Skip to content

Latest commit

 

History

History
489 lines (463 loc) · 31.9 KB

File metadata and controls

489 lines (463 loc) · 31.9 KB

Apigee X Foundations

This blueprint creates all the resources necessary to set up Apigee X on Google Cloud.

Apigee can be exposed to clients using Regional Internal Application Load Balancer, Global External Application Load Balancer or both. When using the Regional Internal Application Load Balancer, used self-managed certificates (including self-signed certificates generated in this same module). When using the Global External Application Load Balancer Google-managed certificates or self-managed certificates (including self-signed certificates generated in this same module). When using Cross-region Internal Application Load Balancer a certificate manager needs to be used and it needs to be created in the same project as Apigee.

Find below a few examples of different Apigee architectures that can be created using this module.

Examples

Apigee X in service project with shared VPC peered and exposed with Global External Application LB and Regional Internal Application LB

Diagram

module "apigee-x-foundations" {
  source = "./fabric/blueprints/apigee/apigee-x-foundations"
  project_config = {
    billing_account_id = var.billing_account_id
    parent             = var.folder_id
    name               = var.project_id
    iam = {
      "roles/apigee.admin" = ["group:[email protected]"]
    }
    shared_vpc_service_config = {
      host_project = "my-host-project"
    }
  }
  apigee_config = {
    addons_config = {
      api_security = true
    }
    organization = {
      analytics_region           = "europe-west1"
      api_consumer_data_location = "europe-west1"
      api_consumer_data_encryption_key_config = {
        auto_create = true
      }
      database_encryption_key_config = {
        auto_create = true
      }
      billing_type = "PAYG"
    }
    envgroups = {
      apis = [
        "apis.external.myorg.com",
        "apis.internal.myorg.com"
      ]
    }
    environments = {
      apis = {
        envgroups = ["apis"]
      }
    }
    instances = {
      europe-west1 = {
        external                      = true
        runtime_ip_cidr_range         = "10.0.0.0/22"
        troubleshooting_ip_cidr_range = "192.168.0.0/18"
        environments                  = ["apis"]
      }
    }
    endpoint_attachments = {
      endpoint-backend-ew1 = {
        region             = "europe-west1"
        service_attachment = "projects/a58971796302e0142p-tp/regions/europe-west4/serviceAttachments/my-service-attachment-ew1"
      }
    }
  }
  network_config = {
    shared_vpc = {
      name = "my-shared-vpc"
      subnets = {
        europe-west1 = "projects/my-host-project/regions/europe-west4/subnetworks/my-subnet-ew1"
      }
      subnets_psc = {
        europe-west1 = "projects/my-host-project/regions/europe-west4/subnetworks/my-subnet-psc-ew1"
      }
    }
  }
  ext_lb_config = {
    ssl_certificates = {
      create_configs = {
        default = {
          certificate = "PEM-Encoded certificate string"
          private_key = "PEM-Encoded private key string"
        }
      }
    }
  }
  int_lb_config = {
    ssl_certificates = {
      create_configs = {
        default = {
          certificate = "PEM-Encoded certificate string"
          private_key = "PEM-Encoded private key string"
        }
      }
    }
  }
}
# tftest modules=7 resources=42

Apigee X in service project with local VPC peered and exposed using Global LB and Internal Cross-region Application LB

Diagram

module "apigee-x-foundations" {
  source = "./fabric/blueprints/apigee/apigee-x-foundations"
  project_config = {
    billing_account_id = "1234-5678-0000"
    parent             = "folders/123456789"
    name               = "my-project"
    iam = {
      "roles/apigee.admin" = ["group:[email protected]"]
    }
    shared_vpc_service_config = {
      host_project = "my-host-project"
    }
  }
  apigee_config = {
    addons_config = {
      api_security = true
    }
    organization = {
      analytics_region = "europe-west1"
      billing_type     = "PAYG"
    }
    envgroups = {
      apis = [
        "apis.external.myorg.com",
        "apis.internal.myorg.com"
      ]
    }
    environments = {
      apis = {
        envgroups = ["apis"]
        type      = "COMPREHENSIVE"
      }
    }
    instances = {
      europe-west1 = {
        runtime_ip_cidr_range         = "10.0.0.0/22"
        troubleshooting_ip_cidr_range = "192.168.0.0/28"
        environments                  = ["apis"]
      }
      europe-west4 = {
        runtime_ip_cidr_range         = "10.0.4.0/22"
        troubleshooting_ip_cidr_range = "192.168.0.16/28"
        environments                  = ["apis"]
      }
    }
    endpoint_attachments = {
      endpoint-backend-ew1 = {
        region             = "europe-west1"
        service_attachment = "projects/a58971796302e0142p-tp/regions/europe-west1/serviceAttachments/my-service-attachment-ew1"
        dns_names = [
          "backend.myorg.com"
        ]
      }
      endpoint-backend-ew4 = {
        region             = "europe-west1"
        service_attachment = "projects/a58971796302e0142p-tp/regions/europe-west4/serviceAttachments/my-service-attachment-ew4"
        dns_names = [
          "backend.myorg.com"
        ]
      }
    }
  }
  network_config = {
    shared_vpc = {
      name = "my-shared-vpc"
      subnets = {
        europe-west1 = "projects/my-host-project/regions/europe-west4/subnetworks/my-subnet-eu1"
        europe-west4 = "projects/my-host-project/regions/europe-west4/subnetworks/my-subnet-eu4"
      }
      subnets_psc = {
        europe-west1 = "projects/my-host-project/regions/europe-west4/subnetworks/my-subnet-psc-eu1"
        europe-west4 = "projects/my-host-project/regions/europe-west4/subnetworks/my-subnet-psc-eu4"
      }
    }
    apigee_vpc = {
      auto_create = true
    }
  }
  ext_lb_config = {
    ssl_certificates = {
      create_configs = {
        default = {
          certificate = "PEM-Encoded certificate string"
          private_key = "PEM-Encoded private key string"
        }
      }
    }
  }
  int_cross_region_lb_config = {
    certificate_manager_certificates = [
      "projects/myprj/locations/global/certificates/certificate"
    ]
  }
}
# tftest modules=7 resources=50

Apigee X in service project with peering disabled and exposed using Global LB

Diagram

module "apigee-x-foundations" {
  source = "./fabric/blueprints/apigee/apigee-x-foundations"
  project_config = {
    billing_account_id = "1234-5678-0000"
    parent             = "folders/123456789"
    name               = "my-project"
    iam = {
      "roles/apigee.admin" = ["group:[email protected]"]
    }
    shared_vpc_service_config = {
      host_project = "my-host-project"
    }
  }
  apigee_config = {
    addons_config = {
      api_security = true
    }
    organization = {
      analytics_region    = "europe-west1"
      disable_vpc_peering = true
    }
    envgroups = {
      apis = [
        "apis.external.myorg.com"
      ]
    }
    environments = {
      apis = {
        envgroups = ["apis"]
      }
    }
    instances = {
      europe-west1 = {
        runtime_ip_cidr_range         = "10.0.0.0/22"
        troubleshooting_ip_cidr_range = "192.168.0.0/18"
        environments                  = ["apis"]
      }
    }
    endpoint_attachments = {
      endpoint-backend-ew1 = {
        region             = "europe-west1"
        service_attachment = "projects/a58971796302e0142p-tp/regions/europe-west4/serviceAttachments/my-service-attachment-ew1"
      }
    }
    disable_vpc_peering = true
  }
  network_config = {
    shared_vpc = {
      name = "my-shared-vpc"
      subnets = {
        europe-west1 = "projects/my-host-project/regions/europe-west4/subnetworks/my-subnet-ew1"
      }
      subnets_psc = {
        europe-west1 = "projects/my-host-project/regions/europe-west4/subnetworks/my-subnet-psc-ew1"
      }
    }
  }
  ext_lb_config = {
    ssl_certificates = {
      create_configs = {
        default = {
          certificate = "PEM-Encoded certificate string"
          private_key = "PEM-Encoded private key string"
        }
      }
    }
  }
}
# tftest modules=4 resources=28

Apigee X in standalone project with peering enabled and exposed with Regional Internal LB

Diagram

module "apigee-x-foundations" {
  source = "./fabric/blueprints/apigee/apigee-x-foundations"
  project_config = {
    billing_account_id = "1234-5678-0000"
    parent             = "folders/123456789"
    name               = "my-project"
    iam = {
      "roles/apigee.admin" = ["group:[email protected]"]
    }
  }
  apigee_config = {
    addons_config = {
      api_security = true
    }
    organization = {
      analytics_region = "europe-west1"
    }
    envgroups = {
      apis = [
        "apis.internal.myorg.com"
      ]
    }
    environments = {
      apis = {
        envgroups = ["apis"]
      }
    }
    instances = {
      europe-west1 = {
        runtime_ip_cidr_range         = "172.16.0.0/22"
        troubleshooting_ip_cidr_range = "192.168.0.0/18"
        environments                  = ["apis"]
      }
    }
    endpoint_attachments = {
      endpoint-backend-ew1 = {
        region             = "europe-west1"
        service_attachment = "projects/a58971796302e0142p-tp/regions/europe-west4/serviceAttachments/my-service-attachment-ew1"
        dns_names = [
          "backend.myorg.com"
        ]
      }
    }
  }
  network_config = {
    apigee_vpc = {
      subnets = {
        europe-west1 = {
          ip_cidr_range = "10.0.0.0/29"
        }
      }
      subnets_proxy_only = {
        europe-west1 = {
          ip_cidr_range = "10.1.0.0/26"
        }
      }
      subnets_psc = {
        europe-west1 = {
          ip_cidr_range = "10.0.1.0/29"
        }
      }
    }
  }
  int_lb_config = {
    ssl_certificates = {
      create_configs = {
        default = {
          certificate = "PEM-Encoded certificate string"
          private_key = "PEM-Encoded private key string"
        }
      }
    }
  }
}
# tftest modules=6 resources=40

Apigee X in standalone project with peering disabled and exposed using Global External Application LB

Diagram

module "apigee-x-foundations" {
  source = "./fabric/blueprints/apigee/apigee-x-foundations"
  project_config = {
    billing_account_id = "1234-5678-0000"
    parent             = "folders/123456789"
    name               = "my-project"
    iam = {
      "roles/apigee.admin" = ["group:[email protected]"]
    }
  }
  apigee_config = {
    addons_config = {
      api_security = true
    }
    organization = {
      analytics_region    = "europe-west1"
      disable_vpc_peering = true
    }
    envgroups = {
      apis = [
        "apis.external.myorg.com",
        "apis.internal.myorg.com"
      ]
    }
    environments = {
      apis = {
        envgroups = ["apis"]
      }
    }
    instances = {
      europe-west1 = {
        environments = ["apis"]
      }
    }
    endpoint_attachments = {
      endpoint-backend-ew1 = {
        region             = "europe-west1"
        service_attachment = "projects/a58971796302e0142p-tp/regions/europe-west4/serviceAttachments/my-service-attachment-ew1"
      }
    }
    disable_vpc_peering = true
  }
  network_config = {
    apigee_vpc = {
      auto_create = true
      subnets = {
        europe-west1 = {
          ip_cidr_range = "10.0.0.0/29"
        }
      }
      subnets_psc = {
        europe-west1 = {
          ip_cidr_range = "10.0.1.0/29"
        }
      }
    }
  }
  ext_lb_config = {
    ssl_certificates = {
      create_configs = {
        default = {
          certificate = "PEM-Encoded certificate string"
          private_key = "PEM-Encoded private key string"
        }
      }
    }
  }
  enable_monitoring = true
}
# tftest modules=6 resources=47

Files

name description modules resources
apigee.tf None apigee
dns.tf None
kms.tf None kms random_id
main.tf Module-level locals and resources. net-vpc · project
monitoring.tf None cloud-function-v2
northbound.tf None net-lb-app-ext · net-lb-app-int · net-lb-app-int-cross-region google_compute_region_network_endpoint_group · google_compute_security_policy
outputs.tf Module outputs.
variables.tf Module variables.

Variables

name description type required default producer
apigee_config Apigee configuration. object({…})
project_config Project configuration. object({…})
enable_monitoring Boolean flag indicating whether an custom metric to monitor instances should be created in Cloud monitoring. bool false
ext_lb_config External application load balancer configuration. object({…}) null
int_cross_region_lb_config Internal application load balancer configuration. object({…}) null
int_lb_config Internal application load balancer configuration. object({…}) null
network_config Network configuration. object({…}) {}

Outputs

name description sensitive consumers
endpoint_attachment_hosts Endpoint attachment hosts.
ext_lb_ip_address External IP address.
instance_service_attachments Instance service attachments.
int_cross_region_lb_ip_addresses Internal IP addresses.
int_lb_ip_addresses Internal IP addresses.
project_id Project.