0-bootstrap

The purpose of this step is to bootstrap a GCP organization, creating all the required resources & permissions to start using the Cloud Foundation Toolkit (CFT). This step also configures a CICD pipeline for foundations code in subsequent stages. The CICD pipeline can use either Cloud Build & Cloud Source Repos or Jenkins & your own Git repos (which might live on-prem).

Prerequisites

  1. A GCP Organization
  2. A GCP Billing Account
  3. Cloud Identity / G Suite groups for organization and billing admins
  4. Membership in the group_org_admins group for the user running terraform
  5. Grant the roles mentioned in bootstrap README.md, as well as roles/resourcemanager.folderCreator for the user running the step.

Further details of the permissions required and resources created can be found in the bootstrap module documentation.

Note: when running the examples in this repository, you may receive various errors when applying terraform:

  • Error code 8, message: The project cannot be created because you have exceeded your allotted project quota. This means you have reached your project creation quota. In this case you can use the Request Project Quota Increase form to request a quota increase. The terraform_sa_email created in 0-bootstrap should also be listed in "Email addresses that will be used to create projects" in that support form. If you face other quota errors, check the Quota documentation for guidance.
  • Error: Error when reading or editing Organization Not Found : <organization-id>: googleapi: Error 403: The caller does not have permission, forbidden.
    • Check that your user has the Organization Admin predefined role at the Organization level.
    • If this is the case, try the following:
      gcloud auth application-default login
      gcloud auth list # <- confirm that the correct account has a star next to it
      
    • Re-run terraform afterwards.

0-bootstrap usage to deploy Jenkins

If you are using the jenkins_bootstrap sub-module, please see README-Jenkins for requirements and instructions on how to run the 0-bootstrap step. Using Jenkins requires a few manual steps, including configuring connectivity with your current Jenkins Master environment.

0-bootstrap usage to deploy Cloud Build

  1. Change into 0-bootstrap folder
  2. Copy tfvars by running cp terraform.example.tfvars terraform.tfvars and update terraform.tfvars with values from your environment.
  3. Run terraform init
  4. Run terraform plan and review output
  5. Run terraform apply
  6. Run terraform output gcs_bucket_tfstate to get your GCS bucket from the apply step
  7. Copy the backend by running cp backend.tf.example backend.tf and update backend.tf with your GCS bucket.
  8. Re-run terraform init and agree to copy the state to GCS when prompted
    1. (Optional) Run terraform apply to verify state is configured correctly

(Optional) State backends for running terraform locally

Currently, the bucket information is replaced in the state backends as a part of the build process when executed by Cloud Build. If you would like to execute terraform locally, you will need to add your GCS bucket to the backend.tf files. You can update all of these files with the following steps:

  1. Change into the main directory for the terraform-example-foundation.
  2. Run this command, where GCS_BUCKET_NAME is the name of your bucket from the steps executed above:
      for i in `find -name 'backend.tf'`; do sed -i 's/UPDATE_ME/GCS_BUCKET_NAME/' $i; done
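The following shell helpers are added here as an example; they are not part of the terraform-example-foundation repository. They cover the bucket wiring from steps 6-8 of the Cloud Build procedure above (writing the 0-bootstrap backend.tf) and the UPDATE_ME replacement loop from this section. They assume the placeholder is UPDATE_ME, as in the command above, and that the bootstrap state prefix is terraform/bootstrap/state (the value in the example file at the time of writing; adjust if yours differs). The bucket name is validated against GCS naming rules before anything is written, and the replacement uses an explicit start path and a temp file instead of sed -i so it behaves the same on GNU and BSD/macOS userlands.

```shell
#!/bin/sh
# Added example, not code from terraform-example-foundation.
# Assumptions: backend.tf files carry the placeholder UPDATE_ME, and the
# bootstrap state prefix is terraform/bootstrap/state.

set -eu

# GCS bucket names: 3-63 characters, lowercase letters, digits, '-', '_' and
# '.', starting and ending with a letter or digit. Refusing a bad name here
# avoids writing a backend.tf that 'terraform init' will reject later.
valid_bucket_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$'
}

# Write a backend.tf for 0-bootstrap pointing at the given bucket.
# $1 = bucket name, $2 = output path (defaults to ./backend.tf)
write_bootstrap_backend() {
  bucket="$1"
  out="${2:-backend.tf}"
  valid_bucket_name "$bucket" || { echo "invalid bucket name: $bucket" >&2; return 1; }
  cat > "$out" <<EOF
terraform {
  backend "gcs" {
    bucket = "$bucket"
    prefix = "terraform/bootstrap/state"
  }
}
EOF
}

# Replace the UPDATE_ME placeholder in every backend.tf below a directory.
# $1 = bucket name, $2 = root directory (the repository checkout)
update_backends() {
  bucket="$1"
  root="$2"
  valid_bucket_name "$bucket" || { echo "invalid bucket name: $bucket" >&2; return 1; }
  find "$root" -name 'backend.tf' -type f | while IFS= read -r f; do
    sed "s/UPDATE_ME/$bucket/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
}

# Count backend.tf files below a directory that still carry the placeholder.
# A non-zero result means some stage would fail to initialise its state backend.
remaining_placeholders() {
  find "$1" -name 'backend.tf' -type f -exec grep -l 'UPDATE_ME' {} + 2>/dev/null | wc -l | tr -d ' '
}
```

From the repository root, once the bootstrap apply has finished, run update_backends with the bucket name printed by terraform output gcs_bucket_tfstate and the current directory, then confirm remaining_placeholders prints 0 before running terraform init in any later stage.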

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| billing_account | The ID of the billing account to associate projects with. | string | n/a | yes |
| default_region | Default region to create resources where applicable. | string | "us-central1" | no |
| group_billing_admins | Google Group for GCP Billing Administrators. | string | n/a | yes |
| group_org_admins | Google Group for GCP Organization Administrators. | string | n/a | yes |
| org_id | GCP Organization ID. | string | n/a | yes |
| org_policy_admin_role | Additional Org Policy Admin role for the admin group. You can use this for testing purposes. | bool | false | no |
| org_project_creators | Additional list of members to have the project creator role across the organization. The prefix group:, user: or serviceAccount: is required. | list(string) | [] | no |
| parent_folder | Optional - if using a folder for testing. | string | "" | no |
| skip_gcloud_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module). | bool | true | no |

Outputs

| Name | Description |
|------|-------------|
| cloudbuild_project_id | Project where the Cloud Build configuration and terraform container image will reside. |
| csr_repos | List of Cloud Source Repos created by the module, linked to Cloud Build triggers. |
| gcs_bucket_cloudbuild_artifacts | Bucket used to store Cloud Build artifacts in the Cloud Build project. |
| gcs_bucket_tfstate | Bucket used for storing terraform state for the foundations pipelines in the seed project. |
| kms_crypto_key | KMS key created by the module. |
| kms_keyring | KMS Keyring created by the module. |
| seed_project_id | Project where service accounts and core APIs will be enabled. |
| terraform_sa_email | Email of the privileged service account for Terraform. |
| terraform_sa_name | Fully qualified name of the privileged service account for Terraform. |

Requirements

Software

  • gcloud sdk >= 206.0.0
  • Terraform >= 0.12.6
    • You should use the same version in the manual steps during 0-bootstrap to avoid possible Terraform State Snapshot Lock errors caused by differences in terraform versions. This can usually be resolved with a version upgrade.