Update FAQ.md

agutta 2022-12-29 09:37:17 -06:00 committed by GitHub
parent 5120df1615
commit 7c3768d338
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 5 deletions

@ -1,5 +1,6 @@
## 00-bootstrap ## 00-bootstrap
1. How to handle requests where automation, logging and/or billing export projects are not under organization but in different folders. 1. How to handle requests where automation, logging and/or billing export projects are not under organization but in different folders.
- Run bootstrap stage and let automation, logging and/or billing projects be created under organization. - Run bootstrap stage and let automation, logging and/or billing projects be created under organization.
- Run resource manager stage or any other custom stage which creates the folders where these projects will reside. - Run resource manager stage or any other custom stage which creates the folders where these projects will reside.
@ -7,19 +8,19 @@
- This step will move the projects from organization to the parent folders specificed. - This step will move the projects from organization to the parent folders specificed.
## cicd ## cicd
1. Why do we need two seperate ServiceAccounts when configuring cicd pipelines (cicd SA and IaC SA) 1. Why do we need two seperate ServiceAccounts when configuring cicd pipelines (cicd SA and IaC SA)
- Having seperate service accounts helps shutdown the pipeline incase of any issues and still keep IaC SA and ability to run terraform plan/apply manually. - Having seperate service accounts helps shutdown the pipeline incase of any issues and still keep IaC SA and ability to run terraform plan/apply manually.
- A pipeline can only generate a token that can get access to an SA. It cannot directly call a provider file to impersonate IaC SA. - A pipeline can only generate a token that can get access to an SA. It cannot directly call a provider file to impersonate IaC SA.
- Having providers file that allows impersonation to IaC SA allows flexibility to run terraform manually or from CICD Pipelines. - Having providers file that allows impersonation to IaC SA allows flexibility to run terraform manually or from CICD Pipelines.
<p align="center"> ![CICD SA and IaC SA](IaC_SA.png)
<img src="IaC_SA.png" alt="CICD SA and IaC SA">
</p> ## Authenciation
## Authenciation
1. If you are seeing "Permission Issues" when doing terraform apply and the identity with which you are running terraform has correct permissions; 1. If you are seeing "Permission Issues" when doing terraform apply and the identity with which you are running terraform has correct permissions;
run below command so that correct auth credentials are picked by ADC when terraform commands are executed run below command so that correct auth credentials are picked by ADC when terraform commands are executed
```` ````bash
gcloud auth application-default login gcloud auth application-default login
```` ````
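Review bot: The heading `## Authenciation` is moved up beside the new image line but stays misspelled; since the commit already touches that part of the file, correct it to `## Authentication`. The surrounding context carries similar typos (`seperate`, `incase`, `specificed`) that could be fixed in the same pass. Replacing `<p align="center">` with a plain Markdown image drops the centering, which is worth confirming as intentional. On the content of the entry itself, it says to run `gcloud auth application-default login` so that ADC picks up the correct credentials, but it does not say which identity to log in as. Because the cicd section describes a providers file that impersonates the IaC SA, the entry should state that the login must be the identity permitted to impersonate that SA, otherwise the same "Permission Issues" will persist.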