cloud-foundation-fabric/foundations/README.md

# Organization-level bootstrap samples

This set of Terraform root modules is designed with two main purposes in mind: automating the organizational layout, and bootstrapping the initial resources and the corresponding IAM roles, which will then be used to automate the actual infrastructure.

Despite being fairly generic, these modules closely match some of the initial automation stages we have implemented in actual customer engagements, and are purposely kept simple to offer a good starting point for further customizations.

There are several advantages in using an initial stage like the ones provided here:

- automate and parameterize creation of the organizational layout, documenting it through code
- use a single declarative tool to create and manage both prerequisites and the actual infrastructure, eliminating the need for manual commands, scripts or external tools
- enforce separation of duties at the environment (or tenant in multi-tenant architectures) level, by automating creation of per-environment Terraform service accounts, their IAM roles, and GCS buckets to hold state
- decouple and document the use of organization-level permissions from the day to day management of the actual infrastructure, by assigning a minimum but sufficient set of high level IAM roles to Terraform service accounts in an initial stage
- provide a sane place for the creation and management of shared resources that are not tied to a specific environment

## Operational considerations

This specific type of preliminary automation stage is usually fairly static, only changing when a new environment or shared resource is added or modified, and lends itself well to being applied manually by organization administrators. One secondary advantage of running this initial stage manually, is eliminating the need to create and manage automation credentials that embed sensitive permissions scoped at the organization or root folder level.

### IAM roles

This type of automation stage needs very specific IAM roles on the root node (organization or folder), and additional roles at the organization level if the generated service accounts for automation need to be able to create and manage Shared VPC. The needed roles are:

- on the root node Project Creator, Folder Administrator, Logging Administrator
- on the billing account or organization Billing Account Administrator
- on the organization Organization Administrator, if Shared VPC needs to be managed by the automation service accounts

### State

This type of stage creates the prerequisites for Terraform automation including the GCS bucket used for its own remote state, so some care needs to be used when running it for the first time, when its GCS bucket has not yet been created.

After the first successful `terraform apply`, copy the `backend.tf.sample` file
to `backend.tf`, then set the bucket name to the one shown in the `bootstrap_tf_gcs_bucket` output in the new file. Once that is done, run `terraform apply` again to transfer local state to the remote GCS bucket. From then on, state will be remote.

### Things to be aware of

Using `count` in Terraform resources has the [well-known limitation](https://github.com/hashicorp/terraform/issues/18767) that changing the variable controlling `count` results in the potential unwanted deletion of resources.

These samples use `count` on the `environments` list variable to manage multiples for key resources like service accounts, GCS buckets, and IAM roles. Environment names are usually stable, but care must still be taken in defining the initial list so that names are final, and names for temporary environments (if any are needed) are last so they don't trigger recreation of resources based on the following elements in the list.

This issue will be addressed in a future release of these examples, by replacing `count` with the new `foreach` construct [introduced in Terraform 0.12.6](https://twitter.com/mitchellh/status/1156661893789966336?lang=en) that uses key-based indexing.
Organization sample: environments (Almanac bootstrap port) * add gitignore file * data and infra skeletons * org skeleton * org environments sample skeleton * Organization teams sample skeleton. * Organization env sample GCS for tf state. * org env: service accounts and GCS roles * org env: folders * org env: audit export * org env: shared project * org env: switch to released 3.1.0 project module version * rename organization top-level folder to organization-bootstrap * org env: use folders module with better outputs, module outputs * org env: switch the service accounts module to v2.0.0. * Merge ludo's branch from forked repo (#2) * org env: update gcs, sa, project modules * Use correct folder ID in format without prefix * org env: update folders module version, improve comments * org env: initial work on README, diagram, add variable for xpn roles * org env: update roles in README, backend file * org env: README changes * org env: README changes * org env: README changes * org env: README changes * org env: add IAM variables for audit and shared projects * org env: address README TODOs * org env: minor README changes * org env: minor README changes * org env: minor README changes * org env: simplify the sample's README by moving general considerations into the section README * Org examples README changes * org env: simplify initial state management, add comment for shared folder * org env: change state instructions to copy and rename instead of renaming backend file * org env: add a section in the README file to explain shared services, and detail options * fix comment for shared services project 2019-09-06 20:44:24 -07:00			`# Organization-level bootstrap samples`

			`This set of Terraform root modules is designed with two main purposes in mind: automating the organizational layout, and bootstrapping the initial resources and the corresponding IAM roles, which will then be used to automate the actual infrastructure.`

			`Despite being fairly generic, these modules closely match some of the initial automation stages we have implemented in actual customer engagements, and are purposely kept simple to offer a good starting point for further customizations.`

			`There are several advantages in using an initial stage like the ones provided here:`

			`- automate and parameterize creation of the organizational layout, documenting it through code`
			`- use a single declarative tool to create and manage both prerequisites and the actual infrastructure, eliminating the need for manual commands, scripts or external tools`
			`- enforce separation of duties at the environment (or tenant in multi-tenant architectures) level, by automating creation of per-environment Terraform service accounts, their IAM roles, and GCS buckets to hold state`
			`- decouple and document the use of organization-level permissions from the day to day management of the actual infrastructure, by assigning a minimum but sufficient set of high level IAM roles to Terraform service accounts in an initial stage`
			`- provide a sane place for the creation and management of shared resources that are not tied to a specific environment`

			`## Operational considerations`

			`This specific type of preliminary automation stage is usually fairly static, only changing when a new environment or shared resource is added or modified, and lends itself well to being applied manually by organization administrators. One secondary advantage of running this initial stage manually, is eliminating the need to create and manage automation credentials that embed sensitive permissions scoped at the organization or root folder level.`

			`### IAM roles`

			`This type of automation stage needs very specific IAM roles on the root node (organization or folder), and additional roles at the organization level if the generated service accounts for automation need to be able to create and manage Shared VPC. The needed roles are:`

			`- on the root node Project Creator, Folder Administrator, Logging Administrator`
			`- on the billing account or organization Billing Account Administrator`
			`- on the organization Organization Administrator, if Shared VPC needs to be managed by the automation service accounts`

			`### State`

			`This type of stage creates the prerequisites for Terraform automation including the GCS bucket used for its own remote state, so some care needs to be used when running it for the first time, when its GCS bucket has not yet been created.`

			After the first successful `terraform apply`, copy the `backend.tf.sample` file
			to `backend.tf`, then set the bucket name to the one shown in the `bootstrap_tf_gcs_bucket` output in the new file. Once that is done, run `terraform apply` again to transfer local state to the remote GCS bucket. From then on, state will be remote.

			`### Things to be aware of`

			Using `count` in Terraform resources has the [well-known limitation](https://github.com/hashicorp/terraform/issues/18767) that changing the variable controlling `count` results in the potential unwanted deletion of resources.

			These samples use `count` on the `environments` list variable to manage multiples for key resources like service accounts, GCS buckets, and IAM roles. Environment names are usually stable, but care must still be taken in defining the initial list so that names are final, and names for temporary environments (if any are needed) are last so they don't trigger recreation of resources based on the following elements in the list.

			This issue will be addressed in a future release of these examples, by replacing `count` with the new `foreach` construct [introduced in Terraform 0.12.6](https://twitter.com/mitchellh/status/1156661893789966336?lang=en) that uses key-based indexing.