Skip to content

anyscale/terraform-google-anyscale-cloudfoundation-modules

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

86 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Build Status Terraform Version OpenTofu Version Google Provider Version

Terraform Modules for Anyscale Cloud Foundations on Google

This repository's Terraform modules build the foundational cloud resources needed to run Anyscale in a cloud environment. This module and sub-modules support Google Cloud.

THIS IS PROVIDED AS A STARTING POINT

USE AT YOUR OWN RISK

Google Cloud Resources

The Anyscale GCP Deployment Guide details the minimum required resources for deploying Anyscale on GCP. This module can be used to build the resources to support Customer Defined Networking Clouds (diagrammed below) and Direct Networking Clouds.

Customer Defined Networking

To streamline long-term management and enable customization, we've modularized the resources into the following Terraform sub-modules:

  • google-anyscale-cloudapis - This enables the Google Cloud APIs necessary for Anyscale to work
  • google-anyscale-cloudstorage - This builds a Cloud Storage bucket, which Anyscale uses to store cluster logs and shared resources.
  • google-anyscale-filestore - This builds a FileStore and mount points, which Workspaces use.
  • google-anyscale-iam - This builds IAM roles and policies. One role for cross-account access from the Anyscale Control Plane, and one for compute/clusters to use.
  • google-anyscale-project - This builds a base Google Project
  • google-anyscale-vpc - This builds a rudimentary Google VPC
  • google-anyscale-vpc-firewall - This builds the required Google VPC Firewall Policy
  • google-anyscale-memorystore - This (optional) module creates a Memorystore resource used for Anyscale Services Head Node High Availability. To use, make sure to set enable_anyscale_memorystore properly.

These sub-modules should only be called from the root module (current location).

Customization

These modules are designed with best practices in mind, ensuring a secure, efficient, and scalable Anyscale deployment on Google Cloud. Each submodule can be disabled, allowing easy incorporation of custom solutions for specific resources.

If you choose to disable a module, creating and managing that resource shifts to you. This flexibility is ideal if you have existing network setups (e.g., VPCs) or need tailored configurations for Buckets, IAM, Filestore, or other services. The Anyscale GCP Terraform Modules are particularly useful for integrating Anyscale components with pre-existing infrastructure, ensuring a smooth blend between what you already have and need.

Examples

The examples folder has several common use cases that have been tested. These include:

  • Anyscale v2
    • anyscale-v2: Build everything with minimal parameters (primarily used for testing)
    • anyscale-v2-commonname: Build everything, use a common name for all resources
    • anyscale-v2-privatenetwork: Build everything but with a private network - includes Memorystore resources
    • anyscale-v2-existingproject: Build everything except the project
    • anyscale-v2-existingvpc: Build everything except the VPC
    • anyscale-v2-kitchensink: Build everything with as many parameters as possible
    • anyscale-v2-vpc-shared: Build evertything but use an existing VPC shared from a different Anyscale Project

These examples will include an output that can be run with the Anyscale CLI to build an Anyscale Cloud with the Google resources. Additional examples can be requested via an issues ticket.

Example Cloud Register command for GCP:

anyscale cloud register --provider gcp \
--name gce-anyscale-tf-test-1 \
--vpc-name anyscale-tf-test-1 \
--subnet-names anyscale-tf-test-1-subnet-uscentral1 \
--filestore-instance-id anyscale-tf-test-1  \
--filestore-location us-central1-a \
--anyscale-service-account-email anyscale-tf-test-1-crossacc@gcp-register-cloud-1.iam.gserviceaccount.com \
--instance-service-account-email anyscale-tf-test-1-cluster@gcp-register-cloud-1.iam.gserviceaccount.com \
--firewall-policy-names anyscale-tf-test-1-fw  \
--cloud-storage-bucket-name anyscale-tf-test-1 \
--region us-central1 \
--project-id gcp-register-cloud-dogfood-1 \
--provider-name projects/123456789012/locations/global/workloadIdentityPools/anyscale-tf-test-1/providers/private-cloud
--memorystore-instance-name anyscale-memorystore
--private-network

Reporting Issues

We use GitHub Issues to track community reported issues and missing features.

Notes

Memorystore Module notes

When registering a cloud with Memorystore, please take note that Ray GCS supports a single shard across multiple Redis nodes, but NOT multiple shards.

Known Issues/Untested Features

None

Requirements

Name Version
terraform >= 1.0
google ~> 5.0
random ~> 3.0

Providers

Name Version
google 6.4.0
random 3.6.3

Modules

Name Source Version
google_anyscale_cloudapis ./modules/google-anyscale-cloudapis n/a
google_anyscale_cloudstorage ./modules/google-anyscale-cloudstorage n/a
google_anyscale_filestore ./modules/google-anyscale-filestore n/a
google_anyscale_iam ./modules/google-anyscale-iam n/a
google_anyscale_loggingsink ./modules/google-anyscale-loggingsink n/a
google_anyscale_memorystore ./modules/google-anyscale-memorystore n/a
google_anyscale_project ./modules/google-anyscale-project n/a
google_anyscale_vpc ./modules/google-anyscale-vpc n/a
google_anyscale_vpc_firewall_policy ./modules/google-anyscale-vpc-firewall n/a

Resources

Name Type
random_id.common_name resource
google_client_config.current data source
google_compute_subnetwork.existing_vpc_subnet data source
google_compute_subnetwork.shared_vpc_subnet data source

Inputs

Name Description Type Default Required
allow_ssh_from_google_ui (Optional) Determines if SSH access is allowed from the Google UI.

ex:
allow_ssh_from_google_ui = true
bool false no
anyscale_access_role_description (Optional) The description of the Anyscale IAM access role.

ex:
anyscale_access_role_description = "Anyscale Cross Account Access"
string "Anyscale Cross Account Access Role" no
anyscale_bucket_cors_rules (Optional) List of CORS rules to configure.

Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket.html#cors except max_age_seconds should be a number.

ex:
anyscale_bucket_cors_rules = [
{
origins = ["https://.anyscale.com"]
methods = ["GET", "HEAD, "PUT", "POST", "DELETE"]
response_headers = ["
"]
max_age_seconds = 3600
}
]
set(object({
# Object with keys:
# - origins - (Required) List of values, with wildcards, of the Origin header in the request that an incoming OPTIONS request will be matched against.
# - methods - (Required) Lilst of values, with wildcards, of the Access-Control-Request-Method header in the request that an incoming OPTIONS request will be matched against.
# - response_headers - (Required) List of values, with wildcards, of the Access-Control-Request-Headers header in the request that an incoming OPTIONS request will be matched against.
# - max_age_seconds - (Optional) The value, in seconds, to return in the Access-Control-Max-Age header used in preflight responses.
origins = list(string)
methods = list(string)
response_headers = list(string)
max_age_seconds = number
}))
[
{
"max_age_seconds": 3600,
"methods": [
"GET",
"POST",
"PUT",
"HEAD",
"DELETE"
],
"origins": [
"https://.anyscale.com"
],
"response_headers": [
"
"
]
}
]
no
anyscale_bucket_lifecycle_rules (Optional) List of lifecycle rules to configure.

Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket.html#lifecycle_rule except condition.matches_storage_class should be a comma delimited string.

ex:
anyscale_bucket_lifecycle_rules = [
{
action = {
type = "Delete"
storage_class = "MULTI_REGIONAL"
}
condition = {
age = 30
}
}
]
set(object({
# Object with keys:
# - type - The type of the action of this Lifecycle Rule. Supported values: Delete and SetStorageClass.
# - storage_class - (Required if action type is SetStorageClass) The target Storage Class of objects affected by this Lifecycle Rule.
action = map(string)

# Object with keys:
# - age - (Optional) Minimum age of an object in days to satisfy this condition.
# - created_before - (Optional) Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.
# - with_state - (Optional) Match to live and/or archived objects. Supported values include: "LIVE", "ARCHIVED", "ANY".
# - matches_storage_class - (Optional) Comma delimited string for storage class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, DURABLE_REDUCED_AVAILABILITY.
# - matches_prefix - (Optional) One or more matching name prefixes to satisfy this condition.
# - matches_suffix - (Optional) One or more matching name suffixes to satisfy this condition.
# - num_newer_versions - (Optional) Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition.
# - custom_time_before - (Optional) A date in the RFC 3339 format YYYY-MM-DD. This condition is satisfied when the customTime metadata for the object is set to an earlier date than the date used in this lifecycle condition.
# - days_since_custom_time - (Optional) The number of days from the Custom-Time metadata attribute after which this condition becomes true.
# - days_since_noncurrent_time - (Optional) Relevant only for versioned objects. Number of days elapsed since the noncurrent timestamp of an object.
# - noncurrent_time_before - (Optional) Relevant only for versioned objects. The date in RFC 3339 (e.g. 2017-06-13) when the object became nonconcurrent.
condition = map(string)
}))
[] no
anyscale_bucket_location (Optional) The location of the bucket.

ex:
anyscale_bucket_location = "US"
string "US" no
anyscale_bucket_name (Optional - forces new resource) Cloudstorage bucket name.

The name of the bucket used to store Anyscale related logs and other shared resources.
- If left null, will default to anyscale_bucket_prefix.
- If provided, overrides the anyscale_bucket_prefix variable.

ex:
anyscale_bucket_name = "anyscale-bucket"
string null no
anyscale_bucket_prefix (Optional - forces new resource) Cloudstorage bucket name prefix.

Creates a unique bucket name beginning with the specified prefix.
- If anyscale_bucket_name is provided, it will override this variable.
- The variable general_prefix is a fall-back prefix if this is not provided.
- Default is null but is set to anyscale- in a local variable.

ex:
anyscale_bucket_prefix = "anyscale-bucket-"
string null no
anyscale_bucket_storage_class (Optional) Bucket storage class.

Must be one of: STANDARD, MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, ARCHIVE

ex:
anyscale_bucket_storage_class = "STANDARD"
string "STANDARD" no
anyscale_cloud_id (Optional) Anyscale Cloud ID.

This is the ID of the Anyscale Cloud. This is not the same as the GCP Project ID. Used in labels.

ex:
anyscale_cloud_id = "cld_1234567890"
string null no
anyscale_cluster_node_service_acct_description (Optional) The description of the IAM role that will be created for Anyscale access.

ex:
anyscale_cluster_node_service_acct_description = "Anyscale Cluster Node"
string null no
anyscale_cluster_node_service_acct_name (Optional - forces new resource) IAM Cluster Node Role Name

The name of the IAM role that will be created for Anyscale cluster nodes.
- If left null, will default to anyscale_cluster_node_service_acct_name_prefix.
- If provided, overrides the anyscale_cluster_node_service_acct_name_prefix variable.
- It needs to be > 4 chars and < 28 chars.

ex:
anyscale_cluster_node_service_acct_name = "anyscale-cluster-node"
string null no
anyscale_cluster_node_service_acct_name_prefix (Optional - forces new resource) IAM Cluster Node Role Name Prefix

Creates a unique IAM role name beginning with the specified prefix.
- If anyscale_cluster_node_service_acct_name is provided, it will override this variable.
- The variable general_prefix is a fall-back prefix if this is not provided.
- Default is null but is set to anyscale-cluster- in a local variable.
- It needs to be > 4 chars and < 20 chars.

ex:
anyscale_cluster_node_service_acct_name_prefix = "anyscale-cluster-"
string null no
anyscale_deploy_env (Optional) Anyscale deploy environment.

Used in resource names and tags.

ex:
anyscale_deploy_env = "production"
string "production" no
anyscale_filestore_capacity_gb (Optional) The capacity of the fileshare in GB.
This must be at least 1024 GiB for the standard or enterprise tiers, or 2560 GiB for the premium tier.
Default is 1024.
number 1024 no
anyscale_filestore_description (Optional) The description of the filestore instance.

ex:
anyscale_filestore_description = "Anyscale Filestore Instance"
string "Anyscale Filestore Instance" no
anyscale_filestore_fileshare_name (Optional - forces new resource) Filestore fileshare name.

The name of the fileshare to create.
- If left null, will default to common_name.
- If common_name is null or over 16 chars, will default to anyscale.
- Must start with a letter, followed by letters, numbers, or underscores, and cannot end with an underscore.
- Can not be longer than 16 characters.

ex:
anyscale_filestore_fileshare_name = "anyscale-fileshare"
string null no
anyscale_filestore_labels (Optional) Filestore Labels

A map of labels to be added to the Filestore instance.
Duplicate labels in labels will be overwritten by labels in anyscale_filestore_labels.

ex:
anyscale_filestore_labels = {
application = "Anyscale",
environment = "prod"
}
map(string) {} no
anyscale_filestore_location (Optional) The name of the location region in which the filestore resource will be created.

This can be a region for ENTERPRISE tier instances.
If it is not provided, the region for the VPC network will be used
If a VPC network was not created, provider region is used.

ex:
anyscale_filestore_location = "us-central1"
string null no
anyscale_filestore_name (Optional - forces new resource) Filestore instance name.

The name of the filestore instance used to store Anyscale related logs and other shared resources.
- If left null, will default to anyscale_filestore_name_prefix.
- If provided, overrides the anyscale_filestore_name_prefix variable.

ex:
anyscale_filestore_name = "anyscale-filestore"
string null no
anyscale_filestore_name_prefix (Optional - forces new resource) Filestore instance name prefix.

Creates a unique filestore instance name beginning with the specified prefix.
- If anyscale_filestore_name is provided, it will override this variable.
- The variable general_prefix is a fall-back prefix if this is not provided.
- Default is null but is set to anyscale- in a local variable.

ex:
anyscale_filestore_name_prefix = "anyscale-filestore-"
string null no
anyscale_filestore_network_conect_mode (Optional) The network connect mode of the filestore instance.

Must be one of DIRECT_PEERING or PRIVATE_SERVICE_ACCESS. If using a Shared VPC, this must be set to PRIVATE_SERVICE_ACCESS.

ex:
anyscale_filestore_network_conect_mode = "DIRECT_PEERING"
string "DIRECT_PEERING" no
anyscale_filestore_tier (Optional) The tier of the filestore to create.

Supported values include STANDARD, PREMIUM, BASIC_HDD, BASIC_SSD, HIGH_SCALE_SSD, ENTERPRISE, ZONAL, and REGIONAL.

ex:
anyscale_filestore_tier = "STANDARD"
string "STANDARD" no
anyscale_iam_access_role_id (Optional, forces creation of new resource) The ID of the Anyscale IAM access role.

Overrides anyscale_iam_access_role_id_prefix.

ex:
anyscale_iam_access_role_id = "anyscale_access_role"
string null no
anyscale_iam_access_role_id_prefix (Optional, forces creation of new resource) The prefix of the Anyscale IAM access role.

If anyscale_iam_access_role_id is provided, it will override this variable.
If set to null, the prefix will be set to "anyscale_" in a local variable.

ex:
anyscale_iam_access_role_id_prefix = "anyscale_crossacct_role_"
string "anyscale_crossacct_role_" no
anyscale_iam_access_service_acct_description (Optional) The description of the IAM role that will be created for Anyscale access.

ex:
anyscale_iam_access_service_acct_description = "Anyscale Cross Account Access"
string null no
anyscale_iam_access_service_acct_name (Optional - forces new resource) IAM Access Service Account Name

The name of the IAM role that will be created for Anyscale access.
- If left null, will default to anyscale_iam_access_service_acct_name_prefix.
- If provided, overrides the anyscale_iam_access_service_acct_name_prefix variable.
- It needs to be > 4 chars and < 28 chars.

ex:
anyscale_iam_access_service_acct_name = "anyscale-crossacct-access"
string null no
anyscale_iam_access_service_acct_name_prefix (Optional - forces new resource) IAM Access Role Name Prefix

Creates a unique IAM Service Account name beginning with the specified prefix.
- If anyscale_iam_access_service_acct_name is provided, it will override this variable.
- The variable general_prefix is a fall-back prefix if this is not provided.
- Default is null but is set to anyscale-crossacct- in a local variable.
- It needs to be > 4 chars and < 20 chars.

ex:
anyscale_iam_access_service_acct_name_prefix = "anyscale-crossacct-"
string null no
anyscale_memorystore_display_name (Optional) Memorystore Display Name

The display name of the Memorystore instance used for Anyscale Services Head Node HA.
Must start with a lowercase letter followed by up to 62 lowercase letters, numbers, or hyphens, and cannot end with a hyphen.

ex:
anyscale_memorystore_display_name = "Anyscale Memorystore"
string null no
anyscale_memorystore_labels (Optional) Memorystore Labels

A map of labels to be added to the Memorystore instance.
Duplicate labels in labels will be overwritten by labels in anyscale_memorystore_labels.

ex:
anyscale_memorystore_labels = {
application = "Anyscale",
environment = "prod"
}
map(string) {} no
anyscale_memorystore_name (Optional - forces new resource) Memorystore Name

The name of the Memorystore instance used for Anyscale Services Head Node HA.

If left null, will default to anyscale_memorystore_name_prefix.
If provided, overrides the anyscale_memorystore_name_prefix variable.

ex:
anyscale_memorystore_name = "anyscale-memorystore"
string null no
anyscale_memorystore_name_prefix (Optional - forces new resource) Memorystore Name Prefix

Creates a unique Memorystore instance name beginning with the specified prefix.
If anyscale_memorystore_name is provided, it will override this variable.

Because it is the prefix, it can end in a hyphen as it will have a random suffix appended to it.
The variable general_prefix is a fall-back prefix if this is not provided.

ex:
anyscale_memorystore_name_prefix = "anyscale-memorystore"
string null no
anyscale_organization_id (Required) Anyscale Organization ID.
This is the ID of the Anyscale Organization. This is not the same as the GCP Organization ID.
The Organization ID will be used to lock down the cross account access from Anyscale.
You can find the Anyscale Organization ID by going to the Anyscale UI while logged in as an Organization Owner,
and clicking on you're username, then clicking on Organization.
This is required.
string n/a yes
anyscale_project_billing_account (Optional) Google Billing Account ID.

This is required if creating a new project.

ex:
anyscale_project_billing_account = "123456-123456-123456"
string null no
anyscale_project_folder_id (Optional) The ID of a Google Cloud Folder.

Conflicts with anyscale_project_organization_id. If anyscale_project_folder_id is provided, it will be used and anyscale_project_organization_id will be ignored.

Changing this forces the project to be migrated to the newly specified folder.

ex:
anyscale_project_folder_id = "1234567890"
string null no
anyscale_project_labels (Optional) Project labels.

A map of labels to be added to the Anyscale Project.

ex:
anyscale_project_labels = {
application = "Anyscale",
environment = "prod"
}
Default is an empty map.
map(string) {} no
anyscale_project_name (Optional) Google Project name.

Google Project Name to create.

ex:
anyscale_project_name = "anyscale-project"
string null no
anyscale_project_name_prefix (Optional) The name prefix for the project.

If anyscale_project_name is provided, it will override this variable.
The variable general_prefix is a fall-back prefix if this is not provided.

Default is null but is set to anyscale-project- in a local variable.

ex:
anyscale_project_name_prefix = "anyscale-project-"
string null no
anyscale_project_organization_id (Optional) Google Cloud Organization ID.

Conflicts with anyscale_project_folder_id. If anyscale_project_folder_id is provided, it will be used and organization_id will be ignored.

Changing this forces the project to be migrated to the newly specified organization.

ex:
anyscale_project_organization_id = "1234567890"
string null no
anyscale_vpc_create_natgw (Optional) Determines if a NAT Gateway is created.

anyscale_vpc_private_subnet_cidr must also be specified for this resource to be created.

ex:
anyscale_vpc_create_natgw = true
bool true no
anyscale_vpc_description (Optional) The description of the VPC.

ex:
anyscale_vpc_description = "Anyscale VPC"
string "VPC for Anyscale Resources" no
anyscale_vpc_firewall_allow_access_from_cidrs (Required) Comma delimited string of IPv4 CIDRs

CIDR ranges to allow access to Anyscale resources. This should be the list of CIDR ranges that have access to the clusters. Public or private IPs are supported.
SSH and HTTPs ports will be opened to these CIDR ranges.

ex:
anyscale_vpc_firewall_allow_access_from_cidrs = "10.0.1.0/24,24.1.24.24/32"
string n/a yes
anyscale_vpc_firewall_policy_description (Optional) The description of the Anyscale VPC Firewall Policy.

ex:
anyscale_vpc_firewall_policy_description = "Anyscale VPC Firewall Policy"
string "Anyscale VPC Firewall Policy" no
anyscale_vpc_firewall_policy_name (Optional) The name of the Anyscale VPC Firewall Policy.

ex:
anyscale_vpc_firewall_policy_name = "anyscale-vpc-firewall-policy"
string null no
anyscale_vpc_name (Optional) VPC name.

The name of the VPC to create.
- If left null, will default to anyscale_vpc_name_prefix.
- If provided, overrides the anyscale_vpc_name_prefix variable.

ex:
anyscale_vpc_name = "anyscale-vpc"
string null no
anyscale_vpc_name_prefix (Optional) The prefix of the VPC name.

Creates a unique VPC name beginning with the specified prefix.
- If anyscale_vpc_name is provided, it will override this variable.
- The variable general_prefix is a fall-back prefix if this is not provided.
- Default is null but is set to anyscale-vpc- in a local variable.

ex:
anyscale_vpc_name_prefix = "anyscale-vpc-"
string null no
anyscale_vpc_private_subnet_cidr (Optional) The private subnet to create.

Anyscale recommends a /20 or larger CIDR block, but will accept a /24 or larger with a warning. The Anyscale VPC module will only create one private subnet in one region.

ex:
anyscale_vpc_private_subnet_cidr = "10.100.0.0/20"
string null no
anyscale_vpc_private_subnet_name (Optional) The private subnet name.

This VPC terraform will only create one private subnet in one region.
Overrides anyscale_vpc_private_subnet_suffix if provided.

ex:
anyscale_vpc_private_subnet_name = "anyscale-private-subnet"
string null no
anyscale_vpc_private_subnet_suffix (Optional) The private subnet suffix.

Prepended with the VPC name and region to create a unique private subnet name.
Overriden by anyscale_vpc_private_subnet_name.

ex:
anyscale_vpc_private_subnet_suffix = "private"
string "private" no
anyscale_vpc_proxy_subnet_cidr (Optional) The proxy subnet to create.

Anyscale recommends a /22 or larger CIDR block. The Anyscale VPC module will only create one proxy subnet in one region.
Anyscale uses Proxy Subnets for the load balancer as part of Anyscale Services.

ex:
anyscale_vpc_proxy_subnet_cidr = "10.100.0.0/20"
string null no
anyscale_vpc_proxy_subnet_name (Optional) The proxy subnet name.

Overrides anyscale_vpc_proxy_subnet_suffix if provided.

This VPC terraform will only create one proxy subnet in one region. Proxy-Only subnets are used for Google Cloud Load Balancers.
More information can be found in the Google Cloud Load Balancer Documentation.

ex:
anyscale_vpc_proxy_subnet_name = "anyscale-proxy-subnet"
string null no
anyscale_vpc_proxy_subnet_suffix (Optional) The proxy subnet suffix.

Prepended with the VPC name and region to create a unique proxy subnet name.
Overridden by anyscale_vpc_proxy_subnet_name.

ex:
anyscale_vpc_proxy_subnet_suffix = "proxy"
string "proxy" no
anyscale_vpc_public_subnet_cidr (Optional) The public subnet to create.

This VPC terraform will only create one public subnet in one region.

ex:
anyscale_vpc_public_subnet_cidr = "10.100.0.0/20"
string null no
anyscale_vpc_public_subnet_name (Optional) The public subnet name.

This VPC terraform will only create one public subnet in one region.
Overrides anyscale_vpc_public_subnet_suffix if provided.

ex:
anyscale_vpc_public_subnet_name = "anyscale-public-subnet"
string null no
anyscale_vpc_public_subnet_suffix (Optional) The public subnet suffix.

Prepended with the VPC name and region to create a unique public subnet name.
Overridden by anyscale_vpc_public_subnet_name.

ex:
anyscale_vpc_public_subnet_suffix = "public"
string "public" no
anyscale_workload_identity_account_id (Optional) The AWS Account ID for Anyscale. Only use this if you are instructed to do so.

This will override the sub-module variable: anyscale_aws_account_id

ex:
anyscale_workload_identity_account_id = "123456789012"
string null no
anyscale_workload_identity_pool_description (Optional) The description of the workload identity pool.

ex:
anyscale_workload_identity_pool_description = "Used to provide Anyscale access from AWS."
string "Used to provide Anyscale access from AWS." no
anyscale_workload_identity_pool_display_name (Optional) The display name of the workload identity pool.

Must be less than or equal to 32 chars.

ex:
anyscale_workload_identity_pool_display_name = "Anyscale Cross Account Access"
string "Anyscale Cross Account Access" no
anyscale_workload_identity_pool_name (Optional) The name of the workload identity pool.

If it is not provided, the Anyscale Access role name is used.

ex:
anyscale_workload_identity_pool_name = "anyscale-identitypool-access"
string null no
anyscale_workload_identity_pool_provider_name (Optional) The name of the workload identity pool provider.

If it is not provided, the Anyscale Access role name is used.

ex:
anyscale_workload_identity_pool_provider_name = "anyscale-identitypool-access"
string null no
bucket_iam_member_additional_roles (Optional) List of roles to grant to the Anyscale Service Accounts on the storage bucket.

This allows you to append the defaults in the google-anyscale-cloudstorage module.

Default is an empty list but will be populated with the following roles via the module: ["roles/storage.objectAdmin", "roles/storage.legacyBucketWriter", "roles/storage.folderAdmin"]

ex:
bucket_iam_member_additional_roles = ["roles/storage.objectAdmin"]
list(string) [] no
common_prefix (Optional) Common Prefix for all resources.

A common prefix to add to resources created (where prefixes are allowed).
If paired with use_common_name, this will apply to all resources.
If this is not paired with use_common_name, this applies to:
- CloudStorage Buckets
- IAM Resources
- Security Groups
Resource specific prefixes override this variable.
Max length is 30 characters.

ex:
common_prefix = "anyscale-"
string null no
enable_anyscale_filestore (Optional) Determines if the Anyscale Filestore is created.

ex:
enable_anyscale_filestore = true
bool true no
enable_anyscale_gcs (Optional) Determines if the Anyscale Cloud Storage bucket is created.

ex:
enable_anyscale_gcs = true
bool true no
enable_anyscale_iam (Optional) Determines if the Anyscale IAM resources are created.

ex:
enable_anyscale_iam = true
bool true no
enable_anyscale_loggingsink (Optional) Determines if the Anyscale Logging Sink is executed.

This sub-module will disable sending syslog events to the _Default Log Sink.

ex:
enable_anyscale_loggingsink = true
bool true no
enable_anyscale_memorystore (Optional) Determines if the Anyscale Memorystore is created.

ex:
enable_anyscale_memorystore = true
bool false no
enable_anyscale_vpc_firewall (Optional) Determines if the Anyscale VPC Firewall is created.

The Anyscale VPC Firewall is a Google Cloud VPC Firewall Policy that allows access to Anyscale resources.

ex:
enable_anyscale_vpc_firewall = true
bool true no
enable_cloud_logging_monitoring (Optional) Determines if the Google Cloud Logging and Monitoring APIs are enabled.

If this is set to true, the following APIs will be enabled:
- logging.googleapis.com
- monitoring.googleapis.com

Additionally, the Anyscale Cluster Role will be granted access to the following roles:
- logging.logWriter
- monitoring.metricWriter
- monitoring.viewer

ex:
enable_cloud_logging_monitoring = true
bool false no
enable_google_apis (Optional) Determines if the required Google APIs are enabled.

ex:
enable_google_apis = true
bool true no
existing_cloudstorage_bucket_name (Optional) Existing Cloud Storage Bucket Name.

The name of an existing Cloud Storage bucket that you'd like to use. Please make sure that it meets the minimum requirements for Anyscale including:
- Bucket Policy
- CORS Policy
- Encryption configuration

If provided, this will skip creating a new Cloud Storage bucket with the Anyscale Cloud Storage module.

ex:
existing_cloudstorage_bucket_name = "anyscale-bucket"
string null no
existing_filestore_instance_name (Optional) Existing Filestore Instance Name.

The name of an existing Filestore instance that you'd like to use.
If provided, this will skip creating a new Filestore instance with the Anyscale Filestore module.

ex:
existing_filestore_instance_name = "anyscale-filestore"
string null no
existing_memorystore_instance_name (Optional) The name of an existing Memorystore instance.

If this is provided, the Anyscale Memorystore module will skip creating a new Memorystore instance.

ex:
existing_memorystore_instance_name = "anyscale-memorystore"
string null no
existing_project_id (Optional) An existing GCP Project ID.

If provided, this will skip creating resources with the Anyscale Project module.

ex:
existing_project_id = "my-project-id"
string null no
existing_vpc_id (Optional) An existing VPC ID.

If provided, this module will skip creating a new VPC with the Anyscale VPC module.
An existing VPC Subnet Name (existing_vpc_subnet_name) is also required if this is provided.

ex:
existing_vpc_id = "projects/anyscale/global/networks/anyscale-network"
string null no
existing_vpc_name (Optional) An existing VPC Name.

If provided, this module will skip creating a new VPC with the Anyscale VPC module.
An existing VPC Subnet Name (existing_vpc_subnet_name) is also required if this is provided.

ex:
existing_vpc_name = "anyscale-vpc"
string null no
existing_vpc_subnet_name (Optional) Existing subnet name to create Anyscale resources in.

If provided, this will skip creating resources with the Anyscale VPC module.
An existing VPC Name (existing_vpc_name) is also required if this is provided.

ex:
existing_vpc_subnet_name = "anyscale-subnet"
string null no
existing_workload_identity_provider_name (Optional) The name of an existing workload identity provider to use.

If provided, will skip creating the workload identity pool and provider. The Workload Identity Provider can be in a different project.

You can retrieve the name of an existing Workload Identity Provider by running the following command:
gcloud iam workload-identity-pools providers list --location global --workload-identity-pool anyscale-access-pool
ex:
existing_workload_identity_provider_name = "projects/1234567890/locations/global/workloadIdentityPools/anyscale-access-pool/providers/anyscale-access-provider"
string null no
ingress_from_machine_pool_cidr_ranges (Optional) CIDR Range for Anyscale Machine Pools.

If a CIDR range is provided, a firewall rule will be created to support Anyscale Machine Pools.

ex:
ingress_from_machine_pool_cidr_ranges = ["10.100.1.0/24","10.102.1.0/24"]
list(string) [] no
labels (Optional) A map of labels.

Labels to be added to all resources that accept labels.
Resource dependent labels will be appended to this list.

ex:
labels = {
application = "Anyscale",
environment = "prod"
}
Default is an empty map.
map(string) {} no
random_char_length (Optional) Random suffix character length

Determines the random suffix length that is used to generate a common name.

Certain Google resources have a hard limit on name lengths and this will allow
the ability to control how many characters are added as a suffix.
Many Google resources have a limit of 28 characters in length.
Keep that in mind while setting this value.
Must be >= 2 and <= 12.

ex:
random_char_length = 4
number 4 no
shared_vpc_project_id (Optional) The ID of the project that hosts the shared VPC.

If provided, this will set the Project ID to the Shared VPC for the google-anyscale-vpc-firewall submodule.
An existing VPC Name (existing_vpc_name) and VPC Subnet Name (existing_vpc_subnet_name) are also required if this is provided.

ex:
shared_vpc_project_id = "anyscale-sharedvpc"
string null no
use_common_name (Optional) Determines if a standard name should be used across all resources.

- If set to true and common_prefix is also provided, the common_prefix will be used and prefixed to a common name.
- If set to true and common_prefix is not provided, the prefix will be anyscale-
- If set to true, this will also use a random suffix to avoid name collisions.

ex:
use_common_name = true
bool false no

Outputs

Name Description
cloudstorage_bucket_name The Google Cloud Storage bucket name.
cloudstorage_bucket_selflink The Google Cloud Storage self link.
cloudstorage_bucket_url The Google Cloud Storage url for the bucket. Will be in the format gs://<bucket-name>.
filestore_fileshare_name The Google Filestore fileshare name.
filestore_id The Google Filestore id.
filestore_location The Google Filestore location.
filestore_name The Google Filestore name.
iam_anyscale_access_service_acct_email The Google IAM Anyscale Access Service Account email.
iam_anyscale_access_service_acct_id The Google IAM Anyscale Access Service Account ID.
iam_anyscale_access_service_acct_name The Google IAM Anyscale Access Service Account name.
iam_anyscale_access_service_acct_unique_id The Google IAM Anyscale Access Service Account unique id.
iam_anyscale_cluster_node_service_acct_email The Google IAM Anyscale Cluster Node Service Account email.
iam_anyscale_cluster_node_service_acct_id The Google IAM Anyscale Cluster Node Service Account ID.
iam_anyscale_cluster_node_service_acct_name The Google IAM Anyscale Cluster Node Service Accpimt name.
iam_anyscale_cluster_node_service_acct_unique_id The Google IAM Anyscale Cluster Node Service Account unique id.
iam_workload_identity_pool_id The Google IAM Anyscale Workload Identity Pool id.
iam_workload_identity_pool_name The Google IAM Anyscale Workload Identity Pool name.
iam_workload_identity_provider_id The Google IAM Anyscale Workload Identity Provider id.
iam_workload_identity_provider_name The Google IAM Anyscale Workload Identity Provider name.
memorystore_current_location_id The current zone where the Redis endpoint is placed.
memorystore_host The IP address of the instance.
memorystore_id The memorystore instance ID.
memorystore_port The port number of the exposed Redis endpoint.
memorystore_region The region the instance lives in.
private_subnet_cidr The Google VPC private subnet cidr.
private_subnet_id The Google VPC private subnet id.
private_subnet_name The Google VPC private subnet name.
private_subnet_region The Google VPC private subnet region.
project_id The Google Project id.
project_name The Google Project name.
public_subnet_cidr The Google VPC public subnet cidr.
public_subnet_id The Google VPC public subnet id.
public_subnet_name The Google VPC public subnet name.
public_subnet_region The Google VPC public subnet region.
vpc_firewall_id The Google VPC firewall policy id.
vpc_firewall_policy_name The Google VPC firewall policy name.
vpc_firewall_selflink The Google VPC firewall policy self link.
vpc_id The Google VPC id.
vpc_name The Google VPC network name.
vpc_selflink The Google VPC self link.

About

Terraform modules to manage Google cloud infrastructure for Anyscale.

Resources

Stars

Watchers

Forks

Packages

No packages published