Forem: Pradeep Bhadani

Run your own Jupyter Notebook on the Cloud

Pradeep Bhadani — Mon, 11 May 2020 07:56:30 +0000

Originally published at pbhadani.com

Jupyter Notebook is an open-source web-based application that allows data scientists to build end-to-end Machine Learning pipeline starting from Data exploration, visualization, data transformation, feature extraction, and manage ML model lifecycle.

In this video, I explain the installation process of the Jupyter Notebook on the choice of hardware on the Cloud, particularly the Google Cloud Platform(GCP).

Hope you enjoy the video tutorial.

Summary

This video explains how to install Jupyter Notebook on Google Cloud Platform(GCP) in less than 10mins.
Below are the steps and commands performed in the video:

Step 0 (Optional)

Generate the public/private SSH keypair.

ssh-keygen -t rsa -b 4096 -C jupyter_demo -f jupyter_demo

Step 1

Create the Virtual Machine using Google Cloud Console UI, gcloud commands or with automation tools like Terraform.

Step 2

Install the software packages.

sudo apt-get update
sudo apt install python3-pip
pip3 install jupyter
echo "export PATH=$PATH:~/.local/bin" >> ~/.bashrc
source ~/.bashrc
jupyter notebook --no-browser

Step 3

Access the Jupyter Notebook.
Run the following command to create the SSH tunnel.

ssh -i private_key -N -f -L 8888:localhost:8888 username@your_remote_host_name

Once the tunnel is setup, open the browser, go to localhost:8888 and provide the token generated in Step 2.

Congratulations!!! Jupyter Notebook is now accessible from the local workstation.

Please subscribe to the YouTube channel for the updates.

If you have feedback or questions, please reach out to me on LinkedIn or Twitter

Create a Network on Google Cloud Platform (GCP)

Pradeep Bhadani — Thu, 23 Apr 2020 22:10:03 +0000

Network is a fundamental resource for creating Infrastructure on the Cloud like VM Instances, Google Kubernetes Engine (GKE), etc.

In this video, I explain the Network option available on the Google Cloud Platform(GCP) and how to create them using Google Cloud Console UI.

Hope you enjoy the video tutorial.

Please subscribe to the YouTube channel for the updates.

If you have feedback or questions, please reach out to me on LinkedIn or Twitter

Create a GKE Cluster (Workload Identity enabled) using Terraform

Pradeep Bhadani — Fri, 06 Mar 2020 21:50:05 +0000

Originally published at pbhadani.com

In this blog, I will show how Terraform can be used to create a Google Kubernetes Engine (GKE) cluster.

Goal

Create a GKE Cluster which has Workload Identity feature enabled using Terraform.

Prerequisites

This post assumes the following:

We already have a GCP Project and a GCS Bucket (we will use this to store Terraform State file) created.
Google Kubernetes Engine API is enabled in the GCP Project.
Google Cloud SDK (gcloud), kubectl and Terraform is setup on your workstation. If you don't have, then refer to my previous blogs - Getting started with Terraform and Getting started with Google Cloud SDK.

Source Code

Full code is available on GitHub.

Note: This is not a production-ready codebase.

Create a GKE Cluster

Step 1: Create a Unix directory for the Terraform project.

  mkdir ~/terraform-gke-example
  cd ~/terraform-gke-example

Step 2: Create Terraform configuration file which defines GKE and Google provider.

  vi gke.tf

This file has following content

  # Specify the GCP Provider
  provider "google-beta" {
    project = var.project_id
    region  = var.region
    version = "~> 3.10"
    alias   = "gb3"
  }

  # Create a GKE cluster
  resource "google_container_cluster" "my_k8s_cluster" {
    provider           = google-beta.gb3
    name               = "my-k8s-cluster"
    location           = var.region
    initial_node_count = 1

    master_auth {
      username = ""
      password = ""
    }

    # Enable Workload Identity
    workload_identity_config {
      identity_namespace = "${var.project_id}.svc.id.goog"
    }

    node_config {
      machine_type = var.machine_type
      oauth_scopes = [
        "https://www.googleapis.com/auth/logging.write",
        "https://www.googleapis.com/auth/monitoring",
      ]

      metadata = {
        "disable-legacy-endpoints" = "true"
      }

      workload_metadata_config {
        node_metadata = "GKE_METADATA_SERVER"
      }

      labels = { # Update: Replace with desired labels
        "environment" = "test"
        "team"        = "devops"
      }
    }
  }

Note: workload_identity_config & workload_metadata_config block enables Workload Identity.

Step 3: Define Terraform variables.

  vi variables.tf

This file looks like:

  variable "project_id" {
    description = "Google Project ID."
    type        = string
  }

  variable "region" {
    description = "Google Cloud region"
    type        = string
    default     = "europe-west2"
  }

  variable "machine_type" {
    description = "Google VM Instance type."
    type        = string
  }

Note: We are defining a default value for region. This means if a value is not supplied for this variable, Terraform will use europe-west2 as its value.

Step 4: Create a tfvars file.

  vi terraform.tfvars

  project_id   = ""                     # Put GCP Project ID.
  machine_type = "n1-standard-1"        # Put the desired VM Instance type.

Step 5: Set the remote state.

  vi backend.tf

  terraform {
    backend "gcs" {
      bucket = "my-tfstate-bucket"    # GCS bucket name to store terraform tfstate
      prefix = "gke-cluster"          # Update to desired prefix name. Prefix name should be unique for each Terraform project having same remote state bucket.
    }
  }

Step 6: File structure looks like below

  cntekio:~ terraform-gke-example$ tree
  .
  ├── backend.tf
  ├── gke.tf
  ├── terraform.tfvars
  └── variables.tf

  0 directories, 4 files

Step 7: Now, initialize the terraform project.

  terraform init

Output

  Initializing the backend...

  Successfully configured the backend "gcs"! Terraform will automatically
  use this backend unless the backend configuration changes.

  Initializing provider plugins...
  - Checking for available provider plugins...
  - Downloading plugin for provider "google-beta" (terraform-providers/google-beta) 3.10.0...

  Terraform has been successfully initialized!

  You may now begin working with Terraform. Try running "terraform plan" to see
  any changes that are required for your infrastructure. All Terraform commands
  should now work.

  If you ever set or change modules or backend configuration for Terraform,
  rerun this command to reinitialize your working directory. If you forget, other
  commands will detect it and remind you to do so if necessary.

Note: terraform init downloads all the required provider and plugins.

Step 8: Let's see the execution plan.

  terraform plan --out 1.plan

Output

  Refreshing Terraform state in-memory prior to plan...
  The refreshed state will be used to calculate this plan, but will not be
  persisted to local or remote state storage.

  ------------------------------------------------------------------------

  An execution plan has been generated and is shown below.
  Resource actions are indicated with the following symbols:
    + create

  Terraform will perform the following actions:

    # google_container_cluster.my_k8s_cluster will be created
    + resource "google_container_cluster" "my_k8s_cluster" {
        + additional_zones            = (known after apply)
        + cluster_ipv4_cidr           = (known after apply)
        + default_max_pods_per_node   = (known after apply)
        + enable_binary_authorization = false
        + enable_intranode_visibility = false
        + enable_kubernetes_alpha     = false
        + enable_legacy_abac          = false
        + enable_shielded_nodes       = false
        + enable_tpu                  = false
        + endpoint                    = (known after apply)
        + id                          = (known after apply)
        + initial_node_count          = 1
        + instance_group_urls         = (known after apply)
        + label_fingerprint           = (known after apply)
        + location                    = "europe-west2"
        + logging_service             = "logging.googleapis.com/kubernetes"
        + master_version              = (known after apply)
        + monitoring_service          = "monitoring.googleapis.com/kubernetes"
        + name                        = "my-k8s-cluster"
        + network                     = "default"
        + node_locations              = (known after apply)
        + node_version                = (known after apply)
        + operation                   = (known after apply)
        + project                     = (known after apply)
        + region                      = (known after apply)
        + services_ipv4_cidr          = (known after apply)
        + subnetwork                  = (known after apply)
        + tpu_ipv4_cidr_block         = (known after apply)
        + zone                        = (known after apply)

        + addons_config {
            + cloudrun_config {
                + disabled = (known after apply)
              }

            + horizontal_pod_autoscaling {
                + disabled = (known after apply)
              }

            + http_load_balancing {
                + disabled = (known after apply)
              }

            + istio_config {
                + auth     = (known after apply)
                + disabled = (known after apply)
              }

            + kubernetes_dashboard {
                + disabled = (known after apply)
              }

            + network_policy_config {
                + disabled = (known after apply)
              }
          }

        + authenticator_groups_config {
            + security_group = (known after apply)
          }

        + cluster_autoscaling {
            + autoscaling_profile = (known after apply)
            + enabled             = (known after apply)

            + auto_provisioning_defaults {
                + oauth_scopes    = (known after apply)
                + service_account = (known after apply)
              }

            + resource_limits {
                + maximum       = (known after apply)
                + minimum       = (known after apply)
                + resource_type = (known after apply)
              }
          }

        + database_encryption {
            + key_name = (known after apply)
            + state    = (known after apply)
          }

        + master_auth {
            + client_certificate     = (known after apply)
            + client_key             = (sensitive value)
            + cluster_ca_certificate = (known after apply)

            + client_certificate_config {
                + issue_client_certificate = (known after apply)
              }
          }

        + network_policy {
            + enabled  = (known after apply)
            + provider = (known after apply)
          }

        + node_config {
            + disk_size_gb      = (known after apply)
            + disk_type         = (known after apply)
            + guest_accelerator = (known after apply)
            + image_type        = (known after apply)
            + labels            = {
                + "environment" = "test"
                + "team"        = "devops"
              }
            + local_ssd_count   = (known after apply)
            + machine_type      = "n1-standard-1"
            + metadata          = {
                + "disable-legacy-endpoints" = "true"
              }
            + oauth_scopes      = [
                + "https://www.googleapis.com/auth/logging.write",
                + "https://www.googleapis.com/auth/monitoring",
              ]
            + preemptible       = false
            + service_account   = (known after apply)
            + taint             = (known after apply)

            + shielded_instance_config {
                + enable_integrity_monitoring = (known after apply)
                + enable_secure_boot          = (known after apply)
              }

            + workload_metadata_config {
                + node_metadata = "GKE_METADATA_SERVER"
              }
          }

        + node_pool {
            + initial_node_count  = (known after apply)
            + instance_group_urls = (known after apply)
            + max_pods_per_node   = (known after apply)
            + name                = (known after apply)
            + name_prefix         = (known after apply)
            + node_count          = (known after apply)
            + node_locations      = (known after apply)
            + version             = (known after apply)

            + autoscaling {
                + max_node_count = (known after apply)
                + min_node_count = (known after apply)
              }

            + management {
                + auto_repair  = (known after apply)
                + auto_upgrade = (known after apply)
              }

            + node_config {
                + boot_disk_kms_key = (known after apply)
                + disk_size_gb      = (known after apply)
                + disk_type         = (known after apply)
                + guest_accelerator = (known after apply)
                + image_type        = (known after apply)
                + labels            = (known after apply)
                + local_ssd_count   = (known after apply)
                + machine_type      = (known after apply)
                + metadata          = (known after apply)
                + min_cpu_platform  = (known after apply)
                + oauth_scopes      = (known after apply)
                + preemptible       = (known after apply)
                + service_account   = (known after apply)
                + tags              = (known after apply)
                + taint             = (known after apply)

                + sandbox_config {
                    + sandbox_type = (known after apply)
                  }

                + shielded_instance_config {
                    + enable_integrity_monitoring = (known after apply)
                    + enable_secure_boot          = (known after apply)
                  }

                + workload_metadata_config {
                    + node_metadata = (known after apply)
                  }
              }

            + upgrade_settings {
                + max_surge       = (known after apply)
                + max_unavailable = (known after apply)
              }
          }

        + release_channel {
            + channel = (known after apply)
          }

        + workload_identity_config {
            + identity_namespace = "workshop-demo-adqw12.svc.id.goog"
          }
      }
    Plan: 1 to add, 0 to change, 0 to destroy.
  ------------------------------------------------------------------------
  This plan was saved to: 1.plan

  To perform exactly these actions, run the following command to apply:
      terraform apply "1.plan"

Note: terraform plan output shows that this code is going to a GKE cluster.
--out 1.plan flag tells terraform to save the plan in a file.

Step 9: The execution plan looks good, so let's move ahead and apply this plan.

  terraform apply 1.plan

Output

  google_container_cluster.my_k8s_cluster: Creating...
  google_container_cluster.my_k8s_cluster: Still creating... [10s elapsed]
  google_container_cluster.my_k8s_cluster: Still creating... [1m10s elapsed]
  google_container_cluster.my_k8s_cluster: Still creating... [2m10s elapsed]
  google_container_cluster.my_k8s_cluster: Still creating... [3m20s elapsed]
  google_container_cluster.my_k8s_cluster: Creation complete after 3m23s [id=projects/workshop-demo-adqw12/locations/europe-west2/clusters/my-k8s-cluster]

  Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Note: Creating a GKE cluster could take 4-7mins.

Step 10: Let's connect with GKE cluster.

  gcloud container clusters get-credentials my-k8s-cluster --region europe-west2 --project workshop-demo-adqw12

Output

  Fetching cluster endpoint and auth data.
  kubeconfig entry generated for my-k8s-cluster.

Step 11: Now, run kubectl version command to check server version.

  kubectl version

Output

  Client Version: version.Info{Major:"1", Minor:"14+", GitVersion:"v1.14.10-dispatcher", GitCommit:"f5757a1dee5a89cc5e29cd7159076648bf21a02b", GitTreeState:"clean", BuildDate:"2020-02-06T03:31:35Z", GoVersion:"go1.12.12b4", Compiler:"gc", Platform:"darwin/amd64"}
  Server Version: version.Info{Major:"1", Minor:"14+", GitVersion:"v1.14.10-gke.17", GitCommit:"bdceba0734835c6cb1acbd1c447caf17d8613b44", GitTreeState:"clean", BuildDate:"2020-01-17T23:10:13Z", GoVersion:"go1.12.12b4", Compiler:"gc", Platform:"linux/amd64"}

Step 12: Now, we will move to Google Cloud Platform Console to view GKE cluster properties.

Step 13: Once we no longer need this infrastructure, we can cleanup to reduce costs.

  terraform destroy

Output

    google_container_cluster.my_k8s_cluster: Refreshing state... [id=projects/workshop-demo-adqw12/locations/europe-west2/clusters/my-k8s-cluster]

    An execution plan has been generated and is shown below.
    Resource actions are indicated with the following symbols:
      - destroy

    Terraform will perform the following actions:

      # google_container_cluster.my_k8s_cluster will be destroyed
      - resource "google_container_cluster" "my_k8s_cluster" {
          - additional_zones            = [] -> null
          - cluster_ipv4_cidr           = "10.0.0.0/14" -> null
          - default_max_pods_per_node   = 110 -> null
          - enable_binary_authorization = false -> null
          - enable_intranode_visibility = false -> null
          - enable_kubernetes_alpha     = false -> null
          - enable_legacy_abac          = false -> null
          - enable_shielded_nodes       = false -> null
          - enable_tpu                  = false -> null
          - endpoint                    = "34.89.124.93" -> null
          - id                          = "projects/workshop-demo-adqw12/locations/europe-west2/clusters/my-k8s-cluster" -> null
          - initial_node_count          = 1 -> null
          - instance_group_urls         = [
              - "https://www.googleapis.com/compute/beta/projects/workshop-demo-adqw12/zones/europe-west2-c/instanceGroups/gke-my-k8s-cluster-default-pool-7dc4a362-grp",
              - "https://www.googleapis.com/compute/beta/projects/workshop-demo-adqw12/zones/europe-west2-b/instanceGroups/gke-my-k8s-cluster-default-pool-0538b086-grp",
              - "https://www.googleapis.com/compute/beta/projects/workshop-demo-adqw12/zones/europe-west2-a/instanceGroups/gke-my-k8s-cluster-default-pool-858715ad-grp",
            ] -> null
          - label_fingerprint           = "a9dc16a7" -> null
          - location                    = "europe-west2" -> null
          - logging_service             = "logging.googleapis.com/kubernetes" -> null
          - master_version              = "1.14.10-gke.17" -> null
          - monitoring_service          = "monitoring.googleapis.com/kubernetes" -> null
          - name                        = "my-k8s-cluster" -> null
          - network                     = "projects/workshop-demo-adqw12/global/networks/default" -> null
          - node_locations              = [
              - "europe-west2-a",
              - "europe-west2-b",
              - "europe-west2-c",
            ] -> null
          - node_version                = "1.14.10-gke.17" -> null
          - project                     = "workshop-demo-adqw12" -> null
          - resource_labels             = {} -> null
          - services_ipv4_cidr          = "10.3.240.0/20" -> null
          - subnetwork                  = "projects/workshop-demo-adqw12/regions/europe-west2/subnetworks/default" -> null

          - addons_config {

              - network_policy_config {
                  - disabled = true -> null
                }
            }

          - cluster_autoscaling {
              - autoscaling_profile = "BALANCED" -> null
              - enabled             = false -> null
            }

          - database_encryption {
              - state = "DECRYPTED" -> null
            }

          - master_auth {
              - cluster_ca_certificate = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURERENDQWZTZ0F3SUJBZ0lSQVBmNzJzWRGZhd25uQUYvZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K" -> null

              - client_certificate_config {
                  - issue_client_certificate = false -> null
                }
            }

          - network_policy {
              - enabled  = false -> null
              - provider = "PROVIDER_UNSPECIFIED" -> null
            }

          - node_config {
              - disk_size_gb      = 100 -> null
              - disk_type         = "pd-standard" -> null
              - guest_accelerator = [] -> null
              - image_type        = "COS" -> null
              - labels            = {
                  - "environment" = "test"
                  - "team"        = "devops"
                } -> null
              - local_ssd_count   = 0 -> null
              - machine_type      = "n1-standard-1" -> null
              - metadata          = {
                  - "disable-legacy-endpoints" = "true"
                } -> null
              - oauth_scopes      = [
                  - "https://www.googleapis.com/auth/logging.write",
                  - "https://www.googleapis.com/auth/monitoring",
                ] -> null
              - preemptible       = false -> null
              - service_account   = "default" -> null
              - tags              = [] -> null
              - taint             = [] -> null

              - shielded_instance_config {
                  - enable_integrity_monitoring = true -> null
                  - enable_secure_boot          = false -> null
                }

              - workload_metadata_config {
                  - node_metadata = "GKE_METADATA_SERVER" -> null
                }
            }

          - node_pool {
              - initial_node_count  = 1 -> null
              - instance_group_urls = [
                  - "https://www.googleapis.com/compute/v1/projects/workshop-demo-adqw12/zones/europe-west2-c/instanceGroupManagers/gke-my-k8s-cluster-default-pool-7dc4a362-grp",
                  - "https://www.googleapis.com/compute/v1/projects/workshop-demo-adqw12/zones/europe-west2-b/instanceGroupManagers/gke-my-k8s-cluster-default-pool-0538b086-grp",
                  - "https://www.googleapis.com/compute/v1/projects/workshop-demo-adqw12/zones/europe-west2-a/instanceGroupManagers/gke-my-k8s-cluster-default-pool-858715ad-grp",
                ] -> null
              - max_pods_per_node   = 0 -> null
              - name                = "default-pool" -> null
              - node_count          = 1 -> null
              - node_locations      = [
                  - "europe-west2-a",
                  - "europe-west2-b",
                  - "europe-west2-c",
                ] -> null
              - version             = "1.14.10-gke.17" -> null

              - management {
                  - auto_repair  = false -> null
                  - auto_upgrade = true -> null
                }

              - node_config {
                  - disk_size_gb      = 100 -> null
                  - disk_type         = "pd-standard" -> null
                  - guest_accelerator = [] -> null
                  - image_type        = "COS" -> null
                  - labels            = {
                      - "environment" = "test"
                      - "team"        = "devops"
                    } -> null
                  - local_ssd_count   = 0 -> null
                  - machine_type      = "n1-standard-1" -> null
                  - metadata          = {
                      - "disable-legacy-endpoints" = "true"
                    } -> null
                  - oauth_scopes      = [
                      - "https://www.googleapis.com/auth/logging.write",
                      - "https://www.googleapis.com/auth/monitoring",
                    ] -> null
                  - preemptible       = false -> null
                  - service_account   = "default" -> null
                  - tags              = [] -> null
                  - taint             = [] -> null

                  - shielded_instance_config {
                      - enable_integrity_monitoring = true -> null
                      - enable_secure_boot          = false -> null
                    }

                  - workload_metadata_config {
                      - node_metadata = "GKE_METADATA_SERVER" -> null
                    }
                }
            }

          - release_channel {
              - channel = "UNSPECIFIED" -> null
            }

          - workload_identity_config {
              - identity_namespace = "workshop-demo-adqw12.svc.id.goog" -> null
            }
        }

    Plan: 0 to add, 0 to change, 1 to destroy.

    Do you really want to destroy all resources?
      Terraform will destroy all your managed infrastructure, as shown above.
      There is no undo. Only 'yes' will be accepted to confirm.

      Enter a value: yes

    google_container_cluster.my_k8s_cluster: Destroying... [id=projects/workshop-demo-adqw12/locations/europe-west2/clusters/my-k8s-cluster]
    google_container_cluster.my_k8s_cluster: Still destroying... [id=projects/workshop-demo-adqw12/locations/europe-west2/clusters/my-k8s-cluster, 10s elapsed]
    google_container_cluster.my_k8s_cluster: Still destroying... [id=projects/workshop-demo-adqw12/locations/europe-west2/clusters/my-k8s-cluster, 1m10s elapsed]
    google_container_cluster.my_k8s_cluster: Still destroying... [id=projects/workshop-demo-adqw12/locations/europe-west2/clusters/my-k8s-cluster, 2m40s elapsed]
    google_container_cluster.my_k8s_cluster: Destruction complete after 2m41s

    Destroy complete! Resources: 1 destroyed.

Hope this blog helps you build GKE Cluster Terraform.

If you have a feedback or questions, please reach out to me on LinkedIn or Twitter

How I passed Google Cloud Professional Cloud Architect Certificate

Pradeep Bhadani — Fri, 14 Feb 2020 17:13:03 +0000

Originally published at pbhadani.com

I recently passed my Google Cloud Certified Professional Cloud Architect exam and many people asked for the preparation path I took for this exam. So, I thought of putting things together in a blog that can help others.

Exam Overview

At the time of writing this blog, Professional Cloud Architect exam is of 2-hrs in duration and 50 questions.
There is no official passing score published by Google so at the end of the exam it only provides Pass/Fail as a result. However, it is assumed that roughly 80% is required to pass the exam based on various blogs and training providers.

I would suggest reading the official certification guide before starting to prepare for the exam.

How I prepared?

There are no prerequisites for this exam. But I did the Associate Cloud Engineer exam before I took the Professional one. Also, I have been working with GCP Services for more than 3-years which also helped me.

To be honest, getting this certificate is not an easy task and requires good preparation. I will share some key points which helped me pass the exam:

Courses: There are many courses that are structured to gain the knowledge that covers the exam topics. Therefore, following a course helps to learn GCP in a structured way. I decided to do the Coursera Courses - Architecting with Google Compute Engine Specialization and Preparing for the Google Cloud Professional Cloud Architect Exam. Many blogs and online communities also suggested to do the Linux Academy Course but due to time constraints, I could not go through much.
Hands-On Labs: Hands-on Labs which comes with the Coursera course help greatly in understanding and implementing the concepts and GCP services. I would suggest putting a great focus on Hands-on labs.
Play with GCP: Addition to hands-on labs, I played with different GCP services to get a deeper knowledge.
Case Studies: There were questions from case studies (roughly 25%) and understanding the case studies before exam saves a good time in the exam.
Practice Tests: Google provides a small practice test that help to get an understanding of your readiness. Above mentioned Linux Academy course also offers a practice test. After finishing the courses and labs, I took practice tests and I was able to get 90-95% consistently.
Industry experience: I have been working with Cloud technologies like AWS and GCP and that helped greatly in understanding the scenario-based questions and choosing the best option for a particular situation.

Last, I suggest getting a deep understanding of core concepts like Google Networking, Cloud IAM, BigQuery, Storage, Kubernetes, and App Engine. Exam questions are not limited to the above topics, but understanding core concepts gives good confidence.

I wish all the best to everyone preparing for this exam and would be glad to hear about your experience.

My LinkedIn and Twitter.

Let Google do Secret Management

Pradeep Bhadani — Wed, 29 Jan 2020 23:20:00 +0000

Originally published at pbhadani.com

Updated on August 15, 2022

In this post, I will talk about Google's Secret Manager service and show how easy is to manage passwords/tokens in GCP.

Problem

Managing secrets and sharing secrets(like database passwords, tokens, etc..) is a hard problem and failing to secure tokens can lead to some serious issues.

An example scenario - When an application is being developed, it might need to connect to a database or need some certificates or need tokens(for example, Slack token) to make API calls. It is not a good practice to put these secret keys in Source code as they live their forever and visible to all people who have access to the source code. Sometimes, developers keep these keys in a separate local file (added to .gitignore) and share these keys using different methods like Slack chat, Email, etc.. This approach is still not good as secret tokens are in plain text and scattered between team members. How do you manage a situation when a team member moves to a different team or different place? It is difficult to rotate keys and share it again with all the required team members.

You can read more about why secret keys should live separate than code at 12factor.net

Solution

The solution to this problem is Secret Management tools like Hashicorp Vault, Berglas, Google Secret Manager, AWS Secret Manager, etc.
One of the popular tools out there is Hashicorp Vault but a team has to setup and manage the own infrastructure.

In this post, we will learn about Google managed secret management solution - Secret Manager and see how easy is to store and retrieve keys and passwords.

What is Secret Manager?

Google Secret Manager is a recent addition to Google Cloud Platform which can store API Keys, passwords, certificates, sensitive strings, etc...
You can read the Google Secret Manager's release notes here and pricing here.

Google Secret Manager's access control is integrated with Cloud IAM and a project owner can control who can read the secrets.

roles/secretmanager.admin : This role gives full access to administer the Secret. A person(or service account) with this role can perform CRUD(Create, Read, Update and Delete) operations on the Secrets.

roles/secretmanager.secretAccessor : This role provides access to read the Secret. A person(or service account) with this role can read the secret value store like API key.

roles/secretmanager.viewer: This role provides access to view the metadata of the Secret. A person(or service account) with this role can read the secret metadata but not the value stored.

Now that we are familiar with Google Secret Manager, let's interact with this service.

Interacting with Secret Manager

Prerequisites

This post assumes the following:

We already have a GCP Project with the Project Owner role.
Google Cloud SDK (gcloud) is setup on your workstation. If you don't have, then refer to my previous blogs - Getting started with Google Cloud SDK.

Note: You can also use Google Cloud Shell to run the gcloud commands.

Enabling the Secret API

To interact with Google Secret Manager, we need to enable this API.

Run the following command to enable this API.

$ gcloud services enable secretmanager.googleapis.com --project=workshop-demo-23345

Output

Operation "operations/acf.xxxxxxf-xxxx-xxxx-xxxx-xxxxxxx" finished successfully.

Create a Secret

Run the following gcloud command to create a secret.

gcloud secrets create demo-secret --replication-policy="automatic"

Output

Created secret [demo-secret].

Note:

This has created an empty secret that can hold multiple secret versions (actual sensitive information).
In this example, we used --replication-policy as automatic but can be user-managed to specify the location you want to put your secret in.

Add values to Secret

Secret Version contains the actual sensitive value.

echo "my_super_secret_string" | gcloud secrets versions add 'demo-secret' --data-file=-

Output

Created version [1] of the secret [demo-secret].

Adding another version or updating the secret value

echo "secret_update" | gcloud secrets versions add 'demo-secret' --data-file=-

Output

Created version [2] of the secret [demo-secret].

Read the Secret value

We can access the latest or specific secret version

Access the latest secret version

gcloud secrets versions access latest --secret='demo-secret'

Output

secret_update

Access specific secret version

gcloud secrets versions access 1 --secret='demo-secret'

Output

my_super_secret_string

Note: Never print the secret value in an application.

We can similarly, use the gcloud command or client libraries within the application to fetch the secret value when required instead of putting in source code or in some kind of property file.

Conclusion

Google Secret Manager enables developers to store and share the API Keys, passwords, etc in an easy fashion without having to manage tools like Vault, etc...

If you have feedback or questions, please reach out to me on LinkedIn or Twitter

Deploy Web Server on Google Compute Engine (GCE) with Terraform

Pradeep Bhadani — Mon, 13 Jan 2020 21:26:08 +0000

Originally published at pbhadani.com

In this blog, I will show how to deploy a Web Server (Nginx) using Terraform on Google Compute Engine(GCE).
There are many ways to deploy Nginx server on GCP (like on GKE, App Engine, GCE etc.) but for this post I will use GCE to illustrate its usage.

Photo by Markus Spiske on Unsplash

Goal

Deploy a Web Server on Google Compute Engine (GCE) using Terraform.

What we will explore?

Deploying a Google Compute VM Instance using Terraform.
Use of Compute Instance startup script.
Rendering a template in terraform.

Prerequisites

This post assumes the following:

We already have a GCP Project with a network. By default, every GCP Project comes with a default network.
Google Cloud SDK (gcloud) and Terraform is setup on your workstation. If you don't have, then refer to my previous blogs - Getting started with Terraform and Getting started with Google Cloud SDK.

Create a Compute VM Instance

Step 1: Create a unix directory for the Terraform project.

  mkdir ~/terraform-webserver
  cd ~/terraform-webserver

Step 2: Define Terraform Google Provider.

    vi provider.tf

This file has the following content

    # Specify the GCP Provider
    provider "google" {
      project = var.project_id
      region  = var.region
    }

Step 3: Write below terraform code to create a Google Compute VM Instance.

    vi vm.tf

To use the latest `debian` disk, we can use the data source

    data "google_compute_image" "debian" {
      family  = "ubuntu-1804-lts"
      project = "gce-uefi-images"
    }

    # Creates a GCP VM Instance.
    resource "google_compute_instance" "vm" {
      name         = var.name
      machine_type = var.machine_type
      zone         = var.zone
      tags         = ["http-server"]
      labels       = var.labels

      boot_disk {
        initialize_params {
          image = data.google_compute_image.debian.self_link
        }
      }

      network_interface {
        network = "default"
        access_config {
          // Ephemeral IP
        }
      }

      metadata_startup_script = data.template_file.nginx.rendered
    }

Note: To allow HTTP connection to VM instance, we put http-server tag on the VM as tags = ["http-server"].

Step 4: Now, let's define a template file which has script to install Nginx server and create a simple webpage index.html

    mkdir template
    vi template/install_nginx.tpl

    #!/bin/bash
    set -e
    echo "*****    Installing Nginx    *****"
    apt update
    apt install -y nginx
    ufw allow '${ufw_allow_nginx}'
    systemctl enable nginx
    systemctl restart nginx

    echo "*****   Installation Complteted!!   *****"

    echo "Welcome to Google Compute VM Instance deployed using Terraform!!!" > /var/www/html

    echo "*****   Startup script completes!!    *****"

Note: We pass the value of '${ufw_allow_nginx}' from terraform code during template rendering.

Step 5: Let's, render the above template.

    vi vm.tf

Append the following code.

    data "template_file" "nginx" {
      template = "${file("${path.module}/template/install_nginx.tpl")}"

      vars = {
        ufw_allow_nginx = "Nginx HTTP"
      }
    }

Step 6: Once the instance comes up, we want to know its public IP so that we can browse the webpage. To do this, we can use terraform outputs.

  vi outputs.tf

  output "webserver_ip" {
    value = google_compute_instance.vm.network_interface.0.access_config.0.nat_ip
  }

Step 7: Now, define all the variables in a file.

    vi variables.tf

    variable "project_id" {
      description = "Google Cloud Platform (GCP) Project ID."
      type        = string
    }

    variable "region" {
      description = "GCP region name."
      type        = string
      default     = "europe-west1"
    }

    variable "zone" {
      description = "GCP zone name."
      type        = string
      default     = "europe-west1-b"
    }

    variable "name" {
      description = "Web server name."
      type        = string
      default     = "my-webserver"
    }

    variable "machine_type" {
      description = "GCP VM instance machine type."
      type        = string
      default     = "f1-micro"
    }

    variable "labels" {
      description = "List of labels to attach to the VM instance."
      type        = map
    }

Step 8: Define require variables value in tfvars file.

    vi terraform.tfvars

      project_id = "gcp-project-id"
      labels     = {
        "environment" = "test"
        "team"        = "devops"
        "application" = "webserver"
      }

Step 9: We now have all the required terraform configuration. So, let's initialize the terraform project.

  terraform init

Output

  Initializing the backend...

  Initializing provider plugins...
  - Checking for available provider plugins...
  - Downloading plugin for provider "google" (hashicorp/google) 3.4.0...
  - Downloading plugin for provider "template" (hashicorp/template) 2.1.2...

  The following providers do not have any version constraints in configuration,
  so the latest version was installed.

  To prevent automatic upgrades to new major versions that may contain breaking
  changes, it is recommended to add version = "..." constraints to the
  corresponding provider blocks in configuration, with the constraint strings
  suggested below.

  * provider.google: version = "~> 3.4"
  * provider.template: version = "~> 2.1"

  Terraform has been successfully initialized!

  You may now begin working with Terraform. Try running "terraform plan" to see
  any changes that are required for your infrastructure. All Terraform commands
  should now work.

  If you ever set or change modules or backend configuration for Terraform,
  rerun this command to reinitialize your working directory. If you forget, other
  commands will detect it and remind you to do so if necessary.

Step 10: After successful initialization, run plan and save plan in a file.

  terraform plan --out 1.plan

Output

  Refreshing Terraform state in-memory prior to plan...
  The refreshed state will be used to calculate this plan, but will not be
  persisted to local or remote state storage.

  data.template_file.nginx: Refreshing state...
  data.google_compute_image.debian: Refreshing state...

  ------------------------------------------------------------------------

  An execution plan has been generated and is shown below.
  Resource actions are indicated with the following symbols:
    + create

  Terraform will perform the following actions:

    # google_compute_instance.vm will be created
    + resource "google_compute_instance" "vm" {
        + can_ip_forward          = false
        + cpu_platform            = (known after apply)
        + deletion_protection     = false
        + guest_accelerator       = (known after apply)
        + id                      = (known after apply)
        + instance_id             = (known after apply)
        + label_fingerprint       = (known after apply)
        + labels                  = {
            + "application" = "webserver"
            + "environment" = "test"
            + "team"        = "devops"
          }
        + machine_type            = "f1-micro"
        + metadata_fingerprint    = (known after apply)
        + metadata_startup_script = "#!/bin/bash\nset -e\necho \"*****    Installing Nginx    *****\"\napt update\napt install -y nginx\nufw allow 'Nginx HTTP'\nsystemctl enable nginx\nsystemctl restart nginx\n \necho \"*****   Installation Complteted!!   *****\"\n \necho \"Welcome to Google Compute VM Instance deployed using Terraform!!!\" > /var/www/html/index.html\n \necho \"*****   Startup script completes!!    *****\"\n"
        + min_cpu_platform        = (known after apply)
        + name                    = "my-webserver"
        + project                 = (known after apply)
        + self_link               = (known after apply)
        + tags                    = [
            + "http-server",
          ]
        + tags_fingerprint        = (known after apply)
        + zone                    = "europe-west1-b"

        + boot_disk {
            + auto_delete                = true
            + device_name                = (known after apply)
            + disk_encryption_key_sha256 = (known after apply)
            + kms_key_self_link          = (known after apply)
            + mode                       = "READ_WRITE"
            + source                     = (known after apply)

            + initialize_params {
                + image  = "https://www.googleapis.com/compute/v1/projects/gce-uefi-images/global/images/ubuntu-1804-bionic-v20191113"
                + labels = (known after apply)
                + size   = (known after apply)
                + type   = (known after apply)
              }
          }

        + network_interface {
            + name               = (known after apply)
            + network            = "default"
            + network_ip         = (known after apply)
            + subnetwork         = (known after apply)
            + subnetwork_project = (known after apply)

            + access_config {
                + nat_ip       = (known after apply)
                + network_tier = (known after apply)
              }
          }

        + scheduling {
            + automatic_restart   = (known after apply)
            + on_host_maintenance = (known after apply)
            + preemptible         = (known after apply)

            + node_affinities {
                + key      = (known after apply)
                + operator = (known after apply)
                + values   = (known after apply)
              }
          }
      }

  Plan: 1 to add, 0 to change, 0 to destroy.

  ------------------------------------------------------------------------

  This plan was saved to: 1.plan

  To perform exactly these actions, run the following command to apply:
      terraform apply "1.plan"

Step 11: Plan shows to create a VM instance and use install_nginx.tpl as startup script. So, let's go ahead and apply the plan.

  terraform apply 1.plan

Output

  google_compute_instance.vm: Creating...
  google_compute_instance.vm: Still creating... [10s elapsed]
  google_compute_instance.vm: Creation complete after 15s [id=projects/workshop-demo-34293/zones/europe-west1-b/instances/my-webserver]

  Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

  The state of your infrastructure has been saved to the path
  below. This state is required to modify and destroy your
  infrastructure, so keep it safe. To inspect the complete state
  use the `terraform show` command.

  State path: terraform.tfstate

  Outputs:

  webserver_ip = 35.240.104.9

Step 12: Now if you navigate to Google Console and navigate to Compute Engine --> VM Instance, you will see an instance coming up. Once the instance is up successfully, browse the webserver_ip. In this case, go to http://35.240.104.9

Step 13: For cleanup, run terraform destroy.

  terraform destroy

Output

  data.template_file.nginx: Refreshing state...
  data.google_compute_image.debian: Refreshing state...
  google_compute_instance.vm: Refreshing state... [id=projects/workshop-demo-34293/zones/europe-west1-b/instances/my-webserver]

  An execution plan has been generated and is shown below.
  Resource actions are indicated with the following symbols:
    - destroy

  Terraform will perform the following actions:

    # google_compute_instance.vm will be destroyed
    - resource "google_compute_instance" "vm" {
        - can_ip_forward          = false -> null
        - cpu_platform            = "Intel Haswell" -> null
        - deletion_protection     = false -> null
        - enable_display          = false -> null
        - guest_accelerator       = [] -> null
        - id                      = "projects/workshop-demo-34293/zones/europe-west1-b/instances/my-webserver" -> null
        - instance_id             = "3519528545052665512" -> null
        - label_fingerprint       = "k3pYoTAUZq4=" -> null
        - labels                  = {
            - "application" = "webserver"
            - "environment" = "test"
            - "team"        = "devops"
          } -> null
        - machine_type            = "f1-micro" -> null
        - metadata                = {} -> null
        - metadata_fingerprint    = "mE2Cwt2znPk=" -> null
        - metadata_startup_script = "#!/bin/bash\nset -e\necho \"*****    Installing Nginx    *****\"\napt update\napt install -y nginx\nufw allow 'Nginx HTTP'\nsystemctl enable nginx\nsystemctl restart nginx\n\necho \"*****   Installation Complteted!!   *****\"\n\necho \"Welcome to Google Compute VM Instance deployed using Terraform!!!\" > /var/www/html/index.html\n\necho \"*****   Startup script completes!!    *****\"\n" -> null
        - name                    = "my-webserver" -> null
        - project                 = "workshop-demo-34293" -> null
        - self_link               = "https://www.googleapis.com/compute/v1/projects/workshop-demo-34293/zones/europe-west1-b/instances/my-webserver" -> null
        - tags                    = [
            - "http-server",
          ] -> null
        - tags_fingerprint        = "FYLDgkTKlA4=" -> null
        - zone                    = "europe-west1-b" -> null

        - boot_disk {
            - auto_delete = true -> null
            - device_name = "persistent-disk-0" -> null
            - mode        = "READ_WRITE" -> null
            - source      = "https://www.googleapis.com/compute/v1/projects/workshop-demo-34293/zones/europe-west1-b/disks/my-webserver" -> null

            - initialize_params {
                - image  = "https://www.googleapis.com/compute/v1/projects/gce-uefi-images/global/images/ubuntu-1804-bionic-v20191113" -> null
                - labels = {} -> null
                - size   = 10 -> null
                - type   = "pd-standard" -> null
              }
          }

        - network_interface {
            - name               = "nic0" -> null
            - network            = "https://www.googleapis.com/compute/v1/projects/workshop-demo-34293/global/networks/default" -> null
            - network_ip         = "10.132.0.13" -> null
            - subnetwork         = "https://www.googleapis.com/compute/v1/projects/workshop-demo-34293/regions/europe-west1/subnetworks/default" -> null
            - subnetwork_project = "workshop-demo-34293" -> null

            - access_config {
                - nat_ip       = "35.240.104.9" -> null
                - network_tier = "PREMIUM" -> null
              }
          }

        - scheduling {
            - automatic_restart   = true -> null
            - on_host_maintenance = "MIGRATE" -> null
            - preemptible         = false -> null
          }

        - shielded_instance_config {
            - enable_integrity_monitoring = true -> null
            - enable_secure_boot          = false -> null
            - enable_vtpm                 = true -> null
          }
      }

  Plan: 0 to add, 0 to change, 1 to destroy.

  Do you really want to destroy all resources?
    Terraform will destroy all your managed infrastructure, as shown above.
    There is no undo. Only 'yes' will be accepted to confirm.

    Enter a value: yes

  google_compute_instance.vm: Destroying... [id=projects/workshop-demo-34293/zones/europe-west1-b/instances/my-webserver]
  google_compute_instance.vm: Still destroying... [id=projects/workshop-demo-34293/zones/europe-west1-b/instances/my-webserver, 10s elapsed]
  google_compute_instance.vm: Still destroying... [id=projects/workshop-demo-34293/zones/europe-west1-b/instances/my-webserver, 20s elapsed]

  google_compute_instance.vm: Still destroying... [id=projects/workshop-demo-34293/zones/europe-west1-b/instances/my-webserver, 2m30s elapsed]
  google_compute_instance.vm: Destruction complete after 2m36s

  Destroy complete! Resources: 1 destroyed.

Hope this blog gives you familiarity with google_compute_instance and Terraform template rendering.

Complete source code can be found here.

If you have feedback or questions, please reach out to me on LinkedIn or Twitter

Create first GCP resource with Terraform

Pradeep Bhadani — Thu, 09 Jan 2020 18:50:57 +0000

Originally published at pbhadani.com

Welcome to my post and Happy New year!

Let's create our first GCP resource using Terraform in this post.

Photo by Markus Spiske on Unsplash

Goal

Create a Google Cloud Storage(GCS) Bucket using Terraform.

Prerequisites

This post assumes the following:

We already have a GCP Project and a GCS Bucket (we will use this to store Terraform State file) created.
Google Cloud SDK (gcloud) and Terraform is setup on your workstation. If you don't have, then refer to my previous blogs - Getting started with Terraform and Getting started with Google Cloud SDK.

Create a Google Cloud Storage(GCS) Bucket with Terraform

Step 1: Create a unix directory for the Terraform project.

  mkdir ~/terraform-gcs-example
  cd ~/terraform-gcs-example

Step 2: Create Terraform configuration file which defines GCS bucket and provider.

  vi bucket.tf

This file has following content

  # Specify the GCP Provider
  provider "google" {
    project = var.project_id
    region  = var.region
  }

  # Create a GCS Bucket
  resource "google_storage_bucket" "my_bucket" {
    name     = var.bucket_name
    location = var.region
  }

Step 3: Define Terraform variables.

  vi variables.tf

This file looks like:

  variable "project_id" {
    description = "Google Project ID."
    type        = string
  }

  variable "bucket_name" {
    description = "GCS Bucket name. Value should be unique ."
    type        = string
  }

  variable "region" {
    description = "Google Cloud region"
    type        = string
    default     = "europe-west2"
  }

**Note:** We are defining a `default` value for `region`. This means if a value is not supplied for this variable, Terraform will use `europe-west2` as its value.

Step 4: Create a tfvars file.

  vi terraform.tfvars

  project_id  = ""                   # Put your GCP Project ID.
  bucket_name = "my-bucket-48693"    # Put the desired GCS Bucket name.

Step 5: Set the remote state.

  vi backend.tf

  terraform {
    backend "gcs" {
      bucket = "my-tfstate-bucket"   # GCS bucket name to store terraform tfstate
      prefix = "first-app"           # Update to desired prefix name. Prefix name should be unique for each Terraform project having same remote state bucket.
      }
  }

Step 6: File structure looks like below

  cntekio:~ terraform-gcs-example$ tree
  .
  ├── backend.tf
  ├── bucket.tf
  ├── terraform.tfvars
  └── variables.tf

  0 directories, 4 files

Step 7: Now, initialize the terraform project.

  terraform init

Output

  Initializing the backend...

  Successfully configured the backend "gcs"! Terraform will automatically
  use this backend unless the backend configuration changes.

  Initializing provider plugins...
  - Checking for available provider plugins...
  - Downloading plugin for provider "google" (hashicorp/google) 3.3.0...

  The following providers do not have any version constraints in configuration,
  so the latest version was installed.

  To prevent automatic upgrades to new major versions that may contain breaking
  changes, it is recommended to add version = "..." constraints to the
  corresponding provider blocks in configuration, with the constraint strings
  suggested below.

  * provider.google: version = "~> 3.3"

  Terraform has been successfully initialized!

  You may now begin working with Terraform. Try running "terraform plan" to see
  any changes that are required for your infrastructure. All Terraform commands
  should now work.

  If you ever set or change modules or backend configuration for Terraform,
  rerun this command to reinitialize your working directory. If you forget, other
  commands will detect it and remind you to do so if necessary.

Note: terraform init downloads all the required provider and plugins.

Step 8: Let's see the execution plan.

  terraform plan --out 1.plan

Output

  Refreshing Terraform state in-memory prior to plan...
  The refreshed state will be used to calculate this plan, but will not be
  persisted to local or remote state storage.
  ------------------------------------------------------------------------

  An execution plan has been generated and is shown below.
  Resource actions are indicated with the following symbols:
    + create

  Terraform will perform the following actions:

    # google_storage_bucket.my_bucket will be created
    + resource "google_storage_bucket" "my_bucket" {
        + bucket_policy_only = (known after apply)
        + force_destroy      = false
        + id                 = (known after apply)
        + location           = "EUROPE-WEST2"
        + name               = "my-bucket-48693"
        + project            = (known after apply)
        + self_link          = (known after apply)
        + storage_class      = "STANDARD"
        + url                = (known after apply)
      }

  Plan: 1 to add, 0 to change, 0 to destroy.

  ------------------------------------------------------------------------

  This plan was saved to: 1.plan

  To perform exactly these actions, run the following command to apply:
      terraform apply "1.plan"

Note: terraform plan output shows that this code is going to create one GCS bucket.
--out 1.plan flag tells terraform to save the plan in a file.

Step 9: The execution plan looks good, so let's move ahead and apply this plan.

  terraform apply 1.plan

Output

  google_storage_bucket.my_bucket: Creating...
  google_storage_bucket.my_bucket: Creation complete after 3s [id=my-bucket-48693]

  Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Step 10: Once we no longer need this infrastructure, we can cleanup to reduce costs.

  terraform destroy

Output

  google_storage_bucket.my_bucket: Refreshing state... [id=my-bucket-48693]

  An execution plan has been generated and is shown below.
  Resource actions are indicated with the following symbols:
    - destroy

  Terraform will perform the following actions:

    # google_storage_bucket.my_bucket will be destroyed
    - resource "google_storage_bucket" "my_bucket" {
        - bucket_policy_only = false -> null
        - force_destroy      = false -> null
        - id                 = "my-bucket-48693" -> null
        - labels             = {} -> null
        - location           = "EUROPE-WEST2" -> null
        - name               = "my-bucket-48693" -> null
        - project            = "my-project-id" -> null
        - requester_pays     = false -> null
        - self_link          = "https://www.googleapis.com/storage/v1/b/my-bucket-48693" -> null
        - storage_class      = "STANDARD" -> null
        - url                = "gs://my-bucket-48693" -> null
      }

  Plan: 0 to add, 0 to change, 1 to destroy.

  Do you really want to destroy all resources?
    Terraform will destroy all your managed infrastructure, as shown above.
    There is no undo. Only 'yes' will be accepted to confirm.

    Enter a value: yes

  google_storage_bucket.my_bucket: Destroying... [id=my-bucket-48693]
  google_storage_bucket.my_bucket: Destruction complete after 6s

  Destroy complete! Resources: 1 destroyed.

Hope this blog helps you get started with creating GCP resources using Terraform

If you have a feedback or questions, please reach out to me on LinkedIn or Twitter

Enabling GKE Workload Identity

Pradeep Bhadani — Sat, 21 Dec 2019 16:33:00 +0000

Originally published at pbhadani.com

In this blog, I will talk about the GKE Workload Identity feature and why to use this feature.

Photo by [chuttersnap](https://unsplash.com/@chuttersnap) on [Unsplash](https://unsplash.com)

What's the Problem?

An application running on GKE must authenticate to use Google Services such as Google Cloud Storage (GCS), Cloud SQL, BigQuery, etc.
Authentication can be done by providing a service account key JSON file to an application using Kubernetes Secret space or a different method such as Vault.
But in these approaches, service account key JSON (which has 10years of a lifetime) must be stored in plain text within the pod or base64 encoded in Kubernetes secret space.
Also, the key rotation process must be in a place that is not a fun process.

We can avoid using the service account key by attaching a service account to Kubernetes Node but then all the pods running on the Node gets the same permission which is not an ideal thing to do.

Goal?

We want to assign a service account to a Pod so we can isolate permissions for different pods.

Hurray, we have Workload Identity feature available in beta which solves this problem on GKE.

So, What is Workload Identity?

As per Google documentation, "Workload Identity is the recommended way to access Google Cloud services from within GKE due to its improved security properties and manageability."

GKE Workload identity allows us to attach the service account to the Kubernetes pod and remove the hassle to manage the service account credentials JSON file within the pod or cluster.

Let's use Workload Identity in a GKE cluster

Prerequisites

If you have not setup gcloud on your workstation, then refer my previous blog to get it up and running quickly.

Alternatively, you can use Google Cloud Shell to run the commands.
Make sure you are a Project Editor or Project Owner or have enough permissions to run the below commands.

Setup a GKE Cluster

Follow the below step to create a new GKE Cluster and enable Workload Identity.

Step 1: Enable the Cloud IAM API.

Step 2: Install and configure gke-gcloud-auth-plugin.

gke-gcloud-auth-plugin is the new Kubectl authentication plugin for GKE. Please read the documentation for more details.

Install plugin

gcloud components install gke-gcloud-auth-plugin

Note: If gcloud CLI component manager is disabled, use the yum or apt package to install this plugin.
For Debian:

sudo apt-get install google-cloud-sdk-gke-gcloud-auth-plugin

Configure plugin

echo "export USE_GKE_GCLOUD_AUTH_PLUGIN=True" >> ~/.bashrc
source ~/.bashrc

Step 3: Set GCP defaults.

Set GCP Project

  export GCP_PROJECT_ID=<YOUR_GCP_PROJECT_ID>

  gcloud config set project $GCP_PROJECT_ID

Set default region and zone

  gcloud config set compute/region europe-west1

  gcloud config set compute/zone europe-west1-b

Step 4: Make sure you have kubectl command installed.

   sudo apt-get install kubectl

Run following to verify

   kubectl help

Note: Please refer documentation: External package managers

Step 5: Create a new Google Service Account (GSA).

  gcloud iam service-accounts create workload-identity-test

Notes:
You can use the existing service account.
Permission Required: iam.serviceAccounts.create on the GCP Project.

Step 6: Add permissions to the Google Service Account required by an application. For example, roles/storage.objectViewer

  gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
  --member serviceAccount:workload-identity-test@${GCP_PROJECT_ID}.iam.gserviceaccount.com \
  --role roles/storage.objectViewer

Step 7: Setup a GKE cluster with Workload Identity enabled.

  export GKE_CLUSTER_NAME=gke-wi

  gcloud container clusters create $GKE_CLUSTER_NAME \
  --cluster-version=1.24 \
  --workload-pool=$GCP_PROJECT_ID.svc.id.goog

Notes:
GKE Cluster could take 5-10mins to become fully functional.
Permission required: container.clusters.create on the GCP Project.

Step 8: Configure kubectl command on your terminal.

  gcloud container clusters get-credentials $GKE_CLUSTER_NAME

Notes:
This will populate ~/.kube/config file.
Permission Required: container.clusters.get on the GCP Project.

Step 9: (Optional) Create a Kubernetes namespace if you don't want to use default namespace.

  kubectl create namespace newspace

Step 10: Create Kubernetes Service Account (KSA).

  kubectl create serviceaccount \
 --namespace newspace \
 workload-identity-test-ksa

Step 11: Bind the Google Service Account (GSA) and Kubernetes Service Account (KSA), so that KSA can use the permissions granted to GSA.

  gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${GCP_PROJECT_ID}.svc.id.goog[newspace/workload-identity-test-ksa]" \
  workload-identity-test@${GCP_PROJECT_ID}.iam.gserviceaccount.com

Step 12: Add annotation

  kubectl annotate serviceaccount \
  --namespace newspace \
  workload-identity-test-ksa \
  iam.gke.io/gcp-service-account=workload-identity-test@${GCP_PROJECT_ID}.iam.gserviceaccount.com

Step 13: Create a Pod with the KSA created to verify.

  kubectl run --rm -it test-pod \
  --image google/cloud-sdk:slim \
  --namespace newspace \
  --overrides='{ "spec": { "serviceAccount": "workload-identity-test-ksa" }  }' sh

Running above command will login to Pod and provides its bash shell.
Now run below command to see which service account this pod is configured with.

  gcloud auth list

This should print the GSA name.

                           Credentialed Accounts
    ACTIVE  ACCOUNT
    *       workload-identity-test@workshop-demo-namwcb.iam.gserviceaccount.com

Cleanup

Don't forget to cleanup the resources, once you no longer need it.

Run the following commands:

Step 1: Delete the GKE cluster.

  gcloud container clusters delete $GKE_CLUSTER_NAME

Step 2: Delete the Google Service Account (GSA).

  gcloud iam service-accounts delete workload-identity-test@${GCP_PROJECT_ID}.iam.gserviceaccount.com

Below is the terminal recording:

Hope this blog helps you get familiar with Workload Identity and securely deploy apps on GKE.

If you have feedback or questions, please reach out to me on LinkedIn or Twitter

Getting started with Google Cloud SDK

Pradeep Bhadani — Sun, 08 Dec 2019 19:19:00 +0000

Originally published at pbhadani.com

Learn to setup Google Cloud SDK on your workstation and some operations in this step-by-step guide.

What is Cloud SDK?

The Cloud SDK is a collection of tools to interact with the Google Cloud Platform (GCP). It includes bq, kubectl, gcloud and gsutil command-line tools that can interact with various GCP Services using CLI or in automation scripts.
Examples:

Create/manage a Google Cloud Storage (GCS) bucket.
Create/manage Google Compute Engine (GCE) instance.
Create/manage Google Datalab.
Create a BigQuery Dataset.
Submit a job to BigQuery.
Create/manage firewall rules.

Let's get it up and running

Google provides a script to download and install the Cloud SDK quickly and interactively.

Install Google Cloud SDK

1. Run the following command in your terminal.

  $> curl https://sdk.cloud.google.com | bash

This will download the Cloud SDK package and run the installation script.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   443  100   443    0     0   3475      0 --:--:-- --:--:-- --:--:--  3488
  Downloading Google Cloud SDK install script: https://dl.google.com/dl/cloudsdk/channels/rapid/install_google_cloud_sdk.bash
  ######################################################################## 100.0%
  Running install script from: /tmp/tmp.GZI3OtObH9/install_google_cloud_sdk.bash
  which curl
  curl -# -f https://dl.google.com/dl/cloudsdk/channels/rapid/google-cloud-sdk.tar.gz
  ######################################################################## 100.0%

2. Provide the directory path on prompt

  Installation directory (this will create a google-cloud-sdk subdirectory) (/home/vagrant):

3. Once you provide the directory, the script will prompt for reporting. Choose one of the options.

  Welcome to the Google Cloud SDK!

  To help improve the quality of this product, we collect anonymized usage data and anonymized stacktraces when crashes are encountered; additional information is available at <https://cloud.google.com/sdk/usage-statistics>. This data is handled in accordance with our privacy policy <https://policies.google.com/privacy>. You may choose to opt in this collection now (by choosing 'Y' at the below prompt), or at any time in the future by running the following command:

  gcloud config set disable_usage_reporting false

  Do you want to help improve the Google Cloud SDK (y/N)?

4. This will start installing the package and ask to update the $PATH and enable the auto-complete feature.

  This will install all the core command line tools necessary for working with the Google Cloud Platform.

  Your current Cloud SDK version is: 272.0.0
  Installing components from version: 272.0.0

  ┌────────────────────────────────────────────────────────────────────────────┐
  │                    These components will be installed.                     │
  ├─────────────────────────────────────────────────────┬────────────┬─────────┤
  │                         Name                        │  Version   │   Size  │
  ├─────────────────────────────────────────────────────┼────────────┼─────────┤
  │ BigQuery Command Line Tool                          │     2.0.50 │ < 1 MiB │
  │ BigQuery Command Line Tool (Platform Specific)      │     2.0.50 │ < 1 MiB │
  │ Cloud SDK Core Libraries (Platform Specific)        │ 2019.11.08 │ < 1 MiB │
  │ Cloud Storage Command Line Tool                     │       4.46 │ 3.6 MiB │
  │ Cloud Storage Command Line Tool (Platform Specific) │       4.46 │ < 1 MiB │
  │ Default set of gcloud commands                      │            │         │
  │ gcloud cli dependencies                             │ 2018.08.03 │ 8.6 MiB │
  └─────────────────────────────────────────────────────┴────────────┴─────────┘

  For the latest full release notes, please visit:
    https://cloud.google.com/sdk/release_notes

  ╔════════════════════════════════════════════════════════════╗
  ╠═ Creating update staging area                             ═╣
  ╠════════════════════════════════════════════════════════════╣
  ╠═ Installing: BigQuery Command Line Tool                   ═╣
  ╠════════════════════════════════════════════════════════════╣
  ╠═ Installing: BigQuery Command Line Tool (Platform Spec... ═╣
  ╠════════════════════════════════════════════════════════════╣
  ╠═ Installing: Cloud SDK Core Libraries (Platform Specific) ═╣
  ╠════════════════════════════════════════════════════════════╣
  ╠═ Installing: Cloud Storage Command Line Tool              ═╣
  ╠════════════════════════════════════════════════════════════╣
  ╠═ Installing: Cloud Storage Command Line Tool (Platform... ═╣
  ╠════════════════════════════════════════════════════════════╣
  ╠═ Installing: Default set of gcloud commands               ═╣
  ╠════════════════════════════════════════════════════════════╣
  ╠═ Installing: gcloud cli dependencies                      ═╣
  ╠════════════════════════════════════════════════════════════╣
  ╠═ Creating backup and activating new installation          ═╣
  ╚════════════════════════════════════════════════════════════╝

  Performing post processing steps...done.

  Update done!

  Modify profile to update your $PATH and enable shell command
  completion?

  Do you want to continue (Y/n)? Y

5. Provide the bashrc path.

The Google Cloud SDK installer will now prompt you to update an rc file to bring the Google Cloud CLIs into your environment.

Enter a path to an rc file to update, or leave blank to use
[/home/vagrant/.bashrc]:

6. Now, open a new terminal or reload the current session by running below command.

  $> exec -l $SHELL

7. Verify installation.

  $> gcloud version

This should list the current version of gcloud utility.

  Google Cloud SDK 272.0.0
  bq 2.0.50
  core 2019.11.16
  gsutil 4.46

8. The above script only install core packages and all we can list all the available packages.

  $> gcloud components list

  Your current Cloud SDK version is: 272.0.0
  The latest available version is: 272.0.0

  ┌────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
  │                                                 Components                                                 │
  ├───────────────┬──────────────────────────────────────────────────────┬──────────────────────────┬──────────┤
  │     Status    │                         Name                         │            ID            │   Size   │
  ├───────────────┼──────────────────────────────────────────────────────┼──────────────────────────┼──────────┤
  │ Not Installed │ App Engine Go Extensions                             │ app-engine-go            │  4.9 MiB │
  │ Not Installed │ Appctl                                               │ appctl                   │ 21.0 MiB │
  │ Not Installed │ Cloud Bigtable Command Line Tool                     │ cbt                      │  7.5 MiB │
  │ Not Installed │ Cloud Bigtable Emulator                              │ bigtable                 │  6.6 MiB │
  │ Not Installed │ Cloud Datalab Command Line Tool                      │ datalab                  │  < 1 MiB │
  │ Not Installed │ Cloud Datastore Emulator                             │ cloud-datastore-emulator │ 18.4 MiB │
  │ Not Installed │ Cloud Firestore Emulator                             │ cloud-firestore-emulator │ 40.0 MiB │
  │ Not Installed │ Cloud Pub/Sub Emulator                               │ pubsub-emulator          │ 34.9 MiB │
  │ Not Installed │ Cloud SQL Proxy                                      │ cloud_sql_proxy          │  3.8 MiB │
  │ Not Installed │ Emulator Reverse Proxy                               │ emulator-reverse-proxy   │ 14.5 MiB │
  │ Not Installed │ Google Cloud Build Local Builder                     │ cloud-build-local        │  6.0 MiB │
  │ Not Installed │ Google Container Registry's Docker credential helper │ docker-credential-gcr    │  1.8 MiB │
  │ Not Installed │ Skaffold                                             │ skaffold                 │ 22.1 MiB │
  │ Not Installed │ gcloud Alpha Commands                                │ alpha                    │  < 1 MiB │
  │ Not Installed │ gcloud Beta Commands                                 │ beta                     │  < 1 MiB │
  │ Not Installed │ gcloud app Java Extensions                           │ app-engine-java          │ 62.0 MiB │
  │ Not Installed │ gcloud app PHP Extensions                            │ app-engine-php           │          │
  │ Not Installed │ gcloud app Python Extensions                         │ app-engine-python        │  6.0 MiB │
  │ Not Installed │ gcloud app Python Extensions (Extra Libraries)       │ app-engine-python-extras │ 27.1 MiB │
  │ Not Installed │ kubectl                                              │ kubectl                  │  < 1 MiB │
  │ Installed     │ BigQuery Command Line Tool                           │ bq                       │  < 1 MiB │
  │ Installed     │ Cloud SDK Core Libraries                             │ core                     │ 12.5 MiB │
  │ Installed     │ Cloud Storage Command Line Tool                      │ gsutil                   │  3.6 MiB │
  └───────────────┴──────────────────────────────────────────────────────┴──────────────────────────┴──────────┘
  To install or remove components at your current SDK version [272.0.0], run:
    $ gcloud components install COMPONENT_ID
    $ gcloud components remove COMPONENT_ID

  To update your SDK installation to the latest version [272.0.0], run:
    $ gcloud components update

9. Install additional component, for e.g. kubectl

  $> gcloud components install kubectl

10. To install, beta functionality

  $> gcloud components install beta

Initialize Google Cloud SDK

Now to interact with GCP services, we must initialize SDK and setup authentication.

1. Initialize the SDK.

  $> gcloud init

2. Accept to login to your Google account.

  To continue, you must login. Would you like to log in (Y/n)? Y

3. This will open your browser and prompt for permissions. Login with your Google account credentials and Allow.

4. Select the preferred project and zone.

5. You should now see the following message for successful initialization.

  gcloud has now been configured!
  You can use [gcloud config] to change more gcloud settings.

  Your active configuration is: [default]

6. Verify initialization.

  $> gcloud auth list

This will display the active account.

Let's do something with gcloud

Google Cloud Storage (GCS) Bucket Operations

1. Create a GCS Bucket

  $> gsutil mb gs://my-bucket-34678945/

2. Create a file locally and upload to GCS Bucket.

  $> echo "Hello GCS" > hello-gcs.txt

  $> gsutil cp hello-gcs.txt gs://my-bucket-34678945/

3. List objects in a GCS Bucket.

  $> gsutil ls -r gs://my-bucket-34678945/

4. Get the GCS Bucket size.

  $> gsutil du -sh gs://my-bucket-34678945/

5. Delete a GCS Bucket.

warning: Following command deletes all the objects stored in the specified bucket and cannot be recovered.

  $> gsutil rm -r gs://my-bucket-34678945

Google Compute Engine (GCE) Operation

1. Create a VM instance.

  $> gcloud compute instances create my-instance

This will create a VM instance will default configuration.

Output will be similar as below:

  Created [https://www.googleapis.com/compute/v1/projects/your-project-id/zones/europe-west1-d/instances/my-instance].
  NAME         ZONE            MACHINE_TYPE   PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP    STATUS
  my-instance  europe-west1-d  n1-standard-1               10.132.0.3   IP.IP.IP.IP  RUNNING

2. Update VM instance and add some labels.

  $> gcloud compute instances update my-instance \
        --update-labels=key1=value1,key2=value2

3. Delete a VM instance.

  $> gcloud compute instances delete my-instance

Below is the terminal recording:

To revoke gcloud access from terminal

  $> gcloud auth revoke

Hope this blog helps you get familiar with Google Cloud SDK.

Getting started with Terraform

Pradeep Bhadani — Sun, 08 Dec 2019 18:54:45 +0000

Originally published at pbhadani.com

Learn to setup Terraform on your workstation in this step-by-step guide.

Photo by Firdouss Ross on Unsplash

What is Terraform?

Terraform is an open-source tool allows to build, change and version our infrastructure in an easy and efficient way.
It uses declarative language HCL (Hashicorp Configuration Language) to define infrastructure as code.

Terraform concepts

Let's quickly learn about some concepts in Terraform.

Providers
Terraform Providers enables interaction with APIs and handle authentication of different IaaS(e.g. Google Cloud Platform, Amazon Web Service, Azure) or SaaS(e.g. Cloudflare). There are many Terraform supported providers already available and a full list can be seen here.
Resource
Terraform Resource is a very important component. Each resource block describes the infrastructure object(e.g. VM instance, Storage buckets, DNS records, Cloud NAT).
Modules
Terraform modules are the collection of resources defined in a way that can be reused.
Data Sources
Terraform Data Sources help to read infrastructure which is created using (or without using) Terraform.
State
Terraform State stores information about the infrastructure created by Terraform code. It is used by Terraform to detect changes in the resources defined in the code.

Terraform state is stored on local machine by default in the name of terraform.tfstate but can be stored remotely on systems like Google Cloud Storage(GCS), AWS S3.

Let's setup Terraform

Below steps are for Linux based system. For MAC, download the relevant package and the rest of the steps should be the same.

Download the latest terraform package from terraform.io/downloads.

export TF_VERSION=0.12.16
wget https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip -O /tmp/terraform.zip

Unzip the terraform binary to a directory which is included in your system PATH.
```
sudo unzip /tmp/terraform.zip -d /usr/local/bin/
```
Reload your shell.
```
exec -l $SHELL
```
Verify installation.
```
terraform --help
```

Below is the terminal recording:

Hope this blog help you get started quickly with Terraform.