步驟 1：準備專案

本頁說明如何按照步驟準備專案，再使用 Terraform 部署 Manufacturing Data Engine (MDE)。 Google Cloud

總覽

MDE 以套裝解決方案的形式提供。 Terraform 指令碼會將所有必要元件和整合程式碼部署到 Google Cloud 專案中。您可以根據需求修改及擴充架構，享有最大的彈性。

部署指令碼會自動設定及配置解決方案，前提是已備妥 Google Cloud 專案和權限等必要條件。部分客戶可能已設定廣泛的自訂限制 Google Cloud。如果是這種情況，可能需要額外工作 (透過 Google Cloud 諮詢或系統整合合作夥伴)，才能部署並規避這些限制。

1. 準備用戶端環境

用戶端環境必須安裝下列 CLI 工具的最新版本：

Google Cloud CLI，並安裝下列額外元件：
- kubectl
- cbt
- Terraform CLI ( v1.9.x 以上版本)
  - 請務必一併查看 Terraform 和 Terraform 供應商的最低需求。
- Helm CLI (3.9.x 以上版本)
您可以使用任何用戶端環境部署 MDE，但從 Cloud Shell 部署可節省時間，因為 Cloud Shell 已安裝大部分必要工具。
啟用 Cloud Shell

2. 準備 Google Cloud 專案

請確認 Google Cloud 專案具備下列特徵：

有效的 Cloud Billing 帳戶。
該帳戶隸屬於機構，且機構擁有有效的 Cloud Identity 或 Workspace 帳戶。

注意： Google Workspace 並非必要條件，只要您擁有建立網路和基礎架構資源的適當權限，即可在沒有機構的情況下設定專案。如要部署 Manufacturing Connect (MC)，則需要有效的網域。
使用下列指令，將預設專案設為 MDE 部署專案：
```
gcloud config set project PROJECT_ID
```
更改下列內容：
- 將 PROJECT_ID 替換為 MDE 部署專案 ID。

3. 建立服務帳戶

您需要在 Google Cloud 專案中建立兩個不同的服務帳戶：

mde-df-worker@PROJECT_ID.iam.gserviceaccount.com
mde-tf@PROJECT_ID.iam.gserviceaccount.com。

更改下列內容：

將 PROJECT_ID 替換為 MDE 部署專案 ID。

貴機構中具有 roles/iam.serviceAccountCreator 角色的使用者可以透過下列指令，建立 mde-df-worker 和 mde-tf 服務帳戶：

gcloud iam service-accounts create mde-df-worker \
--description="Manufacturing Data Engine Dataflow Worker Service Account" \
--display-name="Manufacturing Data Engine Dataflow Worker Service Account"

gcloud iam service-accounts create mde-tf \
--description="Manufacturing Data Engine Terraform Service Account" \
--display-name="Manufacturing Data Engine Terraform Service Account"

4. 授予 `mde-tf` 服務帳戶角色

將下列角色授予 Terraform 用於部署作業的 mde-tf 服務帳戶：

roles/bigquery.admin
roles/bigtable.admin
roles/cloudsql.admin
roles/compute.instanceAdmin
roles/compute.loadBalancerAdmin
roles/compute.networkAdmin
roles/compute.securityAdmin
roles/container.admin
roles/container.developer
roles/dataflow.admin
roles/dns.admin
roles/iam.serviceAccountAdmin
roles/iam.serviceAccountUser
roles/pubsub.admin
roles/resourcemanager.projectIamAdmin
roles/secretmanager.admin
roles/secretmanager.secretVersionManager
roles/serviceusage.serviceUsageAdmin
roles/storage.admin
roles/monitoring.admin
roles/redis.admin
roles/file.editor

具備 roles/iam.securityAdmin 角色或同等權限的使用者，可以透過下列指令將必要角色授予 mde-tf 服務帳戶：

export PROJECT_ID=$(gcloud config get-value project)
export SA_TERRAFORM="mde-tf"

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/bigquery.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/dataflow.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/bigtable.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/cloudsql.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/compute.instanceAdmin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/compute.loadBalancerAdmin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/compute.networkAdmin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/compute.securityAdmin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/container.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/container.developer'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/dns.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/iam.serviceAccountAdmin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/iam.serviceAccountUser'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/pubsub.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/resourcemanager.projectIamAdmin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/secretmanager.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/secretmanager.secretVersionManager'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/serviceusage.serviceUsageAdmin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/storage.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/monitoring.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/redis.admin'

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:${SA_TERRAFORM}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/file.editor'

5. 模擬 `mde-tf` 服務帳戶

如果您具備 roles/iam.serviceAccountTokenCreator 角色，請允許使用者帳戶模擬 mde-tf 服務帳戶。

具備 roles/iam.serviceAccountAdmin 角色或同等權限的使用者，可以使用下列指令，在 mde-tf 服務帳戶中授予使用者帳戶該角色：

export USER_EMAIL=$(gcloud auth list --filter=status:ACTIVE --format="value(account)")
export PROJECT_ID=$(gcloud config get-value project)
gcloud iam service-accounts add-iam-policy-binding \
--role roles/iam.serviceAccountTokenCreator \
--member "user:${USER_EMAIL}" \
"mde-tf"@"${PROJECT_ID}".iam.gserviceaccount.com

6. 啟用 Google Cloud API

確認已啟用 Google Cloud API。

您必須啟用下列 API，才能執行 Terraform 指令碼： Google Cloud

compute.googleapis.com
iamcredentials.googleapis.com
cloudresourcemanager.googleapis.com

具備 roles/servicemanagement.serviceConsumer 角色或同等權限的使用者，可以使用下列指令啟用 API：

gcloud services enable \
compute.googleapis.com \
iamcredentials.googleapis.com \
cloudresourcemanager.googleapis.com

7. 準備 Cloud Storage 值區

準備 Cloud Storage bucket 來儲存 Terraform 狀態：

Terraform 需要 Cloud Storage 值區來儲存 Terraform 狀態 (PROJECT_ID-tf)，且 mde-tf 服務帳戶必須擁有這個值區的讀取和寫入權限。

具備 roles/storage.admin 角色或同等權限的使用者可以建立 bucket，並使用下列指令授予 mde-tf 必要權限：

export PROJECT_ID=$(gcloud config get-value project)

gcloud storage buckets create "gs://${PROJECT_ID}-tf"

gcloud storage buckets add-iam-policy-binding gs://"${PROJECT_ID}-tf" \
--member="serviceAccount:mde-tf@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/storage.objectViewer'

gcloud storage buckets add-iam-policy-binding gs://"${PROJECT_ID}-tf" \
--member="serviceAccount:mde-tf@${PROJECT_ID}.iam.gserviceaccount.com" \
--role='roles/storage.objectCreator'