Terraform module to demonstrate Feast setup on GCP (feast-dev#1148)

* Terraform module to demonstrate Feast setup on GCP

Signed-off-by: Khor Shu Heng <[email protected]>

* Use local variable instead of template for helm values

Signed-off-by: Khor Shu Heng <[email protected]>

Co-authored-by: Khor Shu Heng <[email protected]>

Author: khorshuheng

infra/terraform/gcp/README.md

@@ -0,0 +1,35 @@
+# Terraform config for feast on GCP
+
+This serves as a guide on how to deploy Feast on GCP. At the end of this guide, we will have provisioned:
+1. GKE cluster
+2. Feast services running on GKE
+3. Google Memorystore (Redis) as online store
+4. Dataproc cluster
+4. Kafka running on GKE, exposed to the dataproc cluster via internal load balancer.
+
+# Steps
+
+1. Create a tfvars file, e.g. `my.tfvars`. A sample configuration is as below:
+
+```
+gcp_project_name        = "kf-feast"
+name_prefix             = "feast-0-8"
+region                  = "asia-east1"
+gke_machine_type        = "n1-standard-2"
+network                 = "default"
+subnetwork              = "default"
+dataproc_staging_bucket = "kf-feast-dataproc-staging-test"
+```
+
+3. Configure tf state backend, e.g.:
+```
+terraform {
+  backend "gcs" {
+    bucket = "<your bucket name>"
+    prefix = "terraform/feast"
+  }
+}
+```
+
+3. Use `terraform apply -var-file="my.tfvars"` to deploy.
+

infra/terraform/gcp/dataproc.tf

@@ -0,0 +1,68 @@
+resource "google_storage_bucket" "dataproc_staging_bucket" {
+  name          = var.dataproc_staging_bucket
+  project       = var.gcp_project_name
+  location      = var.region
+  force_destroy = true
+}
+
+resource "google_dataproc_autoscaling_policy" "feast_dataproc_cluster_asp" {
+  policy_id = var.name_prefix
+  location  = var.region
+  project   = var.gcp_project_name
+
+  worker_config {
+    min_instances = var.min_dataproc_worker_count
+    max_instances = var.max_dataproc_worker_count
+  }
+
+  basic_algorithm {
+    yarn_config {
+      graceful_decommission_timeout = "3600s"
+      scale_down_factor             = 0.5
+      scale_up_factor               = 0.5
+    }
+  }
+}
+
+resource "google_dataproc_cluster" "feast_dataproc_cluster" {
+  project = var.gcp_project_name
+  name    = var.name_prefix
+  region  = var.region
+
+  cluster_config {
+    staging_bucket = google_storage_bucket.dataproc_staging_bucket.name
+
+    master_config {
+      num_instances = 1
+      machine_type  = var.dataproc_master_instance_type
+      disk_config {
+        boot_disk_type    = var.dataproc_master_disk_type
+        boot_disk_size_gb = var.dataproc_master_disk_size
+      }
+    }
+
+    worker_config {
+      num_instances = var.min_dataproc_worker_count
+      machine_type  = var.dataproc_worker_instance_type
+      disk_config {
+        boot_disk_type    = var.dataproc_worker_disk_type
+        boot_disk_size_gb = var.dataproc_worker_disk_size
+      }
+    }
+
+    gce_cluster_config {
+      subnetwork      = var.subnetwork
+      service_account = google_service_account.feast_sa.email
+
+      internal_ip_only = true
+    }
+
+    software_config {
+      image_version = var.dataproc_image_version
+    }
+
+    autoscaling_config {
+      policy_uri = google_dataproc_autoscaling_policy.feast_dataproc_cluster_asp.name
+    }
+  }
+}

infra/terraform/gcp/feast.tf

@@ -0,0 +1,121 @@
+locals {
+  feast_postgres_secret_name = "${var.name_prefix}-postgres-secret"
+  feast_helm_values = {
+    redis = {
+      enabled = false
+    }
+
+    kafka = {
+      enabled = true
+      externalAccess = {
+        enabled = true
+        service = {
+          types                    = "LoadBalancer"
+          port                     = 9094
+          loadBalancerIPs          = [google_compute_address.kafka_broker.address]
+          loadBalancerSourceRanges = ["10.0.0.0/8"]
+          annotations = {
+            "cloud.google.com/load-balancer-type" = "Internal"
+          }
+        }
+      }
+    }
+
+    grafana = {
+      enabled = false
+    }
+
+
+    postgresql = {
+      existingSecret = local.feast_postgres_secret_name
+    }
+
+    feast-core = {
+      postgresql = {
+        existingSecret = local.feast_postgres_secret_name
+      }
+    }
+
+    feast-online-serving = {
+      enabled = true
+      "application-override.yaml" = {
+        feast = {
+          core-host      = "${var.name_prefix}-feast-core"
+          core-grpc-port = 6565
+          active_store   = "online_store"
+          stores = [
+            {
+              name = "online_store"
+              type = "REDIS"
+              config = {
+                host = google_redis_instance.online_store.host
+                port = 6379
+                subscriptions = [
+                  {
+                    name    = "*"
+                    project = "*"
+                  }
+                ]
+              }
+            }
+          ]
+        }
+      }
+    }
+
+    feast-jupyter = {
+      enabled = true
+      envOverrides = {
+        feast_redis_host             = google_redis_instance.online_store.host,
+        feast_redis_port             = 6379,
+        feast_spark_launcher         = "dataproc"
+        feast_dataproc_cluster_name  = google_dataproc_cluster.feast_dataproc_cluster.name
+        feast_dataproc_project       = var.gcp_project_name
+        feast_dataproc_region        = var.region
+        feast_spark_staging_location = "gs://${var.dataproc_staging_bucket}/artifacts/"
+        feast_historical_feature_output_location : "gs://${var.dataproc_staging_bucket}/out/"
+        feast_historical_feature_output_format : "parquet"
+        demo_kafka_brokers : "${google_compute_address.kafka_broker.address}:9094"
+        demo_data_location : "gs://${var.dataproc_staging_bucket}/test-data/"
+      }
+      gcpServiceAccount = {
+        enabled = true
+        name    = var.feast_sa_secret_name
+        key     = "credentials.json"
+      }
+    }
+  }
+}
+
+resource "random_password" "feast-postgres-password" {
+  length  = 16
+  special = false
+}
+
+resource "kubernetes_secret" "feast-postgres-secret" {
+  metadata {
+    name = local.feast_postgres_secret_name
+  }
+  data = {
+    postgresql-password = random_password.feast-postgres-password.result
+  }
+}
+
+resource "google_compute_address" "kafka_broker" {
+  project      = var.gcp_project_name
+  region       = var.region
+  subnetwork   = var.subnetwork
+  name         = "${var.name_prefix}-kafka"
+  address_type = "INTERNAL"
+}
+
+resource "helm_release" "feast" {
+  depends_on = [kubernetes_secret.feast-postgres-secret, kubernetes_secret.feast_sa_secret]
+
+  name  = var.name_prefix
+  chart = "../../charts/feast"
+
+  values = [
+    yamlencode(local.feast_helm_values)
+  ]
+}

infra/terraform/gcp/gke.tf

@@ -0,0 +1,19 @@
+resource "google_container_cluster" "feast_gke_cluster" {
+  name       = "${var.name_prefix}-cluster"
+  location   = var.region
+  network    = var.network
+  subnetwork = var.subnetwork
+
+  initial_node_count = var.gke_node_count
+  node_config {
+    machine_type = var.gke_machine_type
+  }
+
+  ip_allocation_policy {
+  }
+}
+
+data "google_container_cluster" "feast_gke_cluster" {
+  location = var.region
+  name     = google_container_cluster.feast_gke_cluster.name
+}

infra/terraform/gcp/iam.tf

@@ -0,0 +1,37 @@
+resource "google_service_account" "feast_sa" {
+  account_id   = var.name_prefix
+  display_name = var.name_prefix
+  project      = var.gcp_project_name
+}
+
+resource "google_service_account_key" "feast_sa" {
+  service_account_id = google_service_account.feast_sa.name
+}
+
+resource "google_project_iam_member" "feast_dataproc_worker" {
+  project = var.gcp_project_name
+  role    = "roles/dataproc.worker"
+  member  = "serviceAccount:${google_service_account.feast_sa.email}"
+}
+
+resource "google_project_iam_member" "feast_dataproc_editor" {
+  project = var.gcp_project_name
+  role    = "roles/dataproc.editor"
+  member  = "serviceAccount:${google_service_account.feast_sa.email}"
+}
+
+resource "google_project_iam_member" "feast_batch_ingestion_storage" {
+  project = var.gcp_project_name
+  role    = "roles/storage.admin"
+  member  = "serviceAccount:${google_service_account.feast_sa.email}"
+}
+
+resource "kubernetes_secret" "feast_sa_secret" {
+  metadata {
+    name = var.feast_sa_secret_name
+  }
+  data = {
+    "credentials.json" = base64decode(google_service_account_key.feast_sa.private_key)
+  }
+}
+

infra/terraform/gcp/online_store.tf

@@ -0,0 +1,18 @@
+resource "google_redis_instance" "online_store" {
+  project        = var.gcp_project_name
+  region         = var.region
+  name           = "${var.name_prefix}-online-store"
+  tier           = var.redis_tier
+  memory_size_gb = var.redis_memory_size_gb
+
+  authorized_network = data.google_compute_network.redis-network.id
+
+  redis_version = "REDIS_5_0"
+  display_name  = "Feast Online Store"
+
+}
+
+data "google_compute_network" "redis-network" {
+  project = var.gcp_project_name
+  name    = var.network
+}

infra/terraform/gcp/provider.tf

@@ -0,0 +1,27 @@
+provider "google" {
+  version = "~> 3.46"
+  project = var.gcp_project_name
+}
+
+data "google_client_config" "gcp_client" {
+  provider = google
+}
+
+provider "kubernetes" {
+  version = "~> 1.13.3"
+
+  host                   = google_container_cluster.feast_gke_cluster.endpoint
+  token                  = data.google_client_config.gcp_client.access_token
+  cluster_ca_certificate = base64decode(google_container_cluster.feast_gke_cluster.master_auth.0.cluster_ca_certificate)
+  load_config_file       = false
+}
+
+provider "helm" {
+  version = "~> 1.3.2"
+  kubernetes {
+    host                   = google_container_cluster.feast_gke_cluster.endpoint
+    token                  = data.google_client_config.gcp_client.access_token
+    cluster_ca_certificate = base64decode(google_container_cluster.feast_gke_cluster.master_auth.0.cluster_ca_certificate)
+    load_config_file       = false
+  }
+}