Merge pull request #809 from GoogleCloudPlatform/jccb/serverless-rename
Renaming and moving blueprints
|
@ -41,4 +41,4 @@ For more information and usage examples see each module's README file.
|
||||||
|
|
||||||
## End-to-end blueprints
|
## End-to-end blueprints
|
||||||
|
|
||||||
The [blueprints](./blueprints/) in this repository are split in several main sections: **[foundational blueprints](./blueprints/foundations/)** that bootstrap the organizational hierarchy and automation prerequisites, **[networking blueprints](./blueprints/networking/)** that implement core patterns or features, **[data solutions blueprints](./blueprints/data-solutions/)** that demonstrate how to integrate data services in complete scenarios, **[cloud operations blueprints](./blueprints/cloud-operations/)** that leverage specific products to meet specific operational needs and **[factories](./blueprints/factories/)** that implement resource factories for the repetitive creation of specific resources.
|
The [blueprints](./blueprints/) in this repository are split in several main sections: **[networking blueprints](./blueprints/networking/)** that implement core patterns or features, **[data solutions blueprints](./blueprints/data-solutions/)** that demonstrate how to integrate data services in complete scenarios, **[cloud operations blueprints](./blueprints/cloud-operations/)** that leverage specific products to meet specific operational needs and **[factories](./blueprints/factories/)** that implement resource factories for the repetitive creation of specific resources, and finally **[GKE](./blueprints/gke)** and **[serverless](./blueprints/serverless)** design blueprints.
|
||||||
|
|
|
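Review bot: the rewritten sentence in this hunk now reads "... and **[factories]** that implement ..., and finally **[GKE]** and **[serverless]** design blueprints", which stacks two conjunctions; drop "and" before "**[factories]**" (or the ", and finally") so the list reads cleanly. Also the two new links (`./blueprints/gke`, `./blueprints/serverless`) lack the trailing slash that every other link in the sentence uses; make them consistent so relative resolution behaves the same way.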
@ -1,14 +1,15 @@
|
||||||
# Terraform end-to-end blueprints for Google Cloud
|
# Terraform end-to-end blueprints for Google Cloud
|
||||||
|
|
||||||
This section contains **[foundational blueprints](./foundations/)** that bootstrap the organizational hierarchy and automation prerequisites, **[networking blueprints](./networking/)** that implement core patterns or features, **[data solutions blueprints](./data-solutions/)** that demonstrate how to integrate data services in complete scenarios, **[cloud operations blueprints](./cloud-operations/)** that leverage specific products to meet specific operational needs and **[factories](./factories/)** that implement resource factories for the repetitive creation of specific resources.
|
This section **[networking blueprints](./networking/)** that implement core patterns or features, **[data solutions blueprints](./data-solutions/)** that demonstrate how to integrate data services in complete scenarios, **[cloud operations blueprints](./cloud-operations/)** that leverage specific products to meet specific operational needs, **[GKE](./gke/)** and **[Serverless](./serverless/)** blueprints, and **[factories](./factories/)** that implement resource factories for the repetitive creation of specific resources.
|
||||||
|
|
||||||
Currently available blueprints:
|
Currently available blueprints:
|
||||||
|
|
||||||
- **cloud operations** - [Resource tracking and remediation via Cloud Asset feeds](./cloud-operations/asset-inventory-feed-remediation), [Granular Cloud DNS IAM via Service Directory](./cloud-operations/dns-fine-grained-iam), [Granular Cloud DNS IAM for Shared VPC](./cloud-operations/dns-shared-vpc), [Compute Engine quota monitoring](./cloud-operations/quota-monitoring), [Scheduled Cloud Asset Inventory Export to Bigquery](./cloud-operations/scheduled-asset-inventory-export-bq), [Packer image builder](./cloud-operations/packer-image-builder), [On-prem SA key management](./cloud-operations/onprem-sa-key-management), [TCP healthcheck for unmanaged GCE instances](./cloud-operations/unmanaged-instances-healthcheck), [HTTP Load Balancer with Cloud Armor](./cloud-operations/glb_and_armor)
|
- **cloud operations** - [Resource tracking and remediation via Cloud Asset feeds](./cloud-operations/asset-inventory-feed-remediation), [Granular Cloud DNS IAM via Service Directory](./cloud-operations/dns-fine-grained-iam), [Granular Cloud DNS IAM for Shared VPC](./cloud-operations/dns-shared-vpc), [Compute Engine quota monitoring](./cloud-operations/quota-monitoring), [Scheduled Cloud Asset Inventory Export to Bigquery](./cloud-operations/scheduled-asset-inventory-export-bq), [Packer image builder](./cloud-operations/packer-image-builder), [On-prem SA key management](./cloud-operations/onprem-sa-key-management), [TCP healthcheck for unmanaged GCE instances](./cloud-operations/unmanaged-instances-healthcheck), [HTTP Load Balancer with Cloud Armor](./cloud-operations/glb_and_armor)
|
||||||
- **data solutions** - [GCE/GCS CMEK via centralized Cloud KMS](./data-solutions/gcs-to-bq-with-least-privileges/), [Cloud Storage to Bigquery with Cloud Dataflow with least privileges](./data-solutions/gcs-to-bq-with-least-privileges/), [Data Platform Foundations](./data-solutions/data-platform-foundations/), [SQL Server AlwaysOn availability groups blueprint](./data-solutions/sqlserver-alwayson), [Cloud SQL instance with multi-region read replicas](./data-solutions/cloudsql-multiregion/)
|
- **data solutions** - [GCE/GCS CMEK via centralized Cloud KMS](./data-solutions/gcs-to-bq-with-least-privileges/), [Cloud Storage to Bigquery with Cloud Dataflow with least privileges](./data-solutions/gcs-to-bq-with-least-privileges/), [Data Platform Foundations](./data-solutions/data-platform-foundations/), [SQL Server AlwaysOn availability groups blueprint](./data-solutions/sqlserver-alwayson), [Cloud SQL instance with multi-region read replicas](./data-solutions/cloudsql-multiregion/)
|
||||||
- **factories** - [The why and the how of resource factories](./factories/README.md)
|
- **factories** - [The why and the how of resource factories](./factories/README.md)
|
||||||
- **foundations** - [single level hierarchy](./foundations/environments/) (environments), [multiple level hierarchy](./foundations/business-units/) (business units + environments)
|
- **GKE** - [GKE multitenant fleet](./gke/multitenant-fleet/), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [Binary Authorization Pipeline](./gke/binauthz/), [Multi-cluster mesh on GKE (fleet API)](./gke/multi-cluster-mesh-gke-fleet-api/)
|
||||||
- **networking** - [hub and spoke via peering](./networking/hub-and-spoke-peering/), [hub and spoke via VPN](./networking/hub-and-spoke-vpn/), [DNS and Google Private Access for on-premises](./networking/onprem-google-access-dns/), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [ILB as next hop](./networking/ilb-next-hop), [PSC for on-premises Cloud Function invocation](./networking/private-cloud-function-from-onprem/), [decentralized firewall](./networking/decentralized-firewall)
|
- **networking** - [hub and spoke via peering](./networking/hub-and-spoke-peering/), [hub and spoke via VPN](./networking/hub-and-spoke-vpn/), [DNS and Google Private Access for on-premises](./networking/onprem-google-access-dns/), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [ILB as next hop](./networking/ilb-next-hop), [PSC for on-premises Cloud Function invocation](./networking/private-cloud-function-from-onprem/), [decentralized firewall](./networking/decentralized-firewall)
|
||||||
|
- **serverless** - [Multi-region deployments for API Gateway](./serverless/api-gateway/)
|
||||||
- **third party solutions** - [OpenShift cluster on Shared VPC](./third-party-solutions/openshift)
|
- **third party solutions** - [OpenShift cluster on Shared VPC](./third-party-solutions/openshift)
|
||||||
|
|
||||||
For more information see the README files in the [foundations](./foundations/), [networking](./networking/), [data solutions](./data-solutions/), [cloud operations](./cloud-operations/) and [factories](./factories/) folders.
|
For more information see the individual README files in each section.
|
||||||
|
|
|
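Review bot: the replacement paragraph has lost its verb: "This section **[networking blueprints](./networking/)** that implement ..." should read "This section contains **[networking blueprints](./networking/)** ...", as the removed line did. Two smaller consistency points in the same hunk: "**[Serverless](./serverless/)**" is capitalised in the paragraph but the new list entry uses "**serverless**", and the "Shared VPC with GKE support" link now appears under both **GKE** and **networking**; if the cross-listing is intentional it is fine, otherwise keep it in one place.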
@ -1,48 +0,0 @@
|
||||||
# Cloud foundation blueprints
|
|
||||||
|
|
||||||
The blueprints in this folder deal with cloud foundations: the set of resources used to **create the organizational hierarchy** (folders and specific IAM roles), **implement top-level initial best practices** (audit log exports, policies) and **bootstrap infrastructure automation** (GCS buckets, service accounts and IAM roles).
|
|
||||||
|
|
||||||
The blueprints are derived from actual production use cases, and are meant to be used as-is, or extended to create more complex hierarchies. The guiding principles they implement are:
|
|
||||||
|
|
||||||
- divide the hierarchy in separate partitions along environment/organization boundaries, to enforce separation of duties and decouple organization admin permissions from the day-to-day running of infrastructure
|
|
||||||
- keep top-level Terraform code minimal and encapsulate complexity in modules, to ensure readability and allow using code as high level documentation
|
|
||||||
|
|
||||||
## Blueprints
|
|
||||||
|
|
||||||
### Environment Hierarchy
|
|
||||||
|
|
||||||
<a href="./environments/" title="Environments blueprint"><img src="./environments/diagram.png" align="left" width="280px"></a> This [blueprint](./environments/) implements a simple one-level organizational layout, which is commonly used to bootstrap small infrastructures, or in situations where lower level folders are managed with separate, more granular Terraform setups.
|
|
||||||
|
|
||||||
One authoritative service account, one bucket and one folder are created for each environment, together with top-level shared resources. This blueprint's simplicity makes it a good starting point to understand and prototype foundational design.
|
|
||||||
|
|
||||||
<br clear="left">
|
|
||||||
|
|
||||||
### Business Unit / Environment Hierarchy
|
|
||||||
|
|
||||||
<a href="./business-units/" title="Business Units blueprint"><img src="./business-units/diagram.png" align="left" width="280px"></a> This [blueprint](./business-units/) implements a two-level organizational layout, with a first level usually mapped to business units, and a second level implementing identical environments (prod, test, etc.) under each first-level folder.
|
|
||||||
|
|
||||||
This approach maps well to medium sized infrastructures, and can be used as a starting point for more complex scenarios. Separate Terraform stages are then usually implemented for each business unit, implementing fine-grained project and service account creation for individual application teams.
|
|
||||||
<br clear="left">
|
|
||||||
|
|
||||||
## Operational considerations
|
|
||||||
|
|
||||||
These blueprints are always used manually, as they require very high-level permissions and are updated infrequently.
|
|
||||||
|
|
||||||
The IAM roles needed are:
|
|
||||||
|
|
||||||
- Project Creator, Folder Administrator, Logging Administrator on the root node (org or folder)
|
|
||||||
- Billing Account Administrator on the billing account or org
|
|
||||||
- Organization Administrator if Shared VPC roles have to be granted to the automation service accounts created for each scope
|
|
||||||
|
|
||||||
State is local on the first run, then it should be moved to the GCS bucket created by the blueprints for this specific purpose:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# first apply
|
|
||||||
terraform apply
|
|
||||||
# create backend file
|
|
||||||
cp backend.tf.sample backend.tf
|
|
||||||
# edit backend.tf and use bootstrap_tf_gcs_bucket output for GCS bucket name
|
|
||||||
vi backend.tf
|
|
||||||
# once done, move local state to GCS bucket
|
|
||||||
terraform init
|
|
||||||
```
|
|
|
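Review bot: this deletes the foundations section README outright, and nothing in this diff adds it back elsewhere even though the PR is described as renaming and moving. The "Operational considerations" part (required roles: Project Creator, Folder Administrator, Logging Administrator on the root node, Billing Account Administrator, Organization Administrator for Shared VPC grants; the local-to-GCS state migration steps) is the kind of guidance people copy from when bootstrapping an org, so confirm it lands in the new location rather than being dropped.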
@ -1,59 +0,0 @@
|
||||||
# Business-units based organizational sample
|
|
||||||
|
|
||||||
This sample creates an organizational layout with two folder levels, where the first level is usually mapped to one business unit or team (infra, data, analytics) and the second level represents environments (prod, test). It also sets up all prerequisites for automation (GCS state buckets, service accounts, etc.), and the correct roles on those to enforce separation of duties at the environment level.
|
|
||||||
|
|
||||||
This layout is well suited for medium-sized infrastructures managed by different sets of teams, and in cases where the core infrastructure is managed centrally, as the top-level automation service accounts for each environment allow cross-team management of the base resources (projects, IAM, etc.).
|
|
||||||
|
|
||||||
![High-level diagram](diagram.png "High-level diagram")
|
|
||||||
|
|
||||||
Refer to the [section-level README](../README.md) for general considerations about this type of samples, and usage instructions.
|
|
||||||
|
|
||||||
## Managed resources and services
|
|
||||||
|
|
||||||
This sample creates several distinct groups of resources:
|
|
||||||
|
|
||||||
- one top-level folder per business unit/team
|
|
||||||
- one top-level folder for shared services
|
|
||||||
- one second-level folder for each environment in all the business unit top-level folders
|
|
||||||
- one project in the shared folder to hold Terraform-related resources
|
|
||||||
- one project in the shared folder to set up and host centralized audit log exports
|
|
||||||
- one project in the shared folder to hold services used across environments like GCS, GCR, KMS, Cloud Build, etc.
|
|
||||||
|
|
||||||
The number of resources in this sample is kept to a minimum so as to make it generally applicable, more resources can be easily added by leveraging other [modules from our bundle](../../../modules/), or from other sources like the [CFT suite](https://github.com/terraform-google-modules).
|
|
||||||
|
|
||||||
## Shared services
|
|
||||||
|
|
||||||
This sample uses a top-level folder to encapsulate projects that host resources that are not specific to a single environment. If no shared services are needed,the Terraform and audit modules can be easily attached to the root node, and the shared services folder and project removed from `main.tf`.
|
|
||||||
<!-- BEGIN TFDOC -->
|
|
||||||
|
|
||||||
## Variables
|
|
||||||
|
|
||||||
| name | description | type | required | default |
|
|
||||||
|---|---|:---:|:---:|:---:|
|
|
||||||
| [billing_account_id](variables.tf#L27) | Billing account id used as default for new projects. | <code>string</code> | ✓ | |
|
|
||||||
| [organization_id](variables.tf#L69) | Organization id in organizations/nnnnnnn format. | <code>string</code> | ✓ | |
|
|
||||||
| [prefix](variables.tf#L74) | Prefix used for resources that need unique names. | <code>string</code> | ✓ | |
|
|
||||||
| [root_node](variables.tf#L88) | Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'. | <code>string</code> | ✓ | |
|
|
||||||
| [audit_filter](variables.tf#L17) | Audit log filter used for the log sink. | <code>string</code> | | <code title="" logName: "/logs/cloudaudit.googleapis.com%2Factivity" OR logName: "/logs/cloudaudit.googleapis.com%2Fsystem_event""">…</code> |
|
|
||||||
| [environments](variables.tf#L32) | Environment short names. | <code>map(string)</code> | | <code title="{ dev = "Development", test = "Testing", prod = "Production" }">{…}</code> |
|
|
||||||
| [gcs_defaults](variables.tf#L42) | Defaults use for the state GCS buckets. | <code>map(string)</code> | | <code title="{ location = "EU" storage_class = "MULTI_REGIONAL" }">{…}</code> |
|
|
||||||
| [iam_audit_viewers](variables.tf#L51) | Audit project viewers, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
|
||||||
| [iam_shared_owners](variables.tf#L57) | Shared services project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
|
||||||
| [iam_terraform_owners](variables.tf#L63) | Terraform project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
|
||||||
| [project_services](variables.tf#L79) | Service APIs enabled by default in new projects. | <code>list(string)</code> | | <code title="[ "container.googleapis.com", "stackdriver.googleapis.com", ]">[…]</code> |
|
|
||||||
|
|
||||||
## Outputs
|
|
||||||
|
|
||||||
| name | description | sensitive |
|
|
||||||
|---|---|:---:|
|
|
||||||
| [audit_logs_project](outputs.tf#L17) | Project that holds the audit logs export resources. | |
|
|
||||||
| [bootstrap_tf_gcs_bucket](outputs.tf#L22) | GCS bucket used for the bootstrap Terraform state. | |
|
|
||||||
| [bu_business_intelligence](outputs.tf#L27) | Business Intelligence attributes. | |
|
|
||||||
| [bu_business_intelligence_keys](outputs.tf#L37) | Business Intelligence service account keys. | ✓ |
|
|
||||||
| [bu_machine_learning](outputs.tf#L43) | Machine Learning attributes. | |
|
|
||||||
| [bu_machine_learning_keys](outputs.tf#L53) | Machine Learning service account keys. | ✓ |
|
|
||||||
| [shared_folder_id](outputs.tf#L59) | Shared folder id. | |
|
|
||||||
| [shared_resources_project](outputs.tf#L64) | Project that holdes resources shared across business units. | |
|
|
||||||
| [terraform_project](outputs.tf#L69) | Project that holds the base Terraform resources. | |
|
|
||||||
|
|
||||||
<!-- END TFDOC -->
|
|
|
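Review bot: if this README is being moved rather than removed, fix the typos in the moved copy: "needed,the" (missing space), "holdes" in the `shared_resources_project` description and "Defaults use for" in `gcs_defaults`. The variables and outputs tables carry `variables.tf#Lnn` / `outputs.tf#Lnn` anchors generated by tfdoc, so regenerate the `<!-- BEGIN TFDOC -->` block after the move instead of copying it verbatim.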
@ -1,22 +0,0 @@
|
||||||
# Copyright 2022 Google LLC
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# https://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
terraform {
|
|
||||||
backend "gcs" {
|
|
||||||
# once initial apply has completed, copy this file to `backend.tf` then
|
|
||||||
# set the `bucket` value to the `bootstrap_tf_gcs_bucket` output, then
|
|
||||||
# run apply again to transfer state
|
|
||||||
bucket = ""
|
|
||||||
}
|
|
||||||
}
|
|
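Review bot: the comment in `backend.tf.sample` says "run apply again to transfer state", but moving local state into the newly configured `gcs` backend is done by `terraform init` (it detects the backend change and offers to copy the existing state), which is also what the section README's own snippet runs; `apply` on its own will not migrate anything. Change the comment to "run `terraform init` to migrate state" wherever this file ends up.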
Before Width: | Height: | Size: 63 KiB |
|
@ -1,175 +0,0 @@
|
||||||
/**
|
|
||||||
* Copyright 2022 Google LLC
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
locals {
|
|
||||||
logging_sinks = {
|
|
||||||
audit-logs = {
|
|
||||||
type = "bigquery"
|
|
||||||
destination = module.audit-dataset.id
|
|
||||||
filter = var.audit_filter
|
|
||||||
iam = true
|
|
||||||
include_children = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
root_node_type = split("/", var.root_node)[0]
|
|
||||||
}
|
|
||||||
|
|
||||||
###############################################################################
|
|
||||||
# Terraform top-level resources #
|
|
||||||
###############################################################################
|
|
||||||
|
|
||||||
# Shared folder
|
|
||||||
|
|
||||||
module "shared-folder" {
|
|
||||||
source = "../../../modules/folder"
|
|
||||||
parent = var.root_node
|
|
||||||
name = "shared"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Terraform project
|
|
||||||
|
|
||||||
module "tf-project" {
|
|
||||||
source = "../../../modules/project"
|
|
||||||
name = "terraform"
|
|
||||||
parent = module.shared-folder.id
|
|
||||||
prefix = var.prefix
|
|
||||||
billing_account = var.billing_account_id
|
|
||||||
iam_additive = {
|
|
||||||
for name in var.iam_terraform_owners : (name) => ["roles/owner"]
|
|
||||||
}
|
|
||||||
services = var.project_services
|
|
||||||
}
|
|
||||||
|
|
||||||
# Bootstrap Terraform state GCS bucket
|
|
||||||
|
|
||||||
module "tf-gcs-bootstrap" {
|
|
||||||
source = "../../../modules/gcs"
|
|
||||||
project_id = module.tf-project.project_id
|
|
||||||
name = "tf-bootstrap"
|
|
||||||
prefix = "${var.prefix}-tf"
|
|
||||||
location = var.gcs_defaults.location
|
|
||||||
}
|
|
||||||
|
|
||||||
###############################################################################
|
|
||||||
# Business units #
|
|
||||||
###############################################################################
|
|
||||||
|
|
||||||
module "bu-business-intelligence" {
|
|
||||||
source = "../../../modules/folders-unit"
|
|
||||||
name = "Business Intelligence"
|
|
||||||
short_name = "bi"
|
|
||||||
automation_project_id = module.tf-project.project_id
|
|
||||||
billing_account_id = var.billing_account_id
|
|
||||||
environments = var.environments
|
|
||||||
gcs_defaults = var.gcs_defaults
|
|
||||||
organization_id = var.organization_id
|
|
||||||
root_node = var.root_node
|
|
||||||
prefix = var.prefix
|
|
||||||
# extra variables from the folders-unit module can be used here to grant
|
|
||||||
# IAM roles to the bu users, configure the automation service accounts, etc.
|
|
||||||
# iam_roles = ["viewer"]
|
|
||||||
# iam_members = { viewer = ["user:user@example.com"] }
|
|
||||||
}
|
|
||||||
|
|
||||||
module "bu-machine-learning" {
|
|
||||||
source = "../../../modules/folders-unit"
|
|
||||||
name = "Machine Learning"
|
|
||||||
short_name = "ml"
|
|
||||||
automation_project_id = module.tf-project.project_id
|
|
||||||
billing_account_id = var.billing_account_id
|
|
||||||
environments = var.environments
|
|
||||||
gcs_defaults = var.gcs_defaults
|
|
||||||
organization_id = var.organization_id
|
|
||||||
root_node = var.root_node
|
|
||||||
prefix = var.prefix
|
|
||||||
# extra variables from the folders-unit module can be used here to grant
|
|
||||||
# IAM roles to the bu users, configure the automation service accounts, etc.
|
|
||||||
}
|
|
||||||
|
|
||||||
###############################################################################
|
|
||||||
# Audit log exports #
|
|
||||||
###############################################################################
|
|
||||||
|
|
||||||
# Audit logs project
|
|
||||||
|
|
||||||
module "audit-project" {
|
|
||||||
source = "../../../modules/project"
|
|
||||||
name = "audit"
|
|
||||||
parent = module.shared-folder.id
|
|
||||||
prefix = var.prefix
|
|
||||||
billing_account = var.billing_account_id
|
|
||||||
iam = {
|
|
||||||
"roles/viewer" = var.iam_audit_viewers
|
|
||||||
}
|
|
||||||
services = concat(var.project_services, [
|
|
||||||
"bigquery.googleapis.com",
|
|
||||||
])
|
|
||||||
}
|
|
||||||
|
|
||||||
# audit logs dataset and sink
|
|
||||||
|
|
||||||
module "audit-dataset" {
|
|
||||||
source = "../../../modules/bigquery-dataset"
|
|
||||||
project_id = module.audit-project.project_id
|
|
||||||
id = "audit_export"
|
|
||||||
friendly_name = "Audit logs export."
|
|
||||||
# disable delete on destroy for actual use
|
|
||||||
options = {
|
|
||||||
default_table_expiration_ms = null
|
|
||||||
default_partition_expiration_ms = null
|
|
||||||
delete_contents_on_destroy = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# uncomment the next two modules to create the logging sinks
|
|
||||||
|
|
||||||
# module "root_org" {
|
|
||||||
# count = local.root_node_type == "organizations" ? 1 : 0
|
|
||||||
# source = "../../../modules/organization"
|
|
||||||
# organization_id = var.root_node
|
|
||||||
# logging_sinks = local.logging_sinks
|
|
||||||
# exclusions = {}
|
|
||||||
# }
|
|
||||||
|
|
||||||
# module "root_folder" {
|
|
||||||
# count = local.root_node_type == "folders" ? 1 : 0
|
|
||||||
# source = "../../../modules/folder"
|
|
||||||
# id = var.root_node
|
|
||||||
# folder_create = false
|
|
||||||
# logging_sinks = local.logging_sinks
|
|
||||||
# exclusions = {}
|
|
||||||
# }
|
|
||||||
|
|
||||||
###############################################################################
|
|
||||||
# Shared resources (GCR, GCS, KMS, etc.) #
|
|
||||||
###############################################################################
|
|
||||||
|
|
||||||
# Shared resources project
|
|
||||||
|
|
||||||
module "shared-project" {
|
|
||||||
source = "../../../modules/project"
|
|
||||||
name = "shared"
|
|
||||||
parent = module.shared-folder.id
|
|
||||||
prefix = var.prefix
|
|
||||||
billing_account = var.billing_account_id
|
|
||||||
iam_additive = {
|
|
||||||
for name in var.iam_shared_owners : (name) => ["roles/owner"]
|
|
||||||
}
|
|
||||||
services = var.project_services
|
|
||||||
}
|
|
||||||
|
|
||||||
# Add further modules here for resources that are common to all business units
|
|
||||||
# like GCS buckets (used to hold shared assets), Container Registry, KMS, etc.
|
|
|
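Review bot: both sink modules (`root_org` and `root_folder`) are commented out, so applying this as-is creates the `audit_export` dataset but no log sink, and the centralized audit log export the README advertises never happens unless the user edits `main.tf`; the `count` guards on `local.root_node_type` already make the two modules mutually exclusive, so they could simply be enabled. Related: the audit dataset sets `delete_contents_on_destroy = true` with only a comment asking users to flip it "for actual use"; for an audit-log destination the safe default is `false`, so a stray `terraform destroy` cannot wipe the exported records.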
@ -1,75 +0,0 @@
|
||||||
/**
|
|
||||||
* Copyright 2022 Google LLC
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
output "audit_logs_project" {
|
|
||||||
description = "Project that holds the audit logs export resources."
|
|
||||||
value = module.audit-project.project_id
|
|
||||||
}
|
|
||||||
|
|
||||||
output "bootstrap_tf_gcs_bucket" {
|
|
||||||
description = "GCS bucket used for the bootstrap Terraform state."
|
|
||||||
value = module.tf-gcs-bootstrap.name
|
|
||||||
}
|
|
||||||
|
|
||||||
output "bu_business_intelligence" {
|
|
||||||
description = "Business Intelligence attributes."
|
|
||||||
value = {
|
|
||||||
unit_folder = module.bu-business-intelligence.unit_folder,
|
|
||||||
env_gcs_buckets = module.bu-business-intelligence.env_gcs_buckets
|
|
||||||
env_folders = module.bu-business-intelligence.env_folders
|
|
||||||
env_service_accounts = module.bu-business-intelligence.env_service_accounts
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
output "bu_business_intelligence_keys" {
|
|
||||||
description = "Business Intelligence service account keys."
|
|
||||||
sensitive = true
|
|
||||||
value = module.bu-business-intelligence.env_sa_keys
|
|
||||||
}
|
|
||||||
|
|
||||||
output "bu_machine_learning" {
|
|
||||||
description = "Machine Learning attributes."
|
|
||||||
value = {
|
|
||||||
unit_folder = module.bu-machine-learning.unit_folder,
|
|
||||||
env_gcs_buckets = module.bu-machine-learning.env_gcs_buckets
|
|
||||||
env_folders = module.bu-machine-learning.env_folders
|
|
||||||
env_service_accounts = module.bu-machine-learning.env_service_accounts
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
output "bu_machine_learning_keys" {
|
|
||||||
description = "Machine Learning service account keys."
|
|
||||||
sensitive = true
|
|
||||||
value = module.bu-machine-learning.env_sa_keys
|
|
||||||
}
|
|
||||||
|
|
||||||
output "shared_folder_id" {
|
|
||||||
description = "Shared folder id."
|
|
||||||
value = module.shared-folder.id
|
|
||||||
}
|
|
||||||
|
|
||||||
output "shared_resources_project" {
|
|
||||||
description = "Project that holdes resources shared across business units."
|
|
||||||
value = module.shared-project.project_id
|
|
||||||
}
|
|
||||||
|
|
||||||
output "terraform_project" {
|
|
||||||
description = "Project that holds the base Terraform resources."
|
|
||||||
value = module.tf-project.project_id
|
|
||||||
}
|
|
||||||
|
|
||||||
# Add further outputs here for the additional modules that manage shared
|
|
||||||
# resources, like GCR, GCS buckets, KMS, etc.
|
|
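Review bot: `bu_business_intelligence_keys` and `bu_machine_learning_keys` are correctly marked `sensitive = true`, but that only redacts CLI output; the service account private keys are still written in plaintext to the state file, so anyone with read access to `bootstrap_tf_gcs_bucket` obtains them. Call that out in the README next to the bucket, keep bucket IAM tight, and prefer service account impersonation over generated keys where the consuming pipelines support it. Typo in the `shared_resources_project` description: "holdes".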
|
@ -1,19 +0,0 @@
|
||||||
# Copyright 2022 Google LLC
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# https://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
billing_account_id = "014617-19UCBC-AF02D9"
|
|
||||||
organization_id= "500001140800"
|
|
||||||
prefix = "xyz"
|
|
||||||
root_node = "folders/9572793983696"
|
|
||||||
generate_keys = true
|
|
|
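Review bot: `generate_keys = true` sets a variable that the `variables.tf` in this same diff does not declare, so Terraform will warn about an undeclared input and the value has no effect; either declare it or drop the line. `organization_id = "500001140800"` also contradicts the declared format "organizations/nnnnnnn". Finally, the billing account, organization and folder values look like real identifiers rather than placeholders; a `.sample` file should use obvious dummies (e.g. `organizations/123456789012`) so real IDs are not committed. Minor: `organization_id=` is missing the space `terraform fmt` would insert.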
@ -1,91 +0,0 @@
|
||||||
/**
|
|
||||||
* Copyright 2022 Google LLC
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
variable "audit_filter" {
|
|
||||||
description = "Audit log filter used for the log sink."
|
|
||||||
type = string
|
|
||||||
default = <<END
|
|
||||||
logName: "/logs/cloudaudit.googleapis.com%2Factivity"
|
|
||||||
OR
|
|
||||||
logName: "/logs/cloudaudit.googleapis.com%2Fsystem_event"
|
|
||||||
END
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "billing_account_id" {
|
|
||||||
description = "Billing account id used as default for new projects."
|
|
||||||
type = string
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "environments" {
|
|
||||||
description = "Environment short names."
|
|
||||||
type = map(string)
|
|
||||||
default = {
|
|
||||||
dev = "Development",
|
|
||||||
test = "Testing",
|
|
||||||
prod = "Production"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "gcs_defaults" {
|
|
||||||
description = "Defaults use for the state GCS buckets."
|
|
||||||
type = map(string)
|
|
||||||
default = {
|
|
||||||
location = "EU"
|
|
||||||
storage_class = "MULTI_REGIONAL"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "iam_audit_viewers" {
|
|
||||||
description = "Audit project viewers, in IAM format."
|
|
||||||
type = list(string)
|
|
||||||
default = []
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "iam_shared_owners" {
|
|
||||||
description = "Shared services project owners, in IAM format."
|
|
||||||
type = list(string)
|
|
||||||
default = []
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "iam_terraform_owners" {
|
|
||||||
description = "Terraform project owners, in IAM format."
|
|
||||||
type = list(string)
|
|
||||||
default = []
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "organization_id" {
|
|
||||||
description = "Organization id in organizations/nnnnnnn format."
|
|
||||||
type = string
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "prefix" {
|
|
||||||
description = "Prefix used for resources that need unique names."
|
|
||||||
type = string
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "project_services" {
|
|
||||||
description = "Service APIs enabled by default in new projects."
|
|
||||||
type = list(string)
|
|
||||||
default = [
|
|
||||||
"container.googleapis.com",
|
|
||||||
"stackdriver.googleapis.com",
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "root_node" {
|
|
||||||
description = "Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'."
|
|
||||||
type = string
|
|
||||||
}
|
|
|
@ -1,29 +0,0 @@
|
||||||
# Copyright 2022 Google LLC
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# https://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
terraform {
|
|
||||||
required_version = ">= 1.1.0"
|
|
||||||
required_providers {
|
|
||||||
google = {
|
|
||||||
source = "hashicorp/google"
|
|
||||||
version = ">= 4.32.0" # tftest
|
|
||||||
}
|
|
||||||
google-beta = {
|
|
||||||
source = "hashicorp/google-beta"
|
|
||||||
version = ">= 4.32.0" # tftest
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
|
@ -1,65 +0,0 @@
|
||||||
# Environment-based organizational sample
|
|
||||||
|
|
||||||
This sample creates an organizational layout with a single level, where each folder is usually mapped to one infrastructure environment (test, dev, etc.). It also sets up all prerequisites for automation (GCS state buckets, service accounts, etc.), and the correct roles on those to enforce separation of duties at the environment level.
|
|
||||||
|
|
||||||
This layout is well suited for medium-sized infrastructures managed by a small set of teams, where the complexity in application resource ownership and access roles is mostly dealt with at the project level, and/or in the individual services (GKE, Cloud SQL, etc.). Its simplicity also makes it a good starting point for more complex or specialized layouts.
|
|
||||||
|
|
||||||
![High-level diagram](diagram.png "High-level diagram")
|
|
||||||
|
|
||||||
Refer to the [section-level README](../README.md) for general considerations about this type of samples, and usage instructions.
|
|
||||||
|
|
||||||
## Managed resources and services
|
|
||||||
|
|
||||||
This sample creates several distinct groups of resources:
|
|
||||||
|
|
||||||
- one folder per environment
|
|
||||||
- one top-level project to hold Terraform-related resources
|
|
||||||
- one top-level project to set up and host centralized audit log exports (optional)
|
|
||||||
- one top-level shared services project
|
|
||||||
|
|
||||||
The number of resources in this sample is kept to a minimum so as to make it generally applicable, more resources can be easily added by leveraging other [modules from our bundle](../../../modules/), or from other sources like the [CFT suite](https://github.com/terraform-google-modules).
|
|
||||||
|
|
||||||
## Shared services project
|
|
||||||
|
|
||||||
This sample contains a single, top-level project used to host services shared across environments (eg GCS, GCR, KMS, Cloud Build, etc.). In our experience, that is enough for many customers, especially those using this organizational layout.
|
|
||||||
|
|
||||||
For more complex setups where multiple shared services projects are needed to encapsulate a larger number of resources, shared services should be treated as an extra environment so that they can be managed by a dedicated set of Terraform files, using a separate service account and GCS bucket, with a folder to contain shared projects.
|
|
||||||
|
|
||||||
If no shared services are needed, the shared service project module can of course be removed from `main.tf`.
|
|
||||||
<!-- BEGIN TFDOC -->
|
|
||||||
|
|
||||||
## Variables
|
|
||||||
|
|
||||||
| name | description | type | required | default |
|
|
||||||
|---|---|:---:|:---:|:---:|
|
|
||||||
| [billing_account_id](variables.tf#L25) | Billing account id used as to create projects. | <code>string</code> | ✓ | |
|
|
||||||
| [environments](variables.tf#L30) | Environment short names. | <code>set(string)</code> | ✓ | |
|
|
||||||
| [organization_id](variables.tf#L94) | Organization id in organizations/nnnnnnnn format. | <code>string</code> | ✓ | |
|
|
||||||
| [prefix](variables.tf#L99) | Prefix used for resources that need unique names. | <code>string</code> | ✓ | |
|
|
||||||
| [root_node](variables.tf#L113) | Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'. | <code>string</code> | ✓ | |
|
|
||||||
| [audit_filter](variables.tf#L15) | Audit log filter used for the log sink. | <code>string</code> | | <code title="" logName: "/logs/cloudaudit.googleapis.com%2Factivity" OR logName: "/logs/cloudaudit.googleapis.com%2Fsystem_event""">…</code> |
|
|
||||||
| [gcs_location](variables.tf#L35) | GCS bucket location. | <code>string</code> | | <code>"EU"</code> |
|
|
||||||
| [iam_audit_viewers](variables.tf#L41) | Audit project viewers, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
|
||||||
| [iam_billing_config](variables.tf#L47) | Control granting billing user role to service accounts. Target the billing account by default. | <code title="object({ grant = bool target_org = bool })">object({…})</code> | | <code title="{ grant = true target_org = false }">{…}</code> |
|
|
||||||
| [iam_folder_roles](variables.tf#L59) | List of roles granted to each service account on its respective folder (excluding XPN roles). | <code>list(string)</code> | | <code title="[ "roles/compute.networkAdmin", "roles/owner", "roles/resourcemanager.folderViewer", "roles/resourcemanager.projectCreator", ]">[…]</code> |
|
|
||||||
| [iam_shared_owners](variables.tf#L70) | Shared services project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
|
||||||
| [iam_terraform_owners](variables.tf#L76) | Terraform project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
|
||||||
| [iam_xpn_config](variables.tf#L82) | Control granting Shared VPC creation roles to service accounts. Target the root node by default. | <code title="object({ grant = bool target_org = bool })">object({…})</code> | | <code title="{ grant = true target_org = true }">{…}</code> |
|
|
||||||
| [project_services](variables.tf#L104) | Service APIs enabled by default in new projects. | <code>list(string)</code> | | <code title="[ "container.googleapis.com", "stackdriver.googleapis.com", ]">[…]</code> |
|
|
||||||
| [service_account_keys](variables.tf#L118) | Generate and store service account keys in the state file. | <code>bool</code> | | <code>true</code> |
|
|
||||||
|
|
||||||
## Outputs
|
|
||||||
|
|
||||||
| name | description | sensitive |
|
|
||||||
|---|---|:---:|
|
|
||||||
| [audit_logs_bq_dataset](outputs.tf#L15) | Bigquery dataset for the audit logs export. | |
|
|
||||||
| [audit_logs_project](outputs.tf#L20) | Project that holds the audit logs export resources. | |
|
|
||||||
| [bootstrap_tf_gcs_bucket](outputs.tf#L25) | GCS bucket used for the bootstrap Terraform state. | |
|
|
||||||
| [environment_folders](outputs.tf#L30) | Top-level environment folders. | |
|
|
||||||
| [environment_service_account_keys](outputs.tf#L35) | Service account keys used to run each environment Terraform modules. | ✓ |
|
|
||||||
| [environment_service_accounts](outputs.tf#L40) | Service accounts used to run each environment Terraform modules. | |
|
|
||||||
| [environment_tf_gcs_buckets](outputs.tf#L45) | GCS buckets used for each environment Terraform state. | |
|
|
||||||
| [shared_services_project](outputs.tf#L50) | Project that holdes resources shared across environments. | |
|
|
||||||
| [terraform_project](outputs.tf#L55) | Project that holds the base Terraform resources. | |
|
|
||||||
|
|
||||||
<!-- END TFDOC -->
|
|
|
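Review bot: the `-1,65 +0,0` header makes this a deletion rather than a move, and no relocated copy of this README appears in the diff, so the user-facing guidance on environment-level separation of duties (one service account and state bucket per environment) and the bootstrap state-transfer steps disappear with it. If the foundations samples are intentionally retired, say so in the PR description and CHANGELOG and point readers to the replacement layout, and make sure the section README no longer links to `./foundations/`.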
@ -1,23 +0,0 @@
|
||||||
# Copyright 2022 Google LLC
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# https://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
|
|
||||||
terraform {
|
|
||||||
backend "gcs" {
|
|
||||||
# once initial apply has completed, copy this file to `backend.tf` then
|
|
||||||
# set the `bucket` value to the `bootstrap_tf_gcs_bucket` output, then
|
|
||||||
# run apply again to transfer state
|
|
||||||
bucket = ""
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,50 +0,0 @@
|
||||||
/**
|
|
||||||
* Copyright 2022 Google LLC
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
locals {
|
|
||||||
folder_roles = concat(var.iam_folder_roles, local.sa_xpn_folder_role)
|
|
||||||
organization_id = element(split("/", var.organization_id), 1)
|
|
||||||
sa_billing_account_role = (
|
|
||||||
var.iam_billing_config.target_org ? [] : ["roles/billing.user"]
|
|
||||||
)
|
|
||||||
sa_billing_org_role = (
|
|
||||||
!var.iam_billing_config.target_org ? [] : ["roles/billing.user"]
|
|
||||||
)
|
|
||||||
sa_xpn_folder_role = (
|
|
||||||
local.sa_xpn_target_org ? [] : ["roles/compute.xpnAdmin"]
|
|
||||||
)
|
|
||||||
sa_xpn_org_roles = (
|
|
||||||
local.sa_xpn_target_org
|
|
||||||
? ["roles/compute.xpnAdmin", "roles/resourcemanager.organizationViewer"]
|
|
||||||
: ["roles/resourcemanager.organizationViewer"]
|
|
||||||
)
|
|
||||||
sa_xpn_target_org = (
|
|
||||||
var.iam_xpn_config.target_org
|
|
||||||
||
|
|
||||||
substr(var.root_node, 0, 13) == "organizations"
|
|
||||||
)
|
|
||||||
logging_sinks = {
|
|
||||||
audit-logs = {
|
|
||||||
type = "bigquery"
|
|
||||||
destination = module.audit-dataset.id
|
|
||||||
filter = var.audit_filter
|
|
||||||
iam = true
|
|
||||||
include_children = true
|
|
||||||
exclusions = {}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
root_node_type = split("/", var.root_node)[0]
|
|
||||||
}
|
|
|
@ -1,168 +0,0 @@
|
||||||
# Copyright 2022 Google LLC
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# https://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
###############################################################################
|
|
||||||
# Terraform top-level resources #
|
|
||||||
###############################################################################
|
|
||||||
|
|
||||||
# Terraform project
|
|
||||||
|
|
||||||
module "tf-project" {
|
|
||||||
source = "../../../modules/project"
|
|
||||||
name = "terraform"
|
|
||||||
parent = var.root_node
|
|
||||||
prefix = var.prefix
|
|
||||||
billing_account = var.billing_account_id
|
|
||||||
iam_additive = {
|
|
||||||
"roles/owner" = var.iam_terraform_owners
|
|
||||||
}
|
|
||||||
services = var.project_services
|
|
||||||
}
|
|
||||||
|
|
||||||
# per-environment service accounts
|
|
||||||
|
|
||||||
module "tf-service-accounts" {
|
|
||||||
source = "../../../modules/iam-service-account"
|
|
||||||
for_each = var.environments
|
|
||||||
project_id = module.tf-project.project_id
|
|
||||||
name = each.value
|
|
||||||
prefix = var.prefix
|
|
||||||
iam_billing_roles = {
|
|
||||||
(var.billing_account_id) = (
|
|
||||||
var.iam_billing_config.grant ? local.sa_billing_account_role : []
|
|
||||||
)
|
|
||||||
}
|
|
||||||
# folder roles are set in the folders module using authoritative bindings
|
|
||||||
iam_organization_roles = {
|
|
||||||
(local.organization_id) = concat(
|
|
||||||
var.iam_billing_config.grant ? local.sa_billing_org_role : [],
|
|
||||||
var.iam_xpn_config.grant ? local.sa_xpn_org_roles : []
|
|
||||||
)
|
|
||||||
}
|
|
||||||
generate_key = var.service_account_keys
|
|
||||||
}
|
|
||||||
|
|
||||||
# bootstrap Terraform state GCS bucket
|
|
||||||
|
|
||||||
module "tf-gcs-bootstrap" {
|
|
||||||
source = "../../../modules/gcs"
|
|
||||||
project_id = module.tf-project.project_id
|
|
||||||
name = "tf-bootstrap"
|
|
||||||
prefix = "${var.prefix}-tf"
|
|
||||||
location = var.gcs_location
|
|
||||||
}
|
|
||||||
|
|
||||||
# per-environment Terraform state GCS buckets
|
|
||||||
|
|
||||||
module "tf-gcs-environments" {
|
|
||||||
source = "../../../modules/gcs"
|
|
||||||
for_each = var.environments
|
|
||||||
project_id = module.tf-project.project_id
|
|
||||||
name = each.value
|
|
||||||
prefix = "${var.prefix}-tf"
|
|
||||||
location = var.gcs_location
|
|
||||||
iam = {
|
|
||||||
"roles/storage.objectAdmin" = [module.tf-service-accounts[each.value].iam_email]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
###############################################################################
|
|
||||||
# Top-level folders #
|
|
||||||
###############################################################################
|
|
||||||
|
|
||||||
module "environment-folders" {
|
|
||||||
source = "../../../modules/folder"
|
|
||||||
for_each = var.environments
|
|
||||||
parent = var.root_node
|
|
||||||
name = each.value
|
|
||||||
iam = {
|
|
||||||
for role in local.folder_roles :
|
|
||||||
(role) => [module.tf-service-accounts[each.value].iam_email]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
###############################################################################
|
|
||||||
# Audit log exports #
|
|
||||||
###############################################################################
|
|
||||||
|
|
||||||
# audit logs project
|
|
||||||
|
|
||||||
module "audit-project" {
|
|
||||||
source = "../../../modules/project"
|
|
||||||
name = "audit"
|
|
||||||
parent = var.root_node
|
|
||||||
prefix = var.prefix
|
|
||||||
billing_account = var.billing_account_id
|
|
||||||
iam = {
|
|
||||||
"roles/viewer" = var.iam_audit_viewers
|
|
||||||
}
|
|
||||||
services = concat(var.project_services, [
|
|
||||||
"bigquery.googleapis.com",
|
|
||||||
])
|
|
||||||
}
|
|
||||||
|
|
||||||
# audit logs dataset and sink
|
|
||||||
|
|
||||||
module "audit-dataset" {
|
|
||||||
source = "../../../modules/bigquery-dataset"
|
|
||||||
project_id = module.audit-project.project_id
|
|
||||||
id = "audit_export"
|
|
||||||
friendly_name = "Audit logs export."
|
|
||||||
# disable delete on destroy for actual use
|
|
||||||
options = {
|
|
||||||
default_table_expiration_ms = null
|
|
||||||
default_partition_expiration_ms = null
|
|
||||||
delete_contents_on_destroy = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# uncomment the next two modules to create the logging sinks
|
|
||||||
|
|
||||||
# module "root_org" {
|
|
||||||
# count = local.root_node_type == "organizations" ? 1 : 0
|
|
||||||
# source = "../../../modules/organization"
|
|
||||||
# organization_id = var.root_node
|
|
||||||
# logging_sinks = local.logging_sinks
|
|
||||||
# }
|
|
||||||
|
|
||||||
# module "root_folder" {
|
|
||||||
# count = local.root_node_type == "folders" ? 1 : 0
|
|
||||||
# source = "../../../modules/folder"
|
|
||||||
# id = var.root_node
|
|
||||||
# folder_create = false
|
|
||||||
# logging_sinks = local.logging_sinks
|
|
||||||
# }
|
|
||||||
|
|
||||||
|
|
||||||
###############################################################################
|
|
||||||
# Shared resources (GCR, GCS, KMS, etc.) #
|
|
||||||
###############################################################################
|
|
||||||
|
|
||||||
# shared resources project
|
|
||||||
# see the README file for additional options on managing shared services
|
|
||||||
|
|
||||||
module "sharedsvc-project" {
|
|
||||||
source = "../../../modules/project"
|
|
||||||
name = "sharedsvc"
|
|
||||||
parent = var.root_node
|
|
||||||
prefix = var.prefix
|
|
||||||
billing_account = var.billing_account_id
|
|
||||||
iam_additive = {
|
|
||||||
"roles/owner" = var.iam_shared_owners
|
|
||||||
}
|
|
||||||
services = var.project_services
|
|
||||||
}
|
|
||||||
|
|
||||||
# Add further modules here for resources that are common to all environments
|
|
||||||
# like GCS buckets (used to hold shared assets), Container Registry, KMS, etc.
|
|
|
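Review bot: if this layout is re-homed rather than dropped, two defaults here deserve fixing in the replacement: the audit log sinks are never created because the `root_org` and `root_folder` modules are commented out ("uncomment the next two modules to create the logging sinks"), so `audit-project` and `audit-dataset` get provisioned with nothing exporting into them; and the audit dataset is created with `delete_contents_on_destroy = true` (the comment "disable delete on destroy for actual use" leaves it to the user), which lets a `terraform destroy` wipe the audit trail. Gating the sink modules on a variable instead of comments, and defaulting `delete_contents_on_destroy` to `false`, would make the sample safe to copy as-is.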
@ -1,61 +0,0 @@
|
||||||
# Copyright 2022 Google LLC
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# https://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
output "audit_logs_bq_dataset" {
|
|
||||||
description = "Bigquery dataset for the audit logs export."
|
|
||||||
value = module.audit-dataset.id
|
|
||||||
}
|
|
||||||
|
|
||||||
output "audit_logs_project" {
|
|
||||||
description = "Project that holds the audit logs export resources."
|
|
||||||
value = module.audit-project.project_id
|
|
||||||
}
|
|
||||||
|
|
||||||
output "bootstrap_tf_gcs_bucket" {
|
|
||||||
description = "GCS bucket used for the bootstrap Terraform state."
|
|
||||||
value = module.tf-gcs-bootstrap.name
|
|
||||||
}
|
|
||||||
|
|
||||||
output "environment_folders" {
|
|
||||||
description = "Top-level environment folders."
|
|
||||||
value = { for folder in module.environment-folders : folder.name => folder.id }
|
|
||||||
}
|
|
||||||
|
|
||||||
output "environment_service_account_keys" {
|
|
||||||
description = "Service account keys used to run each environment Terraform modules."
|
|
||||||
sensitive = true
|
|
||||||
value = { for env, sa in module.tf-service-accounts : env => sa.key }
|
|
||||||
}
|
|
||||||
output "environment_service_accounts" {
|
|
||||||
description = "Service accounts used to run each environment Terraform modules."
|
|
||||||
value = { for env, sa in module.tf-service-accounts : env => sa.email }
|
|
||||||
}
|
|
||||||
|
|
||||||
output "environment_tf_gcs_buckets" {
|
|
||||||
description = "GCS buckets used for each environment Terraform state."
|
|
||||||
value = { for env, bucket in module.tf-gcs-environments : env => bucket.name }
|
|
||||||
}
|
|
||||||
|
|
||||||
output "shared_services_project" {
|
|
||||||
description = "Project that holdes resources shared across environments."
|
|
||||||
value = module.sharedsvc-project.project_id
|
|
||||||
}
|
|
||||||
|
|
||||||
output "terraform_project" {
|
|
||||||
description = "Project that holds the base Terraform resources."
|
|
||||||
value = module.tf-project.project_id
|
|
||||||
}
|
|
||||||
|
|
||||||
# Add further outputs here for the additional modules that manage shared
|
|
||||||
# resources, like GCR, GCS buckets, KMS, etc.
|
|
|
@ -1,122 +0,0 @@
|
||||||
# Copyright 2022 Google LLC
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# https://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
variable "audit_filter" {
|
|
||||||
description = "Audit log filter used for the log sink."
|
|
||||||
type = string
|
|
||||||
default = <<END
|
|
||||||
logName: "/logs/cloudaudit.googleapis.com%2Factivity"
|
|
||||||
OR
|
|
||||||
logName: "/logs/cloudaudit.googleapis.com%2Fsystem_event"
|
|
||||||
END
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "billing_account_id" {
|
|
||||||
description = "Billing account id used as to create projects."
|
|
||||||
type = string
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "environments" {
|
|
||||||
description = "Environment short names."
|
|
||||||
type = set(string)
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "gcs_location" {
|
|
||||||
description = "GCS bucket location."
|
|
||||||
type = string
|
|
||||||
default = "EU"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "iam_audit_viewers" {
|
|
||||||
description = "Audit project viewers, in IAM format."
|
|
||||||
type = list(string)
|
|
||||||
default = []
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "iam_billing_config" {
|
|
||||||
description = "Control granting billing user role to service accounts. Target the billing account by default."
|
|
||||||
type = object({
|
|
||||||
grant = bool
|
|
||||||
target_org = bool
|
|
||||||
})
|
|
||||||
default = {
|
|
||||||
grant = true
|
|
||||||
target_org = false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "iam_folder_roles" {
|
|
||||||
description = "List of roles granted to each service account on its respective folder (excluding XPN roles)."
|
|
||||||
type = list(string)
|
|
||||||
default = [
|
|
||||||
"roles/compute.networkAdmin",
|
|
||||||
"roles/owner",
|
|
||||||
"roles/resourcemanager.folderViewer",
|
|
||||||
"roles/resourcemanager.projectCreator",
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "iam_shared_owners" {
|
|
||||||
description = "Shared services project owners, in IAM format."
|
|
||||||
type = list(string)
|
|
||||||
default = []
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "iam_terraform_owners" {
|
|
||||||
description = "Terraform project owners, in IAM format."
|
|
||||||
type = list(string)
|
|
||||||
default = []
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "iam_xpn_config" {
|
|
||||||
description = "Control granting Shared VPC creation roles to service accounts. Target the root node by default."
|
|
||||||
type = object({
|
|
||||||
grant = bool
|
|
||||||
target_org = bool
|
|
||||||
})
|
|
||||||
default = {
|
|
||||||
grant = true
|
|
||||||
target_org = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "organization_id" {
|
|
||||||
description = "Organization id in organizations/nnnnnnnn format."
|
|
||||||
type = string
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "prefix" {
|
|
||||||
description = "Prefix used for resources that need unique names."
|
|
||||||
type = string
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "project_services" {
|
|
||||||
description = "Service APIs enabled by default in new projects."
|
|
||||||
type = list(string)
|
|
||||||
default = [
|
|
||||||
"container.googleapis.com",
|
|
||||||
"stackdriver.googleapis.com",
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "root_node" {
|
|
||||||
description = "Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'."
|
|
||||||
type = string
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "service_account_keys" {
|
|
||||||
description = "Generate and store service account keys in the state file."
|
|
||||||
type = bool
|
|
||||||
default = true
|
|
||||||
}
|
|
|
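Review bot: `service_account_keys` defaults to `true` ("Generate and store service account keys in the state file"), so a plain `terraform apply` of this sample writes long-lived service account private keys into state; marking the corresponding output `sensitive` only redacts CLI output, the key material still sits in the state bucket. If this variables file is being moved into a replacement blueprint rather than deleted, default it to `false` so users opt in explicitly, and note in the README that the state bucket then holds credentials.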
@ -1,29 +0,0 @@
|
||||||
# Copyright 2022 Google LLC
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# https://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
terraform {
|
|
||||||
required_version = ">= 1.1.0"
|
|
||||||
required_providers {
|
|
||||||
google = {
|
|
||||||
source = "hashicorp/google"
|
|
||||||
version = ">= 4.32.0" # tftest
|
|
||||||
}
|
|
||||||
google-beta = {
|
|
||||||
source = "hashicorp/google-beta"
|
|
||||||
version = ">= 4.32.0" # tftest
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
|
@ -1,12 +0,0 @@
|
||||||
# GKE and Serverless blueprints
|
|
||||||
|
|
||||||
The blueprints in this folder show implement **end-to-end scenarios** for GKE or Serveless topologies that show how to automate common configurations or leverage specific products.
|
|
||||||
|
|
||||||
They are meant to be used as minimal but complete starting points to create actual infrastructure, and as playgrounds to experiment with Google Cloud features.
|
|
||||||
|
|
||||||
## Blueprints
|
|
||||||
|
|
||||||
### Multitenant GKE fleet
|
|
||||||
|
|
||||||
<a href="./multitenant-fleet/" title="GKE multitenant fleet"><img src="./multitenant-fleet/diagram.png" align="left" width="280px"></a> This [blueprint](./multitenant-fleet/) allows simple centralized management of similar sets of GKE clusters and their nodepools in a single project, and optional fleet management via GKE Hub templated configurations.
|
|
||||||
<br clear="left">
|
|
|
@ -0,0 +1,29 @@
|
||||||
|
# GKE blueprints
|
||||||
|
|
||||||
|
The blueprints in this folder show implement **end-to-end scenarios** for GKE topologies that show how to automate common configurations or leverage specific products.
|
||||||
|
|
||||||
|
They are meant to be used as minimal but complete starting points to create actual infrastructure, and as playgrounds to experiment with Google Cloud features.
|
||||||
|
|
||||||
|
## Blueprints
|
||||||
|
|
||||||
|
### Multitenant GKE fleet
|
||||||
|
|
||||||
|
<a href="./multitenant-fleet/" title="GKE multitenant fleet"><img src="./multitenant-fleet/diagram.png" align="left" width="280px"></a> This [blueprint](./multitenant-fleet/) allows simple centralized management of similar sets of GKE clusters and their nodepools in a single project, and optional fleet management via GKE Hub templated configurations.
|
||||||
|
<br clear="left">
|
||||||
|
|
||||||
|
### Shared VPC with GKE and per-subnet support
|
||||||
|
|
||||||
|
<a href="../networking/shared-vpc-gke/" title="Shared VPC with GKE"><img src="../networking/shared-vpc-gke/diagram.png" align="left" width="280px"></a> This [blueprint](../networking/shared-vpc-gke/) shows how to configure a Shared VPC, including the specific IAM configurations needed for GKE, and to give different level of access to the VPC subnets to different identities.
|
||||||
|
|
||||||
|
It is meant to be used as a starting point for most Shared VPC configurations, and to be integrated to the above blueprints where Shared VPC is needed in more complex network topologies.
|
||||||
|
<br clear="left">
|
||||||
|
|
||||||
|
### Binary Authorization Pipeline
|
||||||
|
|
||||||
|
<a href="../gke/binauthz/" title="Binary Authorization Pipeline"><img src="../gke/binauthz/diagram.png" align="left" width="280px"></a> This [blueprint](../gke/binauthz/) shows how to create a CI and a CD pipeline in Cloud Build for the deployment of an application to a private GKE cluster with unrestricted access to a public endpoint. The blueprint enables a Binary Authorization policy in the project so only images that have been attested can be deployed to the cluster. The attestations are created using a cryptographic key pair that has been provisioned in KMS.
|
||||||
|
<br clear="left">
|
||||||
|
|
||||||
|
### Multi-cluster mesh on GKE (fleet API)
|
||||||
|
|
||||||
|
<a href="../gke/multi-cluster-mesh-gke-fleet-api/" title="Binary Authorization Pipeline"><img src="../gke/multi-cluster-mesh-gke-fleet-api/diagram.png" align="left" width="280px"></a> This [blueprint](../gke/multi-cluster-mesh-gke-fleet-api/) shows how to create a multi-cluster mesh for two private clusters on GKE. Anthos Service Mesh with automatic control plane management is set up for clusters using the Fleet API. This can only be done if the clusters are in a single project and in the same VPC. In this particular case both clusters having being deployed to different subnets in a shared VPC.
|
||||||
|
<br clear="left">
|
|
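Review bot: the link for the multi-cluster mesh entry reuses the previous entry's tooltip, `title="Binary Authorization Pipeline"`; it should read `title="Multi-cluster mesh on GKE"`. Two smaller points in the same file: the intro line reads "show implement **end-to-end scenarios**" (drop "show"), and the mesh paragraph says "both clusters having being deployed" ("have been deployed"). Since this README now lives in `blueprints/gke/`, the `../gke/binauthz/` and `../gke/multi-cluster-mesh-gke-fleet-api/` links could also be shortened to `./binauthz/` and `./multi-cluster-mesh-gke-fleet-api/`.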
@ -1,4 +1,4 @@
|
||||||
# Binary Authorization
|
# Binary Authorization Pipeline Blueprint
|
||||||
|
|
||||||
The following blueprint shows to how to create a CI and a CD pipeline in Cloud Build for the deployment of an application to a private GKE cluster with unrestricted access to a public endpoint. The blueprint enables a Binary Authorization policy in the project so only images that have been attested can be deployed to the cluster. The attestations are created using a cryptographic key pair that has been provisioned in KMS.
|
The following blueprint shows to how to create a CI and a CD pipeline in Cloud Build for the deployment of an application to a private GKE cluster with unrestricted access to a public endpoint. The blueprint enables a Binary Authorization policy in the project so only images that have been attested can be deployed to the cluster. The attestations are created using a cryptographic key pair that has been provisioned in KMS.
|
||||||
|
|
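Review bot: while retitling, the unchanged first sentence still reads "shows to how to create a CI and a CD pipeline"; dropping the stray "to" in the same commit would fix it without a follow-up.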
|
@ -4,7 +4,7 @@ The following blueprint shows how to create a multi-cluster mesh for two private
|
||||||
|
|
||||||
The diagram below depicts the architecture of the blueprint.
|
The diagram below depicts the architecture of the blueprint.
|
||||||
|
|
||||||
![Architecture](architecture.png)
|
![Architecture diagram](diagram.png)
|
||||||
|
|
||||||
Terraform is used to provision the required infrastructure, create the IAM binding and register the clusters to the fleet.
|
Terraform is used to provision the required infrastructure, create the IAM binding and register the clusters to the fleet.
|
||||||
|
|
|
@ -45,7 +45,7 @@ The following example shows how to deploy a single cluster and a single node poo
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
module "gke" {
|
module "gke" {
|
||||||
source = "./fabric/blueprints/gke-serverless/multitenant-fleet/"
|
source = "./fabric/blueprints/gke/multitenant-fleet/"
|
||||||
project_id = var.project_id
|
project_id = var.project_id
|
||||||
billing_account_id = var.billing_account_id
|
billing_account_id = var.billing_account_id
|
||||||
folder_id = var.folder_id
|
folder_id = var.folder_id
|
||||||
|
@ -106,10 +106,9 @@ The first cluster `cluster-euw1` defines the mandatory configuration parameters
|
||||||
|
|
||||||
On the other hand, the second cluster (`cluster-euw3`) defines its own configuration by providing a value to the `overrides` key.
|
On the other hand, the second cluster (`cluster-euw3`) defines its own configuration by providing a value to the `overrides` key.
|
||||||
|
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
module "gke" {
|
module "gke" {
|
||||||
source = "./fabric/blueprints/gke-serverless/multitenant-fleet/"
|
source = "./fabric/blueprints/gke/multitenant-fleet/"
|
||||||
project_id = var.project_id
|
project_id = var.project_id
|
||||||
billing_account_id = var.billing_account_id
|
billing_account_id = var.billing_account_id
|
||||||
folder_id = var.folder_id
|
folder_id = var.folder_id
|
||||||
|
@ -200,7 +199,7 @@ This example deploys two clusters and configures several GKE Fleet features:
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
module "gke" {
|
module "gke" {
|
||||||
source = "./fabric/blueprints/gke-serverless/multitenant-fleet/"
|
source = "./fabric/blueprints/gke/multitenant-fleet/"
|
||||||
project_id = var.project_id
|
project_id = var.project_id
|
||||||
billing_account_id = var.billing_account_id
|
billing_account_id = var.billing_account_id
|
||||||
folder_id = var.folder_id
|
folder_id = var.folder_id
|
Before Width: | Height: | Size: 43 KiB After Width: | Height: | Size: 43 KiB |
|
@ -0,0 +1 @@
|
||||||
|
../networking/shared-vpc-gke
|
|
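Review bot: this one-line file containing `../networking/shared-vpc-gke` is a symlink standing in for a moved directory; please say so in the GKE README (or replace it with a short README that points at the target), because a checkout with `core.symlinks` disabled, the default on Windows, materialises it as a plain text file holding just that path, so `terraform init` against `blueprints/gke/shared-vpc-gke` would fail there.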
@ -0,0 +1,12 @@
|
||||||
|
# Serverless blueprints
|
||||||
|
|
||||||
|
The blueprints in this folder show implement **end-to-end scenarios** for Serveless topologies that show how to automate common configurations or leverage specific products.
|
||||||
|
|
||||||
|
They are meant to be used as minimal but complete starting points to create actual infrastructure, and as playgrounds to experiment with Google Cloud features.
|
||||||
|
|
||||||
|
## Blueprints
|
||||||
|
|
||||||
|
### Multi-region deployments for API Gateway
|
||||||
|
|
||||||
|
<a href="./api-gateway/" title="Multi-region deployments for API Gateway"><img src="./api-gateway/diagram.png" align="left" width="280px"></a> This [blueprint](./api-gateway/) shows how to configure a load balancer to enable multi-region deployments for API Gateway. For more details on how this set up work have a look at the article [here](https://cloud.google.com/api-gateway/docs/multi-region-deployment)
|
||||||
|
<br clear="left">
|
|
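Review bot: several typos in the newly added README text. `show implement` should be just `implement`, `Serveless` should be `Serverless`, and `For more details on how this set up work have a look at the article [here](...)` should read `For more details on how this setup works, have a look at the article [here](...)` with a closing full stop. Consider giving the link descriptive text instead of `here`, as the other blueprint READMEs in this change do with `This [blueprint](./api-gateway/)`.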
@ -4,7 +4,7 @@ This tutorial shows you how to configure an HTTP(S) load balancer to enable mult
|
||||||
|
|
||||||
The diagram below depicts the architecture that this blueprint sets up.
|
The diagram below depicts the architecture that this blueprint sets up.
|
||||||
|
|
||||||
![Architecture](architecture.png)
|
![Architecture diagram](diagram.png)
|
||||||
|
|
||||||
# Running the blueprint
|
# Running the blueprint
|
||||||
|
|
||||||
|
|
Before Width: | Height: | Size: 52 KiB After Width: | Height: | Size: 52 KiB |
|
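Review bot: the hunk header context still calls this a `tutorial` (`This tutorial shows you how to configure an HTTP(S) load balancer`) while the lines touched here and the rest of the repository say `blueprint`; since the file is being edited anyway, align the first sentence with the `blueprint` wording used in `The diagram below depicts the architecture that this blueprint sets up.`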
@ -6,4 +6,4 @@ The Terraform code follows the same general approach used for the [project facto
|
||||||
|
|
||||||
The [`dev` folder](./dev/) contains an example setup for a generic development environment, and can be used as-is or cloned to implement other environments, or more specialized setups
|
The [`dev` folder](./dev/) contains an example setup for a generic development environment, and can be used as-is or cloned to implement other environments, or more specialized setups
|
||||||
|
|
||||||
Refer to [the `dev` documentation](./dev/README.md) configuration details, and to [the `gke-serverless` documentation](../../../blueprints/gke-serverless/multitenant-fleet) for the architectural design and decisions taken.
|
Refer to [the `dev` documentation](./dev/README.md) configuration details, and to [the `gke-serverless` documentation](../../../blueprints/gke/multitenant-fleet) for the architectural design and decisions taken.
|
||||||
|
|
|
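Review bot: the link target was updated to `../../../blueprints/gke/multitenant-fleet` but its visible text still says `the gke-serverless documentation`, so readers are sent to a directory whose name no longer matches; rename the link text to `the gke documentation` or `the multitenant-fleet documentation`. The same sentence is also missing a word: `Refer to [the dev documentation](./dev/README.md) configuration details` should read `Refer to [the dev documentation](./dev/README.md) for configuration details`.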
@ -10,7 +10,7 @@ The following diagram illustrates the high-level design of created resources, wh
|
||||||
|
|
||||||
## Design overview and choices
|
## Design overview and choices
|
||||||
|
|
||||||
> The detailed architecture of the underlying resources is explained in the documentation of [GKE multitenant module](../../../../blueprints/gke-serverless/multitenant-fleet/README.md).
|
> The detailed architecture of the underlying resources is explained in the documentation of [GKE multitenant module](../../../../blueprints/gke/multitenant-fleet/README.md).
|
||||||
|
|
||||||
This stage creates a project containing and as many clusters and node pools as requested by the user through the [variables](#variables) explained below. The GKE clusters are created with the with the following setup:
|
This stage creates a project containing and as many clusters and node pools as requested by the user through the [variables](#variables) explained below. The GKE clusters are created with the with the following setup:
|
||||||
|
|
||||||
|
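Review bot: the unchanged sentence after the updated blockquote is garbled twice: `This stage creates a project containing and as many clusters and node pools as requested` should drop `and` (`a project containing as many clusters and node pools as requested`), and `created with the with the following setup` repeats `with the`. Worth fixing in this hunk since the surrounding lines are already being touched.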
@ -37,7 +37,6 @@ This stage creates a project containing and as many clusters and node pools as r
|
||||||
- [Use of the GCE persistent disk CSI driver](https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/gce-pd-csi-driver)
|
- [Use of the GCE persistent disk CSI driver](https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/gce-pd-csi-driver)
|
||||||
- Node [auto-upgrade](https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-upgrades) and [auto-repair](https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-repair) for all node pools
|
- Node [auto-upgrade](https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-upgrades) and [auto-repair](https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-repair) for all node pools
|
||||||
|
|
||||||
|
|
||||||
## How to run this stage
|
## How to run this stage
|
||||||
|
|
||||||
This stage is meant to be executed after "foundational stages" (i.e., stages [`00-bootstrap`](../../00-bootstrap), [`01-resman`](../../01-resman), 02-networking (either [VPN](../../02-networking-vpn) or [NVA](../../02-networking-nva)) and [`02-security`](../../02-security)) have been run.
|
This stage is meant to be executed after "foundational stages" (i.e., stages [`00-bootstrap`](../../00-bootstrap), [`01-resman`](../../01-resman), 02-networking (either [VPN](../../02-networking-vpn) or [NVA](../../02-networking-nva)) and [`02-security`](../../02-security)) have been run.
|
||||||
|
|
|
@ -17,7 +17,7 @@
|
||||||
# tfdoc:file:description GKE multitenant for development environment.
|
# tfdoc:file:description GKE multitenant for development environment.
|
||||||
|
|
||||||
module "gke-multitenant" {
|
module "gke-multitenant" {
|
||||||
source = "../../../../blueprints/gke-serverless/multitenant-fleet"
|
source = "../../../../blueprints/gke/multitenant-fleet"
|
||||||
billing_account_id = var.billing_account.id
|
billing_account_id = var.billing_account.id
|
||||||
folder_id = var.folder_ids.gke-dev
|
folder_id = var.folder_ids.gke-dev
|
||||||
project_id = "gke-clusters-0"
|
project_id = "gke-clusters-0"
|
||||||
|
|
|
@ -1,23 +0,0 @@
|
||||||
/**
|
|
||||||
* Copyright 2022 Google LLC
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
module "test" {
|
|
||||||
source = "../../../../../blueprints/foundations/business-units"
|
|
||||||
billing_account_id = var.billing_account_id
|
|
||||||
organization_id = var.organization_id
|
|
||||||
prefix = var.prefix
|
|
||||||
root_node = var.root_node
|
|
||||||
}
|
|
|
@ -1,35 +0,0 @@
|
||||||
# Copyright 2022 Google LLC
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# https://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
variable "billing_account_id" {
|
|
||||||
type = string
|
|
||||||
default = "1234-5678-9012"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "organization_id" {
|
|
||||||
type = string
|
|
||||||
default = "organizations/1234567890"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "prefix" {
|
|
||||||
description = "Prefix used for resources that need unique names."
|
|
||||||
type = string
|
|
||||||
default = "test"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "root_node" {
|
|
||||||
description = "Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'."
|
|
||||||
type = string
|
|
||||||
default = "folders/1234567890"
|
|
||||||
}
|
|
|
@ -1,28 +0,0 @@
|
||||||
/**
|
|
||||||
* Copyright 2022 Google LLC
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
module "test" {
|
|
||||||
source = "../../../../../blueprints/foundations/environments"
|
|
||||||
billing_account_id = var.billing_account_id
|
|
||||||
environments = var.environments
|
|
||||||
iam_audit_viewers = var.iam_audit_viewers
|
|
||||||
iam_shared_owners = var.iam_shared_owners
|
|
||||||
iam_terraform_owners = var.iam_terraform_owners
|
|
||||||
iam_xpn_config = var.iam_xpn_config
|
|
||||||
organization_id = var.organization_id
|
|
||||||
prefix = var.prefix
|
|
||||||
root_node = var.root_node
|
|
||||||
}
|
|
|
@ -1,66 +0,0 @@
|
||||||
# Copyright 2022 Google LLC
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# https://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
variable "billing_account_id" {
|
|
||||||
type = string
|
|
||||||
default = "1234-5678-9012"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "environments" {
|
|
||||||
type = list(string)
|
|
||||||
default = ["test", "prod"]
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "iam_audit_viewers" {
|
|
||||||
type = list(string)
|
|
||||||
default = ["user:audit-1@example.org", "user:audit2@example.org"]
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "iam_shared_owners" {
|
|
||||||
type = list(string)
|
|
||||||
default = ["user:shared-1@example.org", "user:shared-2@example.org"]
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "iam_terraform_owners" {
|
|
||||||
type = list(string)
|
|
||||||
default = ["user:tf-1@example.org", "user:tf-2@example.org"]
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "iam_xpn_config" {
|
|
||||||
type = object({
|
|
||||||
grant = bool
|
|
||||||
target_org = bool
|
|
||||||
})
|
|
||||||
default = {
|
|
||||||
grant = true
|
|
||||||
target_org = false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "organization_id" {
|
|
||||||
type = string
|
|
||||||
default = ""
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "prefix" {
|
|
||||||
description = "Prefix used for resources that need unique names."
|
|
||||||
type = string
|
|
||||||
default = "test"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "root_node" {
|
|
||||||
description = "Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'."
|
|
||||||
type = string
|
|
||||||
default = "folders/1234567890"
|
|
||||||
}
|
|
|
@ -1,51 +0,0 @@
|
||||||
# Copyright 2022 Google LLC
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
|
|
||||||
def test_folder_roles(e2e_plan_runner):
|
|
||||||
"Test folder roles."
|
|
||||||
modules, _ = e2e_plan_runner(refresh=False)
|
|
||||||
for env in ['test', 'prod']:
|
|
||||||
resources = modules[f'module.test.module.environment-folders["{env}"]']
|
|
||||||
folders = [r for r in resources if r['type'] == 'google_folder']
|
|
||||||
assert len(folders) == 1
|
|
||||||
folder = folders[0]
|
|
||||||
assert folder['values']['display_name'] == env
|
|
||||||
|
|
||||||
bindings = [r['index']
|
|
||||||
for r in resources if r['type'] == 'google_folder_iam_binding']
|
|
||||||
assert len(bindings) == 5
|
|
||||||
|
|
||||||
|
|
||||||
def test_org_roles(e2e_plan_runner):
|
|
||||||
"Test folder roles."
|
|
||||||
tf_vars = {
|
|
||||||
'organization_id': 'organizations/123',
|
|
||||||
'iam_xpn_config': '{grant = true, target_org = true}'
|
|
||||||
}
|
|
||||||
modules, _ = e2e_plan_runner(refresh=False, **tf_vars)
|
|
||||||
for env in ['test', 'prod']:
|
|
||||||
resources = modules[f'module.test.module.environment-folders["{env}"]']
|
|
||||||
folder_bindings = [r['index']
|
|
||||||
for r in resources if r['type'] == 'google_folder_iam_binding']
|
|
||||||
assert len(folder_bindings) == 4
|
|
||||||
|
|
||||||
resources = modules[f'module.test.module.tf-service-accounts["{env}"]']
|
|
||||||
org_bindings = [r for r in resources
|
|
||||||
if r['type'] == 'google_organization_iam_member']
|
|
||||||
assert len(org_bindings) == 2
|
|
||||||
assert {b['values']['role'] for b in org_bindings} == {
|
|
||||||
'roles/resourcemanager.organizationViewer',
|
|
||||||
'roles/compute.xpnAdmin'
|
|
||||||
}
|
|
|
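Review bot: removing the fixtures and tests for `../../../../../blueprints/foundations/business-units` and `../../../../../blueprints/foundations/environments` is only safe if those two blueprints are deleted or relocated in this same change; if either module still exists anywhere in the tree it is now untested, so either repoint the fixtures' `source` at the new location or state in the description that the modules are gone.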
@ -15,7 +15,7 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
module "test" {
|
module "test" {
|
||||||
source = "../../../../../blueprints/cloud-operations/binauthz"
|
source = "../../../../../blueprints/gke/binauthz"
|
||||||
project_create = var.project_create
|
project_create = var.project_create
|
||||||
project_id = var.project_id
|
project_id = var.project_id
|
||||||
}
|
}
|
|
@ -15,7 +15,7 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
module "test" {
|
module "test" {
|
||||||
source = "../../../../../blueprints/cloud-operations/multi-cluster-mesh-gke-fleet-api"
|
source = "../../../../../blueprints/gke/multi-cluster-mesh-gke-fleet-api"
|
||||||
billing_account_id = var.billing_account_id
|
billing_account_id = var.billing_account_id
|
||||||
parent = var.parent
|
parent = var.parent
|
||||||
host_project_id = var.host_project_id
|
host_project_id = var.host_project_id
|
|
@ -0,0 +1,54 @@
|
||||||
|
/**
|
||||||
|
* Copyright 2022 Google LLC
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
module "test" {
|
||||||
|
source = "../../../../../blueprints/gke/multitenant-fleet"
|
||||||
|
project_id = "test-prj"
|
||||||
|
billing_account_id = "ABCDEF-0123456-ABCDEF"
|
||||||
|
folder_id = "folders/1234567890"
|
||||||
|
prefix = "test"
|
||||||
|
vpc_config = {
|
||||||
|
host_project_id = "my-host-project-id"
|
||||||
|
vpc_self_link = "projects/my-host-project-id/global/networks/my-network"
|
||||||
|
}
|
||||||
|
clusters = {
|
||||||
|
mycluster = {
|
||||||
|
cluster_autoscaling = null
|
||||||
|
description = "My cluster"
|
||||||
|
dns_domain = null
|
||||||
|
location = "europe-west1"
|
||||||
|
labels = {}
|
||||||
|
net = {
|
||||||
|
master_range = "172.17.16.0/28"
|
||||||
|
pods = "pods"
|
||||||
|
services = "services"
|
||||||
|
subnet = "projects/my-host-project-id/regions/europe-west1/subnetworks/mycluster-subnet"
|
||||||
|
}
|
||||||
|
overrides = null
|
||||||
|
}
|
||||||
|
}
|
||||||
|
nodepools = {
|
||||||
|
mycluster = {
|
||||||
|
mynodepool = {
|
||||||
|
initial_node_count = 1
|
||||||
|
node_count = 1
|
||||||
|
node_type = "n2-standard-4"
|
||||||
|
overrides = null
|
||||||
|
spot = false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -12,8 +12,9 @@
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
|
|
||||||
def test_resources(e2e_plan_runner):
|
def test_resources(e2e_plan_runner):
|
||||||
"Test that plan works and the numbers of resources is as expected."
|
"Test that plan works and the numbers of resources is as expected."
|
||||||
modules, resources = e2e_plan_runner()
|
modules, resources = e2e_plan_runner()
|
||||||
assert len(modules) == 8
|
assert len(modules) == 4
|
||||||
assert len(resources) == 83
|
assert len(resources) == 24
|
|
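Review bot: the expected totals drop from `8` modules and `83` resources to `4` and `24` with nothing in the hunk explaining the change; add a one-line comment naming the fixture this test now plans against and, ideally, listing the four modules that make up the count, so the next person who sees these numbers move can tell a deliberate refactor from a regression.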
@ -11,7 +11,6 @@
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
"Shared fixtures"
|
"Shared fixtures"
|
||||||
|
|
||||||
import inspect
|
import inspect
|
||||||
|
@ -21,28 +20,39 @@ import types
|
||||||
import pytest
|
import pytest
|
||||||
import tftest
|
import tftest
|
||||||
|
|
||||||
|
|
||||||
BASEDIR = os.path.dirname(os.path.dirname(__file__))
|
BASEDIR = os.path.dirname(os.path.dirname(__file__))
|
||||||
|
|
||||||
|
|
||||||
@pytest.fixture(scope='session')
|
@pytest.fixture(scope='session')
|
||||||
def fast_e2e_plan_runner(_plan_runner):
|
def fast_e2e_plan_runner(_plan_runner):
|
||||||
"Plan runner for end-to-end root module, returns modules and resources."
|
"Plan runner for end-to-end root module, returns modules and resources."
|
||||||
|
|
||||||
def run_plan(fixture_path=None, targets=None, refresh=True,
|
def run_plan(fixture_path=None, targets=None, refresh=True,
|
||||||
include_bare_resources=False, compute_sums=True, **tf_vars):
|
include_bare_resources=False, compute_sums=True, **tf_vars):
|
||||||
"Runs Terraform plan on a root module using defaults, returns data."
|
"Runs Terraform plan on a root module using defaults, returns data."
|
||||||
plan = _plan_runner(fixture_path, targets=targets, refresh=refresh,
|
plan = _plan_runner(fixture_path, targets=targets, refresh=refresh,
|
||||||
**tf_vars)
|
**tf_vars)
|
||||||
root_module = plan.root_module['child_modules'][0]
|
root_module = plan.root_module['child_modules'][0]
|
||||||
modules = {
|
|
||||||
m['address'].removeprefix(root_module['address'])[1:]: m['resources']
|
# Count all modules and resources up to 2 levels deep. We include
|
||||||
for m in root_module['child_modules']
|
# the second level to account for wrapper modules used by stages 3
|
||||||
}
|
modules = {}
|
||||||
|
for m in root_module['child_modules']:
|
||||||
|
key = m['address'].removeprefix(root_module['address'])[1:]
|
||||||
|
modules[key] = m.get('resources', [])
|
||||||
|
if m.get('child_modules'):
|
||||||
|
for m2 in m['child_modules']:
|
||||||
|
key2 = m2['address'].removeprefix(root_module['address'])[1:]
|
||||||
|
modules[key2] = m2.get('resources', [])
|
||||||
|
|
||||||
resources = [r for m in modules.values() for r in m]
|
resources = [r for m in modules.values() for r in m]
|
||||||
if include_bare_resources:
|
if include_bare_resources:
|
||||||
bare_resources = root_module['resources']
|
bare_resources = root_module['resources']
|
||||||
resources.extend(bare_resources)
|
resources.extend(bare_resources)
|
||||||
if compute_sums:
|
if compute_sums:
|
||||||
return len(modules), len(resources), {k: len(v) for k, v in modules.items()}
|
return len(modules), len(resources), {
|
||||||
|
k: len(v) for k, v in modules.items()
|
||||||
|
}
|
||||||
return modules, resources
|
return modules, resources
|
||||||
|
|
||||||
return run_plan
|
return run_plan
|
||||||
|
|
|
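Review bot: the new comment is cut off mid-sentence (`the second level to account for wrapper modules used by stages 3` ends there); finish it, naming the stage whose wrapper module motivated the second level. The two-level walk also duplicates the key computation for `m` and `m2`; a small recursive helper taking a `max_depth` argument would state the intent once and make the depth easy to change. Note as well that `str.removeprefix` (already used on the removed line) requires Python 3.9 or newer, which should be reflected in the test requirements if it is not already.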
@ -0,0 +1,65 @@
|
||||||
|
/**
|
||||||
|
* Copyright 2022 Google LLC
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
# tfdoc: Data platform stage test
|
||||||
|
|
||||||
|
module "stage" {
|
||||||
|
source = "../../../../../fast/stages/03-gke-multitenant/dev/"
|
||||||
|
automation = {
|
||||||
|
outputs_bucket = "test"
|
||||||
|
}
|
||||||
|
billing_account = {
|
||||||
|
id = "012345-67890A-BCDEF0",
|
||||||
|
organization_id = 123456
|
||||||
|
}
|
||||||
|
clusters = {
|
||||||
|
mycluster = {
|
||||||
|
cluster_autoscaling = null
|
||||||
|
description = "My cluster"
|
||||||
|
dns_domain = null
|
||||||
|
location = "europe-west1"
|
||||||
|
labels = {}
|
||||||
|
net = {
|
||||||
|
master_range = "172.17.16.0/28"
|
||||||
|
pods = "pods"
|
||||||
|
services = "services"
|
||||||
|
subnet = "projects/my-host-project-id/regions/europe-west1/subnetworks/mycluster-subnet"
|
||||||
|
}
|
||||||
|
overrides = null
|
||||||
|
}
|
||||||
|
}
|
||||||
|
nodepools = {
|
||||||
|
mycluster = {
|
||||||
|
mynodepool = {
|
||||||
|
initial_node_count = 1
|
||||||
|
node_count = 1
|
||||||
|
node_type = "n2-standard-4"
|
||||||
|
overrides = null
|
||||||
|
spot = false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
folder_ids = {
|
||||||
|
gke-dev = "folders/12345678"
|
||||||
|
}
|
||||||
|
host_project_ids = {
|
||||||
|
dev-spoke-0 = "fast-dev-net-spoke-0"
|
||||||
|
}
|
||||||
|
prefix = "fast"
|
||||||
|
vpc_self_links = {
|
||||||
|
dev-spoke-0 = "projects/fast-dev-net-spoke-0/global/networks/dev-spoke-0"
|
||||||
|
}
|
||||||
|
}
|
|
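Review bot: the header comment `# tfdoc: Data platform stage test` looks copied from another fixture; this module's `source` is `../../../../../fast/stages/03-gke-multitenant/dev/`, so the comment should say "GKE multitenant stage test". A smaller style point: the trailing comma in `id = "012345-67890A-BCDEF0",` mixes comma and newline separators inside the `billing_account` object while the rest of the fixture is newline-separated; drop the comma for consistency.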
@ -11,3 +11,10 @@
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
|
|
||||||
|
def test_counts(fast_e2e_plan_runner):
|
||||||
|
"Test stage."
|
||||||
|
num_modules, num_resources, _ = fast_e2e_plan_runner()
|
||||||
|
# TODO: to re-enable per-module resource count check print _, then test
|
||||||
|
assert num_modules > 0 and num_resources > 0
|
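Review bot: `assert num_modules > 0 and num_resources > 0` passes for almost any plan, including one where the clusters or node pools silently drop out, so it does not really test the stage; pin the expected module and resource counts the way the other stage tests in this change do, or assert on the per-module dictionary that `fast_e2e_plan_runner()` returns as its third value instead of discarding it as `_`. The `TODO` about printing `_` belongs in an issue reference rather than in the test body.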