# 1 - Provision Cloud Infrastructure

teaser: Create cloud VPCs

<details>
<summary>Lab ArchitectureDiagram</summary>
<a href="https://htmlpreview.github.io/?https://raw.githubusercontent.com/hashicorp/field-workshops-consul/add-consul-multi-cloud/instruqt-tracks/multi-cloud-service-networking-with-consul/assets/diagrams/diagrams.html"><img src=https://raw.githubusercontent.com/hashicorp/field-workshops-consul/add-consul-multi-cloud/instruqt-tracks/multi-cloud-service-networking-with-consul/assets/diagrams/consul-muti-cloud-ws.png></a>
</details>

**notes:**
You are being provisioned on-demand cloud infrastructure.
Please be patient as this can take up to ~25 minutes.

## assignment

The terraform code will provision cloud infrastructure in AWS, GPC, and Azure. <br>

### Verify Packer images

Your lab environment will leverage pre-built packer images.
You can inspect the image build in the code editor, and validate the images are available in AWS & Azure. <br>

In [None]:
printf "\n${GREEN}#==> Azure Images ${NC}\n"
az image list -g packer | jq -c
printf "\n${GREEN}#==> AWS Images ${NC}\n"
aws ec2 describe-images --owners self | jq -c

### Verify networks

Inspect the terraform code and validate the VPCs and VNets that were pre-provisioned for shared services and application workloads. <br>

In [None]:
printf "\n${GREEN}#==> Azure Networks${NC}\n"
az network vnet list | jq -c
printf "\n${GREEN}#==> AWS Networks${NC}\n"
aws ec2 describe-vpcs | jq -c
printf "\n${GREEN}#==> Google Networks${NC}\n"
gcloud compute networks list

If you get an error on your Packer images, you can rebuild either image below from the packer directory:

```shell
cd /root/packer/
```

* AWS
```
packer build -force -only=amazon-ebs-ubuntu-bionic hashistack.json
```
* AZURE
```
packer build -force -only=azure-ubuntu-bionic hashistack.json
```

In the next few challenges we will centralize secrets across environments.

Go back to Instruqt and click "**Check**".

# 2 - Provision Vault Infrastructure
teaser: Set up Vault Infrastructure and Enable Replication

## assignment
Vault supports cross-site replication. In this assignment you provision Vault infrastructure in AWS & Azure.

### Steps

Inspect the Terraform code and provision the Vault infrastructure.

In [None]:
cd /root/terraform/vault

In [None]:
terraform plan -input=false -out=tfplan

In [None]:
terraform apply -input=false -auto-approve tfplan

You can monitor the init scripts with the below commands.

* AWS Vault

In [None]:
ssh ubuntu@$(terraform output aws_vault_ip) 'grep -v "auth.handler" /var/log/cloud-init-output.log | tail'

* Azure Vault

In [None]:
ssh ubuntu@$(terraform output azure_vault_ip) 'grep -v "auth.handler" /var/log/cloud-init-output.log | tail'

Vault will support secure introduction of non-container Consul infrastructure in the next few assignments.

Go back to Instruqt and click "**Check**".

# 3 - Provision Service & Workload Identities

teaser: Create workload identities for secure introduction

## assignment

In this assignment you will create trust with various runtime platforms. These identities are required for Vault to securely introduce workloads.

You can read more about the supported Vault authentication mechanisms on the [Vault website](https://www.vaultproject.io/docs/auth).

### Steps

Inspect the Terraform and create the workload identities. <br>

In [None]:
cd /root/terraform/iam

In [None]:
terraform plan -input=false -out=tfplan

In [None]:
terraform apply -input=false -auto-approve tfplan

In the next assignment you will centralize secrets around these identities.

Go back to Instruqt and click "**Check**".

# 4 - Centralize Secrets in Vault

teaser: Create trust and seed bootstrap credentials.

> This tracks takes a few minutes to setup.

## assignment

In this assignment you will centralize secrets in Vault that will be consumed by applications and services across clouds and runtimes.

### Prerequisites

NOTE: Make sure you clicked "**Check**" in Instruqt and that you are on the "Centralize Secrets in Vault" track.

In the background, the following tasks are being performed:
1. Initializing AWS Vault
1. Initializing Azure Vault
1. Starting Performance Replication on AWS Vault as Primary
1. Starting Performance Replication on Azure Vault as Secondary
1. Writing Vault Policies
1. Enable Userpass auth engine
1. Create Userpass users with associated policies: admin, *-developer
1. Enable auth engines: AWS, Azure
1. Enable secrets engine: Transit, KV-v2, PKI
1. Define auth roles: AWS, Azure

The Vault servers are now available and the UI can be accessed in the tab.

### Steps

In [None]:
cd /root/terraform/vault

* AWS Vault

In [None]:
ssh ubuntu@$(terraform output aws_vault_ip) hostname

* Azure Vault

In [None]:
ssh ubuntu@$(terraform output azure_vault_ip) hostname

### Verify Vault Replication

Check the replication status.

In [None]:
vault_lb=$(terraform output -state /root/terraform/vault/terraform.tfstate aws_vault_ip)
export VAULT_ADDR=http://${vault_lb}:8200

In [None]:
vault read -format=json sys/replication/status | jq .data

Vault replication is configured across AWS & Azure.
See the [documentation](https://www.vaultproject.io/docs/enterprise/replication) for more information about Vault replication. <br>

### Verify Vault secrets and auth engines

An `admin` account in Vault is now available. Use the below command to log in. <br>

In [None]:
vault login -method=userpass username=admin password=admin

You can view the [auth methods](https://www.vaultproject.io/docs/auth) and [secrets engines](https://www.vaultproject.io/docs/secrets) that are configured for the environments.

In [None]:
printf "#==> List enabled secrets engines\n"
vault secrets list
printf "\n#==> List enabled auth engines\n"
vault auth list

### Verify Vault Roles

Inspect the role bindings that are configured for the Consul server infrastructure.

In [None]:
printf "Read AWS role for consul\n"
vault read /auth/aws/role/consul
printf "Read Azure role for consul\n"
vault read /auth/azure/role/consul

### Seed initial Consul secret

Now that the configuration is valid, seed the initial secret for Consul.

In [None]:
vault kv put kv/consul \
  master_token=$(cat /proc/sys/kernel/random/uuid) \
  gossip_key=$(consul keygen) \
  ttl=5m

### Configure Vault Auto Config

Last, configure Vault to support [Auto Config](https://www.hashicorp.com/blog/automate-consul-agent-security-with-auto-confighttps://www.hashicorp.com/blog/automate-consul-agent-security-with-auto-config) in the AWS DC. Auto Config is out of scope for this lab in Azure DC.

In [None]:
vault write /auth/aws/config/identity iam_alias=full_arn
vault write identity/oidc/key/consul allowed_client_ids=consul-server-aws-us-east-1
vault write identity/oidc/role/consul-aws-us-east-1 \
    ttl=30m key=consul client_id=consul-server-aws-us-east-1 \
    template='{"consul": {"node_arn": {{identity.entity.aliases.'$(vault auth list -format=json | jq -r '."aws/".accessor')'.name}} } }'

In [None]:
> Check out the [Automate Consul Agent Security with auto-config tutorial](https://learn.hashicorp.com/tutorials/consul/docker-compose-auto-config).

**NOTE**: If you receive errors you can run the following two scripts to repair your Vault environment.

In [None]:
# /root/terraform/vault/reset_vault.sh
# /root/terraform/vault/setup_vault.sh
# vault login -method=userpass username=admin password=admin
# vault kv put kv/consul \
#   master_token=$(cat /proc/sys/kernel/random/uuid) \
#   gossip_key=$(consul keygen) \
#   ttl=5m

Run this if you want to see the contents of `setup_vault.sh`.

In [None]:
cat /root/terraform/vault/setup_vault.sh

You will tie these tokens to Consul policies in a later assignment.

Go back to Instruqt and click "**Check**".

# 5 - Provision AWS Consul Primary Datacenter
teaser: Run Consul in AWS

## assignment
In this assignment you will bootstrap the initial cluster and validate the health of the server.
The primary Consul server cluster resides in AWS. <br>

### Steps

In [None]:
cd /root/terraform/aws-consul-primary

Inspect the initialization scripts in the CLI or UI.

In [None]:
cat scripts/aws_consul_server.sh

In [None]:
cat scripts/aws_mesh_gateway.sh

### Provision AWS Consul Primary - Terraform

Inspect the Terraform and provision the servers.

In [None]:
terraform plan -input=false -out=tfplan

In [None]:
terraform apply -input=false -auto-approve tfplan

This configuration will create:

1. Consul instance
1. Mesh gateway instance
1. Security group for above instances

### Verify AWS Consul Primary

You can monitor the init scripts with the below commands. <br>

* Consul Server

In [None]:
ssh ubuntu@$(terraform output aws_consul_public_ip) 'tail /var/log/cloud-init-output.log'

You want to see `finished` like the below output.
```shell
Cloud-init v. 21.2-3-g899bfaa9-0ubuntu2~18.04.1 finished at Thu, 30 Sep 2021
```

* Consul MGW

In [None]:
ssh ubuntu@$(terraform output aws_mgw_public_ip) 'tail /var/log/cloud-init-output.log'

Wait for the server to elect a leader (it can take a few minutes for the EC2 instance to become available).

In [None]:
consul_api=$(terraform output aws_consul_public_ip)
echo $consul_api
printf "\nLeader: $(curl -s -v http://{$consul_api}:8500/v1/status/leader)\n"

In the next assignment you will finish configuring the Consul primary server.

Go back to Instruqt and click "**Check**".

# 6 - Bootstrap Consul Primary Datacenter
teaser: Set up Consul for multi-datacenter

## assignment

In this assignment you will finish configuring the primary server
and configure tokens and policies for federated clusters to connect to the primary.

* [Vault CA](https://www.consul.io/docs/connect/ca/vault)
* [Secure Multi DC](https://learn.hashicorp.com/tutorials/consul/access-control-replication-multiple-datacenters)
* [Proxy Defaults](https://www.consul.io/docs/agent/config-entries/proxy-defaults)

The Consul server is now available in the UI.

The Consul server was initialized with a [master token](https://www.consul.io/docs/security/acl/acl-system#builtin-tokens)
to facilitate the bootstrap process.

### Prerequisites

The following items were performed for you:
1. Create Consul ACL policy for anonymous
1. Create `terraform/aws-consul-primary/proxy-defaults.hcl`

In [None]:
cd /root/terraform/aws-consul-primary

### Steps

Log in to Vault and get an admin token to finish setting up the Consul server cluster.

In [None]:
vault login -method=userpass username=admin password=admin
export CONSUL_HTTP_TOKEN=$(vault kv get -field master_token kv/consul)

### Enable Vault Dynamic Consul secrets engine

Vault can [create short lived tokens](https://www.vaultproject.io/docs/secrets/consul) for Consul access.

Configure that now so we can provide least privilege to operators.

In [None]:
AWS_CONSUL_IP=$(terraform output -state /root/terraform/aws-consul-primary/terraform.tfstate aws_consul_public_ip)
printf "\n#==> Enable Consul secrets engine.\n"
vault secrets enable consul
printf "\n#==> Configure Consul secrets engine.\n"
vault write consul/config/access \
    address=http://${AWS_CONSUL_IP}:8500 \
    token=$(consul acl token create -description 'vault mgmt' -policy-name=global-management -format=json | jq -r '.SecretID')

### Configure role - operator

In [None]:
printf "\n#==> Configure acl policy.\n"
consul acl policy create -name operator -rules @/root/policies/consul/operator.hcl
printf "\n#==> Configure roles.\n"
vault write consul/roles/operator policies=operator ttl=30m

### Get Dynamic Consul credentials

You can now request a short lived token to make administrative changes to the cluster. <br>

In [None]:
export CONSUL_HTTP_TOKEN=$(vault read -field token consul/creds/operator)
consul acl token read -self

> The remaining tasks will be ran with dynamic Consul creds from the operator role.

### Configure role - agent

Add a policy for the Consul agents. <br>

In [None]:
printf "\n#==> Configure acl policy.\n"
consul acl policy create -name agent -rules @/root/policies/consul/agent.hcl
printf "\n#==> Configure roles.\n"
vault write consul/roles/agent policies=agent

### Configure role - mgw

Add a policy for the mesh gateway so this token is dynamically managed by Vault for Consul.
You may need to wait a minute or so for this to be picked up by the MGW process.

In [None]:
printf "\nConfigure acl policy.\n"
consul acl policy create -name mesh-gateway -rules @/root/policies/consul/mesh-gateway.hcl
printf "\nConfigure roles.\n"
vault write consul/roles/mgw policies=mesh-gateway
sleep 60

### Monitor Mesh Gateway

You can monitor the MGW with the below commands. <br>

* Consul MGW

In [None]:
ssh ubuntu@$(terraform output aws_mgw_public_ip) 'journalctl -u consul | tail'

Check out the Consul Auto Config configuration on the Consul Server and an example Consul Client.  The `node_arn` will allow us to get a node identity signed by Vault.

Start with the server. <br>

In [None]:
ssh ubuntu@$(terraform output aws_consul_public_ip) 'cat /etc/consul.d/server.json' | jq .auto_config

Check the MGW client agent config. <br>

In [None]:
ssh ubuntu@$(terraform output aws_mgw_public_ip) 'cat /etc/consul.d/auto.json' | jq

Check the MGW client agent node.

In [None]:
ssh ubuntu@$(terraform output aws_mgw_public_ip) 'curl -s localhost:8500/v1/agent/self' | jq .Config.NodeName

Now review the issued intro token and check that it was signed by Vault. The token will have a 30 min expiry.

In [None]:
curl -s $VAULT_ADDR/v1/identity/oidc/.well-known/keys  | jq
ssh ubuntu@$(terraform output aws_mgw_public_ip) 'cat /etc/consul.d/token' | jwt

The auto config secrets will be stored in the `data_dir`. These will be auto rotated by the Consul client. <br>

Check the ACL secrets. <br>

In [None]:
ssh ubuntu@$(terraform output aws_mgw_public_ip) 'sudo cat /opt/consul/data/auto-config.json' | jq .Config.ACL

Check the Gossip Key. <br>

In [None]:
ssh ubuntu@$(terraform output aws_mgw_public_ip) 'sudo cat /opt/consul/data/auto-config.json' | jq .Config.Gossip

### Configure role - replication

Next, tie the token in Vault to the replication policy so we can establish trust with federated clusters. <br>

In [None]:
consul acl policy create -name replication -rules @/root/policies/consul/replication.hcl
vault write consul/roles/replication policies=replication

### Configure role - vault

Add an additionally policy for Vault SD for Consul.

In [None]:
consul acl policy create -name vault -rules @/root/policies/consul/vault.hcl
vault write consul/roles/vault policies=vault

### Check CA infrastructure for the primary

Check the CA infrastructure for the primary. Notice the `pri-` prefix for primary DC. <br>

In [None]:
consul_lb=$(terraform output -state /root/terraform/aws-consul-primary/terraform.tfstate aws_consul_public_ip)
export CONSUL_HTTP_ADDR=http://${consul_lb}:8500
echo ${CONSUL_HTTP_ADDR}

In [None]:
curl -s ${CONSUL_HTTP_ADDR}/v1/connect/ca/roots | jq '.Roots'
curl -s ${CONSUL_HTTP_ADDR}/v1/connect/ca/roots \
  | jq -r '.Roots[0].RootCert' | openssl x509 -text -noout

### Apply defaults for service mesh

Last, apply defaults for the service mesh that you'll leverage in the last few assignments. <br>

In [None]:
consul config write proxy-defaults.hcl

In the next few assignments you will connect secondary Consul datacenters to this cluster.

Go back to Instruqt and click "**Check**".

# 7 - Create Namespaces & Policies
teaser: Configure multi-tenancy

## assignment:

In this assignment you will create namespaces in Consul for development groups. <br>

In [None]:
cd /root/policies/consul

### Steps

Get an operator token. <br>

In [None]:
vault login -method=userpass username=admin password=admin
export CONSUL_HTTP_TOKEN=$(vault read -field token consul/creds/operator)

Create the namespaces. <br>

In [None]:
printf "${GREEN}#==> Create Consul policy\n${NC}"
consul acl policy create -name "cross-namespace-policy-sd" -description "cross-namespace service discovery" -rules @cross-namespace-sd.hcl
printf "${GREEN}#==> Create Consul namespaces\n${NC}"
consul namespace update -name default -default-policy-name=cross-namespace-policy-sd
consul namespace write payments-namespace.hcl
consul namespace write product-namespace.hcl
consul namespace write frontend-namespace.hcl

Create the developer policies and link them to vault roles. <br>

In [None]:
printf "${GREEN}#==> Create Consul policy\n${NC}"
consul acl policy create -name "payments-developer-policy" -description "payments devloper" -rules @payments-developer.hcl
consul acl policy create -name "product-developer-policy" -description  "product developer" -rules @product-developer.hcl
consul acl policy create -name "frontend-developer-policy" -description "frontend developer" -rules @frontend-developer.hcl
printf "${GREEN}#==> Create roles and associate with Consul policies\n${NC}"
vault write consul/roles/payments-developer policies=payments-developer-policy ttl=30m
vault write consul/roles/product-developer  policies=product-developer-policy ttl=30m
vault write consul/roles/frontend-developer policies=frontend-developer-policy ttl=30m

Dev teams will deploy application workloads to the above namespaces in future assignments.

Go back to Instruqt and click "**Check**".

# 8 - Provision Azure Consul Secondary Datacenter - ISSUES?
teaser: Run Consul in Azure

## assignment

In this assignment you will bootstrap the Azure secondary Cluster, validate the health of the server and its connection to the primary.

Inspect the initialization scripts in the CLI or UI.

In [None]:
cd /root/terraform/azure-consul-secondary

In [None]:
cat scripts/azure_consul_server.sh

In [None]:
cat scripts/azure_mesh_gateway.sh

Inspect the Terraform and provision the servers.

In [None]:
terraform plan -input=false -out=tfplan

In [None]:
terraform apply -input=false -auto-approve tfplan

You can monitor the init scripts with the below commands. <br>

* Consul Server

In [None]:
ssh ubuntu@$(terraform output azure_consul_public_ip) 'grep Cloud /var/log/cloud-init-output.log'

* Consul MGW

In [None]:
ssh ubuntu@$(terraform output azure_mgw_public_ip) 'grep Cloud /var/log/cloud-init-output.log'

You want to see `finished` in the output.

Sample
```shell
Cloud-init v. 21.2-3-g899bfaa9-0ubuntu2~18.04.1 finished at Wed, 29 Sep 2021 04:07:14 +0000. ...  Up 111.07 seconds
```

Wait for the server to elect a leader (it can take a few minutes for the Azure compute instance to become available).
Replication with the primary will be enabled. <br>

In [None]:
consul_api=$(terraform output azure_consul_public_ip)
curl -s -v http://{$consul_api}:8500/v1/status/leader
curl -s -v http://{$consul_api}:8500/v1/acl/replication | jq

Check the CA infrastructure for the secondary. Notice the `sec-` prefix for secondary DC. <br>

In [None]:
# consul_api=$(terraform output azure_consul_public_ip)
echo $consul_api
curl -s http://${consul_api}:8500/v1/connect/ca/roots | jq '.Roots'
curl -s http://${consul_api}:8500/v1/connect/ca/roots | jq -r '.Roots[0].IntermediateCerts[0]' | openssl x509 -text -noout

In the next assignment you will configure the remaining secondary cluster.

Go back to Instruqt and click "**Check**".

# 9 - Provision GCP Consul Secondary Datacenter
teaser: Run Consul in GKE

## assignment

In this assignment you will bootstrap the GCP secondary Cluster, validate the health of the server and its connection to the primary. <br>

In this environment, Consul on GCP runs entirely in GKE K8s. The Consul helm chart easily supports running Consul in K8s for both Consul server agents, and Consul client agents. <br>

You can read the following resources for more information on running Consul in K8s: <br>
  * https://www.consul.io/docs/k8s
  * https://www.consul.io/docs/k8s/installation/multi-cluster/kubernetes

### Prerequisites

The following items were done for you:

* Installed helm
* Added Hashicorp helm repo.

In [None]:
cd /root/terraform/gcp-consul-secondary

### Steps

### Provision GCP Consul Secondary with Terraform

Inspect the Terraform and provision K8s shared services cluster. <br>

In [None]:
terraform plan -input=false -out=tfplan

In [None]:
terraform apply -input=false -auto-approve tfplan

### Confirm worker node availability

Check the worker nodes are available for the cluster. <br>

In [None]:
gcloud container clusters get-credentials \
  $(terraform output gcp_gke_cluster_shared_name) --region us-central1-a
kubectl config rename-context $(kubectl config current-context) shared
kubectl config use-context shared
kubectl get nodes

### Create k8s federation secret

Now that K8s is ready, you create the K8s federation secret.

In [None]:
printf "${GREEN}\nGet server info\n"
vault login -method=userpass username=admin password=admin
aws_mgw=$(terraform output -state /root/terraform/aws-consul-primary/terraform.tfstate aws_mgw_public_ip)
server_json=$(jq -n --arg mgw "$aws_mgw" '{primary_datacenter: "aws-us-east-1",primary_gateways:["\($mgw):443"]}')
printf "${GREEN}\nCreate k8s federation secret\n"
cat <<EOF | kubectl apply -f -
{
"apiVersion": "v1",
"kind": "Secret",
  "data": {
    "caCert": "$(vault read -field certificate pki/cert/ca | base64 -w 0)",
    "caKey": "$(vault kv get -field private_key kv/pki | base64 -w 0)",
    "gossipEncryptionKey": "$(vault kv get -field gossip_key kv/consul | base64 -w 0)",
    "replicationToken": "$(vault read -field token consul/creds/replication | base64 -w 0)",
    "serverConfigJSON": "$(echo $server_json | base64 -w 0)"
    },
    "metadata": {
        "name": "consul-federation",
        "namespace": "default"
    }
}
EOF

### Depoy Consul servers with helm

Next, deploy the Consul servers. **NOTE:** This can take 3 minutes.

In [None]:
kubectl create secret generic consul-ent-license \
  --from-literal="key=$(cat /etc/consul.hclic)"
helm install hashicorp hashicorp/consul -f /root/helm/gke-consul-values.yaml \
  --debug --wait --version 0.33.0

You can review the configuration below.

In [None]:
cat /root/helm/gke-consul-values.yaml

### Verify Consul cluster federation

Check that all three clusters are federated.

In [None]:
export CONSUL_HTTP_TOKEN=$(vault read -field token consul/creds/operator)
consul acl token read -self

In [None]:
consul members -wan

In the next assignment you will connect Consul secondary components to the server clusters in AWS & Azure.

Go back to Instruqt and click "**Check**".

# 10 - Provision Consul ESMs
teaser: Create health checks for external services

## assignment

In this assignment you will provision Consul External Services Monitors (ESMs) to health check services that do not run Consul agents. <br>

Cloud managed services are common targets for external services monitoring. <br>

You can read more about Consul ESM:
  * https://learn.hashicorp.com/tutorials/consul/service-registration-external-services
  * https://github.com/hashicorp/consul-esm
  * https://www.hashicorp.com/resources/bloomberg-s-consul-story-to-20-000-nodes-and-beyond

### Steps

Get creds for this operation. <br>

In [None]:
vault login -method=userpass username=admin password=admin
export CONSUL_HTTP_TOKEN=$(vault read -field token consul/creds/operator)

Create the ESM policy. <br>

In [None]:
consul acl policy create -name consul-esm -rules @/root/policies/consul/consul-esm.hcl
vault write consul/roles/esm policies=consul-esm

### Provision Consul ESM with Terraform

Inspect the Terraform code and provision the external monitoring.

In [None]:
cd /root/terraform/esm

In [None]:
terraform plan -input=false -out=tfplan

In [None]:
terraform apply -input=false -auto-approve tfplan

You can monitor the init scripts with the below commands. <br>
* AWS ESM

In [None]:
ssh ubuntu@$(terraform output aws_esm_public_ip) 'tail /var/log/cloud-init-output.log'

* Azure ESM

In [None]:
ssh ubuntu@$(terraform output azure_esm_public_ip) 'tail /var/log/cloud-init-output.log'

ESM services are now available in your Consul datacenters. <br>

In [None]:
printf "\n${GREEN}List AWS Services\n${NC}"
consul catalog services -datacenter=aws-us-east-1
printf "\n${GREEN}List Azure Services\n${NC}"
consul catalog services -datacenter=azure-west-us-2

In the next assignments you will provision cloud managed services and configure them for Consul ESM monitoring.

Go back to Instruqt and click "**Check**".

# title: Provision Cache Services
teaser: Deploy managed Cache instances

## assignment

In this assignment you will provision AWS ElastiCache instances to be consumed by the application.
The ElastiCache instances are Redis datastores. <br>

We can use Terraform to configure Consul with the [Consul Provider](https://registry.terraform.io/providers/hashicorp/consul/latest/docs).

Inspect the Terraform, retrieve an operator token, and provision the Cache instances. <br>

In [None]:
cd /root/terraform/cache-services

In [None]:
vault login -method=userpass username=admin password=admin
export CONSUL_HTTP_TOKEN=$(vault read -field token consul/creds/operator)

In [None]:
terraform plan -input=false -out=tfplan
terraform apply -input=false -auto-approve tfplan

The managed Cache instance will now be available in the catalog.

In [None]:
curl -s "${CONSUL_HTTP_ADDR}/v1/health/service/redis?passing=true" | jq

You will use the managed Redis instance to process payments in future assignments.

Go back to Instruqt and click "**Check**".

# 12 - Provision Database Services
teaser: Deploy managed DB instances

## assignment

In this assignment you will provision Azure Database Postgres instance to be consumed by the application. <br>

We can use Terraform to configure Consul with the [Consul Provider](https://registry.terraform.io/providers/hashicorp/consul/latest/docs).

Inspect the Terraform, retrieve an operator token, and provision the Database instances. <br>

In [None]:
cd /root/terraform/database-services

In [None]:
vault login -method=userpass username=admin password=admin
export CONSUL_HTTP_TOKEN=$(vault read -field token consul/creds/operator)

In [None]:
terraform plan -input=false -out=tfplan

In [None]:
terraform apply -input=false -auto-approve tfplan

The managed database instance will now be available in the catalog.

In [None]:
curl -s "${CONSUL_HTTP_ADDR}/v1/health/service/postgres?dc=azure-west-us-2&passing=true" | jq

You will use the managed Postgres instance to query available products in future assignments.

Go back to Instruqt and click "**Check**".

# 13 - Provision Consul Terminating Gateways
teaser: Configure egress traffic for external services

## assignment

In this assignment you will provision Consul Terminating Gateways(TGW).
You can read [the docs](https://www.consul.io/docs/connect/gateways/terminating-gateway) for more information on how TGW works. <br>

Get credentials. <br>

In [None]:
vault login -method=userpass username=admin password=admin
export CONSUL_HTTP_TOKEN=$(vault read -field token consul/creds/operator)

Create the policies for the TGWs.

In [None]:
consul acl policy create -name aws-terminating-gateway -rules @/root/policies/consul/aws-tgw.hcl
vault write consul/roles/aws-tgw policies=aws-terminating-gateway
consul acl policy create -name azure-terminating-gateway -rules @/root/policies/consul/azure-tgw.hcl
vault write consul/roles/azure-tgw policies=azure-terminating-gateway

Inspect the Terraform, retrieve an operator token, and provision the TGWs. <br>

In [None]:
cd /root/terraform/tgw

In [None]:
terraform plan -input=false -out=tfplan

In [None]:
terraform apply -input=false -auto-approve

You can monitor provisioning with the below commands: <br>

* AWS TGW - `ssh ubuntu@$(terraform output aws_tgw_public_ip) 'tail -f /var/log/cloud-init-output.log'`
* Azure TGW - `ssh ubuntu@$(terraform output azure_tgw_public_ip) 'tail -f /var/log/cloud-init-output.log'`

TGW services are now running. <br>

In [None]:
consul catalog services -datacenter=aws-us-east-1
consul catalog services -datacenter=azure-west-us-2

In future assignments you will route traffic to Vault, Redis, and Postgres leveraging the TGW in AWS & Azure.

Go back to Instruqt and click "**Check**".

# 14: Provision Nomad Scheduler Services
teaser: Deploy Nomad workload infrastructure

## assignment

In this assignment you will provision Nomad to run payments workloads in AWS.
You can read the docs for more information about the Nomad integrations used in this lab environment: <br>

* [Introduction](https://www.nomadproject.io/intro)
* [Nomad & Vault](https://www.nomadproject.io/docs/integrations/vault-integration)
* [Nomad & Consul](https://www.nomadproject.io/docs/integrations/consul-integration)
* [Nomad & Consul Connect](https://www.nomadproject.io/docs/integrations/consul-connect)

Inspect the Terraform and provision Nomad servers and clients. <br>

In [None]:
cd /root/terraform/nomad-scheduler-services

In [None]:
terraform plan -input=false -out=false

In [None]:
terraform apply -input=false -auto-approve

You can monitor provisioning with the below command: <br>

In [None]:
ssh ubuntu@$(terraform output aws_nomad_server_public_ip) 'tail -f /var/log/cloud-init-output.log'

You can access the Nomad UI at the below URL: <br>

In [None]:
echo http://$(terraform output aws_nomad_server_public_ip):4646

Nomad services are now running in AWS. <br>

In [None]:
consul catalog services -datacenter=aws-us-east-1

You will schedule workloads on this nomad cluster in a later assignment.

Go back to Instruqt and click "**Check**".

# 15 - Provision K8s Scheduler Services
teaser: Deploy K8s workload infrastructure

## assignment
In this assignment you will provision K8s workload clusters in GCP.
These clusters will connect to the shared services Consul GKE cluster in GCP. <br>

You can read the docs for more information on these patterns: <br>

* [Overview](https://www.consul.io/docs/k8s)
* [Multi-Cluster](https://www.consul.io/docs/k8s/installation/multi-cluster)

Inspect the Terraform and provision the K8s clusters. <br>

In [None]:
cd /root/terraform/k8s-scheduler-services

In [None]:
terraform plan -input=false -out=tfplan

In [None]:
terraform apply -input=false -auto-approve

Next, configure the two provisioned workload K8s clusters and connect them to the shared svcs cluster.

First, deploy the React cluster. <br>

In [None]:
vault login -method=userpass username=admin password=admin
gcloud container clusters get-credentials $(terraform output -state /root/terraform/k8s-scheduler-services/terraform.tfstate gcp_gke_cluster_react_name) --region us-central1-a
kubectl config rename-context $(kubectl config current-context) react
kubectl config use-context react
kubectl create secret generic hashicorp-consul-ca-cert --from-literal="tls.crt=$(vault read -field certificate pki/cert/ca)"
kubectl create secret generic hashicorp-consul-gossip-key --from-literal="key=$(vault kv get -field=gossip_key kv/consul)"
kubectl create secret generic bootstrap-token --from-literal="token=$(vault read -field token consul/creds/operator)"
helm install consul hashicorp/consul --set externalServers.k8sAuthMethodHost="https://$(terraform output gcp_gke_cluster_react_endpoint)" -f /root/helm/react-consul-values.yaml --debug --wait --timeout 10m --version 0.33.0
helm list -a

Last, deploy the Graphql cluster. <br>

In [None]:
vault login -method=userpass username=admin password=admin
gcloud container clusters get-credentials $(terraform output -state /root/terraform/k8s-scheduler-services/terraform.tfstate gcp_gke_cluster_graphql_name) --region us-central1-a
kubectl config rename-context $(kubectl config current-context) graphql
kubectl config use-context graphql
kubectl create secret generic hashicorp-consul-ca-cert --from-literal="tls.crt=$(vault read -field certificate pki/cert/ca)"
kubectl create secret generic hashicorp-consul-gossip-key --from-literal="key=$(vault kv get -field=gossip_key kv/consul)"
kubectl create secret generic bootstrap-token --from-literal="token=$(vault read -field token consul/creds/operator)"
helm install consul hashicorp/consul --set externalServers.k8sAuthMethodHost="https://$(terraform output gcp_gke_cluster_graphql_endpoint)" -f /root/helm/graphql-consul-values.yaml --debug --wait --timeout 10m --version 0.33.0
helm list -a

The K8s nodes are now registered in the Consul catalog.

In [None]:
consul catalog nodes -datacenter gcp-us-central-1

In later assignments you will use these clusters to run frontend application workloads.

Go back to Instruqt and click "**Check**".

# 16 - Configure Intentions
teaser: Allow selective mTLS between workloads

## assignment
In this assignment you will log in as each persona and configure intentions for self-service access.

Allow least privilege access to shared services as an infrastructure operator.

In [None]:
cd /root/policies/consul

In [None]:
vault login -method=userpass username=admin password=admin
export CONSUL_HTTP_TOKEN=$(vault read -field token consul/creds/operator)
consul intention create -allow '*/*' 'default/vault'
consul intention create -allow 'default/payments-api' 'default/redis'
consul intention create -allow 'frontend/public-api' 'default/payments-api'
consul intention create -allow 'product/*' 'default/postgres'

As a product developer grant access to frontend team APIs to connect to product services.

In [None]:
vault login -method=userpass username=product-developer password=product
export CONSUL_HTTP_TOKEN=$(vault read -field token consul/creds/product-developer)
consul intention create -allow 'frontend/public-api' 'product/product-api'

As a frontend developer, you will manage intentions with CRDs in a later exercise.

In later assignments you will use these clusters to run frontend application workloads.

Go back to Instruqt and click "**Check**".

# 17 - Deploy Payments Tier

teaser: Run Payments workloads

## assignment

In this assignment you will schedule the payments-api with Nomad.

### Prerequisites

In [None]:
printf "Set NOMAD_ADDR\n"
NOMAD_IP=$(terraform output -state /root/terraform/nomad-scheduler-services/terraform.tfstate aws_nomad_server_public_ip)
export NOMAD_ADDR=http://${NOMAD_IP}:4646

In [None]:
cd /root/terraform/nomad-scheduler-services

Run this if you want to see the Nomad job definition.

In [None]:
cat payments-api.hcl

Run the nomad job.

In [None]:
nomad run payments-api.hcl

Payments API services should now be running in the cluster.

In [None]:
curl -s ${CONSUL_HTTP_ADDR}/v1/health/service/payments-api?passing=true | jq

In future assignments you will use these APIs to process payments.

🛑 Go back to Instruqt and click "**Check**".

# 18 - Deploy Product Tier

teaser: Run Product workloads

## assignment
In this assignment you will deploy product applications in Azure.

### Prerequisites

* postgres was configured and data imported for you.

In [None]:
cd /root/terraform/product-applications

### Steps

In [None]:
terraform plan -input=false -out=tfplan
terraform apply -input=false -auto-approve tfplan

You can monitor provisioning with the below command: <br>

In [None]:
ssh ubuntu@$(terraform output azure_product_api_public_ip) 'tail /var/log/cloud-init-output.log'

Product API services should now be running in the cluster.

In [None]:
consul catalog services -datacenter azure-west-us-2 -namespace=product

In future assignments you will use these APIs to process product queries.

🛑 Go back to Instruqt and click "**Check**".

# 19: Deploy Frontend Tier
teaser: Run Frontend workloads

## assignment
In this assignment you will deploy frontend applications to the GKE clusters. <br>

### Prerequisites

* These commands were issued for you
```shell
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
```

In [None]:
cd /root/apps

### Steps

Review the k8s deployment specs in the code editor. <br>


Deploy the Public APIs. This API will be exposed via a Consul ingress gateway. <br>

In [None]:
kubectl config use-context graphql
kubectl apply -f k8s/public-api

Deploy the React Frontend. This frontend will be exposed via an ingress controller with a Connect transparent proxy. <br>

In [None]:
kubectl config use-context react
helm install nginx-ingress -f /root/helm/nginx-ingress.yml ingress-nginx/ingress-nginx  --debug --wait
sleep 10
kubectl apply -f k8s/web

Frontend services are now available.

In [None]:
consul catalog services -datacenter gcp-us-central-1 -namespace=frontend

In future assignments you will use these web interfaces and APIs to send traffic to backend application components.

Go back to Instruqt and click "**Check**".

# 20 - Review Application Deployment
teaser: Validate workload configuration

## assignment

In this assignment you will validate the product DB and access to the payment queue. <br>

### Prerequisites

* None

Check the DB for available products. <br>

In [None]:
export PGPASSWORD=$(terraform output -state /root/terraform/database-services/terraform.tfstate postgres_password)
psql -U postgres@$(terraform output -state /root/terraform/infra/terraform.tfstate env) \
  -d postgres \
  -h $(terraform output -state /root/terraform/database-services/terraform.tfstate postgres_fqdn) \
  -c 'SELECT * FROM coffees' \
  -a

Check the queue for payments (there will be zero keys). <br>

In [None]:
ssh -i ~/.ssh/id_rsa ubuntu@$(terraform output -state /root/terraform/infra/terraform.tfstate aws_bastion_ip) \
  "redis-cli -h \
  $(terraform output -state /root/terraform/cache-services/terraform.tfstate -json aws_elasticache_cache_nodes | jq -r .[0].address) -p 6379 keys '*'"

In the next few assignments you will retrieve products and send payments.

Go back to Instruqt and click "**Check**".

# 21 - Test Application Deployment
teaser: Put it all together

## assignment
In this assignment you will test the application. <br>

### Prerequisites

* nginx was reconfigured and restarted

### Steps

The UI is available on the react cluster. <br>

In [None]:
kubectl config use-context react
echo "http://$(kubectl get svc nginx-ingress-controller -o json | jq -r .status.loadBalancer.ingress[0].ip)"

Monitor the cache for incoming payments in one window. <br>

In [None]:
ssh -i ~/.ssh/id_rsa ubuntu@$(terraform output -state /root/terraform/infra/terraform.tfstate aws_bastion_ip) \
  "redis-cli -h \
  $(terraform output -state /root/terraform/cache-services/terraform.tfstate -json aws_elasticache_cache_nodes | jq -r .[0].address) -p 6379 MONITOR"

In the other window send traffic to the HashiCups public APIs. <br>

In [None]:
kubectl config use-context graphql
endpoint=$(kubectl get svc consul-graphql-graphql-ingress-gateway -o json | jq -r .status.loadBalancer.ingress[0].ip)

Try the Product API. <br>

In [None]:
curl -s -v http://${endpoint}:8080/api \
  -H 'Accept-Encoding: gzip, deflate, br' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -H 'Connection: keep-alive' \
  -H 'DNT: 1' \
  --data-binary '{"query":"{\n  coffees{id,name,price}\n}"}' \
  --compressed | jq

Try the payment API. <br>

#payments

In [None]:
curl -s -v http://${endpoint}:8080/api \
  -H 'Accept-Encoding: gzip, deflate, br' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -H 'Connection: keep-alive' \
  -H 'DNT: 1' \
  --data-binary '{"query":"mutation{ pay(details:{ name: \"nic\", type: \"mastercard\", number: \"1234123-0123123\", expiry:\"10/02\", cv2: 1231, amount: 12.23 }){id, card_plaintext, card_ciphertext, message } }"}' \
  --compressed | jq

You just connected the HashiCups app across three clouds!

Go back to Instruqt and click "**Check**".

# 22 - Observe Application Deployment
teaser: Collect metrics and traces across clouds.

## assignment

In this assignment you will view traces in the Jaeger UI. <br>

### Prerequisites

* Consul intentions created
* Terraform monitoring applied
* Jaeger enabled /etc/nginx/conf.d/jaeger.conf
* Created some traces

In [None]:
cd /root/terraform/monitoring

### Steps

Simulate application traffic. <br>

In [None]:
kubectl config use-context graphql
endpoint=$(kubectl get svc consul-graphql-graphql-ingress-gateway -o json | jq -r .status.loadBalancer.ingress[0].ip)

In [None]:
curl -s -v http://${endpoint}:8080/api \
  -H 'Accept-Encoding: gzip, deflate, br' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -H 'Connection: keep-alive' \
  -H 'DNT: 1' \
  --data-binary '{"query":"{\n  coffees{id,name,price}\n}"}' \
  --compressed | jq

In [None]:
curl -s -v http://${endpoint}:8080/api \
  -H 'Accept-Encoding: gzip, deflate, br' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -H 'Connection: keep-alive' \
  -H 'DNT: 1' \
  --data-binary '{"query":"mutation{ pay(details:{ name: \"nic\", type: \"mastercard\", number: \"1234123-0123123\", expiry:\"10/02\", cv2: 1231, amount: 12.23 }){id, card_plaintext, card_ciphertext, message } }"}' \
  --compressed | jq

Review the traces in the Jaeger UI for each cloud.

Go back to Instruqt and click "**Check**".

# Resources

* Instruqt - https://play.instruqt.com/hashicorp/tracks/multi-cloud-service-networking-with-consul

### Install JupyterLab on Instruqt

Install JupyterLab on Instruqt

```shell
#==> Install Jupyter Lab
pip install jupyterlab
pip install bash_kernel
python -m bash_kernel.install

#==> Git clone
cd ~
git clone https://github.com/phanclan/hc_demos-jupyter


#==> Start Jupyter Lab Server
#go to root directory of Jupyter Lab notebooks
cd /root
nohup jupyter lab --allow-root --ip=0.0.0.0 --no-browser &

# Get jupyter browser token
JUPYTER_TOKEN=$(jupyter lab list | awk 'NR>=2 {print $1}' | awk -F= '{print $2}')

#==> Print out clickable link
echo "http://${HOSTNAME}-8888-${INSTRUQT_PARTICIPANT_ID}.env.play.instruqt.com/lab?token=${JUPYTER_TOKEN}"

#==> Do cool labs from Jupyter
echo "http://${HOSTNAME}-8888-${INSTRUQT_PARTICIPANT_ID}.env.play.instruqt.com/lab/tree/hc_demos-jupyter/Consul/consul_multi_cloud_2.ipynb"
```

### Convert to pdf

Linux

In [None]:
apt-get install pandoc
apt-get install texlive-xetex texlive-fonts-recommended texlive-plain-generic
jupyter nbconvert --to pdf consul_multi_cloud_2.ipynb

### Update repo

In [None]:
# BE SURE TO CLEAR ALL OUTPUTS AND SAVE NOTEBOOK FIRST
git add consul_multi_cloud_2.ipynb && \
git commit -m "update consule notebooks" && git push

### Git pull from Instruqt
Commands
```shell
cd ~/hc_demos-jupyter/Consul/
git checkout consul_multi_cloud_2.ipynb
git pull
```

### Jupyter Tips

1. I am stuck with this `[*]` - Your cell is waiting for something in the background. You can interrupt the run by clicking <kbd>I</kbd> twice.
1. Hide the outputs of my runs - You can click on the blue vertical bar to the left of a cell or output to collapse/expand it.

## Prerequisites - IGNORE

* Azure Client
* AWS Client

### Set Main Environment Variables

In [None]:
source ../Scripts/baseline.sh

Be sure to replace `POC_NAME` with your own value.

In [None]:
export POC_NAME=pphan
export GIT_REPO_DIR=config/consul/field-workshops-consul
export WORK_DIR=$MAIN_DIR/$GIT_REPO_DIR
printf "$MAIN_DIR\n$GIT_REPO_DIR\n$WORK_DIR"

### Cloud Credentials

You can grab credentials from Instruqt with these commands. Copy the results and run them in the cell below.

```shell
env | grep -i ^AWS_ | grep -v ACCOUNT && \
env | grep ^INSTRUQT_AZURE_SUBSCRIPTION_CONSUL_USERNAME && \
env | grep ^INSTRUQT_AZURE_SUBSCRIPTION_CONSUL_PASSWORD && \
env | grep ^INSTRUQT_GCP_PROJECT_CONSUL_SERVICE_ACCOUNT_KEY && \
env | grep ^INSTRUQT_GCP_PROJECT_CONSUL_PROJECT_ID && \
env | grep ^HC_
 # env | grep ^INSTRUQT_AZURE_SUBSCRIPTION_CONSUL_SUBSCRIPTION_ID && \
 # env | grep ^INSTRUQT_AZURE_SUBSCRIPTION_CONSUL_SPN_ID && \
 # env | grep ^INSTRUQT_AZURE_SUBSCRIPTION_CONSUL_SPN_PASSWORD && \
```

Paste and run output from Instruqt in cell below.

```shell
AWS_SECRET_ACCESS_KEY=QfddPWXYmWcFf/lafkKpAOuaEifSfks+Z7LeOTz4
AWS_ACCESS_KEY_ID=AKIASCE2S4WQUPO3SUCG
INSTRUQT_AZURE_SUBSCRIPTION_CONSUL_USERNAME=vblhflltntsh-consul@instruqt.io
INSTRUQT_AZURE_SUBSCRIPTION_CONSUL_PASSWORD=umXd4xzd+gxp@iQ+
INSTRUQT_GCP_PROJECT_CONSUL_SERVICE_ACCOUNT_KEY=
HC_CONSUL_LICENSE=
HC_VAULT_LICENSE=
```

Clear existing creds

In [None]:
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY

In [None]:
AWS_SECRET_ACCESS_KEY=1ZD7jpJMC6PFeF5HdtaFB/UZgX1hndRQUmjUEWAK
AWS_ACCESS_KEY_ID=AKIASORA74EFUNHHO5FY
INSTRUQT_AZURE_SUBSCRIPTION_CONSUL_USERNAME=3zwqg84fvtwx-consul@instruqt.io
INSTRUQT_AZURE_SUBSCRIPTION_CONSUL_PASSWORD=TlOIlz%o^pdC-nnv
INSTRUQT_GCP_PROJECT_CONSUL_SERVICE_ACCOUNT_KEY=ewogICJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIsCiAgInByb2plY3RfaWQiOiAicC1veWg2azVmeXdlMnFqOG9uOWRvZHBpdDkxbjVnIiwKICAicHJpdmF0ZV9rZXlfaWQiOiAiZTk1ZDkzY2I2ZTBlNjkzZjc3MTA3MGRhZDFjZWRlNmUwNTY1YTNjNiIsCiAgInByaXZhdGVfa2V5IjogIi0tLS0tQkVHSU4gUFJJVkFURSBLRVktLS0tLVxuTUlJRXZnSUJBREFOQmdrcWhraUc5dzBCQVFFRkFBU0NCS2d3Z2dTa0FnRUFBb0lCQVFDdjNKWWxGSVFkZkNuUlxubnJpSU16WFhlMjBhVzQzYjRoQjRPekl5TEQ5U1FtUHBxdjc2Ni92ZUhscHY4UUlZUnZraVNqK0lPUlV3VFJxOVxuYjZZa0dpOVJYVG5TQ3pBdzA5NndwTU1wbjB2YVNIMU4xaEZxS1J2aE0yeFFtSWdHQjdXU3FISWNueGRUVnZwdVxueStEbXJZeFdkVi9PZUFZY1BHVlVocWFIQUpybXI3aFAxdlhObGlnMnVMWmF2SlhaemIrM21aMVZzV1BXWVlGNFxuTmNqY0RoZzVBRjRnYnUzdzg1Ymx1bWN0TjVmQnQ5dWVUU3lvZTYxcHJrSVRPdTZsZFBwOFFnNWkwU0JmeG5VbVxudFZYekt0R3hjaExFZVFpUkhGZVlBdVhrdGZSaUluUTBxbWQ4aUVVbnpUdzBZQmpVdmZvTTJjWWdFKy9wbnl2ZlxuSVkxdk1BMzVBZ01CQUFFQ2dnRUFCYkR4WEw1SDVMTitMaE5hTnpqVW1NbnlOUTE5NUcvSEhEbHFwS3Bic0hheVxuQVgrbFlNczNtYWlYSktoQ3NmdkVyU0JMeHZCWkZrNHZtRHgvYVVTVE9NWDRCWUNUb2puSFI1ZEdUdTB2NlFKSVxuYjJHLzQ5d1F0MXJKeUZrSzR6Vks0aGw0aWJFSEFEZmo3WXJnM2lSMC9WQXZHWXZodFBaeExYNm03NlcrUVIvNVxuMENzdU9WR2EvcFluWlZaUWRSMVVFTUpFWmMzckY4a2FpMWlrdVVpQjhteVpGdEQ5bzRxNG81L1VSSG5TYTFWN1xuNWV3bkY5Nlg3bEdCdk5IbkVCTi9SS2ZzQlVqT21KYmoyS0d0ZHBKTE9TMHRFZjNtNzg5UDRXdUl4c1YydmVld1xuWFJnSkFQaUpVcnJYL3FBMk0zRkJkczlIVktDMi9oKy9PTUFkaVJldlFRS0JnUURiM1phZHVpMEJJdjY3VUhMNFxuRWFKVjE5V1FBWHJ6MEVEUk1WZzNBTUIvR2FOb0cvVjdjMEZmdytmWkU5WEVLdE5USEVlbys0cG9ZaHlxaUFuZlxucC9NcjdOZlBEc2FvNFFoRnZLMnJrdFN2NVlEcGtXcUhpRlpKUGFwb1poaURsTFBkMVBhRnJVSlNRTlJBS201OFxudTBHUVNURHFPbThQQy8rQ1ptdjNMR0xTendLQmdRRE13NTY5ck53VUs1OFVRdi8xUFptczEwYkJkdWtVSXdUd1xud2t2YnArd2J4ZGVaK2o3QnhRQ1NHZThBS3Y1LzdET3pWZXNOS3hOcHFzMDlaOFpleXFuTWdOQk81cW5kUVNONFxuYmt4MGw3cU9SNW9reXlrYm1OMUV4T2QxNjU4K0x0UVVuY2JqVERDLytTTjNJLzJ3QzBnYkhHaCtTNng5QWx6UlxuTjQ0ejhVWGt0d0tCZ1FDajY2QW9kaTZwZzByQm9xZ2t0Umovd1V3UzhsZVZ3WFVod2hWUDVMcWZ5Q0NoTlA4ZlxuaS8xNGhabXNxWElkc0FRZ0daeC9xeEkwNHJrV2x4Z3RiSTBLK2Fpb1VnN2d4KzJmK0p6T3AwajAzem51YWFFdlxuN1FEUDJDN2RhUWpyeVFrVTRYcnVqUTgrUGVGQSthR29Vdi85citQTkxjV3hSVE81Sjkxa3llM2Yxd0tCZ0ZsQlxuUC9XZjNzS3dEUVNRKys5VGJhUW9wbi80TERzSjFNSjVmd1Y5V2U3MU96aTBHeHp0bVlVVjV0Y2s1cEN1VGc3eVxuK2FWZ3pISjM4RVMrOG5vcFR3Q0VlY2lheFJwYnBYRithcmM3MkNiaTBTOE9tNW1hOVlCZmNDRTNsczlOTEViY1xuUzNDU3FvRlR3UURTNEdjWFU5UDFleHJxTTRLK1ArVTJtVGJOQ2RGYkFvR0JBSU5lTmZnYmVDTW1hOW1OVjJUWVxubDFEOHVVZWpUb0J1VGFtQ2NWZWFzMXk3YVRvd21yVEk1cmVuM3NYMXFwLzhSVi9ZSVNFWFM1alUzb0NnR1VTVFxuVjhtbDZxZmNFK1Q4QXFzTFBIdVlxN0ZvMW1aekh6eGFmWEkxQWlyTEs0VmdqMkVjZnJWN2JIZGpaQ1dBeVNibFxuTDdkOXpJRnBnTUtOL3BYL3pLSGZ1Uk1rXG4tLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tXG4iLAogICJjbGllbnRfZW1haWwiOiAic2VydmljZS1hY2NvdW50QHAtb3loNms1Znl3ZTJxajhvbjlkb2RwaXQ5MW41Zy5pYW0uZ3NlcnZpY2VhY2NvdW50LmNvbSIsCiAgImNsaWVudF9pZCI6ICIxMTQ2NDkzOTcwMTk4NDY3OTg1NjgiLAogICJhdXRoX3VyaSI6ICJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20vby9vYXV0aDIvYXV0aCIsCiAgInRva2VuX3VyaSI6ICJodHRwczovL29hdXRoMi5nb29nbGVhcGlzLmNvbS90b2tlbiIsCiAgImF1dGhfcHJvdmlkZXJfeDUwOV9jZXJ0X3VybCI6ICJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9vYXV0aDIvdjEvY2VydHMiLAogICJjbGllbnRfeDUwOV9jZXJ0X3VybCI6ICJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9yb2JvdC92MS9tZXRhZGF0YS94NTA5L3NlcnZpY2UtYWNjb3VudCU0MHAtb3loNms1Znl3ZTJxajhvbjlkb2RwaXQ5MW41Zy5pYW0uZ3NlcnZpY2VhY2NvdW50LmNvbSIKfQo=
HC_CONSUL_LICENSE=02MV4UU43BK5HGYYTOJZWFQMTMNNEWU33JJVLU2NCZNVEXSTSENN2E6R2RGVHFGMBTJVKGQ3KMKRUGSWSHLF2E43KSNRMTEUTMLJDUU2CONJTXSSLJO5UVSM2WPJSEOOLULJMEUZTBK5IWST3JJJUE6VDHGRNFITJRJVUTC22ZK5LGUTCUJUYE4VDLORGUI2DIJ5BTA6KONVCXSWSXKF5FURCKNNGVOWLJJRBUU4DCNZHDAWKXPBZVSWCSOBRDENLGMFLVC2KPNFEXCSLJO5UWCWCOPJSFOVTGMRDWY5C2KNETMSLKJF3U22SFORGUIZ3UJV5EMVKNIRETMTSUIE3E2RDLOVGUIRJVJVVEC6SNKRKTCV3JJFZUS3SOGBMVQSRQLAZVE4DCK5KWST3JJF4U2RCJPBGFIQJUJRKE252WIRAXOT3KIF3U62SBO5LWSSLTJFWVMNDDI5WHSWKYKJYGEMRVMZSEO3DULJJUSNSJNJEXOTLKIV2E2VCBORGUIRSVJVCECNSNIRATMTKEIJQUS2LXNFSEOVTZMJLWY5KZLBJHAYRSGVTGIR3MORNFGSJWJFVES52NNJCXITKUIF2E2RCGKVGUIQJWJVCECNSNIRBGCSLJO5UWGSCKOZNEQVTKMRBUSNSJNVHHMYTOJYYWEQ2JONEW2WTTLFLWI6SJNJYDOSLNGF3FUSCWONNFQTLJJ5WHG2K2GJ4HMWLNIZZUYWC2OBRTE3DJMFLXQ4DEJBVXIY3NHEYWIR3MOVNHSML2LEZEM422KNEXGSLNMR3GI3KWPFRG2RTVLEZFK5DDI44XGYKXJY2US3BRHFTFCPJ5FZUTANZPNBSWQZ2OINUHCOKRMJKTQZLJKVSDM53FORXU6NZYNVUHC5DDORMFM2CUHB2GUVJRKNDCWTRPGBDTEU3XF44DOYLKJRLS6SZUINHXUSLJMREVAU3INVMTC4TTPJ3VO4TWINYDCZCBNNRWCNDEKYYDGMZYKB3W2VTMMF3EUUBUOBFHQSKJHFCDMVKGJRKWCVSQNJVVOSTUMNCDM4DBNQ3G6T3GI5XEWMT2KBFUUUTNI5EFMM3FLJ3XCRTFFNXTO2ZPOMVUCVCONBIFUZ2TF5FVMWLHF5FSW3CHKB3UYN3KIJ4ESN2HJ5QWWNSVMFUWCSDPMVVTAUSUN43TERCRHU6Q
HC_VAULT_LICENSE=02MV4UU43BK5HGYYTOJZWFQMTMNNEWU33JJVCFM22NKRVTIT2ENN2FSVCGNBGVGMLJJVVGONKMKRFGQTSEJF2E2R2ZPJGVIRTJLFLVKMCOK5HGYSLJO5UVSM2WPJSEOOLULJMEUZTBK5IWST3JJJUE6VDHGRNFITJRJVUTC22ZK5LGUTCUJUYE4VDLORGUI2DIJ5BTA6KONVCXSWSXKF5FURCKNNGVOWLJJRBUU4DCNZHDAWKXPBZVSWCSOBRDENLGMFLVC2KPNFEXCSLJO5UWCWCOPJSFOVTGMRDWY5C2KNETMSLKJF3U22SFORGUIZ3UJV5EMVKNIRETMTSUIE3E2RCROVHUISLYJ5KGGMSNNJFGCSLJO5UWGM2SNBRW4UTGMRDWY5C2KNETMSLKJF3U22SFORGUIZ3UJV5EEVKNIRATMTKEIE3E2RCCMFEWS53JLJMGQ53BLBFGQZCHNR3GE3BZGBQVOMLMJFVG62KNNJAXSTKTGB4E2QZQO5GVMULXJVCG652NIRXXOTKGN5UUYQ2KGBNFQSTUMFLTK2DEI5WHMYTMHEYGCVZRNREWU33JJVVEC6KNKMYHQTKDGB3U2VSRO5GUI33XJVCG652NIZXWSTCDJJ3WG3JZNNSFOTRQJFVG62LENVDDCYSIKFUUYQ2KNVREORTOMN4USNTFPFFHIYRSKIYWER2WPJEWU4DCJFWTCMLCJBJHATCXKJVEYWCONJMVO6DMJFUXO2K2GI4TEWSYJJ2VSVZVNJNFGMLXMIZHQ4CZGNVWSTCDJJUFUSC2NBRG2TTMLJBTC22ZLBJGQTCYIJ4WEM2SNRMTGUTQMIZDI2KYLAYTSLS2KFZW22BUNRBDSN2EMJIXMZLSMRUTKN2OONTU22CTPIXSWN2FINKVQ4TQIFJXORJSPBEG4YKHKVGEO4SKKZJFESTOJVXE4USJMQ3DO23NOFSG6Z2IKBVFQWDXNZWEK43EIZBWGQRVGFSEC23DME2GIVRQGMZTQUDXNVLGYYLWJJIDI4CKPBEUSOKEGZKUMTCVMFLFA2TLK5FHIY2EGZYGC3BWN5HWMR3OJMZHUUCLJJJG2R2IKYZWKWTXOFDGKK3PG5VS64ZLIFKE42CQLJTVGL2LKZMWOL2LFNWEOUDXJQ3WUQTYJE3UOT3BNM3FKYLJMFEG6ZLLGBJFI3ZXGJCFCPJ5
INSTRUQT_GCP_PROJECT_CONSUL_PROJECT_ID=p-oyh6k5fywe2qj8on9dodpit91n5g

In [None]:
az login \
  --username "${INSTRUQT_AZURE_SUBSCRIPTION_CONSUL_USERNAME}" \
  --password "${INSTRUQT_AZURE_SUBSCRIPTION_CONSUL_PASSWORD}"
export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
export GOOGLE_CREDENTIALS=$(echo $INSTRUQT_GCP_PROJECT_CONSUL_SERVICE_ACCOUNT_KEY | base64 -d)
# echo 'export GOOGLE_CREDENTIALS=$(echo $INSTRUQT_GCP_PROJECT_CONSUL_SERVICE_ACCOUNT_KEY | base64 -d)' >> ${HOME}/.bashrc
# source ${HOME}/.bashrc

Set your Google Project

In [None]:
export GCP_PROJECT="$(echo $INSTRUQT_GCP_PROJECT_CONSUL_PROJECT_ID)"
gcloud config set project $GCP_PROJECT

In [None]:
#debugging
echo $GOOGLE_CREDENTIALS | jq
export GOOGLE_APPLICATION_CREDENTIALS=$GOOGLE_CREDENTIALS