Step 1: Prepare your project
This page describes the steps to prepare your Google Cloud project before deploying Manufacturing Data Engine (MDE) using Terraform.
Overview
MDE is delivered as a packaged solution. A Terraform script deploys all the required components and the integration code into your Google Cloud project. This gives you maximum flexibility to modify and extend the architecture based on your needs.
The deployment script automatically sets up and configures the solution, assuming prerequisites such as a Google Cloud project and permissions are in place. Some customers may have extensive, customized Google Cloud restrictions in place. If this is the case, extra work (via Google Cloud Consulting or a Systems Integration partner) may be required for the deployment to navigate around these restrictions.
1. Prepare your client environment
Your client environment needs to have the following CLI tools installed in their latest versions:
- Google Cloud CLI with the following additional components installed:
  - kubectl
  - cbt
- Terraform CLI (v1.9.x or later). Make sure you also check the Minimum requirements for Terraform and the Terraform providers.
- Helm CLI (v3.9.x or later)
You can use any client environment to deploy MDE, but you can save time by deploying it from Cloud Shell since it has most of the required tools already installed.
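A preflight script for the tooling list above, added here as an example and not part of the MDE documentation. The minimum versions are the ones the list states (Terraform 1.9, Helm 3.9); the per-tool version commands (terraform version -json, helm version --template) are assumptions about those CLIs, and cbt and kubectl are only checked for presence because the page gives no minimum for them. The version comparison is numeric per dotted component, so a future 3.10.x Helm is correctly accepted against a 3.9.0 floor.

```shell
#!/bin/sh
# Added example (not part of the MDE documentation): preflight check of the
# client tooling listed above. Minimum versions come from the list; the
# tool-specific version commands are assumptions about each CLI.
TERRAFORM_MIN="1.9.0"
HELM_MIN="3.9.0"

# version_ge HAVE WANT -> exit 0 when HAVE >= WANT. A leading "v" and any
# pre-release/build suffix are ignored; each dotted component is compared
# numerically so that 3.10.0 ranks above 3.9.0 (a string compare would not).
version_ge() {
  have=$(printf '%s' "$1" | sed 's/^v//; s/[-+].*$//').0.0
  want=$(printf '%s' "$2" | sed 's/^v//; s/[-+].*$//').0.0
  i=1
  while [ "$i" -le 3 ]; do
    h=$(printf '%s' "$have" | cut -d. -f"$i")
    w=$(printf '%s' "$want" | cut -d. -f"$i")
    [ "${h:-0}" -gt "${w:-0}" ] && return 0
    [ "${h:-0}" -lt "${w:-0}" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# installed_version TOOL -> prints the installed version, nothing if absent.
installed_version() {
  command -v "$1" >/dev/null 2>&1 || return 1
  case "$1" in
    terraform) terraform version -json 2>/dev/null |
                 sed -n 's/.*"terraform_version": *"\([^"]*\)".*/\1/p' ;;
    helm)      helm version --template '{{.Version}}' 2>/dev/null ;;
  esac
}

# preflight -> exit 0 when every tool is present and the versioned ones meet
# their minimum; otherwise print what is wrong and exit 1.
preflight() {
  status=0
  for tool in gcloud kubectl cbt terraform helm; do
    command -v "$tool" >/dev/null 2>&1 || { echo "MISSING: $tool"; status=1; }
  done
  tf=$(installed_version terraform || true)
  version_ge "${tf:-0}" "$TERRAFORM_MIN" ||
    { echo "terraform ${tf:-absent} is below $TERRAFORM_MIN"; status=1; }
  hv=$(installed_version helm || true)
  version_ge "${hv:-0}" "$HELM_MIN" ||
    { echo "helm ${hv:-absent} is below $HELM_MIN"; status=1; }
  return "$status"
}

# Run only when invoked as `sh preflight.sh run`, so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then
  preflight
fi
```

Run it as `sh preflight.sh run` in the shell you will deploy from; in Cloud Shell the missing pieces are usually only the Terraform or Helm version floor.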
2. Prepare your Google Cloud project
Make sure your Google Cloud project has the following characteristics:
- An active Cloud Billing account.
- It's part of an organization with an active Cloud Identity or Workspace account.
Set the default project to the MDE deployment project using the following command:
gcloud config set project PROJECT_ID
Replace PROJECT_ID with the MDE deployment project ID.
3. Create service accounts
You will need three different service accounts in your Google Cloud project:
- mde-imgs@PROJECT_ID.iam.gserviceaccount.com
- mde-df-worker@PROJECT_ID.iam.gserviceaccount.com
- mde-tf@PROJECT_ID.iam.gserviceaccount.com
Replace PROJECT_ID with the MDE deployment project ID.
A user in your org with the roles/iam.serviceAccountCreator role can create the mde-imgs, mde-df-worker and mde-tf service accounts with the following commands:
gcloud iam service-accounts create mde-imgs \
--description="Manufacturing Data Engine GKE Image Service Account" \
--display-name="Manufacturing Data Engine GKE Image Service Account"
gcloud iam service-accounts create mde-df-worker \
--description="Manufacturing Data Engine Dataflow Worker Service Account" \
--display-name="Manufacturing Data Engine Dataflow Worker Service Account"
gcloud iam service-accounts create mde-tf \
--description="Manufacturing Data Engine Terraform Service Account" \
--display-name="Manufacturing Data Engine Terraform Service Account"
4. Generate a key for the mde-imgs service account
MDE will deploy a GKE cluster where its services will run. The mde-imgs service account will be used to pull images from Artifact Registry to your GKE cluster. Terraform will need the key of this service account to pull the images.
A user with the roles/iam.serviceAccountKeyAdmin role or equivalent permissions can create the service account key with the following commands:
export PROJECT_ID=$(gcloud config get-value project)
# Create the target directory first; gcloud writes the key file but does not create missing directories.
mkdir -p ~/mde-projects/${PROJECT_ID}
gcloud iam service-accounts keys create ~/mde-projects/${PROJECT_ID}/mde-imgs-service-account-key.json \
  --iam-account="mde-imgs@${PROJECT_ID}.iam.gserviceaccount.com"
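The key file created above is a long-lived credential for mde-imgs, so it is worth checking, before Terraform consumes it, that it is what you expect and that only its owner can read it. The script below is an added example, not part of the MDE documentation; it assumes the key is the flat JSON that gcloud writes (with top-level type and client_email fields) and that the expected account is mde-imgs in the current project. The git-tree check only warns, because where you keep the file is a policy decision, but a key committed to a repository is the most common way such files leak.

```shell
#!/bin/sh
# Added example (not part of the MDE documentation): sanity checks on the
# mde-imgs key file after `gcloud iam service-accounts keys create`.
# Assumptions: flat JSON key file with top-level "type" and "client_email".

# file_mode PATH -> octal permission bits, e.g. 600 (GNU stat first, then BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# json_field PATH KEY -> value of a top-level string field. Good enough for
# the one-field-per-line JSON that gcloud writes; not a general JSON parser.
json_field() {
  sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_key_file PATH EXPECTED_EMAIL -> 0 when PATH is a service-account key
# for EXPECTED_EMAIL and is readable only by its owner; prints each problem.
check_key_file() {
  key="$1"; expected="$2"; rc=0
  [ -f "$key" ] || { echo "not found: $key"; return 1; }
  mode=$(file_mode "$key")
  [ "$mode" = "600" ] || { echo "mode is $mode; run: chmod 600 $key"; rc=1; }
  [ "$(json_field "$key" type)" = "service_account" ] ||
    { echo "not a service account key: $key"; rc=1; }
  actual=$(json_field "$key" client_email)
  [ "$actual" = "$expected" ] ||
    { echo "key belongs to '$actual', expected '$expected'"; rc=1; }
  # Warning only: a key inside a repository checkout is one commit away from leaking.
  if git -C "$(dirname "$key")" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    echo "warning: $key sits inside a git work tree; keep it out of version control"
  fi
  return "$rc"
}

# Run only when invoked as `sh check-key.sh run`, so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then
  PROJECT_ID=$(gcloud config get-value project)
  check_key_file "$HOME/mde-projects/${PROJECT_ID}/mde-imgs-service-account-key.json" \
    "mde-imgs@${PROJECT_ID}.iam.gserviceaccount.com"
fi
```

A non-zero exit means fix the listed problem before handing the file to Terraform; the mode check in particular catches keys created under a permissive umask.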
5. Grant roles for the mde-tf service account
Grant the mde-tf service account, used by Terraform for deployments, the following roles:
- roles/bigquery.admin
- roles/bigtable.admin
- roles/cloudsql.admin
- roles/compute.instanceAdmin
- roles/compute.loadBalancerAdmin
- roles/compute.networkAdmin
- roles/compute.securityAdmin
- roles/container.admin
- roles/container.developer
- roles/dns.admin
- roles/iam.serviceAccountAdmin
- roles/iam.serviceAccountUser
- roles/pubsub.admin
- roles/resourcemanager.projectIamAdmin
- roles/secretmanager.admin
- roles/secretmanager.secretVersionManager
- roles/serviceusage.serviceUsageAdmin
- roles/storage.admin
- roles/monitoring.admin
- roles/redis.admin
- roles/file.editor
The commands below additionally bind roles/dataflow.admin, which is not in the list above.
A user with the roles/iam.securityAdmin role or equivalent permissions can grant the required roles to the mde-tf service account with the following commands:
export PROJECT_ID=$(gcloud config get-value project)
export SA_TERRAFORM="mde-tf"
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/bigquery.admin'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/dataflow.admin'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/bigtable.admin'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/cloudsql.admin'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/compute.instanceAdmin'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/compute.loadBalancerAdmin'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/compute.networkAdmin'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/compute.securityAdmin'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/container.admin'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/container.developer'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/dns.admin'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/iam.serviceAccountAdmin'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/iam.serviceAccountUser'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/pubsub.admin'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/resourcemanager.projectIamAdmin'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/secretmanager.admin'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/secretmanager.secretVersionManager'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/serviceusage.serviceUsageAdmin'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/storage.admin'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/monitoring.admin'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/redis.admin'
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/file.editor'
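The same grants as a loop, followed by a check of the resulting project policy, added here as an example and not part of the MDE documentation. It assumes mde-tf lives in the project returned by gcloud config get-value project, and its role list is the one the commands above bind (including roles/dataflow.admin). The check matters because the list contains roles/resourcemanager.projectIamAdmin and roles/iam.serviceAccountAdmin: whoever can obtain tokens for mde-tf can administer IAM in the project, so both a role that silently failed to apply and a role bound to mde-tf that is not on the list deserve a look.

```shell
#!/bin/sh
# Added example (not part of the MDE documentation): grant the documented
# roles to mde-tf in a loop, then diff the live project policy against the list.
# Assumption: mde-tf is in the project selected with `gcloud config set project`.
EXPECTED_ROLES="
roles/bigquery.admin roles/dataflow.admin roles/bigtable.admin roles/cloudsql.admin
roles/compute.instanceAdmin roles/compute.loadBalancerAdmin roles/compute.networkAdmin
roles/compute.securityAdmin roles/container.admin roles/container.developer roles/dns.admin
roles/iam.serviceAccountAdmin roles/iam.serviceAccountUser roles/pubsub.admin
roles/resourcemanager.projectIamAdmin roles/secretmanager.admin
roles/secretmanager.secretVersionManager roles/serviceusage.serviceUsageAdmin
roles/storage.admin roles/monitoring.admin roles/redis.admin roles/file.editor
"

# roles_diff WANT HAVE -> prints every role in WANT that is absent from HAVE.
# Both arguments are whitespace- or newline-separated role names.
roles_diff() {
  for r in $1; do
    found=0
    for h in $2; do [ "$h" = "$r" ] && found=1; done
    [ "$found" -eq 1 ] || echo "$r"
  done
}

# granted_roles SA_EMAIL -> project-level roles bound to SA_EMAIL, one per line.
granted_roles() {
  gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$1" \
    --format="value(bindings.role)"
}

# grant_and_verify -> binds each expected role, then reports roles that are
# still missing (exit 1) and roles bound to mde-tf that are not on the list.
grant_and_verify() {
  sa="mde-tf@${PROJECT_ID}.iam.gserviceaccount.com"
  for role in $EXPECTED_ROLES; do
    gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:$sa" --role="$role" >/dev/null
  done
  live=$(granted_roles "$sa")
  missing=$(roles_diff "$EXPECTED_ROLES" "$live")
  extra=$(roles_diff "$live" "$EXPECTED_ROLES")
  [ -z "$missing" ] || printf 'not granted:\n%s\n' "$missing"
  [ -z "$extra" ] || printf 'bound to %s but not in the list (review):\n%s\n' "$sa" "$extra"
  [ -z "$missing" ]
}

# Run only when invoked as `sh grant-roles.sh run`, so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then
  PROJECT_ID=$(gcloud config get-value project)
  grant_and_verify
fi
```

The "extra" list is informational: it will legitimately be empty on a fresh project, and anything in it after deployment should be traceable to a later step.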
6. Impersonate the mde-tf service account
Your user account can impersonate the mde-tf service account once it holds the roles/iam.serviceAccountTokenCreator role on that service account.
A user with the roles/iam.serviceAccountAdmin role or equivalent permissions can grant your user account that role on the mde-tf service account using the following commands:
export USER_EMAIL=$(gcloud auth list --filter=status:ACTIVE --format="value(account)")
export PROJECT_ID=$(gcloud config get-value project)
gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.serviceAccountTokenCreator \
  --member "user:${USER_EMAIL}" \
  "mde-tf@${PROJECT_ID}.iam.gserviceaccount.com"
7. Enable the Google Cloud APIs
The following Google Cloud APIs must be enabled in order to execute the Terraform scripts:
- compute.googleapis.com
- iamcredentials.googleapis.com
- cloudresourcemanager.googleapis.com
A user with the roles/servicemanagement.serviceConsumer role or equivalent permissions can enable the APIs using the following command:
gcloud services enable \
compute.googleapis.com \
iamcredentials.googleapis.com \
cloudresourcemanager.googleapis.com
8. Prepare a Cloud Storage bucket
Terraform requires a Cloud Storage bucket (PROJECT_ID-tf) to store its state, and the mde-tf service account must have read and write permissions on this bucket.
A user with the roles/storage.admin role or equivalent permissions can create the bucket and grant mde-tf the requisite permissions with the following commands:
export PROJECT_ID=$(gcloud config get-value project)
gsutil mb "gs://${PROJECT_ID}-tf"
gsutil iam ch \
"serviceAccount:mde-tf@${PROJECT_ID}.iam.gserviceaccount.com:roles/storage.objectViewer" \
gs://"${PROJECT_ID}-tf"
gsutil iam ch \
"serviceAccount:mde-tf@${PROJECT_ID}.iam.gserviceaccount.com:roles/storage.objectCreator" \
gs://"${PROJECT_ID}-tf"
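Terraform state for this deployment will contain resource details and, depending on the providers involved, secrets, so the bucket deserves a few settings beyond the grants above. The script below is an added example, not part of the MDE documentation: it turns on object versioning (so an overwritten or corrupted state can be recovered), uniform bucket-level access (IAM only, no legacy object ACLs) and public access prevention, and it prints a matching gcs backend block that reaches the bucket by impersonating mde-tf rather than through a downloaded key. The bucket name follows the PROJECT_ID-tf convention above; the state prefix and the backend.tf file name are assumptions of this example, not something the MDE scripts require.

```shell
#!/bin/sh
# Added example (not part of the MDE documentation): harden the Terraform
# state bucket and emit a matching backend block. Assumptions: bucket name
# PROJECT_ID-tf as documented; the prefix and backend.tf path are our choice.

# backend_config PROJECT_ID -> prints a Terraform gcs backend block that keeps
# state in PROJECT_ID-tf and authenticates by impersonating mde-tf.
backend_config() {
  cat <<EOF
terraform {
  backend "gcs" {
    bucket                      = "$1-tf"
    prefix                      = "mde/state"
    impersonate_service_account = "mde-tf@$1.iam.gserviceaccount.com"
  }
}
EOF
}

# harden_bucket PROJECT_ID -> applies the three defensive bucket settings.
harden_bucket() {
  b="gs://$1-tf"
  gsutil versioning set on "$b"   # keep prior state objects for rollback/recovery
  gsutil ubla set on "$b"         # uniform bucket-level access: IAM only, no object ACLs
  gsutil pap set enforced "$b"    # public access prevention, regardless of later IAM changes
}

# Run only when invoked as `sh state-bucket.sh run`, so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then
  PROJECT_ID=$(gcloud config get-value project)
  harden_bucket "$PROJECT_ID"
  backend_config "$PROJECT_ID" > backend.tf
fi
```

With impersonation in the backend block, your own gcloud credentials (granted Token Creator on mde-tf in step 6) are what authenticate the state reads and writes, and those calls are attributed to mde-tf in Cloud Audit Logs.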