update bootstrap commands (#536)

Ludovico Magnocavallo 2022-02-11 08:20:33 +01:00 committed by GitHub
parent 765f291259
commit 53144713aa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 26 additions and 17 deletions


@ -55,6 +55,7 @@ For same-organization billing, we configure a custom organization role that can
For details on configuring the different billing account modes, refer to the [How to run this stage](#how-to-run-this-stage) section below.
### Organization-level logging
We create organization-level log sinks early in the bootstrap process to ensure a proper audit trail is in place from the very beginning. By default, we provide log filters to capture [Cloud Audit Logs](https://cloud.google.com/logging/docs/audit) and [VPC Service Controls violations](https://cloud.google.com/vpc-service-controls/docs/troubleshooting#vpc-sc-errors) into a Bigquery dataset in the top-level audit project.
The [Customizations](#log-sinks-and-log-destinations) section explains how to change the logs captured and their destination.
@ -100,12 +101,20 @@ The roles that the Organization Admin used in the first `apply` needs to self-gr
To quickly self-grant the above roles, run the following code snippet as the initial Organization Admin:
```bash
export BOOTSTRAP_ORG_ID=123456
export BOOTSTRAP_USER=$(gcloud config list --format 'value(core.account)')
export BOOTSTRAP_ROLES="roles/billing.admin roles/logging.admin roles/iam.organizationRoleAdmin roles/resourcemanager.projectCreator"
for role in $BOOTSTRAP_ROLES; do
gcloud organizations add-iam-policy-binding $BOOTSTRAP_ORG_ID \
--member user:$BOOTSTRAP_USER --role $role
# set variable for current logged in user
export FAST_BU=$(gcloud config list --format 'value(core.account)')
# find and set your org id
gcloud organizations list --filter display_name:$partofyourdomain
export FAST_ORG_ID=123456
# set needed roles
export FAST_ROLES="roles/billing.admin roles/logging.admin \
roles/iam.organizationRoleAdmin roles/resourcemanager.projectCreator"
for role in $FAST_ROLES; do
gcloud organizations add-iam-policy-binding $FAST_ORG_ID \
--member user:$FAST_BU --role $role
done
```
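Review bot: `gcloud organizations list --filter display_name:$partofyourdomain` in the added snippet uses `$partofyourdomain` as a placeholder, but it is written as a shell variable; since nothing sets it, the filter expands to `display_name:` and the command lists every organization the caller can see instead of narrowing to the reader's domain. A literal placeholder that cannot be pasted unchanged, e.g. `--filter 'display_name:<part-of-your-domain>'`, would be clearer, and the same applies to `export FAST_ORG_ID=123456`, which the comment `# find and set your org id` only implicitly marks as a value to replace with the id from that output.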
@ -120,11 +129,11 @@ If that's not the case, an equivalent role needs to exist, or the predefined `re
The identity applying this stage for the first time also needs two roles in billing organization, they can be removed after the first `apply` completes successfully:
```bash
export BILLING_ORG_ID=789012
export BILLING_ROLES=(roles/billing.admin roles/resourcemanager.organizationAdmin)
for role in $BILLING_ROLES; do
gcloud organizations add-iam-policy-binding $BILLING_ORG_ID \
--member user:$BOOTSTRAP_USER --role $role
export FAST_BILLING_ORG_ID=789012
export FAST_ROLES=(roles/billing.admin roles/resourcemanager.organizationAdmin)
for role in $FAST_ROLES; do
gcloud organizations add-iam-policy-binding $FAST_BILLING_ORG_ID \
--member user:$FAST_BU --role $role
done
```
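Review bot: `for role in $FAST_ROLES` with `FAST_ROLES` declared as a bash array `(roles/billing.admin roles/resourcemanager.organizationAdmin)` expands only the first element, so only `roles/billing.admin` is granted and `roles/resourcemanager.organizationAdmin` is silently skipped; the removed `BILLING_ROLES` block had the same defect, and the rename does not fix it. Either iterate with `for role in "${FAST_ROLES[@]}"; do` or define the list as a plain space-separated string as the previous hunk does, e.g. `export FAST_ROLES="roles/billing.admin roles/resourcemanager.organizationAdmin"`. Reusing the `FAST_ROLES` name also overwrites the value set in the earlier snippet, which is harmless as long as the blocks are run in order but deserves a comment.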
@ -133,9 +142,9 @@ done
If you are using a standalone billing account, the identity applying this stage for the first time needs to be a billing account administrator:
```bash
export BILLING_ACCOUNT_ID=ABCD-01234-ABCD
gcloud beta billing accounts add-iam-policy-binding $BILLING_ACCOUNT \
--member user:$BOOTSTRAP_USER --role roles/billing.admin
export FAST_BILLING_ACCOUNT_ID=ABCD-01234-ABCD
gcloud beta billing accounts add-iam-policy-binding $FAST_BILLING_ACCOUNT_ID \
--member user:$FAST_BU --role roles/billing.admin
```
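Review bot: the removed command referenced `$BILLING_ACCOUNT`, which was never exported (the variable set on the line above was `BILLING_ACCOUNT_ID`), so the old snippet would have run `add-iam-policy-binding` with an empty account id; the new `FAST_BILLING_ACCOUNT_ID` is used consistently on both lines, which resolves that. As in the other hunks, `ABCD-01234-ABCD` is a placeholder and the comment style from the first snippet (`# set ...`) could be applied here too so readers know to replace it.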
#### Groups
@ -287,10 +296,10 @@ The one exception to this convention is for roles which are part of the delegate
You can customize organization-level logs through the `log_sinks` variable in two ways:
* creating additional log sinks to capture more logs
* changing the destination of captured logs
- creating additional log sinks to capture more logs
- changing the destination of captured logs
By default, all logs are exported to Bigquery, but FAST can create sinks to Cloud Logging Buckets, GCS, or PubSub.
By default, all logs are exported to Bigquery, but FAST can create sinks to Cloud Logging Buckets, GCS, or PubSub.
If you need to capture additional logs, please refer to GCP's documentation on [scenarios for exporting logging data](https://cloud.google.com/architecture/exporting-stackdriver-logging-for-security-and-access-analytics), where you can find ready-made filter expressions for different use cases.
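Review bot: style point: the two `By default, all logs are exported to Bigquery...` lines read identically here, so the change to that line is presumably trailing whitespace only; while it is being touched, the product names could follow Google's spelling (`BigQuery`, `Pub/Sub`, and `Cloud Storage` rather than `GCS`), which also applies to `Bigquery dataset` in the first hunk's organization-level logging paragraph. The switch from `*` to `-` list markers is consistent with the rest of the file only if the other lists in the README already use `-`; that is not visible in this diff and is worth a quick check.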