第 1 步：准备项目

本页面介绍在通过 Terraform 部署 Manufacturing Data Engine (MDE) 之前，准备 Google Cloud 项目的步骤。

概览

MDE 以打包解决方案的形式交付。 Terraform 脚本会将所有必需的组件和集成代码部署到您的 Google Cloud 项目中。这样一来，您就可以根据自己的需求灵活地修改和扩展架构。

部署脚本会自动设置和配置解决方案，前提是已满足 Google Cloud 项目和权限等前提条件。部分客户可能已设置了广泛的自定义 Google Cloud限制。在这种情况下，可能需要额外的工作（通过 Google Cloud 咨询或系统集成合作伙伴）才能部署并绕过这些限制。

1. 准备客户端环境

您的客户端环境需要安装以下 CLI 工具，且版本为最新版本：

Google Cloud CLI，并安装了以下附加组件：
- kubectl
- cbt
- Terraform CLI（v1.9.x 或更高版本）
  - 请务必同时查看 Terraform 和 Terraform 提供商的最低要求。
- Helm CLI（v3.9.x 或更高版本）
您可以使用任何客户端环境来部署 MDE，但由于 Cloud Shell 已安装大多数必需的工具，因此从 Cloud Shell 部署可以节省时间。
激活 Cloud Shell

2. 准备 Google Cloud 项目

确保您的 Google Cloud 项目具有以下特征：

有效的 Cloud Billing 账号。
该账号所属的组织拥有有效的 Cloud Identity 或 Workspace 账号。

注意： Google Workspace 要求并非硬性要求，只要您拥有创建网络和基础架构资源的相应权限，就可以在没有组织的情况下设置项目。如果您计划部署 Manufacturing Connect (MC)，则需要有效网域。
使用以下命令将默认项目设置为 MDE 部署项目：
```
gcloud config set project PROJECT_ID
```
替换以下内容：
- 将 PROJECT_ID 替换为 MDE 部署项目 ID。

3. 创建服务账号

您需要在 Google Cloud 项目中创建两个不同的服务账号：

mde-df-worker@PROJECT_ID.iam.gserviceaccount.com
mde-tf@PROJECT_ID.iam.gserviceaccount.com。

替换以下内容：

将 PROJECT_ID 替换为 MDE 部署项目 ID。

组织中具有 roles/iam.serviceAccountCreator 角色的用户可以使用以下命令创建 mde-df-worker 和 mde-tf 服务账号：

gcloud iam service-accounts create mde-df-worker \
--description="Manufacturing Data Engine Dataflow Worker Service Account" \
--display-name="Manufacturing Data Engine Dataflow Worker Service Account"

gcloud iam service-accounts create mde-tf \
--description="Manufacturing Data Engine Terraform Service Account" \
--display-name="Manufacturing Data Engine Terraform Service Account"

4. 为 `mde-tf` 服务账号授予角色

向 Terraform 用于部署的 mde-tf 服务账号授予以下角色：

roles/bigquery.admin
roles/bigtable.admin
roles/cloudsql.admin
roles/compute.instanceAdmin
roles/compute.loadBalancerAdmin
roles/compute.networkAdmin
roles/compute.securityAdmin
roles/container.admin
roles/container.developer
roles/dataflow.admin
roles/dns.admin
roles/iam.serviceAccountAdmin
roles/iam.serviceAccountUser
roles/pubsub.admin
roles/resourcemanager.projectIamAdmin
roles/secretmanager.admin
roles/secretmanager.secretVersionManager
roles/serviceusage.serviceUsageAdmin
roles/storage.admin
roles/monitoring.admin
roles/redis.admin
roles/file.editor

具有 roles/iam.securityAdmin 角色或同等权限的用户可以使用以下命令向 mde-tf 服务账号授予所需的角色：

export PROJECT_ID=$(gcloud config get-value project)
export SA_TERRAFORM="mde-tf"

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/bigquery.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/dataflow.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/bigtable.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/cloudsql.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/compute.instanceAdmin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/compute.loadBalancerAdmin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/compute.networkAdmin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/compute.securityAdmin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/container.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/container.developer'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/dns.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/iam.serviceAccountAdmin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/iam.serviceAccountUser'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/pubsub.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/resourcemanager.projectIamAdmin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/secretmanager.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/secretmanager.secretVersionManager'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/serviceusage.serviceUsageAdmin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/storage.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/monitoring.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/redis.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/file.editor'

5. 模拟 `mde-tf` 服务账号

如果您拥有 roles/iam.serviceAccountTokenCreator 角色，则允许您的用户账号模拟 mde-tf 服务账号。

具有 roles/iam.serviceAccountAdmin 角色或同等权限的用户可以使用以下命令，为您的用户账号授予 mde-tf 服务账号的角色：

export USER_EMAIL=$(gcloud auth list --filter=status:ACTIVE --format="value(account)")
export PROJECT_ID=$(gcloud config get-value project)
gcloud iam service-accounts add-iam-policy-binding \
--role roles/iam.serviceAccountTokenCreator \
--member "user:${USER_EMAIL}" \
"mde-tf"@"${PROJECT_ID}".iam.gserviceaccount.com

6. 启用 Google Cloud API

确保已启用 Google Cloud API。

必须启用以下 Google Cloud API 才能执行 Terraform 脚本：

compute.googleapis.com
iamcredentials.googleapis.com
cloudresourcemanager.googleapis.com

拥有 roles/servicemanagement.serviceConsumer 角色或同等权限的用户可以使用以下命令启用 API：

gcloud services enable \
compute.googleapis.com \
iamcredentials.googleapis.com \
cloudresourcemanager.googleapis.com

7. 准备 Cloud Storage 存储分区

准备一个 Cloud Storage 存储分区来存储 Terraform 状态：

Terraform 需要一个 Cloud Storage 存储桶来保存 Terraform 状态 (PROJECT_ID-tf)，并且 mde-tf 服务账号必须对此存储桶拥有读写权限。

具有 roles/storage.admin 角色或等效权限的用户可以创建存储桶，并使用以下命令向 mde-tf 授予必需的权限：

export PROJECT_ID=$(gcloud config get-value project)

gcloud storage buckets create "gs://${PROJECT_ID}-tf"

gcloud storage buckets add-iam-policy-binding gs://"${PROJECT_ID}-tf" \
--member="serviceAccount:mde-tf@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/storage.objectViewer'

gcloud storage buckets add-iam-policy-binding gs://"${PROJECT_ID}-tf" \
--member="serviceAccount:mde-tf@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/storage.objectCreator'