# Manual Infrastructure Deployment
## Deployment Order
| # | Resource name | Source | Modules used |
|---|---|---|---|
| 1 | Terraform Backend | codemie-terraform-gcp-remote-backend | – |
| 2 | VPC, NAT, Bastion Host, GKE cluster, Google Service Accounts, KMS key, PostgreSQL | codemie-terraform-gcp-platform | terraform-google-modules/service-accounts, terraform-google-modules/kms, terraform-google-modules/network, terraform-google-modules/cloud-nat, terraform-google-modules/kubernetes-engine, terraform-google-modules/bastion-host, terraform-google-modules/cloud-dns, TerraformFoundation/sql-db/google/private_service_access, TerraformFoundation/sql-db/google/postgresql |
## Terraform Backend Resources Deployment
This step covers the creation of the Google Cloud Storage bucket that stores the Terraform state.
To create the bucket, follow the steps below:
- Clone the git repository with the project codemie-terraform-gcp-remote-backend:
  ```shell
  git clone git@gitbud.epam.com:epm-cdme/codemie-terraform-gcp-remote-backend.git
  cd codemie-terraform-gcp-remote-backend
  ```
- Review and change, if needed, the input variables for the Terraform run in the `codemie-terraform-gcp-remote-backend/variables.tf` file.
- Initialize the backend and apply the changes:
  ```shell
  terraform init
  terraform plan
  terraform apply
  ```
The created bucket will be used for all subsequent infrastructure deployments.
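The state written to this bucket will later contain the KMS key, database and service account details created by the platform project, so the bucket itself deserves a few protective settings. The following is an added example, not the codemie-terraform-gcp-remote-backend project's own code; the project id, bucket name, location and deployer service account are placeholders to replace.

```hcl
# Added example (not the project's code): a GCS bucket for Terraform state with
# versioning, no legacy ACLs, enforced public-access prevention and a destroy guard.
# Placeholders: project id, bucket name, location and deployer identity.
terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
  }
}

provider "google" {
  project = "gcp-project-id" # placeholder
}

resource "google_storage_bucket" "tfstate" {
  name     = "codemie-tfstate-example" # placeholder, must be globally unique
  location = "EU"                      # placeholder

  # Object versioning lets you recover a state file that was overwritten or corrupted.
  versioning {
    enabled = true
  }

  # IAM only (no per-object ACLs), and public access cannot be granted even by mistake.
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"

  # Google-managed encryption applies by default; once the KMS key from the next step
  # exists it can be referenced with encryption { default_kms_key_name = "..." }.

  lifecycle {
    # Refuse to destroy the bucket (and every state file in it) through a careless plan.
    prevent_destroy = true
  }
}

# Grant the deployment identity object-level access to this bucket only,
# instead of project-wide storage admin.
resource "google_storage_bucket_iam_member" "deployer" {
  bucket = google_storage_bucket.tfstate.name
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:terraform-deployer@gcp-project-id.iam.gserviceaccount.com" # placeholder
}
```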
## Main GCP Resources Deployment
This step will cover the following topics:
- Create the GKE Cluster
- Create the Google Service Account to access the Vertex AI services
- Create the NAT
- Create the GCP KMS key to encrypt and decrypt sensitive data in the AI/Run application
- Create the Bastion Host to connect to the private cluster
To accomplish the tasks outlined above, follow these steps:
- Clone the git repository with the project codemie-terraform-gcp-platform:
  ```shell
  git clone https://gitbud.epam.com/epm-cdme/codemie-terraform-gcp-platform.git
  cd codemie-terraform-gcp-platform
  ```
- Set the remote backend in `versions.tf`:
  ```hcl
  backend "gcs" {
    bucket = "bucket-name-you-created"
    prefix = "prefix-for-state"
  }
  ```
- Review the input variables for the Terraform run in the `codemie-terraform-gcp-platform/variables.tf` file and create a `terraform.tfvars` file in the repo to override default variable values in key-value format. For example:
  ```hcl
  project_id = "gcp-project-id"
  platform_name = "codemie"
  bastion_members = ["group:email", "user:another-email"]
  dns_name = "domain-com"
  dns_domain = "domain.com."
  extra_authorized_networks = [
    {
      cidr_block   = "x.x.x.x/x"
      display_name = "GlobalProtectRegion1"
    },
    {
      cidr_block   = "x.x.x.x/x"
      display_name = "GlobalProtectRegion2"
    }
  ] # Add if you want to access the GKE cluster from your workstation, otherwise the GKE API will be accessible only from the bastion VM
  private_cluster = false
  create_private_dns_zone = false
  ...
  ```
  Ensure you have carefully reviewed all variables and replaced mock values with yours. To see all possible values, consult the `terraform.tfvars.example` or `variables.tf` file.
Additional information about the Terraform modules can be found in their official documentation. For example:
- terraform-google-modules/service-accounts
- terraform-google-modules/kms
- terraform-google-modules/network
- terraform-google-modules/cloud-nat
- terraform-google-modules/kubernetes-engine
- terraform-google-modules/bastion-host
- terraform-google-modules/cloud-dns
- TerraformFoundation/sql-db/google/private_service_access
- TerraformFoundation/sql-db/google/postgresql
- Initialize the backend and apply the changes:
  ```shell
  terraform init
  terraform plan
  terraform apply
  ```
This concludes the GCP infrastructure deployment.
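The `extra_authorized_networks` value above is the one setting in `terraform.tfvars` that widens who can reach the GKE control plane, so it is worth failing the plan when it is filled in wrongly. The following is an added example and not the project's own `variables.tf`: a declaration with the same shape as the tfvars entry plus validation blocks that reject malformed or internet-wide CIDRs at `terraform plan` time.

```hcl
# Added example (not the project's variables.tf): a guarded declaration for the
# extra_authorized_networks value shown in the terraform.tfvars example above.
variable "extra_authorized_networks" {
  description = "CIDR ranges allowed to reach the GKE API in addition to the bastion VM"
  type = list(object({
    cidr_block   = string
    display_name = string
  }))
  default = []

  # Each entry must be a syntactically valid CIDR, so the x.x.x.x/x placeholder
  # from the example tfvars cannot be applied by accident.
  validation {
    condition     = alltrue([for n in var.extra_authorized_networks : can(cidrhost(n.cidr_block, 0))])
    error_message = "Every extra_authorized_networks.cidr_block must be a valid CIDR, e.g. 203.0.113.0/24."
  }

  # Refuse ranges that would expose the control plane to the whole internet.
  validation {
    condition = alltrue([
      for n in var.extra_authorized_networks :
      !contains(["0.0.0.0/0", "::/0"], n.cidr_block)
    ])
    error_message = "extra_authorized_networks must not contain 0.0.0.0/0 or ::/0; list only workstation or VPN egress ranges."
  }

  # The display name is what appears next to the range in the console; keep it non-empty.
  validation {
    condition     = alltrue([for n in var.extra_authorized_networks : length(trimspace(n.display_name)) > 0])
    error_message = "Every extra_authorized_networks entry needs a non-empty display_name."
  }
}
```

With these validations a `terraform.tfvars` that still carries the placeholder ranges fails at `terraform plan` with the corresponding message instead of being applied.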
## Bastion Host Connection and Setup Guide (Optional)
Required only if you are deploying a completely private cluster with a private DNS domain. Otherwise, you can reach the GKE API and the CodeMie application without the bastion.
The Bastion Host enables secure access to your Kubernetes cluster inside a private network.
You can connect in two ways:
- SSH Connection: For deploying and managing workloads in Kubernetes with command-line tools
- RDP Connection: For interacting with application UIs that are only accessible within the VPC using private DNS
### SSH Connection
Use SSH to deploy and manage cluster resources.
How to connect:
- SSH into the Bastion Host
  Use the SSH command provided as a Terraform output (`bastion_ssh_command`):
  ```shell
  # Use the command from Terraform outputs
  # Parameter: bastion_ssh_command
  ```
- Change the root password
  The `root` user and the new password will be used later for the RDP connection.
  ```shell
  sudo -s
  passwd
  ```
- Clone the deployment repository
  ```shell
  git clone https://gitbud.epam.com/epm-cdme/codemie-helm-charts.git
  ```
- Get Kubernetes credentials
  Fetch the GKE credentials using the Terraform output (`get_credentials_command`):
  ```shell
  # Use the command from Terraform outputs
  # Parameter: get_kubectl_credentials_for_private_cluster
  ```
### RDP Connection: Access Private Application UIs
Some applications are exposed internally via private DNS and are not accessible from outside the VPC. Use RDP through the Bastion Host to access these UIs.
How to connect:
- Set up RDP port forwarding
  Use the command from the Terraform output (`bastion_rdp_command`). This forwards port 3389 to your local machine:
  ```shell
  # Use the command from Terraform outputs
  # Parameter: bastion_rdp_command
  ```
- Connect via a Remote Desktop client
  Open your preferred RDP client and connect to `localhost:3389`.
### Useful Tips
- Run Google Chrome as root: `/usr/bin/google-chrome --no-sandbox`
- Paste commands into the terminal: use Shift-Ctrl-V
## Next Steps
After successful deployment, proceed to Components Deployment to install AI/Run CodeMie application components.