cloud-foundation-fabric/examples/cloud-operations/README.md

# Operations examples

The examples in this folder show how to wire together different Google Cloud services to simplify operations, and are meant for testing, or as minimal but sufficiently complete starting points for actual use.

## Resource tracking and remediation via Cloud Asset feeds

<a href="./asset-inventory-feed-remediation" title="Resource tracking and remediation via Cloud Asset feeds"><img src="./asset-inventory-feed-remediation/diagram.png" align="left" width="280px"></a> This [example](./asset-inventory-feed-remediation) shows how to leverage [Cloud Asset Inventory feeds](https://cloud.google.com/asset-inventory/docs/monitoring-asset-changes) to stream resource changes in real time, and how to programmatically use the feed change notifications for alerting or remediation, via a Cloud Function wired to the feed PubSub queue.

The example's feed tracks changes to Google Compute instances, and the Cloud Function enforces policy compliance on each change so that tags match a set of simple rules. The obious use case is when instance tags are used to scope firewall rules, but the example can easily be adapted to suit different use cases.

<br clear="left">

## Scheduled Cloud Asset Inventory Export to Bigquery

<a href="./scheduled-asset-inventory-export-bq" title="Scheduled Cloud Asset Inventory Export to Bigquery"><img src="./scheduled-asset-inventory-export-bq/diagram.png" align="left" width="280px"></a> This [example](./scheduled-asset-inventory-export-bq) shows how to leverage the [Cloud Asset Inventory Exporting to Bigquery](https://cloud.google.com/asset-inventory/docs/exporting-to-bigquery) feature, to keep track of your organization's assets over time storing information in Bigquery. Data stored in Bigquery can then be used for different purposes like dashboarding or analysis.

<br clear="left">

## Granular Cloud DNS IAM via Service Directory

<a href="./dns-fine-grained-iam" title="Fine-grained Cloud DNS IAM with Service Directory"><img src="./dns-fine-grained-iam/diagram.png" align="left" width="280px"></a> This [example](./dns-fine-grained-iam) shows how to leverage [Service Directory](https://cloud.google.com/blog/products/networking/introducing-service-directory) and Cloud DNS Service Directory private zones, to implement fine-grained IAM controls on DNS. The example creates a Service Directory namespace, a Cloud DNS private zone that uses it as its authoritative source, service accounts with different levels of permissions, and VMs to test them.

<br clear="left">

## Granular Cloud DNS IAM for Shared VPC

<a href="./dns-shared-vpc" title="Fine-grained Cloud DNS IAM via Shared VPC"><img src="./dns-shared-vpc/diagram.png" align="left" width="280px"></a> This [example](./dns-shared-vpc) shows how to create reusable and modular Cloud DNS architectures, by provisioning dedicated Cloud DNS instances for application teams that want to manage their own DNS records, and configuring DNS peering to ensure name resolution works in a common Shared VPC.

<br clear="left">

## Compute Engine quota monitoring

<a href="./quota-monitoring" title="Compute Engine quota monitoring"><img src="./quota-monitoring/diagram.png" align="left" width="280px"></a> This [example](./quota-monitoring) shows a practical way of collecting and monitoring [Compute Engine resource quotas](https://cloud.google.com/compute/quotas) via Cloud Monitoring metrics as an alternative to the recently released [built-in quota metrics](https://cloud.google.com/monitoring/alerts/using-quota-metrics). A simple alert on quota thresholds is also part of the example.

<br clear="left">

## Delegated Role Grants

<a href="./iam-delegated-role-grants" title="Delegated Role Grants"><img src="./iam-delegated-role-grants/diagram.png" align="left" width="280px"></a> This [example](./iam-delegated-role-grants) shows how to use delegated role grants to restrict service usage.

<br clear="left">

## Packer image builder

<a href="./packer-image-builder" title="Packer image builder"><img src="./packer-image-builder/diagram.png" align="left" width="280px"></a> This [example](./packer-image-builder) shows how to deploy infrastructure for a Compute Engine image builder based on [Hashicorp's Packer tool](https://www.packer.io).

<br clear="left">

## On-prem Service Account key management


This [example](./onprem-sa-key-management) shows how to manage IAM Service Account Keys by manually generating a key pair and uploading the public part of the key to GCP.

<br clear="left">

## Migrate for Compute Engine (v5)
<a href="./vm-migration" title="Packer image builder"><img src="./vm-migration/host-target-projects/diagram.png" align="left" width="280px"></a> This set of [examples](./vm-migration) shows how to deploy Migrate for Compute Engine (v5) on top of existing Cloud Foundations on different scenarios. An example on how to deploy the M4CE connector on VMWare ESXi is also part of the examples.

<br clear="left">
Cloud Asset feed operations example (#110) * first working example for asset inventory feeds * move tf files out of the tf folder * add input/outputs to README * smaller diagram * use narrow scoped service account for cf, account for gke tags in code * Update README.md * new top-level folder README * Update README.md * add TODO for DNS example in operations README * fix README conflict * Update README.md * Update README.md * update diagram * cloud shell * cloud shell * Update README.md * rename outputs, first complete README draft * Update main.py * Update README.md * Update README.md * better error handling in the cloud function * remove branch from cloud shell link 2020-07-05 10:08:24 -07:00			`# Operations examples`

			`The examples in this folder show how to wire together different Google Cloud services to simplify operations, and are meant for testing, or as minimal but sufficiently complete starting points for actual use.`

			`## Resource tracking and remediation via Cloud Asset feeds`

			<a href="./asset-inventory-feed-remediation" title="Resource tracking and remediation via Cloud Asset feeds"><img src="./asset-inventory-feed-remediation/diagram.png" align="left" width="280px"></a> This [example](./asset-inventory-feed-remediation) shows how to leverage [Cloud Asset Inventory feeds](https://cloud.google.com/asset-inventory/docs/monitoring-asset-changes) to stream resource changes in real time, and how to programmatically use the feed change notifications for alerting or remediation, via a Cloud Function wired to the feed PubSub queue.

Fix typo 2021-07-05 13:56:23 -07:00			`The example's feed tracks changes to Google Compute instances, and the Cloud Function enforces policy compliance on each change so that tags match a set of simple rules. The obious use case is when instance tags are used to scope firewall rules, but the example can easily be adapted to suit different use cases.`
Cloud Asset feed operations example (#110) * first working example for asset inventory feeds * move tf files out of the tf folder * add input/outputs to README * smaller diagram * use narrow scoped service account for cf, account for gke tags in code * Update README.md * new top-level folder README * Update README.md * add TODO for DNS example in operations README * fix README conflict * Update README.md * Update README.md * update diagram * cloud shell * cloud shell * Update README.md * rename outputs, first complete README draft * Update main.py * Update README.md * Update README.md * better error handling in the cloud function * remove branch from cloud shell link 2020-07-05 10:08:24 -07:00
			`<br clear="left">`

update changelog, readmes 2020-09-17 08:38:27 -07:00			`## Scheduled Cloud Asset Inventory Export to Bigquery`

minimal Markdown syntax fixes and lang tweaks to READMEs 2020-09-17 11:06:54 -07:00			<a href="./scheduled-asset-inventory-export-bq" title="Scheduled Cloud Asset Inventory Export to Bigquery"><img src="./scheduled-asset-inventory-export-bq/diagram.png" align="left" width="280px"></a> This [example](./scheduled-asset-inventory-export-bq) shows how to leverage the [Cloud Asset Inventory Exporting to Bigquery](https://cloud.google.com/asset-inventory/docs/exporting-to-bigquery) feature, to keep track of your organization's assets over time storing information in Bigquery. Data stored in Bigquery can then be used for different purposes like dashboarding or analysis.
update changelog, readmes 2020-09-17 08:38:27 -07:00
			`<br clear="left">`

Cloud Asset feed operations example (#110) * first working example for asset inventory feeds * move tf files out of the tf folder * add input/outputs to README * smaller diagram * use narrow scoped service account for cf, account for gke tags in code * Update README.md * new top-level folder README * Update README.md * add TODO for DNS example in operations README * fix README conflict * Update README.md * Update README.md * update diagram * cloud shell * cloud shell * Update README.md * rename outputs, first complete README draft * Update main.py * Update README.md * Update README.md * better error handling in the cloud function * remove branch from cloud shell link 2020-07-05 10:08:24 -07:00			`## Granular Cloud DNS IAM via Service Directory`

Update README.md 2020-08-31 06:13:28 -07:00			<a href="./dns-fine-grained-iam" title="Fine-grained Cloud DNS IAM with Service Directory"><img src="./dns-fine-grained-iam/diagram.png" align="left" width="280px"></a> This [example](./dns-fine-grained-iam) shows how to leverage [Service Directory](https://cloud.google.com/blog/products/networking/introducing-service-directory) and Cloud DNS Service Directory private zones, to implement fine-grained IAM controls on DNS. The example creates a Service Directory namespace, a Cloud DNS private zone that uses it as its authoritative source, service accounts with different levels of permissions, and VMs to test them.
Update README.md 2020-08-01 09:30:09 -07:00
			`<br clear="left">`

Aurelien's SVPC DNS example (#186) * Cloud DNS and Shared VPC (#184) * Cloud DNS and Shared VPC module to allow application teams to have their own Cloud DNS configuration. * Cleaning up README.md * Improving Formating. * Adding license to all .tf files. * Removing dead code. * Moving this example into the Cloud Operations folder. * Using fabric resources and refactoring. Only the 'test.example' file is not using the proper modules now. * normalize README, use autogenerated vars table, add types to variables * refactor * simple tests * add diagram, update READMEs Co-authored-by: Aurélien Legrand <aurelien.legrand01@gmail.com> 2021-01-11 02:57:57 -08:00			`## Granular Cloud DNS IAM for Shared VPC`

			`<a href="./dns-shared-vpc" title="Fine-grained Cloud DNS IAM via Shared VPC"><img src="./dns-shared-vpc/diagram.png" align="left" width="280px"></a> This [example](./dns-shared-vpc) shows how to create reusable and modular Cloud DNS architectures, by provisioning dedicated Cloud DNS instances for application teams that want to manage their own DNS records, and configuring DNS peering to ensure name resolution works in a common Shared VPC.`

			`<br clear="left">`

Quota monitor end to end example (#125) * working example, README missing * add missing boilerplate to outputs file * README * fix dynamic resources in IAM binding for_each * add tests * update input/output table in README * add example to READMEs 2020-08-29 02:29:46 -07:00			`## Compute Engine quota monitoring`

			<a href="./quota-monitoring" title="Compute Engine quota monitoring"><img src="./quota-monitoring/diagram.png" align="left" width="280px"></a> This [example](./quota-monitoring) shows a practical way of collecting and monitoring [Compute Engine resource quotas](https://cloud.google.com/compute/quotas) via Cloud Monitoring metrics as an alternative to the recently released [built-in quota metrics](https://cloud.google.com/monitoring/alerts/using-quota-metrics). A simple alert on quota thresholds is also part of the example.

			`<br clear="left">`
Add diagram to delegated role grants example 2021-09-22 04:14:32 -07:00
			`## Delegated Role Grants`

Fix typo 2021-09-22 04:15:56 -07:00			`<a href="./iam-delegated-role-grants" title="Delegated Role Grants"><img src="./iam-delegated-role-grants/diagram.png" align="left" width="280px"></a> This [example](./iam-delegated-role-grants) shows how to use delegated role grants to restrict service usage.`
Add diagram to delegated role grants example 2021-09-22 04:14:32 -07:00
			`<br clear="left">`
Introduced packer image builder example (#313) 2021-10-04 08:10:19 -07:00
			`## Packer image builder`

			`<a href="./packer-image-builder" title="Packer image builder"><img src="./packer-image-builder/diagram.png" align="left" width="280px"></a> This [example](./packer-image-builder) shows how to deploy infrastructure for a Compute Engine image builder based on [Hashicorp's Packer tool](https://www.packer.io).`

			`<br clear="left">`
Finalize onprem-sa-ket-mgmt example 2021-12-13 13:36:42 -08:00
			`## On-prem Service Account key management`


Rewording, fix typos 2021-12-15 09:26:44 -08:00			`This [example](./onprem-sa-key-management) shows how to manage IAM Service Account Keys by manually generating a key pair and uploading the public part of the key to GCP.`
M4CE (v5) Examples (#413) * M4CE (v5) Examples * vm-migration new parent folder * New vm-migration section * Updated variables description * Updated variables description * Fixed broken link * Updated variables description * Fix lines spacing * Added output variable * Updated Variables description * New variables layout * fixed new line * M4CE (v5) Examples * vm-migration new parent folder * New vm-migration section * Updated variables description * Updated variables description * Fixed broken link * Updated variables description * Fix lines spacing * Added output variable * Updated Variables description * New variables layout * fixed new line * added test * move test on new folder * Updated variables order and description * Added output file * vm-migration example tests * Updated output description * Updated output description * Fixed Typo Co-authored-by: Simone Ruffilli <sruffilli@google.com> Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com> 2022-02-02 06:21:10 -08:00
			`<br clear="left">`

			`## Migrate for Compute Engine (v5)`
			`<a href="./vm-migration" title="Packer image builder"><img src="./vm-migration/host-target-projects/diagram.png" align="left" width="280px"></a> This set of [examples](./vm-migration) shows how to deploy Migrate for Compute Engine (v5) on top of existing Cloud Foundations on different scenarios. An example on how to deploy the M4CE connector on VMWare ESXi is also part of the examples.`

Finalize onprem-sa-ket-mgmt example 2021-12-13 13:36:42 -08:00			`<br clear="left">`