Merge branch 'master' into fast-dev-dp
b98a093722
|
@ -55,6 +55,7 @@ For same-organization billing, we configure a custom organization role that can
|
|||
For details on configuring the different billing account modes, refer to the [How to run this stage](#how-to-run-this-stage) section below.
|
||||
|
||||
### Organization-level logging
|
||||
|
||||
We create organization-level log sinks early in the bootstrap process to ensure a proper audit trail is in place from the very beginning. By default, we provide log filters to capture [Cloud Audit Logs](https://cloud.google.com/logging/docs/audit) and [VPC Service Controls violations](https://cloud.google.com/vpc-service-controls/docs/troubleshooting#vpc-sc-errors) into a Bigquery dataset in the top-level audit project.
|
||||
|
||||
The [Customizations](#log-sinks-and-log-destinations) section explains how to change the logs captured and their destination.
|
||||
|
@ -100,12 +101,20 @@ The roles that the Organization Admin used in the first `apply` needs to self-gr
|
|||
To quickly self-grant the above roles, run the following code snippet as the initial Organization Admin:
|
||||
|
||||
```bash
|
||||
export BOOTSTRAP_ORG_ID=123456
|
||||
export BOOTSTRAP_USER=$(gcloud config list --format 'value(core.account)')
|
||||
export BOOTSTRAP_ROLES="roles/billing.admin roles/logging.admin roles/iam.organizationRoleAdmin roles/resourcemanager.projectCreator"
|
||||
for role in $BOOTSTRAP_ROLES; do
|
||||
gcloud organizations add-iam-policy-binding $BOOTSTRAP_ORG_ID \
|
||||
--member user:$BOOTSTRAP_USER --role $role
|
||||
# set variable for current logged in user
|
||||
export FAST_BU=$(gcloud config list --format 'value(core.account)')
|
||||
|
||||
# find and set your org id
|
||||
gcloud organizations list --filter display_name:$partofyourdomain
|
||||
export FAST_ORG_ID=123456
|
||||
|
||||
# set needed roles
|
||||
export FAST_ROLES="roles/billing.admin roles/logging.admin \
|
||||
roles/iam.organizationRoleAdmin roles/resourcemanager.projectCreator"
|
||||
|
||||
for role in $FAST_ROLES; do
|
||||
gcloud organizations add-iam-policy-binding $FAST_ORG_ID \
|
||||
--member user:$FAST_BU --role $role
|
||||
done
|
||||
```
|
||||
|
||||
|
@ -120,11 +129,11 @@ If that's not the case, an equivalent role needs to exist, or the predefined `re
|
|||
The identity applying this stage for the first time also needs two roles in billing organization, they can be removed after the first `apply` completes successfully:
|
||||
|
||||
```bash
|
||||
export BILLING_ORG_ID=789012
|
||||
export BILLING_ROLES=(roles/billing.admin roles/resourcemanager.organizationAdmin)
|
||||
for role in $BILLING_ROLES; do
|
||||
gcloud organizations add-iam-policy-binding $BILLING_ORG_ID \
|
||||
--member user:$BOOTSTRAP_USER --role $role
|
||||
export FAST_BILLING_ORG_ID=789012
|
||||
export FAST_ROLES=(roles/billing.admin roles/resourcemanager.organizationAdmin)
|
||||
for role in $FAST_ROLES; do
|
||||
gcloud organizations add-iam-policy-binding $FAST_BILLING_ORG_ID \
|
||||
--member user:$FAST_BU --role $role
|
||||
done
|
||||
```
|
||||
|
||||
|
@ -133,9 +142,9 @@ done
|
|||
If you are using a standalone billing account, the identity applying this stage for the first time needs to be a billing account administrator:
|
||||
|
||||
```bash
|
||||
export BILLING_ACCOUNT_ID=ABCD-01234-ABCD
|
||||
gcloud beta billing accounts add-iam-policy-binding $BILLING_ACCOUNT \
|
||||
--member user:$BOOTSTRAP_USER --role roles/billing.admin
|
||||
export FAST_BILLING_ACCOUNT_ID=ABCD-01234-ABCD
|
||||
gcloud beta billing accounts add-iam-policy-binding $FAST_BILLING_ACCOUNT_ID \
|
||||
--member user:$FAST_BU --role roles/billing.admin
|
||||
```
|
||||
|
||||
#### Groups
|
||||
|
@ -287,10 +296,10 @@ The one exception to this convention is for roles which are part of the delegate
|
|||
|
||||
You can customize organization-level logs through the `log_sinks` variable in two ways:
|
||||
|
||||
* creating additional log sinks to capture more logs
|
||||
* changing the destination of captured logs
|
||||
- creating additional log sinks to capture more logs
|
||||
- changing the destination of captured logs
|
||||
|
||||
By default, all logs are exported to Bigquery, but FAST can create sinks to Cloud Logging Buckets, GCS, or PubSub.
|
||||
By default, all logs are exported to Bigquery, but FAST can create sinks to Cloud Logging Buckets, GCS, or PubSub.
|
||||
|
||||
If you need to capture additional logs, please refer to GCP's documentation on [scenarios for exporting logging data](https://cloud.google.com/architecture/exporting-stackdriver-logging-for-security-and-access-analytics), where you can find ready-made filter expressions for different use cases.
|
||||
|
||||
|
|
|
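Review bot: In the billing-organization snippet (hunk @ -120), `export FAST_ROLES=(roles/billing.admin roles/resourcemanager.organizationAdmin)` declares a bash array but the loop iterates `for role in $FAST_ROLES`, which expands only the first element, so `roles/resourcemanager.organizationAdmin` is never bound and the first `apply` is likely to fail for lack of organization-level permissions. The snippet in hunk @ -100 already uses a space-separated string for `FAST_ROLES`, so the consistent fix is `export FAST_ROLES="roles/billing.admin roles/resourcemanager.organizationAdmin"`, or keep the array and iterate `for role in "${FAST_ROLES[@]}"; do`. Note also that `export` on a bash array does not carry it into child processes, which is a further reason to prefer the string form in a snippet meant to be pasted into a shell.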
@ -62,7 +62,7 @@ module "branch-network-gcs" {
|
|||
module "branch-network-prod-folder" {
|
||||
source = "../../../modules/folder"
|
||||
parent = module.branch-network-folder.id
|
||||
name = "prod"
|
||||
name = "Production"
|
||||
iam = {
|
||||
"roles/compute.xpnAdmin" = [
|
||||
module.branch-teams-prod-projectfactory-sa.iam_email
|
||||
|
@ -73,7 +73,7 @@ module "branch-network-prod-folder" {
|
|||
module "branch-network-dev-folder" {
|
||||
source = "../../../modules/folder"
|
||||
parent = module.branch-network-folder.id
|
||||
name = "dev"
|
||||
name = "Development"
|
||||
iam = {
|
||||
"roles/compute.xpnAdmin" = [
|
||||
module.branch-teams-dev-projectfactory-sa.iam_email
|
||||
|
|
|
@ -93,14 +93,13 @@ Spoke VPCs also define and reserve three "special" CIDR ranges, derived from the
|
|||
|
||||
- [PSA (Private Service Access)](https://cloud.google.com/vpc/docs/private-services-access):
|
||||
|
||||
+ The second-last /24 range is used for PSA (CloudSQL, Postrgres)
|
||||
- The second-last /24 range is used for PSA (CloudSQL, Postrgres)
|
||||
|
||||
+ The third-last /24 range is used for PSA (CloudSQL, MySQL)
|
||||
- The third-last /24 range is used for PSA (CloudSQL, MySQL)
|
||||
|
||||
- [Internal HTTPs Load Balancers (L7ILB)](https://cloud.google.com/load-balancing/docs/l7-internal):
|
||||
|
||||
+ The last /24 range
|
||||
|
||||
- The last /24 range
|
||||
|
||||
This is a summary of the subnets allocated by default in this setup:
|
||||
|
||||
|
@ -229,6 +228,7 @@ If you have set a valid value for `outputs_location` in the bootstrap and in the
|
|||
ln -s ../../configs/example/02-networking/terraform-bootstrap.auto.tfvars.json
|
||||
ln -s ../../configs/example/02-networking/terraform-resman.auto.tfvars.json
|
||||
```
|
||||
|
||||
If you want to continue to rely on `outputs_location` logic, create a `terraform.tfvars` file and configure it as described [here](../00-bootstrap/#output-files-and-cross-stage-variables).
|
||||
|
||||
Please, refer to the [variables](#variables) table below for a map of the variable origins, and use the sections below to understand how to adapt this stage to your networking configuration.
|
||||
|
@ -284,7 +284,7 @@ DNS queries sent to the on-premise infrastructure come from the `35.199.192.0/19
|
|||
|
||||
#### On-premises to cloud
|
||||
|
||||
The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in the *trusted landing VPC module* ([`vpc-landing.tf`](./vpc-landing.tf)) automatically reserves the first available IP address on each subnet (typically the third one in a CIDR) to expose the Cloud DNS service, so that it can be consumed from outside of GCP.
|
||||
The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in the *trusted landing VPC module* ([`landing.tf`](./landing.tf)) automatically reserves the first available IP address on each subnet (typically the third one in a CIDR) to expose the Cloud DNS service, so that it can be consumed from outside of GCP.
|
||||
|
||||
### Private Google Access
|
||||
|
||||
|
@ -296,7 +296,7 @@ For PGA to work:
|
|||
Subnets created using the `net-vpc` module are PGA-enabled by default.
|
||||
|
||||
- 199.36.153.4/30 (`restricted.googleapis.com`) and 199.36.153.8/30 (`private.googleapis.com`) should be routed from on-premises to the trusted landing VPC, and from there to the `default-internet-gateway`. \
|
||||
The `vpn_onprem_configs` variable contains the ranges advertised from GCP to on-premises. Furthermore, the trusted landing VPC (e.g. see `landing-trusted-vpc` in [`vpc-landing.tf`](./vpc-landing.tf)) has explicit routes to send traffic destined to restricted and private - googleapis.com to the Internet gateway (which works for Google APIs only, and not for the whole Internet, since Cloud NAT is not configured in the trusted landing VPC).
|
||||
The `vpn_onprem_configs` variable contains the ranges advertised from GCP to on-premises. Furthermore, the trusted landing VPC (e.g. see `landing-trusted-vpc` in [`landing.tf`](./landing.tf)) has explicit routes to send traffic destined to restricted and private - googleapis.com to the Internet gateway (which works for Google APIs only, and not for the whole Internet, since Cloud NAT is not configured in the trusted landing VPC).
|
||||
|
||||
- On-premises, a private DNS zone for `googleapis.com` should be created and configured per [this article](https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid#config-domain). Its configuration can be copied from the module `googleapis-private-zone` in [`dns.tf`](./dns.tf)
|
||||
|
||||
|
@ -320,9 +320,9 @@ You're now ready to run `terraform init` and `terraform apply`.
|
|||
|
||||
To create a new environment (e.g. `staging`), a few changes are required:
|
||||
|
||||
Create a `vpc-spoke-staging.tf` file by copying `vpc-spoke-prod.tf` file.
|
||||
Create a `spoke-staging.tf` file by copying `spoke-prod.tf` file.
|
||||
Adapt the new file by replacing the value "prod" with the value "staging".
|
||||
Running `diff vpc-spoke-dev.tf vpc-spoke-prod.tf` can help to see how environment files differ.
|
||||
Running `diff spoke-dev.tf spoke-prod.tf` can help to see how environment files differ.
|
||||
|
||||
The new VPC requires a set of dedicated CIDRs, one per region, added to variable `custom_adv` (for example as `spoke_staging_ew1` and `spoke_staging_ew4`).
|
||||
>`custom_adv` is a map that "resolves" CIDR names to the actual addresses, and will be used later to configure routing.
|
||||
|
@ -348,15 +348,15 @@ Don't forget to add a peering zone in the landing project and point it to the ne
|
|||
| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||
| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> | |
|
||||
| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||
| [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> | |
|
||||
| [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | <code>google_monitoring_dashboard</code> |
|
||||
| [nva.tf](./nva.tf) | None | <code>compute-mig</code> · <code>compute-vm</code> · <code>net-ilb</code> | |
|
||||
| [outputs.tf](./outputs.tf) | Module outputs. | | <code>local_file</code> |
|
||||
| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-address</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> | |
|
||||
| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-address</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> | |
|
||||
| [test-resources.tf](./test-resources.tf) | temporary instances for testing | <code>compute-vm</code> | |
|
||||
| [variables.tf](./variables.tf) | Module variables. | | |
|
||||
| [vpc-landing.tf](./vpc-landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [vpc-spoke-dev.tf](./vpc-spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-address</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> | |
|
||||
| [vpc-spoke-prod.tf](./vpc-spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-address</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> | |
|
||||
| [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | <code>net-vpn-ha</code> | |
|
||||
|
||||
## Variables
|
||||
|
|
|
@ -226,7 +226,7 @@ DNS queries sent to the on-premises infrastructure come from the `35.199.192.0/1
|
|||
|
||||
#### On-prem to cloud
|
||||
|
||||
The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in module `landing-vpc` ([`landing.tf`](./vpc-landing.tf)) automatically reserves the first available IP address on each created subnet (typically the third one in a CIDR) to expose the Cloud DNS service so that it can be consumed from outside of GCP.
|
||||
The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in module `landing-vpc` ([`landing.tf`](./landing.tf)) automatically reserves the first available IP address on each created subnet (typically the third one in a CIDR) to expose the Cloud DNS service so that it can be consumed from outside of GCP.
|
||||
|
||||
### Private Google Access
|
||||
|
||||
|
@ -262,9 +262,9 @@ You're now ready to run `terraform init` and `apply`.
|
|||
|
||||
To create a new environment (e.g. `staging`), a few changes are required.
|
||||
|
||||
Create a `vpc-spoke-staging.tf` file by copying `vpc-spoke-prod.tf` file,
|
||||
Create a `spoke-staging.tf` file by copying `spoke-prod.tf` file,
|
||||
and adapt the new file by replacing the value "prod" with the value "staging".
|
||||
Running `diff vpc-spoke-dev.tf vpc-spoke-prod.tf` can help to see how environment files differ.
|
||||
Running `diff spoke-dev.tf spoke-prod.tf` can help to see how environment files differ.
|
||||
|
||||
The new VPC requires a set of dedicated CIDRs, one per region, added to variable `custom_adv` (for example as `spoke_staging_ew1` and `spoke_staging_ew4`).
|
||||
>`custom_adv` is a map that "resolves" CIDR names to actual addresses, and will be used later to configure routing.
|
||||
|
@ -292,14 +292,14 @@ DNS configurations are centralised in the `dns.tf` file. Spokes delegate DNS res
|
|||
| [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||
| [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> | |
|
||||
| [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> | |
|
||||
| [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> | |
|
||||
| [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | <code>google_monitoring_dashboard</code> |
|
||||
| [outputs.tf](./outputs.tf) | Module outputs. | | <code>local_file</code> |
|
||||
| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-address</code> · <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | <code>google_project_iam_binding</code> |
|
||||
| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-address</code> · <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | <code>google_project_iam_binding</code> |
|
||||
| [test-resources.tf](./test-resources.tf) | temporary instances for testing | <code>compute-vm</code> | |
|
||||
| [variables.tf](./variables.tf) | Module variables. | | |
|
||||
| [vpc-landing.tf](./vpc-landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | |
|
||||
| [vpc-spoke-dev.tf](./vpc-spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-address</code> · <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | <code>google_project_iam_binding</code> |
|
||||
| [vpc-spoke-prod.tf](./vpc-spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-address</code> · <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | <code>google_project_iam_binding</code> |
|
||||
| [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | <code>net-vpn-ha</code> | |
|
||||
| [vpn-spoke-dev.tf](./vpn-spoke-dev.tf) | VPN between landing and development spoke. | <code>net-vpn-ha</code> | |
|
||||
| [vpn-spoke-prod.tf](./vpn-spoke-prod.tf) | VPN between landing and production spoke. | <code>net-vpn-ha</code> | |
|
||||
|
|
|
@ -108,11 +108,12 @@ terraform apply
|
|||
| name | description | type | required | default | producer |
|
||||
|---|---|:---:|:---:|:---:|:---:|
|
||||
| [billing_account_id](variables.tf#L19) | Billing account id. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [prefix](variables.tf#L44) | Prefix used for resources that need unique names. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [data_dir](variables.tf#L25) | Relative path for the folder storing configuration data. | <code>string</code> | | <code>"data/projects"</code> | |
|
||||
| [defaults_file](variables.tf#L38) | Relative path for the file storing the project factory configuration. | <code>string</code> | | <code>"data/defaults.yaml"</code> | |
|
||||
| [environment_dns_zone](variables.tf#L31) | DNS zone suffix for environment. | <code>string</code> | | <code>null</code> | <code>02-networking</code> |
|
||||
| [shared_vpc_self_link](variables.tf#L44) | Self link for the shared VPC. | <code>string</code> | | <code>null</code> | <code>02-networking</code> |
|
||||
| [vpc_host_project](variables.tf#L51) | Host project for the shared VPC. | <code>string</code> | | <code>null</code> | <code>02-networking</code> |
|
||||
| [shared_vpc_self_link](variables.tf#L50) | Self link for the shared VPC. | <code>string</code> | | <code>null</code> | <code>02-networking</code> |
|
||||
| [vpc_host_project](variables.tf#L57) | Host project for the shared VPC. | <code>string</code> | | <code>null</code> | <code>02-networking</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -33,24 +33,25 @@ locals {
|
|||
}
|
||||
|
||||
module "projects" {
|
||||
source = "../../../../examples/factories/project-factory"
|
||||
for_each = local.projects
|
||||
defaults = local.defaults
|
||||
project_id = each.key
|
||||
billing_account_id = try(each.value.billing_account_id, null)
|
||||
billing_alert = try(each.value.billing_alert, null)
|
||||
dns_zones = try(each.value.dns_zones, [])
|
||||
essential_contacts = try(each.value.essential_contacts, [])
|
||||
folder_id = each.value.folder_id
|
||||
group_iam = try(each.value.group_iam, {})
|
||||
iam = try(each.value.iam, {})
|
||||
kms_service_agents = try(each.value.kms, {})
|
||||
labels = try(each.value.labels, {})
|
||||
org_policies = try(each.value.org_policies, null)
|
||||
service_accounts = try(each.value.service_accounts, {})
|
||||
services = try(each.value.services, [])
|
||||
services_iam = try(each.value.services_iam, {})
|
||||
vpc = try(each.value.vpc, null)
|
||||
source = "../../../../examples/factories/project-factory"
|
||||
for_each = local.projects
|
||||
defaults = local.defaults
|
||||
project_id = each.key
|
||||
billing_account_id = try(each.value.billing_account_id, null)
|
||||
billing_alert = try(each.value.billing_alert, null)
|
||||
dns_zones = try(each.value.dns_zones, [])
|
||||
essential_contacts = try(each.value.essential_contacts, [])
|
||||
folder_id = each.value.folder_id
|
||||
group_iam = try(each.value.group_iam, {})
|
||||
iam = try(each.value.iam, {})
|
||||
kms_service_agents = try(each.value.kms, {})
|
||||
labels = try(each.value.labels, {})
|
||||
org_policies = try(each.value.org_policies, null)
|
||||
prefix = var.prefix
|
||||
service_accounts = try(each.value.service_accounts, {})
|
||||
services = try(each.value.services, [])
|
||||
service_identities_iam = try(each.value.services_iam, {})
|
||||
vpc = try(each.value.vpc, null)
|
||||
}
|
||||
|
||||
|
||||
|
|
|
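Review bot: In the `module "projects"` block the argument is renamed to `service_identities_iam` while the value is still read from the `services_iam` key of the per-project data (`try(each.value.services_iam, {})`), so someone reading the YAML files will not find a field matching the module argument. A short comment such as `# data key kept as services_iam for compatibility with existing project definitions` would make the mapping read as intentional rather than as a leftover of the rename. If the intent was to rename the data key as well, the `try()` should read `each.value.service_identities_iam`, possibly with the old key as a fallback so existing definitions keep working.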
@ -41,6 +41,12 @@ variable "defaults_file" {
|
|||
default = "data/defaults.yaml"
|
||||
}
|
||||
|
||||
variable "prefix" {
|
||||
# tfdoc:variable:source 00-bootstrap
|
||||
description = "Prefix used for resources that need unique names."
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "shared_vpc_self_link" {
|
||||
# tfdoc:variable:source 02-networking
|
||||
description = "Self link for the shared VPC."
|
||||
|
|