2. Multitenant Infrastructure phase

Purpose

This phase deploys the per-environment multitenant resources through the multitenant infrastructure pipeline.

An overview of the multitenant infrastructure pipeline is shown below.

[Diagram: Enterprise Application multitenant infrastructure]

The following resources are created:

  • GCP Project (cluster project)
  • GKE cluster(s)
  • Cloud Armor
  • App IP addresses (see below for details)

Prerequisites

  1. Provision of the per-environment folder, network project, network, and subnetwork(s).
  2. 1-bootstrap phase executed successfully.

Usage

Deploying with Google Cloud Build

The steps below assume that you are checked out at the same level as the terraform-google-enterprise-application and terraform-example-foundation directories.

.
├── terraform-example-foundation
├── terraform-google-enterprise-application
└── .
  1. Retrieve Multi-tenant administration project variable value from 1-bootstrap:

    export multitenant_admin_project=$(terraform -chdir=./terraform-google-enterprise-application/1-bootstrap output -raw project_id)
    
    echo multitenant_admin_project=$multitenant_admin_project
  2. (CSR) Clone the infrastructure pipeline repository:

    gcloud source repos clone eab-multitenant --project=$multitenant_admin_project
  3. Initialize the git repository and copy the 2-multitenant code, the Cloud Build YAML files and the Terraform wrapper script into it:

    cd eab-multitenant
    git checkout -b plan
    
    cp -r ../terraform-google-enterprise-application/2-multitenant/* .
    cp ../terraform-example-foundation/build/cloudbuild-tf-* .
    cp ../terraform-example-foundation/build/tf-wrapper.sh .
    chmod 755 ./tf-wrapper.sh
    
    cp -RT ../terraform-example-foundation/policy-library/ ./policy-library
    sed -i 's/CLOUDSOURCE/FILESYSTEM/g' cloudbuild-tf-*
  4. Disable all policy validation by removing every constraint from the policy library:

    rm -rf policy-library/policies/constraints/*
  5. Rename terraform.example.tfvars to terraform.tfvars.

    mv terraform.example.tfvars terraform.tfvars
  6. Update the file with values for your environment. See the README.md in any of the envs folders for additional information on the values in the terraform.tfvars file. In addition to the envs from the prerequisites, each app must have its own entry under apps with a list of any dedicated IP addresses to be provisioned.

    apps = {
      "my-app" : {
        "ip_address_names" : [
          "my-app-ip",
        ]
        "certificates" : {
          "my-app-cert" : ["my-domain-name"]
        }
      }
    }
  7. Commit and push changes. Because the plan branch is not a named environment branch, pushing your plan branch triggers terraform plan but not terraform apply. Review the plan output in your Cloud Build project: https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID

    git add .
    git commit -m 'Initialize multitenant repo'
    git push --set-upstream origin plan
  8. Merge changes to development. Because this is a named environment branch, pushing to this branch triggers both terraform plan and terraform apply. Review the apply output in your Cloud Build project: https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID

    git checkout -b development
    git push origin development
  9. Merge changes to nonproduction. Because this is a named environment branch, pushing to this branch triggers both terraform plan and terraform apply. Review the apply output in your Cloud Build project: https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID

    git checkout -b nonproduction
    git push origin nonproduction
  10. Merge changes to production. Because this is a named environment branch, pushing to this branch triggers both terraform plan and terraform apply. Review the apply output in your Cloud Build project: https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID

    git checkout -b production
    git push origin production

Running Terraform locally

  1. The next instructions assume that you are in the terraform-google-enterprise-application/2-multitenant folder.

    cd ../2-multitenant
  2. Rename terraform.example.tfvars to terraform.tfvars.

    mv terraform.example.tfvars terraform.tfvars
  3. Update the file with values for your environment. See the README.md in any of the envs folders for additional information on the values in the terraform.tfvars file. In addition to the envs from the prerequisites, each app must have its own entry under apps with a list of any dedicated IP addresses to be provisioned.

    apps = {
      "my-app" : {
        "ip_address_names" : [
          "my-app-ip",
        ]
        "certificates" : {
          "my-app-cert" : ["my-domain"]
        }
      }
    }

You can now deploy each of your environments (e.g. production).

  1. Run init and plan and review the output.

    terraform -chdir=./envs/production init
    terraform -chdir=./envs/production plan
  2. Run apply for production.

    terraform -chdir=./envs/production apply

If you receive any errors or made any changes to the Terraform config or terraform.tfvars, re-run terraform -chdir=./envs/production plan before you run terraform -chdir=./envs/production apply.

  3. Repeat the same series of terraform commands but replace -chdir=./envs/production with -chdir=./envs/nonproduction to deploy the nonproduction environment.

  4. Repeat the same series of terraform commands but replace -chdir=./envs/production with -chdir=./envs/development to deploy the development environment.
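The local procedure above (init, plan, apply, repeated per environment) and the Cloud Build procedure earlier (where only the named branches development, nonproduction and production trigger an apply) share one rule: the environment name has to be one of those three. The script below is an added example, not code from the terraform-google-enterprise-application repository, and the function names (is_known_env, env_dir, deploy_env, deploy_all) are my own. It validates the environment name before touching anything, then saves the plan to a file and applies that exact file, which turns the note above about re-running plan into a mechanical guarantee. It assumes it is run from the 2-multitenant folder with terraform on PATH.

```shell
#!/bin/sh
# Added example (not part of the terraform-google-enterprise-application
# repository): deploy the 2-multitenant environments locally using a saved
# plan file, so the plan that was reviewed is the plan that gets applied.
# Assumes the working directory is 2-multitenant and terraform is on PATH.
set -eu

# The named environment folders under ./envs; these are also the branch
# names that trigger terraform apply in the Cloud Build pipeline. Listed in
# the order the README deploys them.
KNOWN_ENVS="production nonproduction development"

# Return 0 if $1 is a known environment name, 1 otherwise. A typo such as
# "prod" would otherwise surface only as a late terraform -chdir failure.
is_known_env() {
  case "$1" in
    development|nonproduction|production) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the directory to pass to terraform -chdir after validating the name.
env_dir() {
  is_known_env "$1" || return 1
  printf '%s\n' "./envs/$1"
}

# init, plan into a file, print the plan for review, then apply that exact
# file. The saved plan embeds the configuration and variable values it was
# made from, so a terraform.tfvars edit made after the review is not applied
# until you plan again, and terraform rejects the plan as stale if the state
# changed in the meantime. Either way, re-run deploy_env to produce a fresh
# plan instead of applying something other than what was reviewed.
deploy_env() {
  dir=$(env_dir "$1") || { echo "unknown environment: $1" >&2; return 1; }
  terraform -chdir="$dir" init -input=false
  terraform -chdir="$dir" plan -input=false -out=tfplan
  terraform -chdir="$dir" show tfplan
  terraform -chdir="$dir" apply -input=false tfplan
}

# Deploy every known environment in order, stopping at the first failure.
deploy_all() {
  for e in $KNOWN_ENVS; do
    deploy_env "$e" || return 1
  done
}
```

Source the file and call deploy_env production for a single environment, or deploy_all to walk production, nonproduction and development in the README's order; -input=false makes terraform fail instead of prompting, which is what you want when the commands run unattended.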