Follow these steps to deploy the Google Fleet Routing App container image and supporting resources to an initialized Google Cloud project.
🛑 This document assumes that you have created and initialized a Google Cloud project as described in the project creation and configuration guide. If you have not created a project according to that process, go follow those steps, then come back here to continue with deployment.
- Google Cloud SDK (
gcloud
CLI) - Git
- Terraform CLI v1.1 or later
Terraform runs as your gcloud
Application Default Credentials.
So the CLI must be logged in as a Google account
with permission to modify the target project.
If not already configured, run the following commands to authorize the CLI and set your default credentials:
gcloud auth login
gcloud auth application-default login
This repository contains Terraform configurations for the deployment. Clone the repository and navigate to the checked-out directory.
git clone https://github.com/google/cfr.git
cd fleetrouting-app
Open a shell to the root of the cloned source code repo and follow these steps.
Create a file named local.auto.tfvars
in the deployment/
directory:
touch deployment/local.auto.tfvars
Edit this file and populate local.auto.tfvars
with appropriate values for your project.
The following sections explain the variables in detail.
At minimum, the following variables must be populated in your local.auto.tfvars
file. If you followed the project setup instructions, these values should be familiar:
project
- Google Cloud project ID (NOT number or name) of the project you created in project setup.dns_name
- Fully-qualified domain name to host the app at, without any protocol or path (e.g.fleetrouting.example.com
)- This domain must be registered in a Google Cloud DNS zone and be editable by your Google account.
dns_zone
- ID of the Cloud DNS zone that owns yourdns_name
domaindns_project
- ID of the Google Cloud project that containsdns_zone
deployment_tag
- Container version to deploy (4.4.1
or later).maps_api_key
- API Key credential created in project setup to enable Google Maps Platform features.iap_client_id
andiap_client_secret
- The OAuth credential you created during project setup. Find these on the Cloud Console page for your project (APIs & Services > Credentials > OAuth 2 Client IDs). Click the name of your key and copy the values from the right hand side of the page.authorized_users
- An array of users and/or groups of users who are authorized to access the app- Each entry should follow IAM principal syntax
(e.g.
user:[email protected]
,group:[email protected]
,domain:example.com
). - Be sure to include yourself in this list (project owners do not automatically inherit IAP-secured Web App User permission).
- Each entry should follow IAM principal syntax
(e.g.
project = "my-fleetrouting-123"
dns_name = "fleetrouting.example.com"
dns_zone = "example-com-zone"
dns_project = "my-dns-project-456"
deployment_tag = "4.4.1" # or later
# find the following values in Cloud Console (APIs & Services > Credentials)
maps_api_key = "AIzaBc123..."
iap_client_id = "1234...5678-ZXhh...ZSA2.apps.googleusercontent.com"
iap_client_secret = "Z9y8X7..."
authorized_users = [
"user:[email protected]",
"group:[email protected]",
"domain:example.com"
]
The following variables are not necessary to specify for most deployments. Only set these when you need to override the defaults or are referencing resources that already exist from a previous deployment.
Variable Name | Description | Default |
---|---|---|
allow_experimental_features |
When 'true' , enables experimental CFR features in the app. Project must be allow-listed by Google for features to work. Must be a string literal (i.e. not a boolean value). |
'false' |
allow_user_gcs_storage |
When 'true' , enables scenarios and solutions to be stored in Google Cloud Storage. Must be a string literal (i.e. not a boolean value). |
'false' |
deployment_name |
Deprecated: Name/prefix applied to deployed resources (must be kebab case). The deployment_name variable exists for backward compatibility with existing environments. New deployments should use the default value. |
fleetrouting-app |
image_repo_channel |
Build channel the deployment_tag belongs to (release or snapshot ). Should be release for all official builds, snapshot builds should only be used for development and testing. |
release |
static_ip_address_name |
Name of the external IP address. Set if you need to reference an existing IP address (e.g. from v3) in a new/updated deployment. | fleetrouting-app-ip |
region |
Google Cloud region to deploy to. Must be a supported Cloud Run region. | us-central1 |
Navigate to the deployment/
directory.
Initialize Terraform and run the apply
command to deploy the app and its resources:
cd deployment
terraform init
terraform apply
Resolve any errors that may appear due to missing or invalid values
in your local.auto.tfvars
file.
Review the planned changes and, if everything looks good,
enter yes
to confirm the deployment.
Expect the deployment process to take 10-20 minutes to complete.
Terraform may take up to 10 minutes to deploy all the resources.
And it may take an additional 10 minutes after apply
completes
for the HTTPS certificate to finish provisioning
and the load balancer to become healthy and start serving the app.
Open your web browser and periodically refresh your deployed URL: https://{domain_name}
- Initially, expect to see "connection reset errors".
- Next, as the load balancer starts to come online, you may see "temporarily unavailable" errors.
- Then, expect your browser to display "SSL cipher" errors until the HTTPS certificate finishes provisioning.
The application is live when you see a Google Sign-In page upon loading the URL. After signing in, you should see the app's landing page with "Cloud Fleet Routing API" displayed at the top.
Expand the Request Details section and check the displayed redirect_uri
value.
Open your OAuth Client ID credential in Cloud Console and verify that the URL in the error message matches the configured Authorized redirect URI (see Configure the Authorized Redirect URI section of project setup.
Edit the Authorized redirect URI to match the redirect_uri
in the error message.
The Cloud Run service failed to deploy or is unhealthy.
Verify that deployment_tag
is a valid container version.
If not, change the value and re-run terraform apply
.
Go to the Cloud Run section of Cloud Console and check for errors.
An authorized user (from your authorized_user
list) may still be rejected
if they are not a member of your Google Cloud organization.
This is working as intended because OAuth was originally configured
as an Internal app, meaning it only supports identities from your organization.
To allow users outside your organization to access the app, you must change the OAuth user type from Internal to External, and set the publishing status to Testing.
- Go to Google Cloud Console and open your project
- Navigate to the APIs & Services > OAuth consent screen section
- Click the MAKE EXTERNAL button
- In the dialog that appears, change the Publishing status to Testing and click CONFIRM
See OAuth support for the limitations on apps published in Testing mode.
To add or remove authorized users,
edit the authorized_users
list in local.auto.tfvars
and re-run the terraform apply
command.