gcp_service_account: | 22 | { 23 | "type": "service_account", 24 | "project_id": "", 25 | "private_key_id": "", 26 | "private_key": "-----BEGIN PRIVATE 
KEY----------END PRIVATE KEY-----\n", 27 | "client_email": "", 28 | "client_id": "", 29 | "auth_uri": "https://accounts.google.com/o/oauth2/auth", 30 | "token_uri": "https://accounts.google.com/o/oauth2/token", 31 | "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", 32 | "client_x509_cert_url": "" 33 | } 34 | project: 35 | region: us-east1 36 | zones: ["us-east1-b", "us-east1-c", "us-east1-d"] 37 | buckets_location: US 38 | buckets: 39 | terraform: terraform 40 | pivnet_products: pivnet-products 41 | installation: installation 42 | parent_zone: 43 | name: automation 44 | dns_suffix: gcp.domain.net 45 | pas: 46 | env_name: sandbox 47 | create_tcp_router: false 48 | create_mesh_lb: true 49 | cloud_controller_encrypt_key: password 50 | mysql_email: admin@domain.net 51 | credhub_key_encryption_password: password 52 | opsman: 53 | username: admin 54 | password: 55 | decryption-passphrase: 56 | pivnet-api-token: 57 | -------------------------------------------------------------------------------- /pipeline.yml: -------------------------------------------------------------------------------- 1 | --- 2 | resource_types: 3 | - name: terraform 4 | type: docker-image 5 | source: 6 | repository: ljfranklin/terraform-resource 7 | tag: beta-backend 8 | - name: pivnet 9 | type: docker-image 10 | source: 11 | repository: pivotalcf/pivnet-resource 12 | tags: latest-final 13 | - name: gcs-resource 14 | type: docker-image 15 | source: 16 | repository: frodenas/gcs-resource 17 | 18 | resources: 19 | 20 | - name: platform-automation-pivnet 21 | type: pivnet 22 | icon: cloud-download-outline 23 | source: 24 | api_token: ((pivnet-api-token)) 25 | product_slug: platform-automation 26 | product_version: ((platform-automation-version)) 27 | sort_by: semver 28 | 29 | - name: env-state-gcp 30 | type: terraform 31 | icon: folder-google-drive 32 | source: 33 | backend_type: gcs 34 | backend_config: 35 | bucket: ((gcp.buckets.terraform)) 36 | prefix: ((pas.env_name)) 37 
| credentials: ((gcp.gcp_service_account)) 38 | vars: 39 | project: ((gcp.project)) 40 | region: ((gcp.region)) 41 | zones: ((gcp.zones)) 42 | service_account_key: ((gcp.gcp_service_account)) 43 | buckets_location: ((gcp.buckets_location)) 44 | dns_suffix: ((gcp.parent_zone.dns_suffix)) 45 | opsman_image_url: "" 46 | parent_managed_zone: ((gcp.parent_zone.name)) 47 | email: ((pas.mysql_email)) 48 | create_mesh_lb: ((pas.create_mesh_lb)) 49 | create_tcp_router: ((pas.create_tcp_router)) 50 | 51 | # buckets 52 | 53 | - name: platform-automation-tasks 54 | type: gcs-resource 55 | icon: folder-google-drive 56 | source: 57 | bucket: ((gcp.buckets.pivnet_products)) 58 | json_key: ((gcp.gcp_service_account)) 59 | regexp: platform-automation-tasks-((platform-automation-version)).zip 60 | 61 | - name: platform-automation-image 62 | type: gcs-resource 63 | icon: folder-google-drive 64 | source: 65 | bucket: ((gcp.buckets.pivnet_products)) 66 | json_key: ((gcp.gcp_service_account)) 67 | regexp: platform-automation-image-((platform-automation-version)).tgz 68 | 69 | - name: opsman-image 70 | type: gcs-resource 71 | icon: folder-google-drive 72 | source: 73 | bucket: ((gcp.buckets.pivnet_products)) 74 | json_key: ((gcp.gcp_service_account)) 75 | regexp: ops-manager-gcp-(.*).yml 76 | 77 | - name: pas-product 78 | type: gcs-resource 79 | icon: folder-google-drive 80 | source: 81 | bucket: ((gcp.buckets.pivnet_products)) 82 | json_key: ((gcp.gcp_service_account)) 83 | regexp: cf-(.*).pivotal 84 | 85 | - name: stemcell-170 86 | type: gcs-resource 87 | icon: folder-google-drive 88 | source: 89 | bucket: ((gcp.buckets.pivnet_products)) 90 | json_key: ((gcp.gcp_service_account)) 91 | regexp: stemcell/light-bosh-stemcell-170.(.*)-google-kvm-ubuntu-xenial-go_agent.tgz #light-bosh-stemcell-170.51-google-kvm-ubuntu-xenial-go_agent.tgz 92 | 93 | - name: stemcell-250 94 | type: gcs-resource 95 | icon: folder-google-drive 96 | source: 97 | bucket: ((gcp.buckets.pivnet_products)) 98 | 
json_key: ((gcp.gcp_service_account)) 99 | regexp: stemcell/light-bosh-stemcell-250.(.*)-google-kvm-ubuntu-xenial-go_agent.tgz #e.g. light-bosh-stemcell-250.<minor>-google-kvm-ubuntu-xenial-go_agent.tgz 100 | 101 | - name: healthwatch-product 102 | type: gcs-resource 103 | icon: folder-google-drive 104 | source: 105 | bucket: ((gcp.buckets.pivnet_products)) 106 | json_key: ((gcp.gcp_service_account)) 107 | regexp: p-healthwatch-(.*).pivotal 108 | 109 | - name: metrics-product 110 | type: gcs-resource 111 | icon: folder-google-drive 112 | source: 113 | bucket: ((gcp.buckets.pivnet_products)) 114 | json_key: ((gcp.gcp_service_account)) 115 | regexp: apm-(.*).pivotal 116 | 117 | - name: mysql-product 118 | type: gcs-resource 119 | icon: folder-google-drive 120 | source: 121 | bucket: ((gcp.buckets.pivnet_products)) 122 | json_key: ((gcp.gcp_service_account)) 123 | regexp: pivotal-mysql-(.*).pivotal 124 | 125 | - name: installation 126 | type: gcs-resource 127 | icon: folder-google-drive 128 | source: 129 | bucket: ((gcp.buckets.installation)) 130 | json_key: ((gcp.gcp_service_account)) 131 | regexp: installation-((pas.env_name))-(.*).zip 132 | 133 | # configurations 134 | - name: pcf-automation-source 135 | type: git 136 | icon: github-circle 137 | source: 138 | private_key: ((github.repos.pcf-automation-source.private_key)) 139 | uri: ((github.repos.pcf-automation-source.uri)) 140 | branch: master 141 | 142 | - name: configuration 143 | type: git 144 | icon: github-circle 145 | source: 146 | private_key: ((github.repos.configuration.private_key)) 147 | uri: ((github.repos.configuration.uri)) 148 | branch: master 149 | paths: 150 | - ((pas.env_name))/* 151 | 152 | - name: state 153 | type: git 154 | icon: github-circle 155 | source: 156 | private_key: ((github.repos.state.private_key)) 157 | uri: ((github.repos.state.uri)) 158 | branch: master 159 | paths: 160 | - ((pas.env_name))/* 161 | 162 | - name: configuration-repo 163 | type: git 164 | icon: github-circle 165 | source: 
166 | private_key: ((github.repos.configuration.private_key)) 167 | uri: ((github.repos.configuration.uri)) 168 | branch: master 169 | 170 | - name: state-repo 171 | type: git 172 | icon: github-circle 173 | source: 174 | private_key: ((github.repos.state.private_key)) 175 | uri: ((github.repos.state.uri)) 176 | branch: master 177 | 178 | # triggers used to have jobs do something in a timely manner 179 | 180 | - name: one-time-trigger 181 | type: time 182 | icon: alarm-check 183 | source: 184 | interval: 999999h 185 | 186 | jobs: 187 | 188 | - name: bootstrap-configuration 189 | serial: true 190 | public: false 191 | plan: 192 | - aggregate: 193 | - get: one-time-trigger 194 | trigger: true 195 | - get: pcf-automation-source 196 | - get: configuration-repo 197 | - get: state-repo 198 | - task: add-new-templates 199 | input_mapping: 200 | config: configuration-repo 201 | state: state-repo 202 | pcf-automation: pcf-automation-source 203 | params: 204 | ENV_NAME: ((pas.env_name)) 205 | GIT_AUTHOR_EMAIL: "pcf-pipeline-bot@banck.net" 206 | GIT_AUTHOR_NAME: "PCF Automation Bot" 207 | COMMIT_MESSAGE: 'Update template files' 208 | config: 209 | platform: linux 210 | image_resource: 211 | type: docker-image 212 | source: 213 | repository: alpine/git 214 | inputs: 215 | - name: config 216 | - name: state 217 | - name: pcf-automation 218 | outputs: 219 | - name: config-commit 220 | - name: state-commit 221 | run: 222 | path: /bin/sh 223 | args: 224 | - -c 225 | - | 226 | set -eux 227 | git config --global user.email "$GIT_AUTHOR_EMAIL" 228 | git config --global user.name "$GIT_AUTHOR_NAME" 229 | git clone config config-commit 230 | mkdir -p config-commit/$ENV_NAME 231 | cp -a pcf-automation/templates/* config-commit/$ENV_NAME 232 | cp -a pcf-automation/terraforming-gcp config-commit/$ENV_NAME 233 | cp -a pcf-automation/terraform_override_files config-commit/$ENV_NAME 234 | cd config-commit 235 | git add -A 236 | git diff-index --quiet HEAD || git commit -m "$COMMIT_MESSAGE" 
237 | cd .. 238 | git clone state state-commit 239 | mkdir -p state-commit/$ENV_NAME/state 240 | touch state-commit/$ENV_NAME/state/state.yml 241 | cd state-commit 242 | git add -A 243 | git diff-index --quiet HEAD || git commit -m "Created empty state file" 244 | - put: configuration 245 | params: 246 | repository: config-commit 247 | merge: true 248 | - put: state 249 | params: 250 | repository: state-commit 251 | merge: true 252 | 253 | - name: terraforming-gcp 254 | serial: true 255 | public: false 256 | plan: 257 | - get: configuration 258 | trigger: true 259 | - get: pcf-automation-source 260 | passed: [bootstrap-configuration] 261 | - put: env-state-gcp 262 | params: 263 | env_name: ((pas.env_name)) 264 | terraform_source: configuration/((pas.env_name))/terraforming-gcp/terraforming-pas 265 | override_files: 266 | - configuration/((pas.env_name))/terraform_override_files/dns_override.tf 267 | - configuration/((pas.env_name))/terraform_override_files/acme_override.tf 268 | - configuration/((pas.env_name))/terraform_override_files/output_override.tf 269 | delete_on_failure: false 270 | 271 | 272 | - name: fetch-platform-automation 273 | # We use the pivnet resource to bootstrap the pipeline, 274 | # and because this product is part of the pipeline, not the foundation 275 | plan: 276 | - get: platform-automation-pivnet 277 | trigger: true 278 | - aggregate: 279 | - put: platform-automation-tasks 280 | params: 281 | file: platform-automation-pivnet/*tasks*.zip 282 | - put: platform-automation-image 283 | params: 284 | file: platform-automation-pivnet/*image*.tgz 285 | 286 | ### FETCH JOBS 287 | - name: fetch-opsman 288 | serial: true 289 | public: false 290 | plan: 291 | - aggregate: 292 | - get: platform-automation-image 293 | params: 294 | unpack: true 295 | - get: platform-automation-tasks 296 | params: 297 | unpack: true 298 | - get: configuration 299 | trigger: true 300 | passed: [terraforming-gcp] 301 | - get: pcf-automation-source 302 | - get: 
env-state-gcp 303 | passed: [terraforming-gcp] 304 | - &interpolate 305 | task: interpolate-config 306 | file: pcf-automation-source/tasks/interpolate.yml 307 | input_mapping: 308 | config: configuration 309 | terraform-output: env-state-gcp 310 | output_mapping: 311 | interpolated-config: configuration-interpolated 312 | params: 313 | ENV_NAME: ((pas.env_name)) 314 | PIVNET_API_TOKEN: ((pivnet-api-token)) 315 | GCP_AUTH_JSON: ((gcp.gcp_service_account)) 316 | OM_USERNAME: ((opsman.username)) 317 | OM_PASSWORD: ((opsman.password)) 318 | OM_DECRYPTION_PASSPHRASE: ((opsman.decryption-passphrase)) 319 | CLOUD_CONTROLLER_ENCRYPT_KEY: ((pas.cloud_controller_encrypt_key)) 320 | MYSQL_EMAIL: ((pas.mysql_email)) 321 | CREDHUB_KEY_ENCRYPTION_PASSWORD: ((pas.credhub_key_encryption_password)) 322 | - task: download-opsman-image 323 | image: platform-automation-image 324 | file: platform-automation-tasks/tasks/download-product.yml 325 | params: 326 | CONFIG_FILE: ((pas.env_name))/download-product-configs/opsman.yml 327 | VARS_FILES: config/((pas.env_name))/download-product-configs/vars.yml 328 | input_mapping: 329 | config: configuration-interpolated 330 | - put: opsman-image 331 | params: 332 | file: downloaded-product/* 333 | 334 | - name: fetch-pas 335 | serial: true 336 | public: false 337 | plan: 338 | - aggregate: 339 | - get: platform-automation-image 340 | params: 341 | unpack: true 342 | - get: platform-automation-tasks 343 | params: 344 | unpack: true 345 | - get: configuration 346 | trigger: true 347 | passed: [terraforming-gcp] 348 | - get: pcf-automation-source 349 | - get: env-state-gcp 350 | passed: [terraforming-gcp] 351 | - <<: *interpolate 352 | - task: download-stemcell 353 | image: platform-automation-image 354 | file: platform-automation-tasks/tasks/download-product.yml 355 | params: 356 | CONFIG_FILE: ((pas.env_name))/download-product-configs/pas.yml 357 | VARS_FILES: config/((pas.env_name))/download-product-configs/vars.yml 358 | input_mapping: 359 | 
config: configuration-interpolated 360 | - aggregate: 361 | - put: pas-product 362 | params: 363 | file: downloaded-product/*.pivotal 364 | 365 | - name: fetch-stemcell-170 366 | serial: true 367 | public: false 368 | plan: 369 | - aggregate: 370 | - get: platform-automation-image 371 | params: 372 | unpack: true 373 | - get: platform-automation-tasks 374 | params: 375 | unpack: true 376 | - get: configuration 377 | trigger: true 378 | passed: [terraforming-gcp] 379 | - get: pcf-automation-source 380 | - get: env-state-gcp 381 | passed: [terraforming-gcp] 382 | - <<: *interpolate 383 | - task: download-stemcell 384 | image: platform-automation-image 385 | file: platform-automation-tasks/tasks/download-product.yml 386 | params: 387 | CONFIG_FILE: ((pas.env_name))/download-product-configs/stemcell-170.yml 388 | VARS_FILES: config/((pas.env_name))/download-product-configs/vars.yml 389 | input_mapping: 390 | config: configuration-interpolated 391 | - aggregate: 392 | - put: stemcell-170 393 | params: 394 | file: downloaded-product/*.tgz 395 | 396 | - name: fetch-stemcell-250 397 | serial: true 398 | public: false 399 | plan: 400 | - aggregate: 401 | - get: platform-automation-image 402 | params: 403 | unpack: true 404 | - get: platform-automation-tasks 405 | params: 406 | unpack: true 407 | - get: configuration 408 | trigger: true 409 | passed: [terraforming-gcp] 410 | - get: pcf-automation-source 411 | - get: env-state-gcp 412 | passed: [terraforming-gcp] 413 | - <<: *interpolate 414 | - task: download-stemcell 415 | image: platform-automation-image 416 | file: platform-automation-tasks/tasks/download-product.yml 417 | params: 418 | CONFIG_FILE: ((pas.env_name))/download-product-configs/stemcell-250.yml 419 | VARS_FILES: config/((pas.env_name))/download-product-configs/vars.yml 420 | input_mapping: 421 | config: configuration-interpolated 422 | - aggregate: 423 | - put: stemcell-250 424 | params: 425 | file: downloaded-product/*.tgz 426 | 427 | - name: 
fetch-healthwatch 428 | serial: true 429 | public: false 430 | plan: 431 | - aggregate: 432 | - get: platform-automation-image 433 | params: 434 | unpack: true 435 | - get: platform-automation-tasks 436 | params: 437 | unpack: true 438 | - get: configuration 439 | trigger: true 440 | passed: [terraforming-gcp] 441 | - get: pcf-automation-source 442 | - get: env-state-gcp 443 | passed: [terraforming-gcp] 444 | - <<: *interpolate 445 | - task: download-healthwatch-product-and-stemcell 446 | image: platform-automation-image 447 | file: platform-automation-tasks/tasks/download-product.yml 448 | params: 449 | CONFIG_FILE: ((pas.env_name))/download-product-configs/healthwatch.yml 450 | VARS_FILES: config/((pas.env_name))/download-product-configs/vars.yml 451 | input_mapping: 452 | config: configuration-interpolated 453 | - aggregate: 454 | - put: healthwatch-product 455 | params: 456 | file: downloaded-product/*.pivotal 457 | 458 | - name: fetch-metrics 459 | serial: true 460 | public: false 461 | plan: 462 | - aggregate: 463 | - get: platform-automation-image 464 | params: 465 | unpack: true 466 | - get: platform-automation-tasks 467 | params: 468 | unpack: true 469 | - get: configuration 470 | trigger: true 471 | passed: [terraforming-gcp] 472 | - get: pcf-automation-source 473 | - get: env-state-gcp 474 | passed: [terraforming-gcp] 475 | - <<: *interpolate 476 | - task: download-metrics-product-and-stemcell 477 | image: platform-automation-image 478 | file: platform-automation-tasks/tasks/download-product.yml 479 | params: 480 | CONFIG_FILE: ((pas.env_name))/download-product-configs/metrics.yml 481 | VARS_FILES: config/((pas.env_name))/download-product-configs/vars.yml 482 | input_mapping: 483 | config: configuration-interpolated 484 | - aggregate: 485 | - put: metrics-product 486 | params: 487 | file: downloaded-product/*.pivotal 488 | 489 | - name: fetch-mysql 490 | serial: true 491 | public: false 492 | plan: 493 | - aggregate: 494 | - get: 
platform-automation-image 495 | params: 496 | unpack: true 497 | - get: platform-automation-tasks 498 | params: 499 | unpack: true 500 | - get: configuration 501 | trigger: true 502 | passed: [terraforming-gcp] 503 | - get: pcf-automation-source 504 | - get: env-state-gcp 505 | passed: [terraforming-gcp] 506 | - <<: *interpolate 507 | - task: download-mysql-product-and-stemcell 508 | image: platform-automation-image 509 | file: platform-automation-tasks/tasks/download-product.yml 510 | params: 511 | CONFIG_FILE: ((pas.env_name))/download-product-configs/mysql.yml 512 | VARS_FILES: config/((pas.env_name))/download-product-configs/vars.yml 513 | input_mapping: 514 | config: configuration-interpolated 515 | - aggregate: 516 | - put: mysql-product 517 | params: 518 | file: downloaded-product/*.pivotal 519 | 520 | # INSTALL JOBS 521 | 522 | - name: install-opsman 523 | serial: true 524 | serial_groups: 525 | - upgrade 526 | public: false 527 | plan: 528 | - aggregate: 529 | - get: platform-automation-image 530 | params: 531 | unpack: true 532 | - get: one-time-trigger 533 | trigger: true 534 | - get: platform-automation-tasks 535 | params: 536 | unpack: true 537 | - get: opsman-image 538 | passed: [fetch-opsman] 539 | - get: configuration 540 | - get: state 541 | - get: pcf-automation-source 542 | - get: env-state-gcp 543 | - <<: *interpolate 544 | - task: create-vm 545 | image: platform-automation-image 546 | file: platform-automation-tasks/tasks/create-vm.yml 547 | input_mapping: 548 | image: opsman-image 549 | state: state 550 | config: configuration-interpolated 551 | params: 552 | VARS_FILES: config/((pas.env_name))/config/opsman-vars.yml 553 | STATE_FILE: ((pas.env_name))/state/state.yml 554 | OPSMAN_CONFIG_FILE: ((pas.env_name))/config/opsman.yml 555 | ensure: &make-state-commit 556 | do: 557 | - task: make-commit 558 | image: platform-automation-image 559 | file: platform-automation-tasks/tasks/make-git-commit.yml 560 | input_mapping: 561 | repository: state 562 
| file-source: generated-state 563 | output_mapping: 564 | repository-commit: state-commit 565 | params: 566 | FILE_SOURCE_PATH: state.yml 567 | FILE_DESTINATION_PATH: ((pas.env_name))/state/state.yml 568 | GIT_AUTHOR_EMAIL: "pcf-pipeline-bot@example.com" 569 | GIT_AUTHOR_NAME: "PCF Automation Bot" 570 | COMMIT_MESSAGE: 'Update state file' 571 | - put: state 572 | params: 573 | repository: state-commit 574 | merge: true 575 | - &skip_ssl 576 | task: skip_ssl_validation 577 | image: platform-automation-image 578 | input_mapping: 579 | env: configuration-interpolated 580 | output_mapping: 581 | env-modified: configuration-interpolated 582 | params: 583 | ENV_FILE: ((pas.env_name))/env/env.yml 584 | config: 585 | platform: linux 586 | inputs: 587 | - name: env 588 | outputs: 589 | - name: env-modified 590 | run: 591 | path: /bin/sh 592 | args: 593 | - -c 594 | - | 595 | set -eux 596 | cp -a env/* env-modified 597 | printf '\n%s' "skip-ssl-validation: true" >> env-modified/$ENV_FILE 598 | - task: configure-authentication 599 | image: platform-automation-image 600 | file: platform-automation-tasks/tasks/configure-authentication.yml 601 | attempts: 10 602 | input_mapping: 603 | env: configuration-interpolated 604 | config: configuration-interpolated 605 | params: 606 | ENV_FILE: ((pas.env_name))/env/env.yml 607 | AUTH_CONFIG_FILE: ((pas.env_name))/config/auth.yml 608 | - task: configure-director 609 | image: platform-automation-image 610 | file: platform-automation-tasks/tasks/configure-director.yml 611 | input_mapping: 612 | config: configuration-interpolated 613 | env: configuration-interpolated 614 | params: 615 | ENV_FILE: ((pas.env_name))/env/env.yml 616 | DIRECTOR_CONFIG_FILE: ((pas.env_name))/config/director.yml 617 | VARS_FILES: config/((pas.env_name))/config/director-vars.yml 618 | - task: apply-director-changes 619 | image: platform-automation-image 620 | file: platform-automation-tasks/tasks/apply-director-changes.yml 621 | input_mapping: 622 | env: 
configuration-interpolated 623 | params: 624 | ENV_FILE: ((pas.env_name))/env/env.yml 625 | - task: update-ssl-certificate 626 | image: platform-automation-image 627 | file: pcf-automation-source/tasks/update-ssl-certificate.yml 628 | input_mapping: 629 | terraform-output: env-state-gcp 630 | env: configuration-interpolated 631 | params: 632 | ENV_FILE: ((pas.env_name))/env/env.yml 633 | # UPGRADE 634 | 635 | - name: export-installation 636 | serial: true 637 | serial_groups: 638 | - upgrade 639 | public: false 640 | plan: 641 | - aggregate: 642 | - get: platform-automation-image 643 | params: 644 | unpack: true 645 | - get: platform-automation-tasks 646 | params: 647 | unpack: true 648 | - get: configuration 649 | trigger: true 650 | passed: 651 | - fetch-opsman 652 | - get: pcf-automation-source 653 | - get: env-state-gcp 654 | - get: one-time-trigger 655 | passed: 656 | - install-opsman 657 | - <<: *interpolate 658 | - task: export-installation 659 | image: platform-automation-image 660 | file: platform-automation-tasks/tasks/export-installation.yml 661 | input_mapping: 662 | env: configuration-interpolated 663 | params: 664 | ENV_FILE: ((pas.env_name))/env/env.yml 665 | - put: installation 666 | params: 667 | file: installation/*.zip 668 | 669 | - name: upgrade-opsman 670 | serial: true 671 | serial_groups: 672 | - upgrade 673 | public: false 674 | plan: 675 | - aggregate: 676 | - get: platform-automation-image 677 | params: 678 | unpack: true 679 | - get: platform-automation-tasks 680 | params: 681 | unpack: true 682 | - get: opsman-image 683 | - get: configuration 684 | trigger: true 685 | passed: [ export-installation ] 686 | - get: installation 687 | - get: state 688 | - get: pcf-automation-source 689 | - get: env-state-gcp 690 | - <<: *interpolate 691 | - <<: *skip_ssl 692 | - task: upgrade-opsman 693 | image: platform-automation-image 694 | file: platform-automation-tasks/tasks/upgrade-opsman.yml 695 | input_mapping: 696 | image: opsman-image 697 | state: 
state 698 | config: configuration-interpolated 699 | env: configuration-interpolated 700 | vars: configuration-interpolated 701 | installation: installation 702 | params: 703 | ENV_FILE: ((pas.env_name))/env/env.yml 704 | VARS_FILES: config/((pas.env_name))/config/opsman-vars.yml 705 | STATE_FILE: ((pas.env_name))/state/state.yml 706 | OPSMAN_CONFIG_FILE: ((pas.env_name))/config/opsman.yml 707 | ensure: *make-state-commit 708 | - task: apply-director-changes 709 | image: platform-automation-image 710 | file: platform-automation-tasks/tasks/apply-director-changes.yml 711 | input_mapping: 712 | env: configuration-interpolated 713 | params: 714 | ENV_FILE: ((pas.env_name))/env/env.yml 715 | - task: update-ssl-certificate 716 | image: platform-automation-image 717 | file: pcf-automation-source/tasks/update-ssl-certificate.yml 718 | input_mapping: 719 | terraform-output: env-state-gcp 720 | env: configuration-interpolated 721 | params: 722 | ENV_FILE: ((pas.env_name))/env/env.yml 723 | 724 | - name: upload-stemcell-170 725 | serial: true 726 | serial_groups: 727 | - upgrade 728 | public: false 729 | plan: 730 | - aggregate: 731 | - get: platform-automation-image 732 | params: 733 | unpack: true 734 | - get: platform-automation-tasks 735 | params: 736 | unpack: true 737 | - get: stemcell-170 738 | - get: configuration 739 | trigger: true 740 | passed: 741 | - upgrade-opsman 742 | - fetch-stemcell-170 743 | - get: pcf-automation-source 744 | - get: env-state-gcp 745 | - <<: *interpolate 746 | - task: upload-stemcell 747 | image: platform-automation-image 748 | file: platform-automation-tasks/tasks/upload-stemcell.yml 749 | input_mapping: 750 | env: configuration-interpolated 751 | stemcell: stemcell-170 752 | params: 753 | ENV_FILE: ((pas.env_name))/env/env.yml 754 | 755 | - name: upload-stemcell-250 756 | serial: true 757 | serial_groups: 758 | - upgrade 759 | public: false 760 | plan: 761 | - aggregate: 762 | - get: platform-automation-image 763 | params: 764 | unpack: 
true 765 | - get: platform-automation-tasks 766 | params: 767 | unpack: true 768 | - get: stemcell-250 769 | - get: configuration 770 | trigger: true 771 | passed: 772 | - upload-stemcell-170 773 | - fetch-stemcell-250 774 | - get: pcf-automation-source 775 | - get: env-state-gcp 776 | - <<: *interpolate 777 | - task: upload-stemcell 778 | image: platform-automation-image 779 | file: platform-automation-tasks/tasks/upload-stemcell.yml 780 | input_mapping: 781 | env: configuration-interpolated 782 | stemcell: stemcell-250 783 | params: 784 | ENV_FILE: ((pas.env_name))/env/env.yml 785 | 786 | - name: upload-stage-configure-pas 787 | serial: true 788 | serial_groups: 789 | - upgrade 790 | public: false 791 | plan: 792 | - aggregate: 793 | - get: platform-automation-image 794 | params: 795 | unpack: true 796 | - get: platform-automation-tasks 797 | params: 798 | unpack: true 799 | - get: pas-product 800 | - get: configuration 801 | trigger: true 802 | passed: 803 | - upload-stemcell-250 804 | - fetch-pas 805 | - get: pcf-automation-source 806 | - get: env-state-gcp 807 | - <<: *interpolate 808 | - task: upload-product 809 | image: platform-automation-image 810 | file: platform-automation-tasks/tasks/upload-product.yml 811 | input_mapping: 812 | product: pas-product 813 | env: configuration-interpolated 814 | params: 815 | ENV_FILE: ((pas.env_name))/env/env.yml 816 | - task: stage-product 817 | image: platform-automation-image 818 | file: platform-automation-tasks/tasks/stage-product.yml 819 | input_mapping: 820 | product: pas-product 821 | env: configuration-interpolated 822 | params: 823 | ENV_FILE: ((pas.env_name))/env/env.yml 824 | - task: configure-product 825 | image: platform-automation-image 826 | file: platform-automation-tasks/tasks/configure-product.yml 827 | input_mapping: 828 | config: configuration-interpolated 829 | env: configuration-interpolated 830 | params: 831 | CONFIG_FILE: ((pas.env_name))/config/cf.yml 832 | VARS_FILES: 
config/((pas.env_name))/config/cf-vars.yml 833 | ENV_FILE: ((pas.env_name))/env/env.yml 834 | 835 | - name: upload-stage-configure-healthwatch 836 | serial: true 837 | serial_groups: 838 | - upgrade 839 | public: false 840 | plan: 841 | - aggregate: 842 | - get: platform-automation-image 843 | params: 844 | unpack: true 845 | - get: platform-automation-tasks 846 | params: 847 | unpack: true 848 | - get: healthwatch-product 849 | - get: configuration 850 | trigger: true 851 | passed: 852 | - upload-stage-configure-pas 853 | - fetch-healthwatch 854 | - get: pcf-automation-source 855 | - get: env-state-gcp 856 | - <<: *interpolate 857 | - task: upload-product 858 | image: platform-automation-image 859 | file: platform-automation-tasks/tasks/upload-product.yml 860 | input_mapping: 861 | product: healthwatch-product 862 | env: configuration-interpolated 863 | params: 864 | ENV_FILE: ((pas.env_name))/env/env.yml 865 | - task: stage-product 866 | image: platform-automation-image 867 | file: platform-automation-tasks/tasks/stage-product.yml 868 | input_mapping: 869 | product: healthwatch-product 870 | env: configuration-interpolated 871 | params: 872 | ENV_FILE: ((pas.env_name))/env/env.yml 873 | - task: configure-product 874 | image: platform-automation-image 875 | file: platform-automation-tasks/tasks/configure-product.yml 876 | input_mapping: 877 | config: configuration-interpolated 878 | env: configuration-interpolated 879 | params: 880 | CONFIG_FILE: ((pas.env_name))/config/healthwatch.yml 881 | ENV_FILE: ((pas.env_name))/env/env.yml 882 | 883 | - name: upload-stage-configure-metrics 884 | serial: true 885 | serial_groups: 886 | - upgrade 887 | public: false 888 | plan: 889 | - aggregate: 890 | - get: platform-automation-image 891 | params: 892 | unpack: true 893 | - get: platform-automation-tasks 894 | params: 895 | unpack: true 896 | - get: metrics-product 897 | - get: configuration 898 | trigger: true 899 | passed: 900 | - upload-stage-configure-healthwatch 901 | - 
fetch-metrics 902 | - get: pcf-automation-source 903 | - get: env-state-gcp 904 | - <<: *interpolate 905 | - task: upload-product 906 | image: platform-automation-image 907 | file: platform-automation-tasks/tasks/upload-product.yml 908 | input_mapping: 909 | product: metrics-product 910 | env: configuration-interpolated 911 | params: 912 | ENV_FILE: ((pas.env_name))/env/env.yml 913 | - task: stage-product 914 | image: platform-automation-image 915 | file: platform-automation-tasks/tasks/stage-product.yml 916 | input_mapping: 917 | product: metrics-product 918 | env: configuration-interpolated 919 | params: 920 | ENV_FILE: ((pas.env_name))/env/env.yml 921 | - task: configure-product 922 | image: platform-automation-image 923 | file: platform-automation-tasks/tasks/configure-product.yml 924 | input_mapping: 925 | config: configuration-interpolated 926 | env: configuration-interpolated 927 | params: 928 | CONFIG_FILE: ((pas.env_name))/config/metrics.yml 929 | ENV_FILE: ((pas.env_name))/env/env.yml 930 | 931 | - name: upload-stage-configure-mysql 932 | serial: true 933 | serial_groups: 934 | - upgrade 935 | public: false 936 | plan: 937 | - aggregate: 938 | - get: platform-automation-image 939 | params: 940 | unpack: true 941 | - get: platform-automation-tasks 942 | params: 943 | unpack: true 944 | - get: mysql-product 945 | - get: configuration 946 | trigger: true 947 | passed: 948 | - upload-stage-configure-metrics 949 | - fetch-mysql 950 | - get: pcf-automation-source 951 | - get: env-state-gcp 952 | - <<: *interpolate 953 | - task: upload-product 954 | image: platform-automation-image 955 | file: platform-automation-tasks/tasks/upload-product.yml 956 | input_mapping: 957 | product: mysql-product 958 | env: configuration-interpolated 959 | params: 960 | ENV_FILE: ((pas.env_name))/env/env.yml 961 | - task: stage-product 962 | image: platform-automation-image 963 | file: platform-automation-tasks/tasks/stage-product.yml 964 | input_mapping: 965 | product: 
mysql-product 966 | env: configuration-interpolated 967 | params: 968 | ENV_FILE: ((pas.env_name))/env/env.yml 969 | - task: configure-product 970 | image: platform-automation-image 971 | file: platform-automation-tasks/tasks/configure-product.yml 972 | input_mapping: 973 | config: configuration-interpolated 974 | env: configuration-interpolated 975 | params: 976 | CONFIG_FILE: ((pas.env_name))/config/mysql.yml 977 | VARS_FILES: config/((pas.env_name))/config/mysql-vars.yml 978 | ENV_FILE: ((pas.env_name))/env/env.yml 979 | 980 | - name: apply-product-changes 981 | serial: true 982 | serial_groups: 983 | - upgrade 984 | public: false 985 | plan: 986 | - aggregate: 987 | - get: platform-automation-image 988 | params: 989 | unpack: true 990 | - get: platform-automation-tasks 991 | params: 992 | unpack: true 993 | - get: configuration 994 | trigger: true 995 | passed: [ upload-stage-configure-mysql ] 996 | - get: pcf-automation-source 997 | - get: env-state-gcp 998 | - <<: *interpolate 999 | - task: apply-product-changes 1000 | image: platform-automation-image 1001 | file: platform-automation-tasks/tasks/apply-changes.yml 1002 | input_mapping: 1003 | env: configuration-interpolated 1004 | params: 1005 | ENV_FILE: ((pas.env_name))/env/env.yml 1006 | 1007 | # DESTROY 1008 | 1009 | - name: destroy-installation 1010 | serial: true 1011 | public: false 1012 | plan: 1013 | - aggregate: 1014 | - get: pcf-automation-source 1015 | trigger: false 1016 | - get: platform-automation-image 1017 | params: 1018 | unpack: true 1019 | - get: platform-automation-tasks 1020 | params: 1021 | unpack: true 1022 | - get: configuration 1023 | - get: state 1024 | - get: env-state-gcp 1025 | - <<: *interpolate 1026 | - task: delete-installation 1027 | image: platform-automation-image 1028 | file: platform-automation-tasks/tasks/delete-installation.yml 1029 | input_mapping: 1030 | env: configuration-interpolated 1031 | params: 1032 | ENV_FILE: ((pas.env_name))/env/env.yml 1033 | - task: 
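delete-vm
    image: platform-automation-image
    file: platform-automation-tasks/tasks/delete-vm.yml
    input_mapping:
      state: state
      config: configuration-interpolated
    params:
      VARS_FILES: config/((pas.env_name))/config/opsman-vars.yml
      STATE_FILE: ((pas.env_name))/state/state.yml
      OPSMAN_CONFIG_FILE: ((pas.env_name))/config/opsman.yml

# Tears down the paved GCP environment after destroy-installation has removed
# the OpsMan VM, then deletes the environment's directory from the
# configuration and state repositories.
- name: destroy-terraform
  serial: true
  public: false
  plan:
  - aggregate:
    - get: configuration
      trigger: true
      passed:
      - destroy-installation
    - get: state
  # `action: destroy` is set on the put and on its implicit get so the
  # terraform resource does not re-apply the environment on the way out.
  - put: env-state-gcp
    params:
      terraform_source: configuration/((pas.env_name))/terraforming-gcp/terraforming-pas
      override_files:
      - configuration/((pas.env_name))/terraform_override_files/dns_override.tf
      - configuration/((pas.env_name))/terraform_override_files/acme_override.tf
      - configuration/((pas.env_name))/terraform_override_files/output_override.tf
      delete_on_failure: true
      env_name: ((pas.env_name))
      action: destroy
    get_params:
      action: destroy
  - task: delete-config
    input_mapping:
      config: configuration
      state: state
    params:
      ENV_NAME: ((pas.env_name))
      GIT_AUTHOR_EMAIL: "pcf-pipeline-bot@banck.net"
      GIT_AUTHOR_NAME: "PCF Automation Bot"
      COMMIT_MESSAGE: 'Delete Environment'
    config:
      platform: linux
      image_resource:
        type: docker-image
        source:
          # NOTE(review): no tag or digest, so this floats with alpine/git:latest.
          # Pin a digest so the image that gets write access to both repos is
          # reproducible and auditable.
          repository: alpine/git
      inputs:
      - name: config
      - name: state
      outputs:
      - name: config-commit
      - name: state-commit
      run:
        path: /bin/sh
        args:
        - -c
        - |
          set -eux
          # `rm -rf <repo>/$ENV_NAME` below would wipe the whole checkout if
          # ENV_NAME were empty, and could reach outside the environment
          # directory if it contained a slash or were "." / "..". Accept only a
          # single, non-empty path component.
          case "${ENV_NAME:-}" in
            ""|.|..|*/*)
              echo "ENV_NAME must be a single non-empty directory name, got '${ENV_NAME:-}'" >&2
              exit 1
              ;;
          esac
          git config --global user.email "$GIT_AUTHOR_EMAIL"
          git config --global user.name "$GIT_AUTHOR_NAME"
          git clone config config-commit
          rm -rf "config-commit/$ENV_NAME"
          cd config-commit
          git add -A
          # Commit only when the deletion actually changed the tree.
          git diff-index --quiet HEAD || git commit -m "$COMMIT_MESSAGE"
          cd ..
          git clone state state-commit
          rm -rf "state-commit/$ENV_NAME"
          cd state-commit
          git add -A
          git diff-index --quiet HEAD || git commit -m "$COMMIT_MESSAGE"
  - put: configuration
    params:
      repository: config-commit
      merge: true
  - put: state
    params:
      repository: state-commit
      merge: true

groups:
- name: prepare
  jobs:
  - terraforming-gcp
  - bootstrap-configuration
  - fetch-platform-automation
- name: fetch
  jobs:
  - fetch-opsman
  - fetch-stemcell-170
  - fetch-stemcell-250
  - fetch-pas
  - fetch-healthwatch
  - fetch-metrics
  - fetch-mysql
- name: install
  jobs:
  - install-opsman
- name: upgrade
  jobs:
  - export-installation
  - upgrade-opsman
  - upload-stemcell-170
  - upload-stemcell-250
  - upload-stage-configure-pas
  - upload-stage-configure-healthwatch
  - upload-stage-configure-metrics
  - upload-stage-configure-mysql
  - apply-product-changes

- name: destroy
  jobs:
  - destroy-terraform
  - destroy-installation
--------------------------------------------------------------------------------
/tasks/interpolate.yml:
--------------------------------------------------------------------------------
---
# Renders the per-environment gomplate templates (config, env and
# download-product-configs) with the terraform outputs and writes vars files
# that carry the credentials handed in through `params`.
platform: linux
image_resource:
  type: docker-image
  source:
    repository: hairyhenderson/gomplate
    tag: alpine
inputs:
- name: terraform-output
  # - Output of the terraform resource. Its `metadata` file (JSON) is the
  #   `data` datasource the templates read.
- name: config
  # - The configuration repository. Templates are read from
  #   config/<ENV_NAME>/config, config/<ENV_NAME>/env and
  #   config/<ENV_NAME>/download-product-configs.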
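#   The rendered files are written to the `interpolated-config` output and
#   consumed by the platform-automation tasks that follow in the pipeline.
outputs:
- name: interpolated-config

# Every value below is a credential or names a credential-bearing file, and
# each is written in clear text into the output (see the gomplate calls in
# `run`). Keep the consuming jobs `public: false`.
params:
  ENV_NAME:
  PIVNET_API_TOKEN:
  GCP_AUTH_JSON:
  OM_USERNAME:
  OM_PASSWORD:
  OM_DECRYPTION_PASSPHRASE:
  CLOUD_CONTROLLER_ENCRYPT_KEY:
  MYSQL_EMAIL:
  CREDHUB_KEY_ENCRYPTION_PASSWORD:
run:
  path: /bin/sh
  args:
  - -c
  - |
    set -eu
    # Fail early instead of rendering into "interpolated-config//..." when the
    # environment name is empty.
    : "${ENV_NAME:?ENV_NAME must be set}"
    mkdir -p interpolated-config/$ENV_NAME/config
    mkdir -p interpolated-config/$ENV_NAME/env
    mkdir -p interpolated-config/$ENV_NAME/download-product-configs
    # Terraform outputs (terraform-output/metadata, JSON) are exposed to every
    # template as the "data" datasource.
    TF_DATA="file://$(pwd)/terraform-output/metadata?type=application/json"
    # NOTE(review): --verbose reports which templates are rendered; confirm it
    # never echoes rendered content, since these files contain credentials.
    /bin/gomplate --input-dir config/$ENV_NAME/config -d data="$TF_DATA" --output-dir interpolated-config/$ENV_NAME/config --verbose
    # Scalar secrets are passed through toJSON so a value containing ':', '#',
    # quotes or leading/trailing whitespace cannot break, truncate or alter the
    # YAML being assembled. The GCP key is multi-line JSON and is emitted as an
    # indented block scalar instead.
    /bin/gomplate -i $'gcp_auth_json: |\n{{ env.Getenv "GCP_AUTH_JSON" | strings.Indent 2 }}' -o interpolated-config/$ENV_NAME/config/director-vars.yml --verbose
    /bin/gomplate -i $'gcp_auth_json: |\n{{ env.Getenv "GCP_AUTH_JSON" | strings.Indent 2 }}' -o interpolated-config/$ENV_NAME/config/opsman-vars.yml --verbose
    /bin/gomplate -i $'mysql_email: {{ env.Getenv "MYSQL_EMAIL" | toJSON }}\ngcp_auth_json: |\n{{ env.Getenv "GCP_AUTH_JSON" | strings.Indent 2 }}' -o interpolated-config/$ENV_NAME/config/mysql-vars.yml --verbose
    /bin/gomplate -i $'cloud_controller_encrypt_key: {{ env.Getenv "CLOUD_CONTROLLER_ENCRYPT_KEY" | toJSON }}\nmysql_email: {{ env.Getenv "MYSQL_EMAIL" | toJSON }}\ncredhub_key_encryption_password: {{ env.Getenv "CREDHUB_KEY_ENCRYPTION_PASSWORD" | toJSON }}' -o interpolated-config/$ENV_NAME/config/cf-vars.yml --verbose
    /bin/gomplate --input-dir config/$ENV_NAME/download-product-configs -d data="$TF_DATA" --output-dir interpolated-config/$ENV_NAME/download-product-configs --verbose
    /bin/gomplate -i 'pivnet-api-token: {{ env.Getenv "PIVNET_API_TOKEN" | toJSON }}' -o interpolated-config/$ENV_NAME/download-product-configs/vars.yml --verbose
    /bin/gomplate -f config/$ENV_NAME/env/env.yml -d data="$TF_DATA" -o interpolated-config/$ENV_NAME/env/env.yml --verbose
--------------------------------------------------------------------------------
/tasks/make-git-commit.yml:
--------------------------------------------------------------------------------
---
# Copies one or more files from `file-source` into a checkout of `repository`
# and commits them; the commit lands in the `repository-commit` output.
platform: linux

inputs:
- name: repository
  # - This must be an initialized git repository.
  # - Note that any changes present in this input
  #   will be committed along with the file copied in
  #   by this task.
- name: file-source
  # - This is the input folder containing the file to be committed.
  #   Typically, this will come from some other task
  #   with an output that needs to be persisted.
outputs:
- name: repository-commit

params:
  FILE_SOURCE_PATHS:
  # - Required
  # - Whitespace-separated list of filepaths to be copied
  #   into the git repo before a commit is created
  # - Relative to the root of the `file-source` input
  FILE_DESTINATION_DIRECTORY:
  # - Required
  # - Directory to write the files specified by FILE_SOURCE_PATHS
  # - Relative to the root of the `repository` input
  GIT_AUTHOR_NAME:
  # - Required
  # - Used directly by git to configure the human-readable
  #   name in the `author` field of the commit
  GIT_AUTHOR_EMAIL:
  # - Required
  # - Used directly by git to configure the email address
  #   in the `author` field of the commit
  COMMIT_MESSAGE:
  # - Required
  # - Specify a commit message to be used
  #   for all commits made by this task.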
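
run:
  path: bash
  args:
  - "-c"
  - |
    cat /var/version && echo ""
    set -eu
    git config --global user.email "$GIT_AUTHOR_EMAIL"
    git config --global user.name "$GIT_AUTHOR_NAME"

    git clone repository repository-commit

    # FILE_SOURCE_PATHS is deliberately unquoted: it is split on whitespace
    # into the individual files to copy.
    for fsp in ${FILE_SOURCE_PATHS}
    do
      cp file-source/"${fsp}" repository-commit/"$FILE_DESTINATION_DIRECTORY"
    done

    cd repository-commit
    git add -A
    # --allow-empty: always produce a commit, even when nothing changed.
    git commit -m "$COMMIT_MESSAGE" --allow-empty
--------------------------------------------------------------------------------
/tasks/update-ssl-certificate.yml:
--------------------------------------------------------------------------------
---
# Installs the certificate and key that terraform issued for Ops Manager
# (opsman_ssl_cert / opsman_ssl_private_key in terraform-output/metadata)
# and waits until the OpsMan endpoint serves a chain that verifies.
platform: linux

inputs:
- name: env # contains the env file with target OpsMan Information
- name: terraform-output
params:
  ENV_FILE: env.yml
  # - Filepath of the env config YAML
  # - The path is relative to root of the `env` input

run:
  path: bash
  args:
  - "-c"
  - |
    set -eu
    cat /var/version && echo ""
    # jq is fetched at run time. Pin the release and verify the binary against
    # the SHA-256 published for that release asset before executing it, so a
    # tampered or redirected download cannot run code inside the pipeline.
    # -f makes curl fail on an HTTP error instead of saving the error page as
    # "jq". sha256sum is assumed to be present in the platform-automation image.
    JQ_URL="https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64"
    JQ_SHA256="af986793a515d500ab2d35f8d2aecd656e764504b789b66d7e1a0b727a124c44"
    curl -fsSL -o jq "$JQ_URL"
    echo "${JQ_SHA256}  jq" | sha256sum -c -
    chmod +x jq
    # jq -e exits non-zero when the selected value is null or missing, so a
    # metadata file without the cert fails here rather than pushing the string
    # "null" to Ops Manager.
    CERT_PEM="$(./jq -er .opsman_ssl_cert terraform-output/metadata)"
    KEY_PEM="$(./jq -er .opsman_ssl_private_key terraform-output/metadata)"
    OPSMAN_DOMAIN="$(./jq -er .ops_manager_dns terraform-output/metadata)"
    export OPSMAN_DOMAIN
    # NOTE(review): om takes the PEMs only as flag values, so the private key
    # is visible in this process's argv for the duration of the call.
    om --env env/"${ENV_FILE}" update-ssl-certificate --certificate-pem "$CERT_PEM" --private-key-pem "$KEY_PEM"
    # Poll (at most 120s) until OpsMan presents a certificate that chains to a
    # CA in this image's trust store; -verify_return_error turns a failed
    # verification into a non-zero exit. A timeout fails the task via set -e.
    timeout 120 /bin/sh -c -- 'while ! echo | openssl s_client -connect "$OPSMAN_DOMAIN:443" -servername "$OPSMAN_DOMAIN" -verify_return_error -verify 3 >/dev/null 2>/dev/null; do sleep 15; done'
    echo | openssl s_client -connect "$OPSMAN_DOMAIN:443" -servername "$OPSMAN_DOMAIN" 2>/dev/null | openssl x509 -noout -subject -dates
--------------------------------------------------------------------------------
/templates/config/auth.yml:
--------------------------------------------------------------------------------
---
# Ops Manager admin credentials, rendered by gomplate from the task
# environment. Each value goes through toJSON so a password containing ':',
# '#', quotes or surrounding whitespace is written as one correctly escaped
# YAML scalar instead of being truncated or turned into a mapping.
username: {{ env.Getenv "OM_USERNAME" | toJSON }}
password: {{ env.Getenv "OM_PASSWORD" | toJSON }}
decryption-passphrase: {{ env.Getenv "OM_DECRYPTION_PASSPHRASE" | toJSON }}
--------------------------------------------------------------------------------
/templates/config/cf.yml:
--------------------------------------------------------------------------------
product-name: cf
product-properties:
  # NOTE(review): SSH into app containers is allowed platform-wide and is the
  # default for new spaces. Acceptable for a test environment; review before
  # reusing this template for anything else.
  .cloud_controller.allow_app_ssh_access:
    value: true
  .cloud_controller.apps_domain:
    value: {{ (ds "data").apps_domain }}
  .cloud_controller.default_app_memory:
    value: 1024
  .cloud_controller.default_app_ssh_access:
    value: true
  .cloud_controller.default_disk_quota_app:
    value: 1024
  .cloud_controller.default_quota_max_number_services:
    value: 100
  .cloud_controller.default_quota_memory_limit_mb:
    value: 10240
  # Custom buildpacks let developers stage with code fetched from arbitrary URLs.
  .cloud_controller.enable_custom_buildpacks:
    value: true
  # Provided via cf-vars.yml, which tasks/interpolate.yml renders from
  # CLOUD_CONTROLLER_ENCRYPT_KEY.
  .cloud_controller.encrypt_key:
    value:
      secret: ((cloud_controller_encrypt_key))
  .cloud_controller.max_disk_quota_app:
    value: 2048
  .cloud_controller.max_file_size:
    value: 1024
  .cloud_controller.security_event_logging_enabled:
    value: true
  .cloud_controller.staging_timeout_in_seconds:
    value: 900
  .cloud_controller.system_domain:
    value: {{ (ds "data").sys_domain }}
  .diego_brain.starting_container_count_maximum:
    value: 200
  # Certificate verification is not skipped.
  .ha_proxy.skip_cert_verify:
    value: false
  .mysql.cli_history:
    value: true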
38 | .mysql.max_connections: 39 | value: 3500 40 | .mysql.prevent_node_auto_rejoin: 41 | value: false 42 | .mysql.remote_admin_access: 43 | value: false 44 | .mysql_monitor.poll_frequency: 45 | value: 30 46 | .mysql_monitor.recipient_email: 47 | value: ((mysql_email)) 48 | .mysql_monitor.write_read_delay: 49 | value: 20 50 | .mysql_proxy.shutdown_delay: 51 | value: 30 52 | .mysql_proxy.startup_delay: 53 | value: 0 54 | .nfs_server.blobstore_internal_access_rules: 55 | value: allow 10.0.0.0/8;,allow 172.16.0.0/12;,allow 192.168.0.0/16; 56 | .properties.autoscale_api_disable_connection_pooling: 57 | value: false 58 | .properties.autoscale_api_instance_count: 59 | value: 1 60 | .properties.autoscale_enable_verbose_logging: 61 | value: false 62 | .properties.autoscale_instance_count: 63 | value: 3 64 | .properties.autoscale_metric_bucket_count: 65 | value: 120 66 | .properties.autoscale_scaling_interval_in_seconds: 67 | value: 35 68 | .properties.cc_api_rate_limit: 69 | selected_option: disable 70 | value: disable 71 | .properties.cc_logging_level: 72 | value: info 73 | .properties.ccdb_connection_validation_timeout: 74 | value: 3600 75 | .properties.ccdb_read_timeout: 76 | value: 3600 77 | .properties.cf_networking_database_connection_timeout: 78 | value: 120 79 | .properties.cf_networking_enable_space_developer_self_service: 80 | value: true 81 | .properties.cf_networking_internal_domain: 82 | value: apps.internal 83 | .properties.cloud_controller_default_health_check_timeout: 84 | value: 60 85 | .properties.cloud_controller_temporary_disable_deployments: 86 | value: false 87 | .properties.container_networking: 88 | selected_option: enable 89 | value: enable 90 | .properties.container_networking_interface_plugin: 91 | selected_option: silk 92 | value: silk 93 | .properties.container_networking_interface_plugin.silk.enable_log_traffic: 94 | value: false 95 | .properties.container_networking_interface_plugin.silk.enable_policy_enforcement: 96 | value: true 97 | 
.properties.container_networking_interface_plugin.silk.iptables_accepted_udp_logs_per_sec: 98 | value: 100 99 | .properties.container_networking_interface_plugin.silk.iptables_denied_logs_per_sec: 100 | value: 1 101 | .properties.container_networking_interface_plugin.silk.network_mtu: 102 | value: 1454 103 | .properties.container_networking_interface_plugin.silk.vtep_port: 104 | value: 4789 105 | .properties.credhub_database: 106 | selected_option: internal_mysql 107 | value: internal_mysql 108 | .properties.credhub_hsm_provider_client_certificate: 109 | value: 110 | cert_pem: "" 111 | private_key_pem: "" 112 | .properties.credhub_hsm_provider_partition_password: 113 | value: 114 | secret: "" 115 | .properties.credhub_key_encryption_passwords: 116 | value: 117 | - key: 118 | secret: ((credhub_key_encryption_password)) 119 | name: default 120 | primary: true 121 | provider: internal 122 | .properties.diego_database_max_open_connections: 123 | value: 100 124 | .properties.diego_log_timestamp_format: 125 | selected_option: rfc3339 126 | value: rfc3339 127 | .properties.enable_smb_volume_driver: 128 | value: false 129 | .properties.enable_tls_to_internal_pxc: 130 | value: true 131 | .properties.experimental_dynamic_egress_enforcement: 132 | value: true 133 | .properties.garden_disk_cleanup: 134 | selected_option: reserved 135 | value: reserved 136 | .properties.gorouter_ssl_ciphers: 137 | value: ECDHE-RSA-AES128-GCM-SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 138 | .properties.haproxy_client_cert_validation: 139 | selected_option: none 140 | value: none 141 | .properties.haproxy_forward_tls: 142 | selected_option: disable 143 | value: disable 144 | .properties.haproxy_hsts_support: 145 | selected_option: disable 146 | value: disable 147 | .properties.haproxy_max_buffer_size: 148 | value: 16384 149 | .properties.haproxy_ssl_ciphers: 150 | value: DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384 151 | 
.properties.istio: 152 | selected_option: enable 153 | value: enable 154 | .properties.istio_frontend_tls_keypairs: 155 | value: 156 | - certificate: 157 | cert_pem: | 158 | {{ (ds "data").mesh_ssl_cert | strings.Indent 10 }} 159 | private_key_pem: | 160 | {{ (ds "data").mesh_ssl_private_key | strings.Indent 10 }} 161 | name: istio-cert 162 | .properties.locket_database_max_open_connections: 163 | value: 200 164 | .properties.metric_registrar_blacklisted_tags: 165 | value: deployment,job,index,id 166 | .properties.metric_registrar_enabled: 167 | value: true 168 | .properties.metric_registrar_scrape_interval_in_seconds: 169 | value: 35 170 | .properties.mysql_activity_logging: 171 | selected_option: enable 172 | value: enable 173 | .properties.mysql_activity_logging.enable.audit_logging_events: 174 | value: connect,query 175 | .properties.networking_poe_ssl_certs: 176 | value: 177 | - certificate: 178 | cert_pem: | 179 | {{ (ds "data").ssl_cert | strings.Indent 10 }} 180 | private_key_pem: | 181 | {{ (ds "data").ssl_private_key | strings.Indent 10 }} 182 | name: router-cert 183 | .properties.networkpolicyserver_database_max_open_connections: 184 | value: 200 185 | .properties.networkpolicyserverinternal_database_max_open_connections: 186 | value: 200 187 | .properties.nfs_volume_driver: 188 | selected_option: enable 189 | value: enable 190 | .properties.nfs_volume_driver.enable.ldap_service_account_password: 191 | value: 192 | secret: "" 193 | .properties.push_apps_manager_app_poll_interval: 194 | value: 10 195 | .properties.push_apps_manager_currency_lookup: 196 | value: '{ "usd": "$", "eur": "€" }' 197 | .properties.push_apps_manager_display_plan_prices: 198 | value: false 199 | .properties.push_apps_manager_enable_invitations: 200 | value: true 201 | .properties.push_apps_manager_poll_interval: 202 | value: 30 203 | .properties.route_integrity: 204 | selected_option: tls_verify 205 | value: tls_verify 206 | .properties.route_services: 207 | selected_option: 
enable
  value: enable
# Certificates presented by route services are verified.
.properties.route_services.enable.ignore_ssl_cert_verification:
  value: false
.properties.router_backend_max_conn:
  value: 500
# "request": the router asks clients for a certificate but does not require
# one — per the option name; confirm against the tile's documentation.
.properties.router_client_cert_validation:
  selected_option: request
  value: request
# PROXY protocol is not enabled on the router.
.properties.router_enable_proxy:
  value: false
.properties.router_keepalive_connections:
  selected_option: enable
  value: enable
# NOTE(review): plain HTTP stays enabled on the router (see also
# .router.disable_insecure_cookies below).
.properties.routing_disable_http:
  value: false
.properties.routing_log_client_ips:
  selected_option: log_client_ips
  value: log_client_ips
.properties.routing_minimum_tls_version:
  selected_option: tls_v1_2
  value: tls_v1_2
# TLS is terminated at the (GCP) load balancer in front of the routers.
.properties.routing_tls_termination:
  selected_option: load_balancer
  value: load_balancer
.properties.saml_signature_algorithm:
  value: SHA256
.properties.secure_service_instance_credentials:
  value: true
.properties.security_acknowledgement:
  value: X
.properties.silk_database_max_open_connections:
  value: 200
.properties.smoke_tests:
  selected_option: on_demand
  value: on_demand
# SMTP for notifications is left unconfigured: empty credentials and no
# STARTTLS. If a mail server is added, enable STARTTLS so credentials are not
# sent in clear text.
.properties.smtp_auth_mechanism:
  value: plain
.properties.smtp_credentials:
  value:
    identity: ""
    password: ""
.properties.smtp_enable_starttls_auto:
  value: false
.properties.stack_migration_acknowledgement:
  value: X
.properties.syslog_drop_debug:
  value: true
.properties.syslog_metrics_to_syslog_enabled:
  value: true
# NOTE(review): syslog forwarding is configured without TLS; if a remote
# syslog endpoint is ever set, logs would leave the platform unencrypted.
.properties.syslog_tls:
  selected_option: disabled
  value: disabled
.properties.syslog_use_tcp_for_file_forwarding_local_transport:
  value: false
.properties.system_blobstore:
  selected_option: internal
  value: internal
.properties.system_blobstore_ccdroplet_max_staged_droplets_stored:
  value: 2
.properties.system_blobstore_ccpackage_max_valid_packages_stored:
  value: 2
.properties.system_database:
  selected_option: internal_pxc
  value: internal_pxc
.properties.tcp_routing:
  selected_option: disable
  value: disable
.properties.uaa:
  selected_option: internal
  value: internal
# NOTE(review): internal UAA password policy is effectively off — passwords
# never expire and no minimum length or character-class requirements apply.
# Only the lockout after 5 failed attempts remains. Tighten before any use
# beyond a throwaway test environment.
.properties.uaa.internal.password_expires_after_months:
  value: 0
.properties.uaa.internal.password_max_retry:
  value: 5
.properties.uaa.internal.password_min_length:
  value: 0
.properties.uaa.internal.password_min_lowercase:
  value: 0
.properties.uaa.internal.password_min_numeric:
  value: 0
.properties.uaa.internal.password_min_special:
  value: 0
.properties.uaa.internal.password_min_uppercase:
  value: 0
.properties.uaa_database:
  selected_option: internal_mysql
  value: internal_mysql
# UAA sessions: 8 h absolute lifetime, 30 min idle timeout (seconds).
.properties.uaa_session_cookie_max_age:
  value: 28800
.properties.uaa_session_idle_timeout:
  value: 1800
# NOTE(review): the router does not force the Secure attribute on app cookies;
# with HTTP still enabled above, session cookies can travel over plain HTTP.
.router.disable_insecure_cookies:
  value: false
.router.drain_wait:
  value: 20
.router.enable_isolated_routing:
  value: false
.router.enable_write_access_logs:
  value: true
.router.enable_zipkin:
  value: true
.router.frontend_idle_timeout:
  value: 900
.router.lb_healthy_threshold:
  value: 20
.router.request_timeout_in_seconds:
  value: 900
# Token lifetimes in seconds: 1 h (Apps Manager), 2 h (cf CLI access),
# 14 days (cf CLI refresh).
.uaa.apps_manager_access_token_lifetime:
  value: 3600
.uaa.cf_cli_access_token_lifetime:
  value: 7200
.uaa.cf_cli_refresh_token_lifetime:
  value: 1209600
.uaa.customize_password_label:
  value: Password
.uaa.customize_username_label:
  value: Email
# Source addresses matched here are treated as trusted proxies (RFC 1918,
# link-local and loopback ranges). The pattern is unanchored — presumably
# UAA matches it against the whole address; verify before relying on it.
.uaa.proxy_ips_regex:
  value: 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
.uaa.service_provider_key_credentials:
328 | value: 329 | cert_pem: | 330 | {{ (ds "data").ssl_cert | strings.Indent 8 }} 331 | private_key_pem: | 332 | {{ (ds "data").ssl_private_key | strings.Indent 8 }} 333 | .uaa.service_provider_key_password: 334 | value: 335 | secret: "" 336 | network-properties: 337 | network: 338 | name: {{ (ds "data").pas_subnet_name }} 339 | other_availability_zones: 340 | - name: {{ index (ds "data").azs 0 }} 341 | - name: {{ index (ds "data").azs 1 }} 342 | - name: {{ index (ds "data").azs 2 }} 343 | singleton_availability_zone: 344 | name: {{ index (ds "data").azs 0 }} 345 | resource-config: 346 | backup_restore: 347 | instances: automatic 348 | persistent_disk: 349 | size_mb: automatic 350 | instance_type: 351 | id: automatic 352 | internet_connected: true 353 | clock_global: 354 | instances: automatic 355 | instance_type: 356 | id: automatic 357 | internet_connected: true 358 | cloud_controller: 359 | instances: automatic 360 | instance_type: 361 | id: automatic 362 | internet_connected: true 363 | cloud_controller_worker: 364 | instances: automatic 365 | instance_type: 366 | id: automatic 367 | internet_connected: true 368 | credhub: 369 | instances: automatic 370 | instance_type: 371 | id: automatic 372 | internet_connected: true 373 | diego_brain: 374 | instances: automatic 375 | instance_type: 376 | id: automatic 377 | internet_connected: true 378 | elb_names: 379 | - tcp:{{ (ds "data").ssh_lb_name }} 380 | diego_cell: 381 | instances: automatic 382 | instance_type: 383 | id: automatic 384 | internet_connected: true 385 | diego_database: 386 | instances: automatic 387 | instance_type: 388 | id: automatic 389 | internet_connected: true 390 | doppler: 391 | instances: automatic 392 | instance_type: 393 | id: automatic 394 | internet_connected: true 395 | ha_proxy: 396 | instances: automatic 397 | instance_type: 398 | id: automatic 399 | internet_connected: true 400 | istio_control: 401 | instances: automatic 402 | instance_type: 403 | id: automatic 404 | 
internet_connected: true 405 | istio_router: 406 | instances: automatic 407 | instance_type: 408 | id: automatic 409 | internet_connected: true 410 | elb_names: 411 | - http:{{ (ds "data").http_mesh_lb_backend_name }} 412 | loggregator_trafficcontroller: 413 | instances: automatic 414 | instance_type: 415 | id: automatic 416 | internet_connected: true 417 | mysql: 418 | instances: automatic 419 | persistent_disk: 420 | size_mb: automatic 421 | instance_type: 422 | id: automatic 423 | internet_connected: true 424 | mysql_monitor: 425 | instances: automatic 426 | instance_type: 427 | id: automatic 428 | internet_connected: true 429 | mysql_proxy: 430 | instances: automatic 431 | instance_type: 432 | id: automatic 433 | internet_connected: true 434 | nats: 435 | instances: automatic 436 | instance_type: 437 | id: automatic 438 | internet_connected: true 439 | nfs_server: 440 | instances: automatic 441 | persistent_disk: 442 | size_mb: automatic 443 | instance_type: 444 | id: automatic 445 | internet_connected: true 446 | route_syncer: 447 | instances: automatic 448 | instance_type: 449 | id: automatic 450 | internet_connected: true 451 | router: 452 | instances: automatic 453 | instance_type: 454 | id: automatic 455 | internet_connected: true 456 | elb_names: 457 | - tcp:{{ (ds "data").ws_router_pool }} 458 | - http:{{ (ds "data").http_lb_backend_name }} 459 | syslog_adapter: 460 | instances: automatic 461 | instance_type: 462 | id: automatic 463 | internet_connected: true 464 | syslog_scheduler: 465 | instances: automatic 466 | instance_type: 467 | id: automatic 468 | internet_connected: true 469 | tcp_router: 470 | instances: 0 471 | persistent_disk: 472 | size_mb: automatic 473 | instance_type: 474 | id: automatic 475 | internet_connected: true 476 | uaa: 477 | instances: automatic 478 | instance_type: 479 | id: automatic 480 | internet_connected: true 481 | errand-config: 482 | deploy-autoscaler: 483 | post-deploy-state: true 484 | deploy-notifications: 485 | 
post-deploy-state: true 486 | deploy-notifications-ui: 487 | post-deploy-state: true 488 | metric_registrar_smoke_test: 489 | post-deploy-state: false 490 | nfsbrokerpush: 491 | post-deploy-state: true 492 | push-apps-manager: 493 | post-deploy-state: true 494 | push-usage-service: 495 | post-deploy-state: true 496 | smbbrokerpush: 497 | post-deploy-state: false 498 | smoke_tests: 499 | post-deploy-state: true 500 | test-autoscaling: 501 | post-deploy-state: true 502 | -------------------------------------------------------------------------------- /templates/config/director.yml: -------------------------------------------------------------------------------- 1 | az-configuration: 2 | - name: {{ index (ds "data").azs 0 }} 3 | - name: {{ index (ds "data").azs 1 }} 4 | - name: {{ index (ds "data").azs 2 }} 5 | network-assignment: 6 | network: 7 | name: {{ (ds "data").management_subnet_name }} 8 | other_availability_zones: [] 9 | singleton_availability_zone: 10 | name: {{ index (ds "data").azs 0 }} 11 | networks-configuration: 12 | icmp_checks_enabled: false 13 | networks: 14 | - name: {{ (ds "data").management_subnet_name }} 15 | subnets: 16 | - iaas_identifier: {{ (ds "data").network_name }}/{{ (ds "data").management_subnet_name }}/{{ (ds "data").region }} 17 | cidr: {{ (ds "data").infrastructure_subnet_cidr }} 18 | dns: 169.254.169.254 19 | gateway: {{ (ds "data").management_subnet_gateway }} 20 | reserved_ip_ranges: {{ (ds "data").subnet_mgmt_reserved }} 21 | availability_zone_names: 22 | - {{ index (ds "data").azs 0 }} 23 | - {{ index (ds "data").azs 1 }} 24 | - {{ index (ds "data").azs 2 }} 25 | - name: {{ (ds "data").pas_subnet_name }} 26 | subnets: 27 | - iaas_identifier: {{ (ds "data").network_name }}/{{ (ds "data").pas_subnet_name }}/{{ (ds "data").region }} 28 | cidr: {{ (ds "data").pas_subnet_cidr }} 29 | dns: 169.254.169.254 30 | gateway: {{ (ds "data").pas_subnet_gateway }} 31 | reserved_ip_ranges: {{ (ds "data").subnet_pas_reserved }} 32 | 
availability_zone_names:
- {{ index (ds "data").azs 0 }}
- {{ index (ds "data").azs 1 }}
- {{ index (ds "data").azs 2 }}
# Services network; the same three AZs as the management and PAS networks.
- name: {{ (ds "data").services_subnet_name }}
  subnets:
  - iaas_identifier: {{ (ds "data").network_name }}/{{ (ds "data").services_subnet_name }}/{{ (ds "data").region }}
    cidr: {{ (ds "data").services_subnet_cidr }}
    # GCP metadata server, used as DNS resolver (and NTP source below).
    dns: 169.254.169.254
    gateway: {{ (ds "data").services_subnet_gateway }}
    reserved_ip_ranges: {{ (ds "data").subnet_pas_svc_reserved }}
    availability_zone_names:
    - {{ index (ds "data").azs 0 }}
    - {{ index (ds "data").azs 1 }}
    - {{ index (ds "data").azs 2 }}
properties-configuration:
  director_configuration:
    # NOTE(review): older BOSH agents are accepted; consider disabling once
    # every stemcell in use is current — confirm against the director docs.
    allow_legacy_agents: true
    # Director-local blobstore, served over TLS (local_blobstore_options).
    blobstore_type: local
    bosh_recreate_on_next_deploy: false
    bosh_recreate_persistent_disks_on_next_deploy: false
    database_type: internal
    director_worker_count: 5
    # No external encryption provider (e.g. HSM) is configured.
    encryption:
      keys: []
      providers: []
    hm_emailer_options:
      enabled: false
    hm_pager_duty_options:
      enabled: false
    identification_tags: {}
    keep_unreachable_vms: false
    local_blobstore_options:
      tls_enabled: true
    ntp_servers_string: 169.254.169.254
    post_deploy_enabled: false
    # NOTE(review): the resurrector is off, so failed/unresponsive VMs are not
    # recreated automatically — intentional for a test environment, presumably.
    resurrector_enabled: false
    retry_bosh_deploys: false
    skip_director_drain: true
  dns_configuration:
    excluded_recursors: []
    handlers: []
  iaas_configuration:
    additional_cloud_properties: {}
    default_deployment_tag: {{ (ds "data").vm_tag }}
    project: {{ (ds "data").project }}
    # GCP service-account key. Comes from director-vars.yml, which
    # tasks/interpolate.yml renders from the GCP_AUTH_JSON task parameter.
    auth_json: ((gcp_auth_json))
  security_configuration:
    # Per-VM generated passwords rather than a shared one; the Ops Manager root
    # CA is added to each VM's trusted certificates.
    generate_vm_passwords: true
    opsmanager_root_ca_trusted_certs: true
  # NOTE(review): director/VM logs are not forwarded anywhere; no off-box audit
  # trail exists for this environment.
  syslog_configuration:
    enabled: false
resource-configuration:
  compilation:
    instances: automatic
    instance_type:
      id: automatic
    # NOTE(review): internet_connected gives these VMs a public address on GCP
    # (assumption — confirm with the terraform network setup); NAT would avoid
    # exposing compilation and director VMs directly.
    internet_connected: true
  director:
    instances: automatic
    persistent_disk:
      size_mb:
automatic 94 | instance_type: 95 | id: automatic 96 | internet_connected: true 97 | vmextensions-configuration: [] 98 | -------------------------------------------------------------------------------- /templates/config/healthwatch.yml: -------------------------------------------------------------------------------- 1 | product-name: p-healthwatch 2 | product-properties: 3 | .healthwatch-forwarder.boshhealth_instance_count: 4 | value: 1 5 | .healthwatch-forwarder.boshtasks_instance_count: 6 | value: 2 7 | .healthwatch-forwarder.canary_instance_count: 8 | value: 2 9 | .healthwatch-forwarder.cli_instance_count: 10 | value: 2 11 | .healthwatch-forwarder.health_check_az: 12 | value: {{ index (ds "data").azs 0 }} 13 | .healthwatch-forwarder.ingestor_instance_count: 14 | value: 4 15 | .healthwatch-forwarder.opsman_instance_count: 16 | value: 2 17 | .healthwatch-forwarder.publish_to_eva: 18 | value: true 19 | .healthwatch-forwarder.worker_instance_count: 20 | value: 4 21 | .mysql.skip_name_resolve: 22 | value: true 23 | .properties.boshtasks: 24 | selected_option: disable 25 | value: disable 26 | .properties.indicators_selector: 27 | selected_option: inactive 28 | value: "No" 29 | .properties.opsman: 30 | selected_option: enable 31 | value: enable 32 | .properties.opsman.enable.url: 33 | value: https://{{ (ds "data").ops_manager_dns }} 34 | .properties.syslog_selector: 35 | selected_option: inactive 36 | value: "No" 37 | network-properties: 38 | network: 39 | name: {{ (ds "data").services_subnet_name }} 40 | other_availability_zones: 41 | - name: {{ index (ds "data").azs 0 }} 42 | - name: {{ index (ds "data").azs 1 }} 43 | - name: {{ index (ds "data").azs 2 }} 44 | singleton_availability_zone: 45 | name: {{ index (ds "data").azs 0 }} 46 | service_network: 47 | name: {{ (ds "data").services_subnet_name }} 48 | resource-config: 49 | healthwatch-forwarder: 50 | instances: automatic 51 | persistent_disk: 52 | size_mb: automatic 53 | instance_type: 54 | id: automatic 55 | 
internet_connected: true 56 | mysql: 57 | instances: automatic 58 | persistent_disk: 59 | size_mb: automatic 60 | instance_type: 61 | id: automatic 62 | internet_connected: true 63 | redis: 64 | instances: automatic 65 | persistent_disk: 66 | size_mb: automatic 67 | instance_type: 68 | id: automatic 69 | internet_connected: true 70 | errand-config: 71 | delete-space: 72 | pre-delete-state: true 73 | push-apps: 74 | post-deploy-state: true 75 | smoke-tests: 76 | post-deploy-state: true 77 | 78 | -------------------------------------------------------------------------------- /templates/config/metrics.yml: -------------------------------------------------------------------------------- 1 | product-name: apmPostgres 2 | product-properties: 3 | .errand-runner.ingestor_instance_count: 4 | value: 1 5 | .errand-runner.logs_queue_instance_count: 6 | value: 1 7 | .errand-runner.logs_queue_max_retention_percentage: 8 | value: 85 9 | .errand-runner.logs_queue_retention_percentage_interval: 10 | value: 1h 11 | .errand-runner.logs_retention_window: 12 | value: 14 13 | .errand-runner.metrics_queue_instance_count: 14 | value: 1 15 | .errand-runner.metrics_retention_window: 16 | value: 14 17 | .errand-runner.push_apps_log_level: 18 | value: error 19 | .errand-runner.server_instance_count: 20 | value: 1 21 | network-properties: 22 | network: 23 | name: {{ (ds "data").services_subnet_name }} 24 | other_availability_zones: 25 | - name: {{ index (ds "data").azs 0 }} 26 | - name: {{ index (ds "data").azs 1 }} 27 | - name: {{ index (ds "data").azs 2 }} 28 | singleton_availability_zone: 29 | name: {{ index (ds "data").azs 0 }} 30 | resource-config: 31 | errand-runner: 32 | instances: automatic 33 | persistent_disk: 34 | size_mb: automatic 35 | instance_type: 36 | id: automatic 37 | internet_connected: true 38 | mysql: 39 | instances: automatic 40 | persistent_disk: 41 | size_mb: automatic 42 | instance_type: 43 | id: automatic 44 | internet_connected: true 45 | postgres: 46 | instances: 
automatic 47 | persistent_disk: 48 | size_mb: automatic 49 | instance_type: 50 | id: automatic 51 | internet_connected: true 52 | redis: 53 | instances: automatic 54 | persistent_disk: 55 | size_mb: automatic 56 | instance_type: 57 | id: automatic 58 | internet_connected: true 59 | errand-config: 60 | delete-prior-space: 61 | post-deploy-state: true 62 | delete-space: 63 | pre-delete-state: true 64 | migrate-route: 65 | post-deploy-state: true 66 | push-apps: 67 | post-deploy-state: true 68 | smoke-tests: 69 | post-deploy-state: true 70 | 71 | -------------------------------------------------------------------------------- /templates/config/mysql.yml: -------------------------------------------------------------------------------- 1 | product-name: pivotal-mysql 2 | product-properties: 3 | .properties.allow_lower_case_table_names_via_config_param: 4 | value: false 5 | .properties.audit_logging_enabled: 6 | value: false 7 | .properties.backups_selector: 8 | selected_option: gcs 9 | value: GCS 10 | .properties.backups_selector.gcs.bucket_name: 11 | value: mysql 12 | .properties.backups_selector.gcs.cron_schedule: 13 | value: 0 */8 * * * 14 | .properties.backups_selector.gcs.enable_email_alerts: 15 | value: false 16 | .properties.backups_selector.gcs.project_id: 17 | value: {{ (ds "data").project }} 18 | .properties.backups_selector.gcs.service_account_json: 19 | value: 20 | secret: ((gcp_auth_json)) 21 | .properties.canary_instances: 22 | value: 0 23 | .properties.deprecated_bindings_string: 24 | value: X 25 | .properties.enable_lower_case_table_names: 26 | value: false 27 | .properties.enable_read_only_admin: 28 | value: false 29 | .properties.enable_secure_binding_credentials: 30 | value: true 31 | .properties.enable_tls_selector: 32 | selected_option: disabled 33 | value: disabled 34 | .properties.global_recipient_email: 35 | value: ((mysql_email)) 36 | .properties.global_service_instance_limit: 37 | value: 50 38 | .properties.local_infile: 39 | value: false 40 | 
.properties.mysql_metrics_frequency: 41 | value: 30 42 | .properties.plan1_selector: 43 | selected_option: single_node 44 | value: single_node 45 | .properties.plan1_selector.single_node.access_dropdown: 46 | value: enable 47 | .properties.plan1_selector.single_node.az_multi_select: 48 | value: 49 | - {{ index (ds "data").azs 0 }} 50 | .properties.plan1_selector.single_node.description: 51 | value: This plan provides a small dedicated MySQL instance. 52 | .properties.plan1_selector.single_node.instance_limit: 53 | value: 30 54 | .properties.plan1_selector.single_node.name: 55 | value: db-small 56 | .properties.plan1_selector.single_node.paid_plan: 57 | value: false 58 | .properties.plan2_selector: 59 | selected_option: leader_follower 60 | value: leader_follower 61 | .properties.plan2_selector.leader_follower.access_dropdown: 62 | value: enable 63 | .properties.plan2_selector.leader_follower.az_multi_select: 64 | value: 65 | - {{ index (ds "data").azs 0 }} 66 | - {{ index (ds "data").azs 1 }} 67 | .properties.plan2_selector.leader_follower.description: 68 | value: This plan provides a medium dedicated MySQL Leader Follower instance. 69 | .properties.plan2_selector.leader_follower.instance_limit: 70 | value: 30 71 | .properties.plan2_selector.leader_follower.name: 72 | value: db-medium 73 | .properties.plan2_selector.leader_follower.paid_plan: 74 | value: false 75 | .properties.plan3_selector: 76 | selected_option: galera 77 | value: galera 78 | .properties.plan3_selector.galera.access_dropdown: 79 | value: enable 80 | .properties.plan3_selector.galera.az_multi_select: 81 | value: 82 | - {{ index (ds "data").azs 0 }} 83 | - {{ index (ds "data").azs 1 }} 84 | - {{ index (ds "data").azs 2 }} 85 | .properties.plan3_selector.galera.description: 86 | value: This plan provides a large dedicated MySQL Cluster. 
87 | .properties.plan3_selector.galera.instance_limit: 88 | value: 5 89 | .properties.plan3_selector.galera.jumpbox_vm_type: 90 | value: large 91 | .properties.plan3_selector.galera.name: 92 | value: db-large 93 | .properties.plan3_selector.galera.paid_plan: 94 | value: false 95 | .properties.plan3_selector.galera.vm_type: 96 | value: large 97 | .properties.plan4_selector: 98 | selected_option: inactive 99 | value: Inactive 100 | .properties.plan5_selector: 101 | selected_option: inactive 102 | value: Inactive 103 | .properties.plan6_selector: 104 | selected_option: inactive 105 | value: Inactive 106 | .properties.plan7_selector: 107 | selected_option: inactive 108 | value: Inactive 109 | .properties.plan8_selector: 110 | selected_option: inactive 111 | value: Inactive 112 | .properties.plan9_selector: 113 | selected_option: inactive 114 | value: Inactive 115 | .properties.request_timeout: 116 | value: 120 117 | .properties.simultaneous_upgrades: 118 | value: 1 119 | .properties.syslog_migration_selector: 120 | selected_option: disabled 121 | value: disabled 122 | .properties.userstat: 123 | value: false 124 | .properties.wait_timeout: 125 | value: 28800 126 | network-properties: 127 | network: 128 | name: {{ (ds "data").services_subnet_name }} 129 | other_availability_zones: 130 | - name: {{ index (ds "data").azs 0 }} 131 | - name: {{ index (ds "data").azs 1 }} 132 | - name: {{ index (ds "data").azs 2 }} 133 | service_network: 134 | name: {{ (ds "data").services_subnet_name }} 135 | singleton_availability_zone: 136 | name: {{ index (ds "data").azs 0 }} 137 | resource-config: 138 | dedicated-mysql-broker: 139 | instances: automatic 140 | instance_type: 141 | id: automatic 142 | internet_connected: true 143 | errand-config: 144 | delete-all-service-instances-and-deregister-broker: 145 | pre-delete-state: true 146 | register-broker: 147 | post-deploy-state: true 148 | smoke-tests: 149 | post-deploy-state: true 150 | upgrade-all-service-instances: 151 | 
post-deploy-state: true 152 | validate-before-upgrade-instances: 153 | post-deploy-state: true 154 | 155 | -------------------------------------------------------------------------------- /templates/config/opsman.yml: -------------------------------------------------------------------------------- 1 | ---{{ $tag := split (ds "data").vm_tag "-"}}{{ $env_name := index $tag 0 }} 2 | opsman-configuration: 3 | gcp: 4 | gcp_service_account: ((gcp_auth_json)) 5 | project: {{ (ds "data").project }} 6 | region: {{ (ds "data").region }} 7 | zone: {{ index (ds "data").azs 0 }} 8 | vm_name: {{ $env_name }}-opsman 9 | # For SharedVPC: projects/[HOST_PROJECT_ID]/regions/[REGION]/subnetworks/[SUBNET] 10 | vpc_subnet: {{ (ds "data").management_subnet_name }} 11 | tags: ops-manager,{{ $env_name }}-ops-manager-external 12 | # This CPU, Memory and disk size demonstrated here 13 | # match the defaults, and needn't be included if these are the desired values 14 | custom_cpu: 2 15 | custom_memory: 8 16 | boot_disk_size: 100 17 | # At least one IP address (public or private) needs to be assigned to the VM. 
18 | public_ip: {{ (ds "data").ops_manager_public_ip }} 19 | -------------------------------------------------------------------------------- /templates/download-product-configs/healthwatch.yml: -------------------------------------------------------------------------------- 1 | --- 2 | pivnet-api-token: ((pivnet-api-token)) 3 | pivnet-file-glob: "p-healthwatch*pivotal" 4 | pivnet-product-slug: p-healthwatch 5 | product-version: 1.5.2 -------------------------------------------------------------------------------- /templates/download-product-configs/metrics.yml: -------------------------------------------------------------------------------- 1 | --- 2 | pivnet-api-token: ((pivnet-api-token)) 3 | pivnet-file-glob: "apm-*pivotal" 4 | pivnet-product-slug: apm 5 | product-version: 1.6.1 -------------------------------------------------------------------------------- /templates/download-product-configs/mysql.yml: -------------------------------------------------------------------------------- 1 | --- 2 | pivnet-api-token: ((pivnet-api-token)) 3 | pivnet-file-glob: "pivotal-mysql-*pivotal" 4 | pivnet-product-slug: pivotal-mysql 5 | product-version: 2.5.4 -------------------------------------------------------------------------------- /templates/download-product-configs/opsman.yml: -------------------------------------------------------------------------------- 1 | --- 2 | pivnet-api-token: ((pivnet-api-token)) 3 | pivnet-file-glob: "ops-manager-gcp-*.yml" 4 | pivnet-product-slug: ops-manager 5 | product-version: 2.5.2 6 | -------------------------------------------------------------------------------- /templates/download-product-configs/pas.yml: -------------------------------------------------------------------------------- 1 | --- 2 | pivnet-api-token: ((pivnet-api-token)) 3 | pivnet-file-glob: "cf-*pivotal" 4 | pivnet-product-slug: elastic-runtime 5 | product-version: 2.5.2 6 | -------------------------------------------------------------------------------- 
/templates/download-product-configs/stemcell-170.yml: -------------------------------------------------------------------------------- 1 | --- 2 | pivnet-api-token: ((pivnet-api-token)) 3 | pivnet-file-glob: "light-bosh-stemcell-*-google-kvm-ubuntu-xenial-go_agent.tgz" 4 | pivnet-product-slug: stemcells-ubuntu-xenial 5 | product-version-regex: ^170\..*$ -------------------------------------------------------------------------------- /templates/download-product-configs/stemcell-250.yml: -------------------------------------------------------------------------------- 1 | --- 2 | pivnet-api-token: ((pivnet-api-token)) 3 | pivnet-file-glob: "light-bosh-stemcell-*-google-kvm-ubuntu-xenial-go_agent.tgz" 4 | pivnet-product-slug: stemcells-ubuntu-xenial 5 | product-version-regex: ^250\..*$ -------------------------------------------------------------------------------- /templates/env/env.yml: -------------------------------------------------------------------------------- 1 | --- 2 | target: {{ (ds "data").ops_manager_dns }} 3 | connect-timeout: 30 # default 5 4 | request-timeout: 1800 # default 1800 5 | username: {{env.Getenv "OM_USERNAME" }} 6 | password: {{env.Getenv "OM_PASSWORD" }} 7 | # decryption-passphrase is optional, 8 | # except for use with `import-installation`. 9 | # OpsMan depends on the passphrase 10 | # to decrypt the imported installation. 11 | # For other commands, providing this key allows 12 | # decryption of the OpsMan VM after reboot, 13 | # which would otherwise need to be done manually. 
14 | decryption-passphrase: {{env.Getenv "OM_DECRYPTION_PASSPHRASE" }} 15 | -------------------------------------------------------------------------------- /terraform_override_files/acme_override.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | subdomains = ["*.apps", "*.sys", "*.login.sys", "*.uaa.sys"] 3 | mesh_subdomains = ["*.mesh.apps"] 4 | } 5 | 6 | variable "email" { 7 | type = "string" 8 | } 9 | 10 | provider "acme" { 11 | server_url = "https://acme-v02.api.letsencrypt.org/directory" 12 | } 13 | 14 | resource "tls_private_key" "pas_private_key" { 15 | algorithm = "RSA" 16 | } 17 | 18 | resource "acme_registration" "reg" { 19 | account_key_pem = "${tls_private_key.pas_private_key.private_key_pem}" 20 | email_address = "${var.email}" 21 | } 22 | 23 | resource "null_resource" "dns-propagation-wait" { 24 | provisioner "local-exec" { 25 | command = "sleep 30" 26 | } 27 | triggers { 28 | sys_domain = "${module.pas.sys_domain}" 29 | apps_domain = "${module.pas.apps_domain}" 30 | tcp_domain = "${module.pas.tcp_domain}" 31 | mesh_domain = "${module.pas.mesh_domain}" 32 | ops_manager_domain = "${module.ops_manager.ops_manager_dns}" 33 | } 34 | } 35 | 36 | ## CF certificate 37 | 38 | resource "acme_certificate" "pas-certificate" { 39 | account_key_pem = "${acme_registration.reg.account_key_pem}" 40 | common_name = "${var.env_name}.${var.dns_suffix}" 41 | subject_alternative_names = "${formatlist("%s.${var.env_name}.${var.dns_suffix}", local.subdomains)}" 42 | depends_on = ["google_dns_record_set.nameserver","null_resource.dns-propagation-wait"] 43 | dns_challenge { 44 | provider = "gcloud" 45 | config { 46 | GCE_PROJECT = "${var.project}" 47 | GCE_SERVICE_ACCOUNT = "${var.service_account_key}" 48 | GCE_PROPAGATION_TIMEOUT = "600" 49 | } 50 | } 51 | } 52 | 53 | output "ssl_cert" { 54 | sensitive = true 55 | value = <