Case Study

GCP Compute Foundational IAC

Challenge

The customer, a large financial media company, operates a hybrid cloud environment comprising on-premise data centers and multiple cloud providers. Rearc worked with the customer's internal cloud team, whose goal is to let application developer teams rapidly deploy both containerized and VM-based workloads in any cloud provider by offering a simple menu of foundational compute capabilities and platforms to choose from. This insulates developer teams from the idiosyncrasies of individual cloud compute platforms. These foundational capabilities include platforms such as managed Kubernetes and cloud VMs for non-containerized workloads. The objective was to present those options as easy-to-consume Infrastructure-as-Code (IAC) modules to encourage fast, correct and secure adoption. Achieving this also required provisioning the underlying networking and machine image primitives, which was likewise done with modular IAC.

Solution

Rearc partnered with the customer to identify use-cases for compute workloads, then leveraged Terraform in a "module library pattern" to implement and document the various flavors of GCP compute platform options that satisfy those use-cases. As a preliminary step, similar modules were created and executed for components such as VPCs and GCP machine images to provide the primitives the higher-level objective depends on. The modules are consumed by Jenkins, the customer's CI/CD platform, to deploy compute infrastructure in GCP for Internet-facing as well as internal applications.

Outcome

With Rearc’s assistance, the customer has enriched their IAC module registry with multiple modular components that are used to create compute platforms like VMs, instance groups and Kubernetes clusters in GCP projects. Application developer teams leverage these platforms to deploy their applications in GCP. These components include:

  • Virtual Network Module for deploying purpose-built global VPCs in GCP projects. The same module can restrict a VPC to regional routing mode if required, and can optionally share the VPC across multiple GCP projects. It provides submodules to manage subnets, routes (including the Internet gateway route), NAT and firewall rules.
  • Machine Image Module to create gold machine images from approved marketplace images. These gold images are then used by internal customers to deploy VMs or instance groups for their workloads, or as Kubernetes worker nodes; some internal customers also use them as the base for customized application images. The module takes customer-provided Packer templates as input to the image build and can copy the resulting image across multiple regions and share it with other customer projects, adopting the "central builder pattern" to enforce policy compliance.
  • Kubernetes Module for deploying GKE clusters and associated components. This module deploys regional GKE clusters with multiple redundant zonal node instance groups as the node pool. The Kubernetes API endpoint is private and is exposed to the customer's internal networks through an Nginx reverse proxy instance group fronted by a cloud load balancer and an ACL. As is common with managed Kubernetes, the customer VPC is peered with the Google-managed VPC that hosts the control plane, while the node pool runs in the customer VPC. The module deploys the entire solution end to end and contains optional sub-modules such as an ingress controller, kube-state-metrics, t-shirt sizing and HPA for specific use-cases.
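
The private-endpoint pattern described for the Kubernetes Module, as an added Terraform example that is not Rearc's or the customer's module code: a regional GKE cluster with private nodes and a private-only API endpoint, an authorized-networks entry that admits only the subnet the reverse-proxy instance group lives in, and the firewall rule that serves as the ACL in front of that proxy. The project ID, region, zones, CIDRs and resource names are assumptions; the proxy instance group itself and the load balancer are left out.

```hcl
# Added example (not Rearc's module code): a private, regional GKE cluster whose API
# endpoint is reachable only from one internal subnet, plus the firewall rule that acts
# as the ACL in front of the reverse-proxy instance group. Project, region, CIDRs and
# names are assumptions.

locals {
  project = "example-project"   # assumed
  region  = "us-central1"       # assumed
  zones   = ["us-central1-a", "us-central1-b", "us-central1-c"]
}

resource "google_compute_network" "vpc" {
  name                    = "compute-vpc"
  project                 = local.project
  auto_create_subnetworks = false
  routing_mode            = "GLOBAL"   # a VPC module would let callers choose REGIONAL
}

resource "google_compute_subnetwork" "nodes" {
  name                     = "gke-nodes"
  project                  = local.project
  region                   = local.region
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.20.0.0/20"
  private_ip_google_access = true      # nodes reach Google APIs without public IPs
}

resource "google_container_cluster" "primary" {
  name       = "platform"
  project    = local.project
  location   = local.region            # a region here makes the cluster regional
  network    = google_compute_network.vpc.id
  subnetwork = google_compute_subnetwork.nodes.id

  remove_default_node_pool = true
  initial_node_count       = 1
  networking_mode          = "VPC_NATIVE"
  ip_allocation_policy {}              # private clusters must be VPC-native

  workload_identity_config {
    workload_pool = "${local.project}.svc.id.goog"
  }

  # Private nodes and a private-only endpoint: Google peers its control-plane VPC
  # with this VPC and the endpoint takes an address from master_ipv4_cidr_block.
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = true
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }

  # Even inside the VPC, only the reverse-proxy subnet may talk to the API (assumed CIDR).
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.30.0.0/24"
      display_name = "api-reverse-proxy-subnet"
    }
  }
}

resource "google_container_node_pool" "workers" {
  name           = "workers"
  project        = local.project
  location       = local.region
  cluster        = google_container_cluster.primary.name
  node_locations = local.zones         # one zonal instance group per zone
  node_count     = 1                   # per zone, so three nodes in total

  node_config {
    machine_type = "e2-standard-4"
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }
    workload_metadata_config {
      mode = "GKE_METADATA"            # pods use Workload Identity, not node SA creds
    }
  }
}

# The "ACL": only the assumed corporate/on-prem ranges may reach the proxy instances.
resource "google_compute_firewall" "proxy_ingress" {
  name          = "allow-corp-to-api-proxy"
  project       = local.project
  network       = google_compute_network.vpc.name
  direction     = "INGRESS"
  source_ranges = ["10.0.0.0/8"]       # assumed internal ranges
  target_tags   = ["api-proxy"]
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}

# Address the Nginx reverse proxy should forward to.
output "private_api_endpoint" {
  value = google_container_cluster.primary.private_cluster_config[0].private_endpoint
}
```

With enable_private_endpoint set, the control plane has no public address at all, so the only path from the corporate network to the API is through a host inside an authorized range; the reverse-proxy instance group is that host, and its own exposure is governed by the firewall rule rather than by the cluster. If a caller later needs kubectl from another internal range, the fix is to add that range to master_authorized_networks_config, not to turn the private endpoint off.
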