From ec5b86e4c0e753f974a6ca3446d8fdbd433d3bde Mon Sep 17 00:00:00 2001
From: Amanda Karina Lopes de Oliveira
Date: Mon, 12 Aug 2024 10:51:10 -0300
Subject: [PATCH 01/11] Adds instructions to deploy locally without Cloud Build.
---
 0-bootstrap/README.md | 178 +++++++++++++++++++++++++++--
 1-org/README.md | 50 +++++---
 2-environments/README.md | 69 +++++++----
 3-networks-dual-svpc/README.md | 95 +++++++++------
 3-networks-hub-and-spoke/README.md | 96 ++++++++++------
 4-projects/README.md | 107 +++++++++--------
 6 files changed, 431 insertions(+), 164 deletions(-)
diff --git a/0-bootstrap/README.md b/0-bootstrap/README.md
index 2b5b5c58c..3db4c9f74 100644
--- a/0-bootstrap/README.md
+++ b/0-bootstrap/README.md
@@ -64,13 +64,15 @@ This repository is intended as an example to be forked, tweaked, and maintained Though this blueprint can help accelerate your foundation design and build, we assume that you have the engineering skills and teams to deploy and customize your own foundation based on your own requirements. We will support: - - Code is semantically valid, pinned to known good versions, and passes terraform validate and lint checks - - All PR to this repo must pass integration tests to deploy all resources into a test environment before being merged - - Feature requests about ease of use of the code, or feature requests that generally apply to all users, are welcome + +- Code is semantically valid, pinned to known good versions, and passes terraform validate and lint checks +- All PR to this repo must pass integration tests to deploy all resources into a test environment before being merged +- Feature requests about ease of use of the code, or feature requests that generally apply to all users, are welcome We will not support: - - In-place upgrades from a foundation deployed with an earlier version to a more recent version, even for minor version changes, might not be feasible. Repository maintainers do not have visibility to what resources a user deploys on top of their foundation or how the foundation was customized in deployment, so we make no guarantee about avoiding breaking changes. - - Feature requests that are specific to a single user's requirement and not representative of general best practices + +- In-place upgrades from a foundation deployed with an earlier version to a more recent version, even for minor version changes, might not be feasible. Repository maintainers do not have visibility to what resources a user deploys on top of their foundation or how the foundation was customized in deployment, so we make no guarantee about avoiding breaking changes. 
+- Feature requests that are specific to a single user's requirement and not representative of general best practices ## Prerequisites @@ -86,21 +88,25 @@ To run the commands described in this document, install the following: Version 1.5.7 is the last version before the license model change. To use a later version of Terraform, ensure that the Terraform version used in the Operational System to manually execute part of the steps in `3-networks` and `4-projects` is the same version configured in the following code - 0-bootstrap/modules/jenkins-agent/variables.tf + ``` default = "1.5.7" ``` - 0-bootstrap/cb.tf + ``` terraform_version = "1.5.7" ``` - scripts/validate-requirements.sh + ``` TF_VERSION="1.5.7" ``` - build/github-tf-apply.yaml + ``` terraform_version: '1.5.7' ``` @@ -112,6 +118,7 @@ Version 1.5.7 is the last version before the license model change. To use a late ``` - 0-bootstrap/Dockerfile + ``` ARG TERRAFORM_VERSION=1.5.7 ``` @@ -136,7 +143,9 @@ Set the variables in **terraform.tfvars** (`groups` block) to use the specific g # example: gcloud organizations add-iam-policy-binding ${ORG_ID} --member=user:$SUPER_ADMIN_EMAIL --role=roles/securitycenter.admin --quiet > /dev/null 1>&1 ``` + 1. Enable the following additional services on your current bootstrap project: + ```bash gcloud services enable cloudresourcemanager.googleapis.com gcloud services enable cloudbilling.googleapis.com 
@@ -342,11 +351,160 @@ The following steps introduce the steps to deploy with Cloud Build Alternatively ## Running Terraform locally -If you deploy using Cloud Build, the bucket information is replaced in the state -backends as part of the build process when the build is executed by Cloud Build. -If you want to execute Terraform locally, you need to add your Cloud -Storage bucket to the `backend.tf` files. -Each step has instructions for this change. +The following steps introduce the steps to deploy without Cloud Build. + +1. Clone [terraform-example-foundation](https://github.com/terraform-google-modules/terraform-example-foundation) into your local environment and create to the `gcp-bootstrap` folder at the same level. Copy the `0-bootstrap` content and `.gitignore` to `gcp-bootstrap`. + + ```bash + git clone https://github.com/terraform-google-modules/terraform-example-foundation.git + + mkdir gcp-bootstrap + + cp -R terraform-example-foundation/0-bootstrap/* gcp-bootstrap/ + + cp terraform-example-foundation/.gitignore gcp-bootstrap + ``` + +1. Navigate to `gcp-bootstrap` and initialize a local git repository, so you can manage versions locally. Create the environment branches. + + ```bash + cd gcp-bootstrap + + git init + git checkout -b plan + + git checkout -b shared + ``` + +1. Rename `terraform.example.tfvars` to `terraform.tfvars` and update the file with values from your environment: + + ```bash + mv terraform.example.tfvars terraform.tfvars + ``` + +1. Rename `cb.tf` to `cb.tf.example` and update the file with values from your environment: + + ```bash + mv cb.tf cb.tf.example + ``` + +1. Comment Cloud Build outputs related at `outputs.tf`. + +1. Comment lines related to Cloud Build at `sa.tf`. Search for `cicd_project_iam_member` and comment the module and the depends_on. + +1. 
Use the helper script [validate-requirements.sh](../scripts/validate-requirements.sh) to validate your environment: + + ```bash + ../terraform-example-foundation/scripts/validate-requirements.sh -o -b -u + ``` + + **Note:** The script is not able to validate if the user is in a Cloud Identity or Google Workspace group with the required roles. + +1. Run `terraform init` and `terraform plan` and review the output. + + ```bash + git checkout plan + terraform init + terraform plan -input=false -out bootstrap.tfplan + ``` + +1. Copy policy repo and copy contents of policy-library to new folder. Create it the folder at the same level of the `terraform-example-foundation` folder. + + ```bash + cd ../ + + mkdir gcp-policies + + cd gcp-policies + git init + git checkout -b main + cp -RT ../terraform-example-foundation/policy-library/ . + ``` + +1. Commit changes at your main branch to the policy repo. This way you can manage versions locally. + + ```bash + git add . + git commit -m 'Initialize policy library repo' + ``` + +1. Navigate out of the policies repo. + + ```bash + cd .. + ``` + +1. To validate your policies, run `gcloud beta terraform vet`. For installation instructions, see [Install Google Cloud CLI](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install). + +1. Run the following commands and check for violations: + + ```bash + export VET_PROJECT_ID=pjr-seed-serverless-test + terraform show -json bootstrap.tfplan > bootstrap.json + gcloud beta terraform vet bootstrap.json --policy-library="../terraform-example-foundation/policy-library" --project ${VET_PROJECT_ID} + ``` + + *`A-VALID-PROJECT-ID`* must be an existing project you have access to. This is necessary because `gcloud beta terraform vet` needs to link resources to a valid Google Cloud Platform project. + +1. Commit validated code in plan branch. + + ```bash + git add . + git commit -m "Initial version os gcp-bootstrap." + ``` + +1. 
Checkout `shared` branch and merge plan into it. Run `terraform apply`. + + ```bash + git checkout shared + git merge plan + + terraform apply bootstrap.tfplan + ``` + +1. Run `terraform output` to get the email address of the terraform service accounts that will be used to run steps manually and the state bucket that will be used by step `4-projects`. + + ```bash + export network_step_sa=$(terraform output -raw networks_step_terraform_service_account_email) + export projects_step_sa=$(terraform output -raw projects_step_terraform_service_account_email) + export projects_gcs_bucket_tfstate=$(terraform output -raw projects_gcs_bucket_tfstate) + + echo "network step service account = ${network_step_sa}" + echo "projects step service account = ${projects_step_sa}" + echo "projects gcs bucket tfstate = ${projects_gcs_bucket_tfstate}" + ``` + +1. Copy the backend and update `backend.tf` with the name of your Google Cloud Storage bucket for Terraform's state. Also update the `backend.tf` of all steps. + + ```bash + export backend_bucket=$(terraform output -raw gcs_bucket_tfstate) + echo "backend_bucket = ${backend_bucket}" + + export backend_bucket_projects=$(terraform output -raw projects_gcs_bucket_tfstate) + echo "backend_bucket_projects = ${backend_bucket_projects}" + + cp backend.tf.example backend.tf + + cd ../ + + for i in `find . -name 'backend.tf'`; do sed -i'' -e "s/UPDATE_ME/${backend_bucket}/" $i; done + for i in `find . -name 'backend.tf'`; do sed -i'' -e "s/UPDATE_PROJECTS_BACKEND/${backend_bucket_projects}/" $i; done + + cd gcp-bootstrap + ``` + +1. Re-run `terraform init`. When you're prompted, agree to copy Terraform state to Cloud Storage. + + ```bash + terraform init + ``` + +1. Commit the applied code, so you can manage versions locally. + + ```sh + git commit -m "Init gcs backend." + cd ../ + ``` ## Inputs diff --git a/1-org/README.md b/1-org/README.md index 1be58e521..e4d212002 100644 --- a/1-org/README.md +++ b/1-org/README.md 
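Review bot: The branch setup in this hunk runs `git checkout -b plan` and `git checkout -b shared` straight after `git init`, before any commit exists, so only the unborn HEAD moves and no branch is created; the later `git checkout plan` and `git merge plan` in the same hunk then fail ("pathspec 'plan' did not match" / "not something we can merge") and everything lands on `shared`. Make one commit before branching, e.g. `git init`, then `git add . && git commit -m "Initial import"`, then the `git checkout -b` lines; the 1-org, 2-environments and 3-networks-dual-svpc hunks create their branches the same way. `export VET_PROJECT_ID=pjr-seed-serverless-test` hard-codes what looks like a maintainer's own project while the sentence below refers to *`A-VALID-PROJECT-ID`*; use the placeholder, `export VET_PROJECT_ID=A-VALID-PROJECT-ID`, so readers do not run vet against a project they do not own. The `validate-requirements.sh -o -b -u` call passes the three flags without their values, so it presumably cannot validate the organization, billing account or user as intended. The backend loops use backticks and an unquoted `$i`; `find . -name 'backend.tf' -exec sed -i'' -e "s/UPDATE_ME/${backend_bucket}/" {} +` avoids both, and it is worth stating in the text that, because of the preceding `cd ../`, the `backend.tf` files inside the `terraform-example-foundation` clone are rewritten too, which the later steps that copy from that clone appear to rely on.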
@@ -180,14 +180,14 @@ If required, run `terraform output cloudbuild_project_id` in the `0-bootstrap` f 1. Push your plan branch to trigger a plan for all environments. Because the _plan_ branch is not a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), pushing your _plan_ - branch triggers _terraform plan_ but not _terraform apply_. Review the plan output in your Cloud Build project. https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + branch triggers _terraform plan_ but not _terraform apply_. Review the plan output in your Cloud Build project. ```bash git push --set-upstream origin plan ``` 1. Merge changes to the production branch. Because the _production_ branch is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project. https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project. ```bash git checkout -b production 
@@ -214,14 +214,25 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s ### Running Terraform locally 1. The next instructions assume that you are at the same level of the `terraform-example-foundation` folder. -Change into the `1-org` folder, copy the Terraform wrapper script, and ensure it can be executed. +Create `gcp-org` folder, copy `1-org` content and Terraform wrapper script; ensure it can be executed. ```bash - cd terraform-example-foundation/1-org - cp ../build/tf-wrapper.sh . + mkdir gcp-org + cp -R terraform-example-foundation/1-org/* gcp-org/ + cp terraform-example-foundation//build/tf-wrapper.sh gcp-org/ + cp terraform-example-foundation/.gitignore gcp-org + cd gcp-org chmod 755 ./tf-wrapper.sh ``` +1. Initialize a local git repository, so you can manage versions locally. Create the environment branches. + + ```bash + git init + git checkout -b plan + git checkout -b production + ``` + 1. Rename `./envs/shared/terraform.example.tfvars` to `./envs/shared/terraform.tfvars`. ```bash @@ -231,7 +242,7 @@ Change into the `1-org` folder, copy the Terraform wrapper script, and ensure it 1. Check if a Security Command Center notification with the default name, **scc-notify**, already exists. If it exists, choose a different value for the `scc_notification_name` variable in the `./envs/shared/terraform.tfvars` file. ```bash - export ORGANIZATION_ID=$(terraform -chdir="../0-bootstrap/" output -json common_config | jq '.org_id' --raw-output) + export ORGANIZATION_ID=$(terraform -chdir="../gcp-bootstrap/" output -json common_config | jq '.org_id' --raw-output) gcloud scc notifications describe "scc-notify" --organization=${ORGANIZATION_ID} ``` 
@@ -242,10 +253,10 @@ Change into the `1-org` folder, copy the Terraform wrapper script, and ensure it echo "access_context_manager_policy_id = ${ACCESS_CONTEXT_MANAGER_ID}" ``` -1. Update the `envs/shared/terraform.tfvars` file with values from your environment and 0-bootstrap step. If the previous step showed a numeric value, un-comment the variable `create_access_context_manager_access_policy = false`. See the shared folder [README.md](./envs/shared/README.md) for additional information on the values in the `terraform.tfvars` file. +1. Update the `envs/shared/terraform.tfvars` file with values from your environment and `gcp-bootstrap` step. If the previous step showed a numeric value, un-comment the variable `create_access_context_manager_access_policy = false`. See the shared folder [README.md](./envs/shared/README.md) for additional information on the values in the `terraform.tfvars` file. ```bash - export backend_bucket=$(terraform -chdir="../0-bootstrap/" output -raw gcs_bucket_tfstate) + export backend_bucket=$(terraform -chdir="../gcp-bootstrap/" output -raw gcs_bucket_tfstate) echo "remote_state_bucket = ${backend_bucket}" sed -i'' -e "s/REMOTE_STATE_BUCKET/${backend_bucket}/" ./envs/shared/terraform.tfvars 
@@ -254,23 +265,23 @@ Change into the `1-org` folder, copy the Terraform wrapper script, and ensure it ``` You can now deploy your environment (production) using this script. -When using Cloud Build or Jenkins as your CI/CD tool, each environment corresponding to a branch is the repository for 1-org step and only the corresponding environment is applied. To use the `validate` option of the `tf-wrapper.sh` script, follow the [instructions](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install) to install the terraform-tools component. -1. Use `terraform output` to get the Cloud Build project ID and the organization step Terraform service account from 0-bootstrap output. An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set using the Terraform Service Account to enable impersonation. +1. Use `terraform output` to get the Seed project ID and the organization step Terraform service account from gcp-bootstrap output. An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set using the Terraform Service Account to enable impersonation. ```bash - export CLOUD_BUILD_PROJECT_ID=$(terraform -chdir="../0-bootstrap/" output -raw cloudbuild_project_id) - echo ${CLOUD_BUILD_PROJECT_ID} + export SEED_PROJECT_ID=$(terraform -chdir="../gcp-bootstrap/" output -raw seed_project_id) + echo ${SEED_PROJECT_ID} - export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../0-bootstrap/" output -raw organization_step_terraform_service_account_email) + export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../gcp-bootstrap/" output -raw organization_step_terraform_service_account_email) echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} ``` 1. Run `init` and `plan` and review the output. ```bash + git checkout plan ./tf-wrapper.sh init production ./tf-wrapper.sh plan production ``` 
@@ -278,12 +289,21 @@ To use the `validate` option of the `tf-wrapper.sh` script, follow the [instruct 1. Run `validate` and resolve any violations. ```bash - ./tf-wrapper.sh validate production $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID} + ./tf-wrapper.sh validate production $(pwd)/../gcp-policies ${SEED_PROJECT_ID} + ``` + +1. Commit validated code in plan branch. + + ```bash + git add . + git commit -m "Initial version of gcp-org." ``` -1. Run `apply production`. +1. Checkout `production` branch and merge plan into it. Run `apply production`. ```bash + git checkout production + git merge plan ./tf-wrapper.sh apply production ``` diff --git a/2-environments/README.md b/2-environments/README.md index d0624593a..ea0badb9a 100644 --- a/2-environments/README.md +++ b/2-environments/README.md @@ -81,7 +81,6 @@ Use the [GCP console](https://console.cloud.google.com/compliance/assuredworkloa ## Usage - **Note:** If you are using MacOS, replace `cp -RT` with `cp -R` in the relevant commands. The `-T` flag is needed for Linux, but causes problems for MacOS. @@ -142,7 +141,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get git push --set-upstream origin plan ``` -1. Review the plan output in your cloud build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID +1. Review the plan output in your cloud build project 1. Merge changes to development branch. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), pushing to this branch triggers both _terraform plan_ and _terraform apply_. 
@@ -151,9 +150,9 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get git push origin development ``` -1. Review the apply output in your cloud build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID +1. Review the apply output in your cloud build project 1. Merge changes to nonproduction. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your cloud build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your cloud build project ```bash git checkout -b nonproduction @@ -161,7 +160,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get ``` 1. Merge changes to production branch. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your cloud build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your cloud build project ```bash git checkout -b production 
@@ -180,12 +179,24 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s ### Run Terraform locally -1. The next instructions assume that you are at the same level of the `terraform-example-foundation` folder. Change into `2-environments` folder, copy the Terraform wrapper script and ensure it can be executed. +1. The next instructions assume that you are at the same level of the `terraform-example-foundation` folder. Create the `gcp-environments` folder, copy the Terraform wrapper script and ensure it can be executed. ```bash - cd terraform-example-foundation/2-environments - cp ../build/tf-wrapper.sh . - chmod 755 ./tf-wrapper.sh + mkdir gcp-environments + cp -R terraform-example-foundation/2-environments/* gcp-environments/ + cp terraform-example-foundation/build/tf-wrapper.sh gcp-environments/ + cp terraform-example-foundation/.gitignore gcp-environments + chmod 755 ./gcp-environments/tf-wrapper.sh + ``` + +1. Navigate to `gcp-environments` and initialize a local git repository, so you can manage versions locally. Create the environment branches. + + ```bash + cd gcp-environments + git init + git checkout -b production + git checkout -b nonproduction + git checkout -b development ``` 1. Rename `terraform.example.tfvars` to `terraform.tfvars`. 
@@ -198,30 +209,30 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s 1. Use `terraform output` to get the backend bucket value from 0-bootstrap output. ```bash - export backend_bucket=$(terraform -chdir="../0-bootstrap/" output -raw gcs_bucket_tfstate) + export backend_bucket=$(terraform -chdir="../gcp-bootstrap/" output -raw gcs_bucket_tfstate) echo "remote_state_bucket = ${backend_bucket}" sed -i'' -e "s/REMOTE_STATE_BUCKET/${backend_bucket}/" ./terraform.tfvars ``` We will now deploy each of our environments(development/production/nonproduction) using this script. -When using Cloud Build or Jenkins as your CI/CD tool each environment corresponds to a branch is the repository for 2-environments step and only the corresponding environment is applied. To use the `validate` option of the `tf-wrapper.sh` script, please follow the [instructions](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install) to install the terraform-tools component. -1. Use `terraform output` to get the Cloud Build project ID and the environment step Terraform Service Account from 0-bootstrap output. An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set using the Terraform Service Account to enable impersonation. +1. Use `terraform output` to get the Seed project ID and the organization step Terraform service account from gcp-bootstrap output. An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set using the Terraform Service Account to enable impersonation. 
```bash - export CLOUD_BUILD_PROJECT_ID=$(terraform -chdir="../0-bootstrap/" output -raw cloudbuild_project_id) - echo ${CLOUD_BUILD_PROJECT_ID} + export SEED_PROJECT_ID=$(terraform -chdir="../gcp-bootstrap/" output -raw seed_project_id) + echo ${SEED_PROJECT_ID} - export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../0-bootstrap/" output -raw environment_step_terraform_service_account_email) + export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../gcp-bootstrap/" output -raw environment_step_terraform_service_account_email) echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} ``` -1. Run `init` and `plan` and review output for environment development. +1. Checkout development branch. Run `init` and `plan` and review output for environment development. ```bash + git checkout development ./tf-wrapper.sh init development ./tf-wrapper.sh plan development ``` @@ -229,18 +240,22 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i 1. Run `validate` and check for violations. ```bash - ./tf-wrapper.sh validate development $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID} + ./tf-wrapper.sh validate development $(pwd)/../gcp-policies ${SEED_PROJECT_ID} ``` -1. Run `apply` development. +1. Run `apply` development and commit initial version of development. ```bash ./tf-wrapper.sh apply development + git add . + git commit -m "Development initial commit." ``` -1. Run `init` and `plan` and review output for environment nonproduction. +1. Checkout nonproduction branch and merge development into it. Run `init` and `plan` and review output for environment nonproduction. ```bash + git checkout nonproduction + git merge development ./tf-wrapper.sh init nonproduction ./tf-wrapper.sh plan nonproduction ``` 
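Review bot: The new step text says the command fetches "the organization step Terraform service account", but the line it introduces reads `environment_step_terraform_service_account_email`, so the prose was carried over from 1-org; change "organization step" to "environment step" in that sentence. The 3-networks-dual-svpc hunk has the same carried-over wording in front of `networks_step_terraform_service_account_email` and additionally still says "from 0-bootstrap output" where every other rewritten sentence now says gcp-bootstrap. I cannot confirm from this diff that 0-bootstrap exposes a `seed_project_id` output; every local-run README now depends on it, so it is worth verifying against the bootstrap outputs.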
@@ -248,18 +263,22 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i 1. Run `validate` and check for violations. ```bash - ./tf-wrapper.sh validate nonproduction $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID} + ./tf-wrapper.sh validate nonproduction $(pwd)/../gcp-policies ${SEED_PROJECT_ID} ``` -1. Run `apply` nonproduction. +1. Run `apply` production and commit initial version of nonproduction. ```bash ./tf-wrapper.sh apply nonproduction + git add . + git commit -m "Nonproduction initial commit." ``` -1. Run `init` and `plan` and review output for environment production. +1. Checkout production branch and merge nonproduction into it. Run `init` and `plan` and review output for environment production. ```bash + git checkout production + git merge nonproduction ./tf-wrapper.sh init production ./tf-wrapper.sh plan production ``` @@ -267,13 +286,15 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i 1. Run `validate` and check for violations. ```bash - ./tf-wrapper.sh validate production $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID} + ./tf-wrapper.sh validate production $(pwd)/../gcp-policies ${SEED_PROJECT_ID} ``` -1. Run `apply` production. +1. Run `apply` production and commit initial version of production. ```bash ./tf-wrapper.sh apply production + git add . + git commit -m "Production initial commit." ``` If you received any errors or made any changes to the Terraform config or `terraform.tfvars` you must re-run `./tf-wrapper.sh plan ` before running `./tf-wrapper.sh apply `. diff --git a/3-networks-dual-svpc/README.md b/3-networks-dual-svpc/README.md index 1a5255e3d..4ec8f435a 100644 --- a/3-networks-dual-svpc/README.md +++ b/3-networks-dual-svpc/README.md 
@@ -55,7 +55,6 @@ For an overview of the architecture and the parts, see the ## Purpose - The purpose of this step is to: - Set up the global [DNS Hub](https://cloud.google.com/blog/products/networking/cloud-forwarding-peering-and-zones). @@ -189,6 +188,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get sed -i'' -e "s/REMOTE_STATE_BUCKET/${backend_bucket}/" ./common.auto.tfvars ``` + **Note:** Make sure that you update the `perimeter_additional_members` variable with your user identity in order to be able to view/access resources in the project protected by the VPC Service Controls. 1. Commit changes @@ -231,14 +231,14 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get 1. Push your plan branch to trigger a plan for all environments. Because the _plan_ branch is not a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), pushing your _plan_ - branch triggers _terraform plan_ but not _terraform apply_. Review the plan output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + branch triggers _terraform plan_ but not _terraform apply_. Review the plan output in your Cloud Build project ```bash git push --set-upstream origin plan ``` 1. Merge changes to production. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project ```bash git checkout -b production 
@@ -247,7 +247,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get 1. After production has been applied, apply development. 1. Merge changes to development. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project ```bash git checkout -b development @@ -256,7 +256,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get 1. After development has been applied, apply nonproduction. 1. Merge changes to nonproduction. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project ```bash git checkout -b nonproduction 
@@ -281,12 +281,25 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s ### Run Terraform locally -1. The next instructions assume that you are at the same level of the `terraform-example-foundation` folder. Change into `3-networks-dual-svpc` folder, copy the Terraform wrapper script and ensure it can be executed. +1. The next instructions assume that you are at the same level of the `terraform-example-foundation` folder. Create and change into `gcp-network` folder, copy `3-networks-dual-svpc` content, the Terraform wrapper script and ensure it can be executed. Also, initialize git so you can manage versions locally. ```bash - cd terraform-example-foundation/3-networks-dual-svpc - cp ../build/tf-wrapper.sh . - chmod 755 ./tf-wrapper.sh + mkdir gcp-network + cp -R terraform-example-foundation/3-networks-dual-svpc/* gcp-network + cp terraform-example-foundation/build/tf-wrapper.sh gcp-network/ + cp terraform-example-foundation/.gitignore gcp-network + chmod 755 ./gcp-environments/tf-wrapper.sh + ``` + +1. Navigate to `gcp-network` and initialize a local git repository, so you can manage versions locally. Create the environment branches. + + ```bash + cd gcp-network + git init + git checkout -b shared + git checkout -b development + git checkout -b nonproduction + git checkout -b production ``` 1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`. 
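Review bot: `chmod 755 ./gcp-environments/tf-wrapper.sh` in the new block targets the folder from the 2-environments step instead of the `gcp-network` folder this step just created, so the copy in `gcp-network` is executable only if `cp` happened to preserve the mode, and the command errors outright if `gcp-environments` is absent; it should be `chmod 755 ./gcp-network/tf-wrapper.sh`. The branch creation that follows (`git checkout -b shared` and the three others on a repository with no commits) has the same unborn-branch problem as the 0-bootstrap hunk, so `git checkout shared` in the next hunk does not find a branch to switch to.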
@@ -300,40 +313,39 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s 1. Update `common.auto.tfvars` file with values from your environment and bootstrap. See any of the envs folder [README.md](./envs/production/README.md) files for additional information on the values in the `common.auto.tfvars` file. 1. Update `shared.auto.tfvars` file with the `target_name_server_addresses`. 1. Update `access_context.auto.tfvars` file with the `access_context_manager_policy_id`. -1. Use `terraform output` to get the backend bucket value from 0-bootstrap output. +1. Use `terraform output` to get the backend bucket value from gcp-bootstrap output. ```bash - export ORGANIZATION_ID=$(terraform -chdir="../0-bootstrap/" output -json common_config | jq '.org_id' --raw-output) + export ORGANIZATION_ID=$(terraform -chdir="../gcp-bootstrap/" output -json common_config | jq '.org_id' --raw-output) export ACCESS_CONTEXT_MANAGER_ID=$(gcloud access-context-manager policies list --organization ${ORGANIZATION_ID} --format="value(name)") echo "access_context_manager_policy_id = ${ACCESS_CONTEXT_MANAGER_ID}" sed -i'' -e "s/ACCESS_CONTEXT_MANAGER_ID/${ACCESS_CONTEXT_MANAGER_ID}/" ./access_context.auto.tfvars - export backend_bucket=$(terraform -chdir="../0-bootstrap/" output -raw gcs_bucket_tfstate) + export backend_bucket=$(terraform -chdir="../gcp-bootstrap/" output -raw gcs_bucket_tfstate) echo "remote_state_bucket = ${backend_bucket}" sed -i'' -e "s/REMOTE_STATE_BUCKET/${backend_bucket}/" ./common.auto.tfvars ```` We will now deploy each of our environments(development/production/nonproduction) using this script. -When using Cloud Build or Jenkins as your CI/CD tool each environment corresponds to a branch in the repository for 3-networks-dual-svpc step -and only the corresponding environment is applied. 
To use the `validate` option of the `tf-wrapper.sh` script, please follow the [instructions](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install) to install the terraform-tools component. -1. Use `terraform output` to get the Cloud Build project ID and the environment step Terraform Service Account from 0-bootstrap output. An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set using the Terraform Service Account to enable impersonation. +1. Use `terraform output` to get the Seed project ID and the organization step Terraform service account from 0-bootstrap output. An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set using the Terraform Service Account to enable impersonation. ```bash - export CLOUD_BUILD_PROJECT_ID=$(terraform -chdir="../0-bootstrap/" output -raw cloudbuild_project_id) - echo ${CLOUD_BUILD_PROJECT_ID} + export SEED_PROJECT_ID=$(terraform -chdir="../gcp-bootstrap/" output -raw seed_project_id) + echo ${SEED_PROJECT_ID} - export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../0-bootstrap/" output -raw networks_step_terraform_service_account_email) + export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../gcp-bootstrap/" output -raw networks_step_terraform_service_account_email) echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} ``` -1. Run `init` and `plan` and review output for environment shared. +1. Checkout `shared` branch. Run `init` and `plan` and review output for environment shared. ```bash + git checkout shared ./tf-wrapper.sh init shared ./tf-wrapper.sh plan shared ``` 
@@ -341,37 +353,45 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i 1. Run `validate` and check for violations. ```bash - ./tf-wrapper.sh validate shared $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID} + ./tf-wrapper.sh validate shared $(pwd)/../gcp-policies ${SEED_PROJECT_ID} ``` 1. Run `apply` shared. ```bash ./tf-wrapper.sh apply shared + git add . + git commit -m "Initial shared commit." ``` -1. Run `init` and `plan` and review output for environment production. +1. Checkout `development` branch and merge `shared` into it. Run `init` and `plan` and review output for environment production. ```bash - ./tf-wrapper.sh init production - ./tf-wrapper.sh plan production + git checkout development + git merge shared + ./tf-wrapper.sh init development + ./tf-wrapper.sh plan development ``` 1. Run `validate` and check for violations. ```bash - ./tf-wrapper.sh validate production $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID} + ./tf-wrapper.sh validate development $(pwd)/../gcp-policies ${SEED_PROJECT_ID} ``` -1. Run `apply` production. +1. Run `apply` development. ```bash - ./tf-wrapper.sh apply production + ./tf-wrapper.sh apply development + git add . + git commit -m "Initial development commit." ``` -1. Run `init` and `plan` and review output for environment nonproduction. +1. Checkout `nonproduction` and merge `development` into it. Run `init` and `plan` and review output for environment nonproduction. ```bash + git checkout nonproduction + git merge development ./tf-wrapper.sh init nonproduction ./tf-wrapper.sh plan nonproduction ``` 
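Review bot: The new step headings in this hunk name the wrong environment: "Checkout `development` branch and merge `shared` into it. Run `init` and `plan` and review output for environment production." precedes commands that run `init development` and `plan development`, and in the next hunk "Checkout shared `production`. Run `init` and `plan` and review output for environment development." precedes `init production` and `plan production`. The same swapped labels recur in the corresponding hunks of 3-networks-hub-and-spoke/README.md and 4-projects/README.md. Suggest "review output for environment development." here and "Checkout `production` branch and merge `nonproduction` into it. Run `init` and `plan` and review output for environment production." in the following hunk. The added `git add .` after each apply stages everything the copied `.gitignore` does not exclude; if that file does not cover `.terraform/` and the plan files the wrapper writes, provider binaries and plan output (which can carry sensitive values) end up in the local history, so it is worth either confirming what the `.gitignore` excludes or adding only the intended `.tfvars` files by name.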
@@ -379,32 +399,39 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i 1. Run `validate` and check for violations. ```bash - ./tf-wrapper.sh validate nonproduction $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID} + ./tf-wrapper.sh validate nonproduction $(pwd)/../gcp-policies ${SEED_PROJECT_ID} ``` 1. Run `apply` nonproduction. ```bash ./tf-wrapper.sh apply nonproduction + git add . + git commit -m "Initial nonproduction commit." ``` -1. Run `init` and `plan` and review output for environment development. +1. Checkout shared `production`. Run `init` and `plan` and review output for environment development. ```bash - ./tf-wrapper.sh init development - ./tf-wrapper.sh plan development + git checkout production + git merge nonproduction + ./tf-wrapper.sh init production + ./tf-wrapper.sh plan production ``` 1. Run `validate` and check for violations. ```bash - ./tf-wrapper.sh validate development $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID} + ./tf-wrapper.sh validate production $(pwd)/../gcp-policies ${SEED_PROJECT_ID} ``` -1. Run `apply` development. +1. Run `apply` production. ```bash - ./tf-wrapper.sh apply development + ./tf-wrapper.sh apply production + git add . + git commit -m "Initial production commit." + cd ../ ``` If you received any errors or made any changes to the Terraform config or any `.tfvars`, you must re-run `./tf-wrapper.sh plan ` before run `./tf-wrapper.sh apply `. diff --git a/3-networks-hub-and-spoke/README.md b/3-networks-hub-and-spoke/README.md index 22bb16932..dc133a1d3 100644 --- a/3-networks-hub-and-spoke/README.md +++ b/3-networks-hub-and-spoke/README.md 
@@ -192,6 +192,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get sed -i'' -e "s/REMOTE_STATE_BUCKET/${backend_bucket}/" ./common.auto.tfvars ``` + **Note:** Make sure that you update the `perimeter_additional_members` variable with your user identity in order to be able to view/access resources in the project protected by the VPC Service Controls. 1. Commit changes @@ -234,14 +235,14 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get 1. Push your plan branch to trigger a plan for all environments. Because the _plan_ branch is not a [named environment branch](../docs/FAQ.md#what-is-a-named-branch)), pushing your _plan_ - branch triggers _terraform plan_ but not _terraform apply_. Review the plan output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + branch triggers _terraform plan_ but not _terraform apply_. Review the plan output in your Cloud Build project ```bash git push --set-upstream origin plan ``` 1. Merge changes to production. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project ```bash git checkout -b production 
@@ -250,7 +251,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get 1. After production has been applied, apply development. 1. Merge changes to development. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project ```bash git checkout -b development @@ -259,7 +260,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get 1. After development has been applied, apply nonproduction. 1. Merge changes to nonproduction. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project ```bash git checkout -b nonproduction 
@@ -284,12 +285,25 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s ### Run Terraform locally -1. The next instructions assume that you are at the same level of the `terraform-example-foundation` folder. Change into `3-networks-hub-and-spoke` folder, copy the Terraform wrapper script and ensure it can be executed. +1. The next instructions assume that you are at the same level of the `terraform-example-foundation` folder. Create and change into `gcp-network` folder, copy `3-networks-hub-and-spoke` content, the Terraform wrapper script and ensure it can be executed. Also, initialize git so you can manage versions locally. ```bash - cd terraform-example-foundation/3-networks-hub-and-spoke - cp ../build/tf-wrapper.sh . - chmod 755 ./tf-wrapper.sh + mkdir gcp-network + cp -R terraform-example-foundation/3-networks-hub-and-spoke/* gcp-network + cp terraform-example-foundation/build/tf-wrapper.sh gcp-network/ + cp terraform-example-foundation/.gitignore gcp-network + chmod 755 ./gcp-environments/tf-wrapper.sh + ``` + +1. Navigate to `gcp-network` and initialize a local git repository, so you can manage versions locally. Create the environment branches. + + ```bash + cd gcp-network + git init + git checkout -b shared + git checkout -b development + git checkout -b nonproduction + git checkout -b production ``` 1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`, rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars`. 
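Review bot: `chmod 755 ./gcp-environments/tf-wrapper.sh` in this hunk points at the wrong folder: the files were just copied into `gcp-network`, so it should be `chmod 755 ./gcp-network/tf-wrapper.sh`; the 4-projects hunk below has the same line and needs `./gcp-projects/tf-wrapper.sh`. Also, the branch sequence `git init`, then `git checkout -b shared` through `git checkout -b production`, runs before any commit exists, so each `checkout -b` only re-points the unborn HEAD and no `shared`, `development` or `nonproduction` refs are actually created; the later `git checkout shared` in the apply steps will then fail with an unknown-branch error unless an initial commit is made before the branches are created. Suggest making the first commit on `shared` and then creating the other branches from it, e.g. `git checkout -b shared`, `git add . && git commit -m "Initial shared commit."`, `git branch development && git branch nonproduction && git branch production`, with the per-environment apply steps merging as they already do.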
@@ -303,40 +317,39 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s 1. Update `common.auto.tfvars` file with values from your environment and bootstrap. See any of the envs folder [README.md](./envs/production/README.md) files for additional information on the values in the `common.auto.tfvars` file. 1. Update `shared.auto.tfvars` file with the `target_name_server_addresses`. 1. Update `access_context.auto.tfvars` file with the `access_context_manager_policy_id`. -1. Use `terraform output` to get the backend bucket value from 0-bootstrap output. +1. Use `terraform output` to get the backend bucket value from gcp-bootstrap output. ```bash - export ORGANIZATION_ID=$(terraform -chdir="../0-bootstrap/" output -json common_config | jq '.org_id' --raw-output) + export ORGANIZATION_ID=$(terraform -chdir="../gcp-bootstrap/" output -json common_config | jq '.org_id' --raw-output) export ACCESS_CONTEXT_MANAGER_ID=$(gcloud access-context-manager policies list --organization ${ORGANIZATION_ID} --format="value(name)") echo "access_context_manager_policy_id = ${ACCESS_CONTEXT_MANAGER_ID}" sed -i'' -e "s/ACCESS_CONTEXT_MANAGER_ID/${ACCESS_CONTEXT_MANAGER_ID}/" ./access_context.auto.tfvars - export backend_bucket=$(terraform -chdir="../0-bootstrap/" output -raw gcs_bucket_tfstate) + export backend_bucket=$(terraform -chdir="../gcp-bootstrap/" output -raw gcs_bucket_tfstate) echo "remote_state_bucket = ${backend_bucket}" sed -i'' -e "s/REMOTE_STATE_BUCKET/${backend_bucket}/" ./common.auto.tfvars - ``` + ```` We will now deploy each of our environments(development/production/nonproduction) using this script. -When using Cloud Build or Jenkins as your CI/CD tool each environment corresponds to a branch in the repository for 3-networks-hub-and-spoke step -and only the corresponding environment is applied. 
To use the `validate` option of the `tf-wrapper.sh` script, please follow the [instructions](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install) to install the terraform-tools component. -1. Use `terraform output` to get the Cloud Build project ID and the networks step Terraform Service Account from 0-bootstrap output. An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set using the Terraform Service Account to enable impersonation. +1. Use `terraform output` to get the Seed project ID and the organization step Terraform service account from 0-bootstrap output. An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set using the Terraform Service Account to enable impersonation. ```bash - export CLOUD_BUILD_PROJECT_ID=$(terraform -chdir="../0-bootstrap/" output -raw cloudbuild_project_id) - echo ${CLOUD_BUILD_PROJECT_ID} + export SEED_PROJECT_ID=$(terraform -chdir="../gcp-bootstrap/" output -raw seed_project_id) + echo ${SEED_PROJECT_ID} - export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../0-bootstrap/" output -raw networks_step_terraform_service_account_email) + export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../gcp-bootstrap/" output -raw networks_step_terraform_service_account_email) echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} ``` -1. Run `init` and `plan` and review output for environment shared. +1. Checkout `shared` branch. Run `init` and `plan` and review output for environment shared. ```bash + git checkout shared ./tf-wrapper.sh init shared ./tf-wrapper.sh plan shared ``` 
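Review bot: The closing fence after the `sed -i'' -e "s/REMOTE_STATE_BUCKET/${backend_bucket}/" ./common.auto.tfvars` line is changed from three backticks to four in this hunk, which does not close the bash block that was opened with three backticks and will pull the following prose into the rendered code block. Suggest restoring the three-backtick fence. The 3-networks-dual-svpc hunk above already carries the four-backtick fence as a context line, so that file has the same rendering problem and should be fixed in the same pass.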
@@ -344,37 +357,45 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i 1. Run `validate` and check for violations. ```bash - ./tf-wrapper.sh validate shared $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID} + ./tf-wrapper.sh validate shared $(pwd)/../gcp-policies ${SEED_PROJECT_ID} ``` 1. Run `apply` shared. ```bash ./tf-wrapper.sh apply shared + git add . + git commit -m "Initial shared commit." ``` -1. Run `init` and `plan` and review output for environment production. +1. Checkout `development` branch and merge `shared` into it. Run `init` and `plan` and review output for environment production. ```bash - ./tf-wrapper.sh init production - ./tf-wrapper.sh plan production + git checkout development + git merge shared + ./tf-wrapper.sh init development + ./tf-wrapper.sh plan development ``` 1. Run `validate` and check for violations. ```bash - ./tf-wrapper.sh validate production $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID} + ./tf-wrapper.sh validate development $(pwd)/../gcp-policies ${SEED_PROJECT_ID} ``` -1. Run `apply` production. +1. Run `apply` development. ```bash - ./tf-wrapper.sh apply production + ./tf-wrapper.sh apply development + git add . + git commit -m "Initial development commit." ``` -1. Run `init` and `plan` and review output for environment nonproduction. +1. Checkout `nonproduction` and merge `development` into it. Run `init` and `plan` and review output for environment nonproduction. ```bash + git checkout nonproduction + git merge development ./tf-wrapper.sh init nonproduction ./tf-wrapper.sh plan nonproduction ``` 
@@ -382,32 +403,39 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i 1. Run `validate` and check for violations. ```bash - ./tf-wrapper.sh validate nonproduction $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID} + ./tf-wrapper.sh validate nonproduction $(pwd)/../gcp-policies ${SEED_PROJECT_ID} ``` 1. Run `apply` nonproduction. ```bash ./tf-wrapper.sh apply nonproduction + git add . + git commit -m "Initial nonproduction commit." ``` -1. Run `init` and `plan` and review output for environment development. +1. Checkout shared `production`. Run `init` and `plan` and review output for environment development. ```bash - ./tf-wrapper.sh init development - ./tf-wrapper.sh plan development + git checkout production + git merge nonproduction + ./tf-wrapper.sh init production + ./tf-wrapper.sh plan production ``` 1. Run `validate` and check for violations. ```bash - ./tf-wrapper.sh validate development $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID} + ./tf-wrapper.sh validate production $(pwd)/../gcp-policies ${SEED_PROJECT_ID} ``` -1. Run `apply` development. +1. Run `apply` production. ```bash - ./tf-wrapper.sh apply development + ./tf-wrapper.sh apply production + git add . + git commit -m "Initial production commit." + cd ../ ``` If you received any errors or made any changes to the Terraform config or any `.tfvars`, you must re-run `./tf-wrapper.sh plan ` before run `./tf-wrapper.sh apply `. diff --git a/4-projects/README.md b/4-projects/README.md index 914863ddf..4ff00446b 100644 --- a/4-projects/README.md +++ b/4-projects/README.md @@ -146,7 +146,6 @@ For example, to create a new business unit similar to business_unit_1, run the f grep -rl business_unit_1 business_unit_2/ | xargs sed -i 's/business_unit_1/business_unit_2/g' ``` - 1. Commit changes. ```bash 
@@ -187,14 +186,14 @@ For example, to create a new business unit similar to business_unit_1, run the f 1. Push your plan branch to trigger a plan for all environments. Because the _plan_ branch is not a [named environment branch](../docs/FAQ.md#what-is-a-named-branch)), pushing your _plan_ - branch triggers _terraform plan_ but not _terraform apply_. Review the plan output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + branch triggers _terraform plan_ but not _terraform apply_. Review the plan output in your Cloud Build project ```bash git push --set-upstream origin plan ``` 1. Merge changes to production. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project. https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project. ```bash git checkout -b production @@ -203,7 +202,7 @@ For example, to create a new business unit similar to business_unit_1, run the f 1. After production has been applied, apply development. 1. Merge changes to development. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project ```bash git checkout -b development 
@@ -212,7 +211,7 @@ For example, to create a new business unit similar to business_unit_1, run the f 1. After development has been applied, apply nonproduction. 1. Merge changes to nonproduction. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project. https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project. ```bash git checkout -b nonproduction @@ -237,12 +236,25 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s ### Run Terraform locally -1. The next instructions assume that you are at the same level of the `terraform-example-foundation` folder. Change into `4-projects` folder, copy the Terraform wrapper script and ensure it can be executed. +1. The next instructions assume that you are at the same level of the `terraform-example-foundation` folder. Create and change into `gcp-projects` folder, copy the code, Terraform wrapper script and ensure it can be executed. ```bash - cd terraform-example-foundation/4-projects - cp ../build/tf-wrapper.sh . - chmod 755 ./tf-wrapper.sh + mkdir gcp-projects + cp -R terraform-example-foundation/4-projects/* gcp-projects + cp terraform-example-foundation/build/tf-wrapper.sh gcp-projects/ + cp terraform-example-foundation/.gitignore gcp-projects + chmod 755 ./gcp-environments/tf-wrapper.sh + ``` + +1. Navigate to `gcp-projects` and initialize a local git repository, so you can manage versions locally. Create the environment branches. + + ```bash + cd gcp-projects + git init + git checkout -b shared + git checkout -b development + git checkout -b nonproduction + git checkout -b production ``` 1. Rename `auto.example.tfvars` files to `auto.tfvars`. 
@@ -257,47 +269,33 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s 1. See any of the envs folder [README.md](./business_unit_1/production/README.md) files for additional information on the values in the `common.auto.tfvars`, `development.auto.tfvars`, `nonproduction.auto.tfvars`, and `production.auto.tfvars` files. See any of the shared folder [README.md](./business_unit_1/shared/README.md) files for additional information on the values in the `shared.auto.tfvars` file. - Use `terraform output` to get the remote state bucket (the backend bucket used by previous steps) value from `0-bootstrap` output. + Use `terraform output` to get the remote state bucket (the backend bucket used by previous steps) value from `gcp-bootstrap` output. ```bash - export remote_state_bucket=$(terraform -chdir="../0-bootstrap/" output -raw gcs_bucket_tfstate) + export remote_state_bucket=$(terraform -chdir="../gcp-bootstrap/" output -raw gcs_bucket_tfstate) echo "remote_state_bucket = ${remote_state_bucket}" sed -i'' -e "s/REMOTE_STATE_BUCKET/${remote_state_bucket}/" ./common.auto.tfvars ``` We will now deploy each of our environments(development/production/nonproduction) using the `tf-wrapper.sh` script. -When using Cloud Build or Jenkins as your CI/CD tool each environment corresponds to a branch is the repository for 4-projects step and only the corresponding environment is applied. Environment shared must be applied first because development, nonproduction, and production depend on it. To use the `validate` option of the `tf-wrapper.sh` script, please follow the [instructions](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install) to install the terraform-tools component. -1. Use `terraform output` to get the Cloud Build Project ID and the environment step Terraform Service Account from 0-bootstrap output. 
An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set using the Terraform Service Account to enable impersonation. +1. Use `terraform output` to get the Seed project ID and the organization step Terraform service account from gcp-bootstrap output. An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set using the Terraform Service Account to enable impersonation. ```bash - export CLOUD_BUILD_PROJECT_ID=$(terraform -chdir="../0-bootstrap/" output -raw cloudbuild_project_id) - echo ${CLOUD_BUILD_PROJECT_ID} + export SEED_PROJECT_ID=$(terraform -chdir="../gcp-bootstrap/" output -raw seed_project_id) + echo ${SEED_PROJECT_ID} - export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../0-bootstrap/" output -raw projects_step_terraform_service_account_email) + export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../gcp-bootstrap/" output -raw projects_step_terraform_service_account_email) echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} ``` -1. (Optional) If you want additional subfolders for separate business units or entities, make additional copies of the folder `business_unit_1` and modify any values that vary across business unit like `business_code`, `business_unit`, or `subnet_ip_range`. - -For example, to create a new business unit similar to business_unit_1, run the following: - - ```bash - #copy the business_unit_1 folder and it's contents to a new folder business_unit_2 - cp -r business_unit_1 business_unit_2 - - # search all files under the folder `business_unit_2` and replace strings for business_unit_1 with strings for business_unit_2 - grep -rl bu1 business_unit_2/ | xargs sed -i 's/bu1/bu2/g' - grep -rl business_unit_1 business_unit_2/ | xargs sed -i 's/business_unit_1/business_unit_2/g' - ``` - - -1. Run `init` and `plan` and review output for environment shared. +1. Checkout `shared` branch. Run `init` and `plan` and review output for environment shared. 
```bash + git checkout shared ./tf-wrapper.sh init shared ./tf-wrapper.sh plan shared ``` @@ -305,37 +303,45 @@ For example, to create a new business unit similar to business_unit_1, run the f 1. Run `validate` and check for violations. ```bash - ./tf-wrapper.sh validate shared $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID} + ./tf-wrapper.sh validate shared $(pwd)/../gcp-policies ${SEED_PROJECT_ID} ``` 1. Run `apply` shared. ```bash ./tf-wrapper.sh apply shared + git add . + git commit -m "Initial shared commit." ``` -1. Run `init` and `plan` and review output for environment production. +1. Checkout `development` branch and merge `shared` into it. Run `init` and `plan` and review output for environment production. ```bash - ./tf-wrapper.sh init production - ./tf-wrapper.sh plan production + git checkout development + git merge shared + ./tf-wrapper.sh init development + ./tf-wrapper.sh plan development ``` 1. Run `validate` and check for violations. ```bash - ./tf-wrapper.sh validate production $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID} + ./tf-wrapper.sh validate development $(pwd)/../gcp-policies ${SEED_PROJECT_ID} ``` -1. Run `apply` production. +1. Run `apply` development. ```bash - ./tf-wrapper.sh apply production + ./tf-wrapper.sh apply development + git add . + git commit -m "Initial development commit." ``` -1. Run `init` and `plan` and review output for environment nonproduction. +1. Checkout `nonproduction` and merge `development` into it. Run `init` and `plan` and review output for environment nonproduction. ```bash + git checkout nonproduction + git merge development ./tf-wrapper.sh init nonproduction ./tf-wrapper.sh plan nonproduction ``` 
@@ -343,35 +349,42 @@ For example, to create a new business unit similar to business_unit_1, run the f 1. Run `validate` and check for violations. ```bash - ./tf-wrapper.sh validate nonproduction $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID} + ./tf-wrapper.sh validate nonproduction $(pwd)/../gcp-policies ${SEED_PROJECT_ID} ``` 1. Run `apply` nonproduction. ```bash ./tf-wrapper.sh apply nonproduction + git add . + git commit -m "Initial nonproduction commit." ``` -1. Run `init` and `plan` and review output for environment development. +1. Checkout shared `production`. Run `init` and `plan` and review output for environment development. ```bash - ./tf-wrapper.sh init development - ./tf-wrapper.sh plan development + git checkout production + git merge nonproduction + ./tf-wrapper.sh init production + ./tf-wrapper.sh plan production ``` 1. Run `validate` and check for violations. ```bash - ./tf-wrapper.sh validate development $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID} + ./tf-wrapper.sh validate production $(pwd)/../gcp-policies ${SEED_PROJECT_ID} ``` -1. Run `apply` development. +1. Run `apply` production. ```bash - ./tf-wrapper.sh apply development + ./tf-wrapper.sh apply production + git add . + git commit -m "Initial production commit." + cd ../ ``` -If you received any errors or made any changes to the Terraform config or any `.tfvars`, you must re-run `./tf-wrapper.sh plan ` before running `./tf-wrapper.sh apply `. +If you received any errors or made any changes to the Terraform config or any `.tfvars`, you must re-run `./tf-wrapper.sh plan ` before run `./tf-wrapper.sh apply `. Before executing the next stages, unset the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` environment variable. From c854402b5c9d22924473048534d2155afe492dc0 Mon Sep 17 00:00:00 2001 
From: Amanda Karina Lopes de Oliveira Date: Wed, 14 Aug 2024 16:32:13 -0300 Subject: [PATCH 02/11] Apply suggestions from code review Co-authored-by: Caetano Colin <164910343+caetano-colin@users.noreply.github.com> --- 0-bootstrap/README.md | 18 +++++++++--------- 1-org/README.md | 2 +- 2-environments/README.md | 10 +++++----- 3-networks-dual-svpc/README.md | 2 +- 3-networks-hub-and-spoke/README.md | 2 +- 4-projects/README.md | 2 +- 6 files changed, 18 insertions(+), 18 deletions(-) diff --git a/0-bootstrap/README.md b/0-bootstrap/README.md index 3db4c9f74..4ec2e3e9f 100644 --- a/0-bootstrap/README.md +++ b/0-bootstrap/README.md @@ -351,7 +351,7 @@ The following steps introduce the steps to deploy with Cloud Build Alternatively ## Running Terraform locally -The following steps introduce the steps to deploy without Cloud Build. +The following steps will guide you through deploying without using Cloud Build. 1. Clone [terraform-example-foundation](https://github.com/terraform-google-modules/terraform-example-foundation) into your local environment and create to the `gcp-bootstrap` folder at the same level. Copy the `0-bootstrap` content and `.gitignore` to `gcp-bootstrap`. @@ -365,7 +365,7 @@ The following steps introduce the steps to deploy without Cloud Build. cp terraform-example-foundation/.gitignore gcp-bootstrap ``` -1. Navigate to `gcp-bootstrap` and initialize a local git repository, so you can manage versions locally. Create the environment branches. +1. Navigate to `gcp-bootstrap` and initialize a local Git repository to manage versions locally. Then, Create the environment branches. ```bash cd gcp-bootstrap 
@@ -382,15 +382,15 @@ The following steps introduce the steps to deploy without Cloud Build. mv terraform.example.tfvars terraform.tfvars ``` -1. Rename `cb.tf` to `cb.tf.example` and update the file with values from your environment: +1. Rename `cb.tf` to `cb.tf.example`: ```bash mv cb.tf cb.tf.example ``` -1. Comment Cloud Build outputs related at `outputs.tf`. +1. Comment Cloud Build related outputs at `outputs.tf`. -1. Comment lines related to Cloud Build at `sa.tf`. Search for `cicd_project_iam_member` and comment the module and the depends_on. +1. In `sa.tf` file, comment out lines related to Cloud Build. Specifically, search for `cicd_project_iam_member` and comment out the corresponding module, as well as the "depends_on" meta-argument in any modules that depend on the commented module. 1. Use the helper script [validate-requirements.sh](../scripts/validate-requirements.sh) to validate your environment: @@ -408,7 +408,7 @@ The following steps introduce the steps to deploy without Cloud Build. terraform plan -input=false -out bootstrap.tfplan ``` -1. Copy policy repo and copy contents of policy-library to new folder. Create it the folder at the same level of the `terraform-example-foundation` folder. +1. Create a new folder called gcp-policies at the same directory level as the `terraform-example-foundation` folder. Initialize a Git repository, create a branch called `main`, and copy the contents of the `policy-library` directory from the `terraform-example-foundation` folder into the gcp-policies folder. ```bash cd ../ @@ -421,7 +421,7 @@ The following steps introduce the steps to deploy without Cloud Build. cp -RT ../terraform-example-foundation/policy-library/ . ``` -1. Commit changes at your main branch to the policy repo. This way you can manage versions locally. +1. Commit changes to the main branch of the policy repo. This way you can manage versions locally. ```bash git add . 
@@ -453,7 +453,7 @@ The following steps introduce the steps to deploy without Cloud Build. git commit -m "Initial version os gcp-bootstrap." ``` -1. Checkout `shared` branch and merge plan into it. Run `terraform apply`. +1. Checkout `shared` branch and merge the `plan` branch into it. Then, Run `terraform apply`. ```bash git checkout shared @@ -499,7 +499,7 @@ The following steps introduce the steps to deploy without Cloud Build. terraform init ``` -1. Commit the applied code, so you can manage versions locally. +1. Commit the new code version, so you can manage versions locally. ```sh git commit -m "Init gcs backend." diff --git a/1-org/README.md b/1-org/README.md index e4d212002..031102c59 100644 --- a/1-org/README.md +++ b/1-org/README.md @@ -225,7 +225,7 @@ Create `gcp-org` folder, copy `1-org` content and Terraform wrapper script; ensu chmod 755 ./tf-wrapper.sh ``` -1. Initialize a local git repository, so you can manage versions locally. Create the environment branches. +1. Initialize a local Git repository to manage versions locally. Then, create the environment branches. ```bash git init diff --git a/2-environments/README.md b/2-environments/README.md index ea0badb9a..580188841 100644 --- a/2-environments/README.md +++ b/2-environments/README.md @@ -189,7 +189,7 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s chmod 755 ./gcp-environments/tf-wrapper.sh ``` -1. Navigate to `gcp-environments` and initialize a local git repository, so you can manage versions locally. Create the environment branches. +1. Navigate to `gcp-environments` and initialize a local Git repository to manage versions locally. Then, create the environment branches. ```bash cd gcp-environments 
@@ -229,7 +229,7 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} ``` -1. Checkout development branch. Run `init` and `plan` and review output for environment development. +1. Checkout `development` branch. Run `init` and `plan` and review output for environment development. ```bash git checkout development @@ -243,7 +243,7 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i ./tf-wrapper.sh validate development $(pwd)/../gcp-policies ${SEED_PROJECT_ID} ``` -1. Run `apply` development and commit initial version of development. +1. Run `apply` development and commit the initial version of `development` branch. ```bash ./tf-wrapper.sh apply development @@ -251,7 +251,7 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i git commit -m "Development initial commit." ``` -1. Checkout nonproduction branch and merge development into it. Run `init` and `plan` and review output for environment nonproduction. +1. Checkout `nonproduction` branch and merge `development` branch into it. Run `init` and `plan` and review output for environment nonproduction. ```bash git checkout nonproduction @@ -274,7 +274,7 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i git commit -m "Nonproduction initial commit." ``` -1. Checkout production branch and merge nonproduction into it. Run `init` and `plan` and review output for environment production. +1. Checkout `production` branch and merge `nonproduction` branch into it. Run `init` and `plan` and review output for environment production. ```bash git checkout production diff --git a/3-networks-dual-svpc/README.md b/3-networks-dual-svpc/README.md index 4ec8f435a..6582cc23a 100644 --- a/3-networks-dual-svpc/README.md +++ b/3-networks-dual-svpc/README.md 
@@ -291,7 +291,7 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s chmod 755 ./gcp-environments/tf-wrapper.sh ``` -1. Navigate to `gcp-network` and initialize a local git repository, so you can manage versions locally. Create the environment branches. +1. Navigate to `gcp-network` and initialize a local Git repository to manage versions locally. Then, create the environment branches. ```bash cd gcp-network diff --git a/3-networks-hub-and-spoke/README.md b/3-networks-hub-and-spoke/README.md index dc133a1d3..2eb0aaf99 100644 --- a/3-networks-hub-and-spoke/README.md +++ b/3-networks-hub-and-spoke/README.md @@ -295,7 +295,7 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s chmod 755 ./gcp-environments/tf-wrapper.sh ``` -1. Navigate to `gcp-network` and initialize a local git repository, so you can manage versions locally. Create the environment branches. +1. Navigate to `gcp-network` and initialize a local Git repository to manage versions locally. Then, create the environment branches. ```bash cd gcp-network diff --git a/4-projects/README.md b/4-projects/README.md index 4ff00446b..cf5ca5d1c 100644 --- a/4-projects/README.md +++ b/4-projects/README.md @@ -246,7 +246,7 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s chmod 755 ./gcp-environments/tf-wrapper.sh ``` -1. Navigate to `gcp-projects` and initialize a local git repository, so you can manage versions locally. Create the environment branches. +1. Navigate to `gcp-projects` and initialize a local Git repository to manage versions locally. Then, create the environment branches. ```bash cd gcp-projects From 9e34acdfda754badf192151d9becfaf9cdac32ee Mon Sep 17 00:00:00 2001 
From: Amanda Karina Lopes de Oliveira Date: Fri, 16 Aug 2024 11:33:48 -0300 Subject: [PATCH 03/11] Moves project state bucket to main.tf file --- 0-bootstrap/cb.tf | 18 ------------------ 0-bootstrap/main.tf | 18 ++++++++++++++++++ 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/0-bootstrap/cb.tf b/0-bootstrap/cb.tf index 8c2ba91b4..86c94540d 100644 --- a/0-bootstrap/cb.tf +++ b/0-bootstrap/cb.tf @@ -22,8 +22,6 @@ locals { cicd_project_id = module.tf_source.cloudbuild_project_id - state_bucket_kms_key = "projects/${module.seed_bootstrap.seed_project_id}/locations/${var.default_region}/keyRings/${var.project_prefix}-keyring/cryptoKeys/${var.project_prefix}-key" - bucket_self_link_prefix = "https://www.googleapis.com/storage/v1/b/" default_state_bucket_self_link = "${local.bucket_self_link_prefix}${module.seed_bootstrap.gcs_bucket_tfstate}" gcp_projects_state_bucket_self_link = module.gcp_projects_state_bucket.bucket.self_link @@ -68,22 +66,6 @@ resource "random_string" "suffix" { upper = false } -module "gcp_projects_state_bucket" { - source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" - version = "~> 6.0" - - name = "${var.bucket_prefix}-${module.seed_bootstrap.seed_project_id}-gcp-projects-tfstate" - project_id = module.seed_bootstrap.seed_project_id - location = var.default_region - force_destroy = var.bucket_force_destroy - - encryption = { - default_kms_key_name = local.state_bucket_kms_key - } - - depends_on = [module.seed_bootstrap.gcs_bucket_tfstate] -} - module "tf_source" { source = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_source" version = "~> 8.0" diff --git a/0-bootstrap/main.tf b/0-bootstrap/main.tf index f61eb8c77..7dbf89534 100644 --- a/0-bootstrap/main.tf +++ b/0-bootstrap/main.tf 
@@ -32,6 +32,9 @@ locals { org_admins_org_iam_permissions = var.org_policy_admin_role == true ? [ "roles/orgpolicy.policyAdmin", "roles/resourcemanager.organizationAdmin", "roles/billing.user" ] : ["roles/resourcemanager.organizationAdmin", "roles/billing.user"] + + state_bucket_kms_key = "projects/${module.seed_bootstrap.seed_project_id}/locations/${var.default_region}/keyRings/${var.project_prefix}-keyring/cryptoKeys/${var.project_prefix}-key" + } resource "google_folder" "bootstrap" { @@ -102,3 +105,18 @@ module "seed_bootstrap" { depends_on = [module.required_group] } +module "gcp_projects_state_bucket" { + source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" + version = "~> 6.0" + + name = "${var.bucket_prefix}-${module.seed_bootstrap.seed_project_id}-gcp-projects-tfstate" + project_id = module.seed_bootstrap.seed_project_id + location = var.default_region + force_destroy = var.bucket_force_destroy + + encryption = { + default_kms_key_name = local.state_bucket_kms_key + } + + depends_on = [module.seed_bootstrap.gcs_bucket_tfstate] +} From 279c39bf9766b95066e598326cb6ef7ff1654324 Mon Sep 17 00:00:00 2001 From: Amanda Karina Lopes de Oliveira Date: Fri, 16 Aug 2024 10:28:27 -0300 Subject: [PATCH 04/11] Fixes business_unit_2 commands --- 4-projects/README.md | 14 ++++++++------ 4-projects/business_unit_1/development/main.tf | 1 + 4-projects/business_unit_1/nonproduction/main.tf | 1 + 4-projects/business_unit_1/production/main.tf | 1 + 4 files changed, 11 insertions(+), 6 deletions(-) diff --git a/4-projects/README.md b/4-projects/README.md index 914863ddf..808d03e0c 100644 --- a/4-projects/README.md +++ b/4-projects/README.md 
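Review bot: The added `state_bucket_kms_key` local is wrapped in two added blank lines, which leaves an empty line directly before the closing `}` of `locals`; drop the trailing one so the block ends like the rest of the file. The key path is assembled by string interpolation from `var.project_prefix` and `var.default_region`, so nothing in this hunk ties it to the key ring and key it names; a short comment such as `# CMEK for the 4-projects state bucket; the key ring/key are expected to exist in the seed project (created elsewhere).` would tell the next maintainer what must stay in sync. The `locals` block itself starts above the hunk.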
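Review bot: The relocated `gcp_projects_state_bucket` module relies on the simple_bucket defaults for object versioning and public-access prevention, yet this bucket will hold the 4-projects Terraform state, which carries project IDs and service-account identities at minimum. If the `~> 6.0` module version in use exposes them, pinning `versioning = true` and `public_access_prevention = "enforced"` next to the `encryption` block makes the protection explicit rather than inherited, and versioning also gives a recovery path for a corrupted or overwritten state object. Since the move from cb.tf to main.tf appears to make the bucket unconditional for every CI/CD option and the local deploy, a one-line comment above the module stating that intent would stop a later reader from moving it back behind a Cloud Build-only condition.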
@@ -144,9 +144,10 @@ For example, to create a new business unit similar to business_unit_1, run the f # search all files under the folder `business_unit_2` and replace strings for business_unit_1 with strings for business_unit_2 grep -rl bu1 business_unit_2/ | xargs sed -i 's/bu1/bu2/g' grep -rl business_unit_1 business_unit_2/ | xargs sed -i 's/business_unit_1/business_unit_2/g' + # search subnet_ip_range 10.3.64.0 and replace for the new range 10.4.64.0 + grep -rl 10.3.64.0 business_unit_2/ | xargs sed -i 's/10.3.64.0/10.4.64.0/g' ``` - 1. Commit changes. ```bash @@ -187,14 +188,14 @@ For example, to create a new business unit similar to business_unit_1, run the f 1. Push your plan branch to trigger a plan for all environments. Because the _plan_ branch is not a [named environment branch](../docs/FAQ.md#what-is-a-named-branch)), pushing your _plan_ - branch triggers _terraform plan_ but not _terraform apply_. Review the plan output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + branch triggers _terraform plan_ but not _terraform apply_. Review the plan output in your Cloud Build project ```bash git push --set-upstream origin plan ``` 1. Merge changes to production. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project. https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project. ```bash git checkout -b production 
@@ -203,7 +204,7 @@ For example, to create a new business unit similar to business_unit_1, run the f 1. After production has been applied, apply development. 1. Merge changes to development. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project ```bash git checkout -b development @@ -212,7 +213,7 @@ For example, to create a new business unit similar to business_unit_1, run the f 1. After development has been applied, apply nonproduction. 1. Merge changes to nonproduction. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project. https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project. ```bash git checkout -b nonproduction @@ -292,9 +293,10 @@ For example, to create a new business unit similar to business_unit_1, run the f # search all files under the folder `business_unit_2` and replace strings for business_unit_1 with strings for business_unit_2 grep -rl bu1 business_unit_2/ | xargs sed -i 's/bu1/bu2/g' grep -rl business_unit_1 business_unit_2/ | xargs sed -i 's/business_unit_1/business_unit_2/g' + # search subnet_ip_range 10.3.64.0 and replace for the new range 10.4.64.0 + grep -rl 10.3.64.0 business_unit_2/ | xargs sed -i 's/10.3.64.0/10.4.64.0/g' ``` - 1. Run `init` and `plan` and review output for environment shared. ```bash 
diff --git a/4-projects/business_unit_1/development/main.tf b/4-projects/business_unit_1/development/main.tf index b2efde30d..e03ab8209 100644 --- a/4-projects/business_unit_1/development/main.tf +++ b/4-projects/business_unit_1/development/main.tf @@ -23,6 +23,7 @@ module "env" { remote_state_bucket = var.remote_state_bucket location_kms = coalesce(var.location_kms, local.default_region_kms) location_gcs = coalesce(var.location_gcs, local.default_region_gcs) + keyring_name = "bu1-sample-keyring" gcs_custom_placement_config = { data_locations = [ upper(local.default_region), diff --git a/4-projects/business_unit_1/nonproduction/main.tf b/4-projects/business_unit_1/nonproduction/main.tf index ef954c892..b16bd8a4c 100644 --- a/4-projects/business_unit_1/nonproduction/main.tf +++ b/4-projects/business_unit_1/nonproduction/main.tf @@ -22,6 +22,7 @@ module "env" { business_unit = "business_unit_1" remote_state_bucket = var.remote_state_bucket location_kms = coalesce(var.location_kms, local.default_region_kms) + keyring_name = "bu1-sample-keyring" location_gcs = coalesce(var.location_gcs, local.default_region_gcs) gcs_custom_placement_config = { data_locations = [ diff --git a/4-projects/business_unit_1/production/main.tf b/4-projects/business_unit_1/production/main.tf index cdc136052..fab79745d 100644 --- a/4-projects/business_unit_1/production/main.tf +++ b/4-projects/business_unit_1/production/main.tf @@ -22,6 +22,7 @@ module "env" { business_unit = "business_unit_1" remote_state_bucket = var.remote_state_bucket location_kms = coalesce(var.location_kms, local.default_region_kms) + keyring_name = "bu1-sample-keyring" location_gcs = coalesce(var.location_gcs, local.default_region_gcs) gcs_custom_placement_config = { data_locations = [ From a60b76bbb8d8fa35ae65ee067073477084c4b03e Mon Sep 17 00:00:00 2001 
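Review bot: The new `keyring_name = "bu1-sample-keyring"` argument is placed inconsistently across the three environments: in development it follows `location_gcs`, while in nonproduction and production it sits between `location_kms` and `location_gcs` (same point applies to the two later hunks in this commit). Putting it directly after `location_kms` in all three files keeps the KMS-related inputs together and makes the `sed`-based clone of business_unit_1 described in the README produce uniform files. The hunks do not show that `module.env` declares a `keyring_name` input, so that should be confirmed before merge; the `module "env"` block starts above each hunk.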
From: caetano-colin Date: Thu, 15 Aug 2024 14:47:56 -0300 Subject: [PATCH 05/11] fix typo, add commit for git init and add some instructions --- 0-bootstrap/README.md | 8 +++++--- 1-org/README.md | 1 + 2-environments/README.md | 1 + 3-networks-dual-svpc/README.md | 3 ++- 4-projects/README.md | 3 ++- 5 files changed, 11 insertions(+), 5 deletions(-) diff --git a/0-bootstrap/README.md b/0-bootstrap/README.md index 4ec2e3e9f..34b5628bd 100644 --- a/0-bootstrap/README.md +++ b/0-bootstrap/README.md @@ -371,6 +371,7 @@ The following steps will guide you through deploying without using Cloud Build. cd gcp-bootstrap git init + git commit -m "initialize empty directory" --allow-empty git checkout -b plan git checkout -b shared @@ -428,10 +429,10 @@ The following steps will guide you through deploying without using Cloud Build. git commit -m 'Initialize policy library repo' ``` -1. Navigate out of the policies repo. +1. Navigate back to `gcp-bootstrap` repo. ```bash - cd .. + cd ../gcp-bootstrap ``` 1. To validate your policies, run `gcloud beta terraform vet`. For installation instructions, see [Install Google Cloud CLI](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install). @@ -439,7 +440,7 @@ The following steps will guide you through deploying without using Cloud Build. 1. Run the following commands and check for violations: ```bash - export VET_PROJECT_ID=pjr-seed-serverless-test + export VET_PROJECT_ID=A-VALID-PROJECT-ID terraform show -json bootstrap.tfplan > bootstrap.json gcloud beta terraform vet bootstrap.json --policy-library="../terraform-example-foundation/policy-library" --project ${VET_PROJECT_ID} ``` @@ -502,6 +503,7 @@ The following steps will guide you through deploying without using Cloud Build. 1. Commit the new code version, so you can manage versions locally. ```sh + git add backend.tf git commit -m "Init gcs backend." cd ../ ``` diff --git a/1-org/README.md b/1-org/README.md index 031102c59..46c20eeb1 100644 
--- a/1-org/README.md +++ b/1-org/README.md @@ -229,6 +229,7 @@ Create `gcp-org` folder, copy `1-org` content and Terraform wrapper script; ensu ```bash git init + git commit -m "initialize empty directory" --allow-empty git checkout -b plan git checkout -b production ``` diff --git a/2-environments/README.md b/2-environments/README.md index 580188841..454920f65 100644 --- a/2-environments/README.md +++ b/2-environments/README.md @@ -194,6 +194,7 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s ```bash cd gcp-environments git init + git commit -m "initialize empty directory" --allow-empty git checkout -b production git checkout -b nonproduction git checkout -b development diff --git a/3-networks-dual-svpc/README.md b/3-networks-dual-svpc/README.md index 6582cc23a..c3e5fadf8 100644 --- a/3-networks-dual-svpc/README.md +++ b/3-networks-dual-svpc/README.md @@ -288,7 +288,7 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s cp -R terraform-example-foundation/3-networks-dual-svpc/* gcp-network cp terraform-example-foundation/build/tf-wrapper.sh gcp-network/ cp terraform-example-foundation/.gitignore gcp-network - chmod 755 ./gcp-environments/tf-wrapper.sh + chmod 755 ./gcp-network/tf-wrapper.sh ``` 1. Navigate to `gcp-network` and initialize a local Git repository to manage versions locally. Then, create the environment branches. @@ -296,6 +296,7 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s ```bash cd gcp-network git init + git commit -m "initialize empty directory" --allow-empty git checkout -b shared git checkout -b development git checkout -b nonproduction diff --git a/4-projects/README.md b/4-projects/README.md index cf5ca5d1c..5eb0d0776 100644 --- a/4-projects/README.md +++ b/4-projects/README.md 
@@ -243,7 +243,7 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s cp -R terraform-example-foundation/4-projects/* gcp-projects cp terraform-example-foundation/build/tf-wrapper.sh gcp-projects/ cp terraform-example-foundation/.gitignore gcp-projects - chmod 755 ./gcp-environments/tf-wrapper.sh + chmod 755 ./gcp-projects/tf-wrapper.sh ``` 1. Navigate to `gcp-projects` and initialize a local Git repository to manage versions locally. Then, create the environment branches. @@ -251,6 +251,7 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s ```bash cd gcp-projects git init + git commit -m "initialize empty directory" --allow-empty git checkout -b shared git checkout -b development git checkout -b nonproduction From 2bfe7c24617e877a13cc07218b11f236b6f89b6e Mon Sep 17 00:00:00 2001 From: Amanda Karina Lopes de Oliveira Date: Mon, 19 Aug 2024 16:02:27 -0300 Subject: [PATCH 06/11] Fixes validator step at 0-bootstrap --- 0-bootstrap/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/0-bootstrap/README.md b/0-bootstrap/README.md index 34b5628bd..18c80ff6f 100644 --- a/0-bootstrap/README.md +++ b/0-bootstrap/README.md @@ -442,7 +442,7 @@ The following steps will guide you through deploying without using Cloud Build. ```bash export VET_PROJECT_ID=A-VALID-PROJECT-ID terraform show -json bootstrap.tfplan > bootstrap.json - gcloud beta terraform vet bootstrap.json --policy-library="../terraform-example-foundation/policy-library" --project ${VET_PROJECT_ID} + gcloud beta terraform vet bootstrap.json --policy-library="$(pwd)/../gcp-policies" --project ${VET_PROJECT_ID} ``` *`A-VALID-PROJECT-ID`* must be an existing project you have access to. This is necessary because `gcloud beta terraform vet` needs to link resources to a valid Google Cloud Platform project. From 9e038efaed07aa066c2ce5fb7a803b0226e95665 Mon Sep 17 00:00:00 2001 
From: Amanda Karina Lopes de Oliveira Date: Mon, 19 Aug 2024 16:13:40 -0300 Subject: [PATCH 07/11] Moves projects bucket out cloud build sectin --- 0-bootstrap/outputs.tf | 25 +++++-------------------- 1 file changed, 5 insertions(+), 20 deletions(-) diff --git a/0-bootstrap/outputs.tf b/0-bootstrap/outputs.tf index 81b1f77ab..01e6fe09b 100644 --- a/0-bootstrap/outputs.tf +++ b/0-bootstrap/outputs.tf @@ -49,6 +49,11 @@ output "gcs_bucket_tfstate" { value = module.seed_bootstrap.gcs_bucket_tfstate } +output "projects_gcs_bucket_tfstate" { + description = "Bucket used for storing terraform state for stage 4-projects foundations pipelines in seed project." + value = module.gcp_projects_state_bucket.bucket.name +} + output "common_config" { description = "Common configuration data to be used in other steps." value = { @@ -96,11 +101,6 @@ output "gcs_bucket_cloudbuild_logs" { value = { for key, value in module.tf_workspace : key => replace(value.logs_bucket, local.bucket_self_link_prefix, "") } } -output "projects_gcs_bucket_tfstate" { - description = "Bucket used for storing terraform state for stage 4-projects foundations pipelines in seed project." - value = module.gcp_projects_state_bucket.bucket.name -} - output "cloud_builder_artifact_repo" { description = "Artifact Registry (AR) Repository created to store TF Cloud Builder images." value = "projects/${module.tf_source.cloudbuild_project_id}/locations/${var.default_region}/repositories/${module.tf_cloud_builder.artifact_repo}" @@ -146,11 +146,6 @@ output "cloud_build_peered_network_id" { # value = module.gh_cicd.project_id # } -# output "projects_gcs_bucket_tfstate" { -# description = "Bucket used for storing terraform state for stage 4-projects foundations pipelines in seed project." -# value = module.seed_bootstrap.gcs_bucket_tfstate -# } - /* ---------------------------------------- Specific to jenkins_bootstrap module ---------------------------------------- */ 
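Review bot: The relocated `projects_gcs_bucket_tfstate` output keeps the description `for stage 4-projects foundations pipelines`, but it now sits in the common section and, after PATCH 03 moved `module.gcp_projects_state_bucket` into main.tf, the bucket appears to be created regardless of the CI/CD option, including the local deploy these patches document; consider `description = "Bucket used for storing terraform state for stage 4-projects in seed project (created regardless of the CI/CD option)."`. The three removed commented-out variants pointed at `module.seed_bootstrap.gcs_bucket_tfstate`, so users of the GitHub, Jenkins or GitLab paths who previously uncommented them now get a different bucket from this output; a sentence in the commit description or a comment on the output noting that switch would avoid surprises when the 4-projects backend is configured from it.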
@@ -170,11 +165,6 @@ output "cloud_build_peered_network_id" { # value = module.jenkins_bootstrap.jenkins_agent_vpc_id # } -# output "projects_gcs_bucket_tfstate" { -# description = "Bucket used for storing terraform state for stage 4-projects foundations pipelines in seed project." -# value = module.seed_bootstrap.gcs_bucket_tfstate -# } - # output "jenkins_agent_sa_email" { # description = "Email for privileged custom service account for Jenkins Agent GCE instance." # value = module.jenkins_bootstrap.jenkins_agent_sa_email @@ -199,11 +189,6 @@ output "cloud_build_peered_network_id" { # value = module.gitlab_cicd.project_id # } -# output "projects_gcs_bucket_tfstate" { -# description = "Bucket used for storing terraform state for stage 4-projects foundations pipelines in seed project." -# value = module.seed_bootstrap.gcs_bucket_tfstate -# } - /* ---------------------------------------- Specific to tfc_bootstrap ---------------------------------------- */ From 91b1f2a991c053dde1698f7565a3e88994c81c44 Mon Sep 17 00:00:00 2001 From: Amanda Karina Lopes de Oliveira Date: Mon, 19 Aug 2024 16:33:09 -0300 Subject: [PATCH 08/11] Undo markdown link modification --- 1-org/README.md | 4 ++-- 2-environments/README.md | 8 ++++---- 3-networks-dual-svpc/README.md | 8 ++++---- 3-networks-hub-and-spoke/README.md | 8 ++++---- 4-projects/README.md | 8 ++++---- 5 files changed, 18 insertions(+), 18 deletions(-) diff --git a/1-org/README.md b/1-org/README.md index 46c20eeb1..84691fde5 100644 --- a/1-org/README.md +++ b/1-org/README.md 
@@ -180,14 +180,14 @@ If required, run `terraform output cloudbuild_project_id` in the `0-bootstrap` f 1. Push your plan branch to trigger a plan for all environments. Because the _plan_ branch is not a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), pushing your _plan_ - branch triggers _terraform plan_ but not _terraform apply_. Review the plan output in your Cloud Build project. + branch triggers _terraform plan_ but not _terraform apply_. Review the plan output in your Cloud Build project. ```bash git push --set-upstream origin plan ``` 1. Merge changes to the production branch. Because the _production_ branch is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project. + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project. ```bash git checkout -b production diff --git a/2-environments/README.md b/2-environments/README.md index 454920f65..fe45be9b8 100644 --- a/2-environments/README.md +++ b/2-environments/README.md @@ -141,7 +141,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get git push --set-upstream origin plan ``` -1. Review the plan output in your cloud build project +1. Review the plan output in your cloud build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID 1. Merge changes to development branch. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), pushing to this branch triggers both _terraform plan_ and _terraform apply_. 
@@ -150,9 +150,9 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get git push origin development ``` -1. Review the apply output in your cloud build project +1. Review the apply output in your cloud build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID 1. Merge changes to nonproduction. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your cloud build project + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your cloud build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID ```bash git checkout -b nonproduction @@ -160,7 +160,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get ``` 1. Merge changes to production branch. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your cloud build project + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your cloud build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID ```bash git checkout -b production diff --git a/3-networks-dual-svpc/README.md b/3-networks-dual-svpc/README.md index c3e5fadf8..65546ed8e 100644 --- a/3-networks-dual-svpc/README.md +++ b/3-networks-dual-svpc/README.md 
@@ -231,14 +231,14 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get 1. Push your plan branch to trigger a plan for all environments. Because the _plan_ branch is not a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), pushing your _plan_ - branch triggers _terraform plan_ but not _terraform apply_. Review the plan output in your Cloud Build project + branch triggers _terraform plan_ but not _terraform apply_. Review the plan output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID ```bash git push --set-upstream origin plan ``` 1. Merge changes to production. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID ```bash git checkout -b production @@ -247,7 +247,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get 1. After production has been applied, apply development. 1. Merge changes to development. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID ```bash git checkout -b development 
@@ -256,7 +256,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get 1. After development has been applied, apply nonproduction. 1. Merge changes to nonproduction. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID ```bash git checkout -b nonproduction diff --git a/3-networks-hub-and-spoke/README.md b/3-networks-hub-and-spoke/README.md index 2eb0aaf99..7951f0192 100644 --- a/3-networks-hub-and-spoke/README.md +++ b/3-networks-hub-and-spoke/README.md 
@@ -235,14 +235,14 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get 1. Push your plan branch to trigger a plan for all environments. Because the _plan_ branch is not a [named environment branch](../docs/FAQ.md#what-is-a-named-branch)), pushing your _plan_ - branch triggers _terraform plan_ but not _terraform apply_. Review the plan output in your Cloud Build project + branch triggers _terraform plan_ but not _terraform apply_. Review the plan output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID ```bash git push --set-upstream origin plan ``` 1. Merge changes to production. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID ```bash git checkout -b production @@ -251,7 +251,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get 1. After production has been applied, apply development. 1. Merge changes to development. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID ```bash git checkout -b development 
@@ -260,7 +260,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get 1. After development has been applied, apply nonproduction. 1. Merge changes to nonproduction. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID ```bash git checkout -b nonproduction diff --git a/4-projects/README.md b/4-projects/README.md index a5795d36b..c38ff9cee 100644 --- a/4-projects/README.md +++ b/4-projects/README.md 
@@ -188,14 +188,14 @@ For example, to create a new business unit similar to business_unit_1, run the f 1. Push your plan branch to trigger a plan for all environments. Because the _plan_ branch is not a [named environment branch](../docs/FAQ.md#what-is-a-named-branch)), pushing your _plan_ - branch triggers _terraform plan_ but not _terraform apply_. Review the plan output in your Cloud Build project + branch triggers _terraform plan_ but not _terraform apply_. Review the plan output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID ```bash git push --set-upstream origin plan ``` 1. Merge changes to production. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project. + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project. https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID ```bash git checkout -b production @@ -204,7 +204,7 @@ For example, to create a new business unit similar to business_unit_1, run the f 1. After production has been applied, apply development. 1. Merge changes to development. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID ```bash git checkout -b development 
@@ -213,7 +213,7 @@ For example, to create a new business unit similar to business_unit_1, run the f 1. After development has been applied, apply nonproduction. 1. Merge changes to nonproduction. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), - pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project. + pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project. https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID ```bash git checkout -b nonproduction From b74055cd1528e1b6bc8dfbdbe197dee44e28d7be Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Tue, 20 Aug 2024 16:19:30 -0300 Subject: [PATCH 09/11] add more instructions on sa.tf --- 0-bootstrap/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/0-bootstrap/README.md b/0-bootstrap/README.md index 18c80ff6f..c3d10381d 100644 --- a/0-bootstrap/README.md +++ b/0-bootstrap/README.md @@ -393,6 +393,8 @@ The following steps will guide you through deploying without using Cloud Build. 1. In `sa.tf` file, comment out lines related to Cloud Build. Specifically, search for `cicd_project_iam_member` and comment out the corresponding module, as well as the "depends_on" meta-argument in any modules that depend on the commented module. +1. In `sa.tf` file, search for `local.cicd_project_id` and comment out the corresponding code. + 1. Use the helper script [validate-requirements.sh](../scripts/validate-requirements.sh) to validate your environment: ```bash From abe5bc571cd8512974a76d398ccb88efc56b03ed Mon Sep 17 00:00:00 2001 
From: Amanda Karina Lopes de Oliveira Date: Thu, 29 Aug 2024 15:52:46 -0300 Subject: [PATCH 10/11] Apply suggestions from code review Co-authored-by: Andrew Peabody --- 1-org/README.md | 4 ++-- 2-environments/README.md | 2 +- 3-networks-dual-svpc/README.md | 2 +- 3-networks-hub-and-spoke/README.md | 4 ++-- 4-projects/README.md | 4 ++-- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/1-org/README.md b/1-org/README.md index 080e2df12..cf5eac821 100644 --- a/1-org/README.md +++ b/1-org/README.md @@ -214,8 +214,8 @@ Create `gcp-org` folder, copy `1-org` content and Terraform wrapper script; ensu ```bash mkdir gcp-org cp -R terraform-example-foundation/1-org/* gcp-org/ - cp terraform-example-foundation//build/tf-wrapper.sh gcp-org/ - cp terraform-example-foundation/.gitignore gcp-org + cp terraform-example-foundation/build/tf-wrapper.sh gcp-org/ + cp terraform-example-foundation/.gitignore gcp-org/ cd gcp-org chmod 755 ./tf-wrapper.sh ``` diff --git a/2-environments/README.md b/2-environments/README.md index fe45be9b8..814b89896 100644 --- a/2-environments/README.md +++ b/2-environments/README.md @@ -185,7 +185,7 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s mkdir gcp-environments cp -R terraform-example-foundation/2-environments/* gcp-environments/ cp terraform-example-foundation/build/tf-wrapper.sh gcp-environments/ - cp terraform-example-foundation/.gitignore gcp-environments + cp terraform-example-foundation/.gitignore gcp-environments/ chmod 755 ./gcp-environments/tf-wrapper.sh ``` diff --git a/3-networks-dual-svpc/README.md b/3-networks-dual-svpc/README.md index 65546ed8e..61ade0323 100644 --- a/3-networks-dual-svpc/README.md +++ b/3-networks-dual-svpc/README.md 
@@ -287,7 +287,7 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s mkdir gcp-network cp -R terraform-example-foundation/3-networks-dual-svpc/* gcp-network cp terraform-example-foundation/build/tf-wrapper.sh gcp-network/ - cp terraform-example-foundation/.gitignore gcp-network + cp terraform-example-foundation/.gitignore gcp-network/ chmod 755 ./gcp-network/tf-wrapper.sh ``` diff --git a/3-networks-hub-and-spoke/README.md b/3-networks-hub-and-spoke/README.md index 7951f0192..2607a7e7c 100644 --- a/3-networks-hub-and-spoke/README.md +++ b/3-networks-hub-and-spoke/README.md @@ -289,9 +289,9 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s ```bash mkdir gcp-network - cp -R terraform-example-foundation/3-networks-hub-and-spoke/* gcp-network + cp -R terraform-example-foundation/3-networks-hub-and-spoke/* gcp-network/ cp terraform-example-foundation/build/tf-wrapper.sh gcp-network/ - cp terraform-example-foundation/.gitignore gcp-network + cp terraform-example-foundation/.gitignore gcp-network/ chmod 755 ./gcp-environments/tf-wrapper.sh ``` diff --git a/4-projects/README.md b/4-projects/README.md index c38ff9cee..d092afb3c 100644 --- a/4-projects/README.md +++ b/4-projects/README.md @@ -242,9 +242,9 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s ```bash mkdir gcp-projects - cp -R terraform-example-foundation/4-projects/* gcp-projects + cp -R terraform-example-foundation/4-projects/* gcp-projects/ cp terraform-example-foundation/build/tf-wrapper.sh gcp-projects/ - cp terraform-example-foundation/.gitignore gcp-projects + cp terraform-example-foundation/.gitignore gcp-projects/ chmod 755 ./gcp-projects/tf-wrapper.sh ``` From 3d6a08db6df0811c496adf333e0f1dba5d2d72e1 Mon Sep 17 00:00:00 2001 
From: Amanda Karina Lopes de Oliveira Date: Fri, 20 Dec 2024 13:47:44 -0300 Subject: [PATCH 11/11] Adds retry when service account is not ready yet --- test/integration/testutils/retry.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/integration/testutils/retry.go b/test/integration/testutils/retry.go index 8b86d38f2..e50bc2a45 100644 --- a/test/integration/testutils/retry.go +++ b/test/integration/testutils/retry.go @@ -39,5 +39,8 @@ var ( // Error 403: Compute Engine API has not been used in project {} before or it is disabled. ".*Error 403.*Compute Engine API has not been used in project.*": "Compute Engine API not enabled", + + // Error 400: Service account {} does not exist. + ".*Error 400.*Service account.*does not exist*": "Error setting IAM policy", } )
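Review bot: The added pattern `".*Error 400.*Service account.*does not exist*"` ends with a bare `*` that quantifies only the preceding `t`, so it also matches `does not exis` and does not express the trailing wildcard the sibling entry spells as `.*`; change it to `".*Error 400.*Service account.*does not exist.*": "Error setting IAM policy",` or simply drop the trailing `*`, since the leading `.*` already makes the match unanchored. Treating this error as retryable is reasonable for the IAM eventual-consistency window between service-account creation and the policy binding, but it will also mask a genuinely misconfigured or deleted account, so the retry loop that consumes this map should cap attempts rather than spin; that loop is outside the hunk, so please confirm it is bounded. The `var (` block this entry lives in starts before the hunk.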