Using Terraform to provision vSphere Templates with GOVC and AWS S3

-
Gilles Chekroun
Lead VMware Cloud on AWS Solutions Architect
---
With my recent post about using Terraform for VMware Cloud on AWS provisioning, I had to provision OVA templates in my VMC vCenter so I would be able to use the Terraform vSphere provider to clone and deploy VMs.
Since this requires access to ESXi inside VMware Cloud on AWS, it's not possible to do it from an external machine like my Mac over the internet.
Only coming from a VPN connection or a Direct Connect will allow this but . . . 
. . . it is possible to use an AWS EC2 instance on the attached VPC to provision and this is the goal of this post.

AWS EC2 Deployment

Using AWS terraform provider, I am deploying a very simple EC2 without any initialisation.
I could do the provisioning at this time but my code needs output parameters stored in the tfstate file.
What I need now is the Public IP and the Public DNS name of my EC2 instance.
This will be part of the terraform output.

Connect to the EC2 with SSH

Before we can connect to the EC2 and start provisioning, make sure your security group allow access to SSH port 22 and that you have an IGW so we can grab GOVC software to install.
In the code below I am using a dummy null-resource
resource "null_resource" "dummy" {
  /*======================================
  Connect to EC2 with SSH and pem key-pair
  =======================================*/
  connection {
    type = "ssh"
    user = "ec2-user"
    host = var.VM1_IP
    private_key = file("~/AWS-SSH/my-oregon-key.pem")
  }
Connection type is SSH; user is the standard ec2-user from AWS; host is our EC2 public IP; and my pem key-pair is provided as private_key.

Local-exec and remote exec

We will start with "remote-exec" which means that we are executing code on the remote machine - in our case the EC2
/*====================================
  execute code on the EC2 after creation
  ====================================*/
  provisioner "remote-exec" {
    inline = [
      # install GOVC:
      # download and unzip
      "wget https://github.com/vmware/govmomi/releases/download/v0.20.0/govc_linux_amd64.gz",
      "gunzip govc_linux_amd64.gz",
      # rename
      "mv govc_linux_amd64 govc",
      "sudo chown root govc",
      "sudo chmod ug+r+x govc",
      "sudo mv govc /usr/local/bin/.",
      #install jq
      "sudo yum install jq -y",
      #install AWS CLI
      "sudo yum install awscli -y"
    ]
  }

Install GOVC, jq and awscli

Grab the code from github with wget and unzip.
Change name and permissions.
Move to a proper place like /usr/local/bin.
Use yum install for jq and awscli with the -y option so we don't have any interactions.
JQ is a neat package to manipulate json. At this stage we are ready with the EC2.
With "local-exec" we are sunning code on the machine that runs the terraform (here my Mac). Let's prepare a few files:
/*=====================================
  execute code locally
  ======================================*/
  provisioner "local-exec" {
    command = S1
        cd ../../p3/main/
        terraform  output -state=../../phase1.tfstate -json S2 outputs.json
        scp -o StrictHostKeyChecking=no -i ~/AWS-SSH/my-oregon-key.pem ./outputs.json ec2-user@${var.VM1_DNS}:
        scp -o StrictHostKeyChecking=no -i ~/AWS-SSH/my-oregon-key.pem ./data.sh ec2-user@${var.VM1_DNS}:
        scp -o StrictHostKeyChecking=no -i ~/AWS-SSH/my-oregon-key.pem  -r ~/.aws ec2-user@${var.VM1_DNS}:
     S3
  }
(Sorry but the HTML of my blog has difficulties accepting << and > so please substitute:
S1="<<EOT "; S2=">" ; S3="EOT")

Create the outputs.json file

The terraform output command will read the tfstate file and convert the outputs into a outputs.json file. We will use that file to grab the data we need to set the GOVC parameters.
Use secure copy scp to transfer the outputs.json, the data.sh script and your AWS credentials. There are multitude ways to transfer AWS credentials to EC2 so we can read from S3. The best would be a IAM associated with the EC2 but secure copying my credentials to that EC2 is not too bad.

Setting GOVC parameters in data.sh script

#!/usr/bin/env bash

export GOVC_URL=$(cat ./outputs.json | jq -r '.GOVC_vc_url.value')
export GOVC_USERNAME=$(cat ./outputs.json | jq -r '.cloud_username.value')
export GOVC_PASSWORD=$(cat ./outputs.json | jq -r '.cloud_password.value')
export GOVC_INSECURE=true

echo $GOVC_URL
echo $GOVC_USERNAME
echo $GOVC_PASSWORD
govc about

# extract VM specs with . . .
# govc import.spec ./vmc-demo.ova | python -m json.tool > vmc-demo.json
# govc import.spec ./photoapp-u.ova | python -m json.tool > photoapp-u.json
# and update Network

govc import.ova -dc="SDDC-Datacenter" -ds="WorkloadDatastore" -pool="Compute-ResourcePool" -folder="Templates" -options=./vmc-demo.json ./vmc-demo.ova
govc import.ova -dc="SDDC-Datacenter" -ds="WorkloadDatastore" -pool="Compute-ResourcePool" -folder="Templates" -options=./photoapp-u.json ./photoapp-u.ova
Parsing the outputs.json file with JQ is quite simple and we can retrieve the GOVC_URL, GOVC_USERNAME and GOVC_PASSWORD easily.

OVA templates and json are in AWS S3

We need to copy the files from AWS S3 bucket before we can run GOVC and upload our templates in vCenter. 
For this we will run a "remote-exec" again simply sync our S3 bucket to the local EC2. After that, we can launch the data.sh script to upload the OVA templates.
/*====================================
  execute code on the EC2 again
  ====================================*/
  provisioner "remote-exec" {
    inline = [
      #sync our S3 bucket
      "aws s3 sync s3://terraform-ova .",
      #run the GOVC OVA import
      "./data.sh"
    ]
  }

Speed and No Data Charges

I am quite happy with the fact that the S3 endpoint of our VPC gives us a direct access to our EC2 with no data charges (read or write) and then from EC2 to VMware Cloud on AWS over the ENI without data charges as well !

 Thank you for reading!
Here is a short video of the provisioning.

Comments

Post a Comment

Populars

Egress VPC and AWS Transit Gateway (Part1)

-
Image
Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Usually my blog posts are customer driven and recently I have been working on a design that would include an Egress VPC and AWS Transit Gateway. This customer is going to use both VMware Managed Transit Gateway and also AWS Transit Gateway. I will split this post in 3 parts: The Egress VPC - this article Adding a VMC SDDC to the Egress VPC here Adding VMware Managed Transit Gateway here Why do we need an Egress VPC? Numerous posts on AWS site  will describe how to build an Egress VPC and the subtleties of the various route tables of the TGW and the Egress VPC itself. The main goal is to have ONE Internet gateway only  that will allow workloads to go out to internet on the Egress VPC. One of the most important point is redundancy and multi-availability zones. Applications usually reside in private subnets, while NAT Gateways reside in a public subnet. NAT Gateways To focus the Internet access to a single point, we can cre
Read more

AWS Transitive routing with Transit Gateways in the same region

-
Image
Gilles Chekroun Lead VMware Cloud on AWS Specialist --- At the AWS Re:invent 2019 conference, the long waited TGW peering functionality was announced and available in a few AWS regions. This is an INTER-REGION peering only meaning that the Transit Gateways need to be in different regions. Hoping that AWS will soon release an INTRA-REGION capability I discussed with a few AWS Solutions Architects in Las Vegas, among them Tom Adamski , about using a VPC as a bridge between two TGWs in the same region. Tom assured me that it is possible opening for the first time the transitive routing capability in AWS networking. Well . . . I needed to test that and see by myself. Test bed For a simple test, I will use 2 TGWs in the same regions with 2 VPCs attached each and another VPC as "bridge" connected to both TGWs. Yes you can connect a VPC up to 5 TGWs . The whole idea is to use this "bridging VPC" and point the default route of the TGWs to it. To do that I c
Read more

Considerations on vTGW to TGW Peering Link

-
Image
   Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Recently I was talking with a Customer on designing their VMware Cloud on AWS environment and linking it to their existing AWS infrastructure. The idea was to have 2 SDDCs, Test and Prod, and link them with a VMware Managed TGW and peer it to their existing TGW. The customer requirements were: VMs in each SDDC should have internet access from the SDDC out VMs from Test should be able to talk to VMs in Prod VMs in any SDDC should be able to access their own vCenter but also the other one Some VMs any SDDC should have a Public IP and NAT rule to be accessible from outside VMware traffic should stay within VMware SDDCs Other traffic, like on-prem, should go via the Customer TGW Test Setup Step1 - Create SDDC Group Create an SDDC Group and attach the 2 SDDCs Prod and Test Make sure the proper FireWall rules are open in each SDDC Compute GW. Step 2 - Attach the Customer TGW In the SDDC Groups, under External TGW TAB, add t
Read more