IAC modules for GCP (Pulumi)

I am using Pulumi to manage IAC configs for Google Cloud resources, so please set up Pulumi first. Make sure the gcloud CLI is installed too.

Project Structure

Library modules (lib)

Contains the reusable library modules (written in Jsonnet) to provision resources to GCP.

Infra Projects (infra)

Contains different Pulumi Programs, each grouping co-dependent resources in one program. A Pulumi Program is the executable code that Pulumi can deploy to different environments, called stacks. In the subsequent steps, all provisioning uses a single stack called prod (the environment name).

Prerequisites

  1. Have a GCP account.
  2. Enable the following services on GCP:
    • serviceusage.googleapis.com
    • storage-component.googleapis.com
    • compute.googleapis.com
    • container.googleapis.com
    • logging.googleapis.com
    • monitoring.googleapis.com
    • sqladmin.googleapis.com
    • networkconnectivity.googleapis.com
    • secretmanager.googleapis.com
    • artifactregistry.googleapis.com
  3. A GCP bucket to store Pulumi state files. Refer to this doc on how to create one. The bucket should not be public.
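
A preflight check for the prerequisites above, added here as an example and not part of this repository: it lists which of the required services are not enabled and stops if the state bucket's IAM policy grants access to allUsers or allAuthenticatedUsers. The function names and the --live switch are hypothetical; it assumes an authenticated gcloud CLI and the GCP_PROJECT and BUCKET_NAME variables used in the Preparation step.

```shell
#!/bin/sh
# Added example: preflight checks for this README's prerequisites.
# Function names and the --live switch are hypothetical, not part of the repo.

REQUIRED_SERVICES="serviceusage.googleapis.com
storage-component.googleapis.com
compute.googleapis.com
container.googleapis.com
logging.googleapis.com
monitoring.googleapis.com
sqladmin.googleapis.com
networkconnectivity.googleapis.com
secretmanager.googleapis.com
artifactregistry.googleapis.com"

# Reads enabled service names (one per line) on stdin and prints every
# required service that is absent. Prints nothing when all are enabled.
missing_services() {
  enabled=$(cat)
  for svc in $REQUIRED_SERVICES; do
    printf '%s\n' "$enabled" | grep -Fxq "$svc" || printf '%s\n' "$svc"
  done
}

# Reads a bucket IAM policy (JSON) on stdin. Returns 0 when any binding
# names allUsers or allAuthenticatedUsers, i.e. the bucket is public.
policy_is_public() {
  grep -Eq '"(allUsers|allAuthenticatedUsers)"'
}

# Live mode: query the real project and state bucket, and fail closed.
if [ "${1:-}" = "--live" ]; then
  : "${GCP_PROJECT:?set GCP_PROJECT}" "${BUCKET_NAME:?set BUCKET_NAME}"
  missing=$(gcloud services list --enabled --project "$GCP_PROJECT" \
              --format="value(config.name)" | missing_services)
  if [ -n "$missing" ]; then
    printf 'Services not enabled:\n%s\n' "$missing" >&2; exit 1
  fi
  policy=$(gcloud storage buckets get-iam-policy "gs://$BUCKET_NAME" \
             --format=json) || exit 1
  if printf '%s' "$policy" | policy_is_public; then
    echo "gs://$BUCKET_NAME has a public IAM binding" >&2; exit 1
  fi
  echo "preflight OK"
fi
```

Run it with `--live` after `gcloud auth application-default login` and before `pulumi login`; a failed gcloud call reports every service as missing rather than passing silently.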

Provisioning Steps

Preparation

  1. Once Pulumi is installed, set up GCP with Pulumi:
      gcloud auth application-default login
      gcloud config set project $GCP_PROJECT
      pulumi login gs://$BUCKET_NAME
  2. Update the GCP metadata in all Pulumi programs. Open the Pulumi.prod.yaml file of every project under the ./infra subfolder in your code editor and update the CHANGEME values. The file will look roughly like this:
      config:
        gcp:project: "" # CHANGEME: GCP Project ID
        project: whisper
        env: "prod"
        region: "" # CHANGEME: GCP Region <--- region where you want to provision, like 'europe-north1'
        shortRegion: "" # CHANGEME: GCP Short Region <--- eurn1 for 'europe-north1' region

High-level Infra

  1. Provision the network resources (subnets) with init-network-k8s:
      cd infra/init-network-k8s
      pulumi up -s prod --diff
  2. Provision the K8s cluster, node pool and External Secret with k8s-cluster:
      cd infra/k8s-cluster
      pulumi up -s prod --diff
  3. Provision the Artifact Registry repository with docker-repos:
      cd infra/docker-repos
      pulumi up -s prod --diff
  4. Provision the Postgres DB for the Whisper notes app (and an encrypted secret in Secret Manager to store the database credentials) with whisper-notes-db:
      cd infra/whisper-notes-db
      pulumi up -s prod --diff

Kubernetes Infra setup

  1. Install necessary tools like:
  2. Update the desired domain in the configs for the ingress and argocd tools. Search for the string CHANGEME using your code editor and replace it as per the instructions.
  3. Provision all the above tools with the k8s-tools Pulumi program:
      cd infra/k8s-tools
      pulumi up -s prod --diff

Next steps

Once all the provisioning steps are successful, it's time to configure DNS for the public-facing frontend and API gateway. In your DNS nameserver provider (like Cloudflare), point an A record to the IP address of the gateway. To get the external address, use:

      kubectl get gateway

For runtime configs related to applications, refer to k8s services.