zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cloud-foundation-fabric/fast/stages/03-project-factory/prod
History
Simone Ruffilli 75aff4081f
default=null for `shared_vpc_self_link ` and `vpc_host_project` (#502) 
* Update variables.tf

* Update README.md
 		2022-02-04 19:57:06 +01:00
..
data Merge Fabric FAST (#435) 2022-01-19 14:19:39 +01:00
README.md default=null for `shared_vpc_self_link ` and `vpc_host_project` (#502) 2022-02-04 19:57:06 +01:00
diagram.png Merge Fabric FAST (#435) 2022-01-19 14:19:39 +01:00
diagram.svg Merge Fabric FAST (#435) 2022-01-19 14:19:39 +01:00
main.tf Merge Fabric FAST (#435) 2022-01-19 14:19:39 +01:00
outputs.tf Merge Fabric FAST (#435) 2022-01-19 14:19:39 +01:00
variables.tf default=null for `shared_vpc_self_link ` and `vpc_host_project` (#502) 2022-02-04 19:57:06 +01:00

README.md

Project factory

The Project Factory (or PF) builds on top of your foundations to create and set up projects (and related resources) to be used for your workloads. It is organized in folders representing environments (e.g., "dev", "prod"), each implemented by a stand-alone terraform resource factory.

Design overview and choices

Project factory diagram

A single factory creates projects in a well-defined context, according to your resource management structure. For example, in the diagram above, each Team is structured to have specific folders projects for a given environment, such as Production and Development, per the resource management structure configured in stage 01-resman.

Projects for each environment across different teams are created by dedicated service accounts, as exemplified in the diagram above. While there's no intrinsic limitation regarding where the project factory can create a projects, the IAM bindings for the service account effectively enforce boundaries (e.g., the production service account shouldn't be able to create or have any access to the development projects, and vice versa).

The project factory takes care of the following activities:

  • Project creation
  • API/Services enablement
  • Service accounts creation
  • IAM roles assignment for groups and service accounts
  • KMS keys roles assignment
  • Shared VPC attachment and subnets IAM binding
  • DNS zones creation and visibility configuration
  • Project-level org policies definition
  • Billing setup (billing account attachment and budget configuration)
  • Essential contacts definition (for budget alerts and important notifications)

How to run this stage

This stage is meant to be executed after "foundational stages" (i.e., stages 00-bootstrap, 01-resman, 02-networking (either VPN or NVA) and 02-security) have been run.

It's of course possible to run this stage in isolation, by making sure the architectural prerequisites are satisfied (e.g., networking), and that the Service Account running the stage is granted the roles/permissions below:

  • One service account per environment, each with appropriate permissions
    • at the organization level a custom role for networking operations including the following permissions
      • "compute.organizations.enableXpnResource",
      • "compute.organizations.disableXpnResource",
      • "compute.subnetworks.setIamPolicy",
      • "dns.networks.bindPrivateDNSZone"
      • and role "roles/orgpolicy.policyAdmin"
    • on each folder where projects are created
      • "roles/logging.admin"
      • "roles/owner"
      • "roles/resourcemanager.folderAdmin"
      • "roles/resourcemanager.projectCreator"
    • on the host project for the Shared VPC
      • "roles/browser"
      • "roles/compute.viewer"
      • "roles/dns.admin"
  • If networking is used (e.g., for VMs, GKE Clusters or AppEngine flex), VPC Host projects and their subnets should exist when creating projects
  • If per-environment DNS sub-zones are required, one "root" zone per environment should exist when creating projects (e.g., prod.gcp.example.com.)

Providers configuration

If you're running this on top of Fast, you should run the following commands to create the providers file, and populate the required variables from the previous stage.

# Variable `outputs_location` is set to `../../config` in stage 01-resman
$ cd fabric-fast/stages/03-project-factory/prod
ln -s ../../../config/03-project-factory-prod/providers.tf

Variable configuration

There are two broad sets of variables you will need to fill in:

  • variables shared by other stages (org id, billing account id, etc.), or derived from a resource managed by a different stage (folder id, automation project id, etc.)
  • variables specific to resources managed by this stage

To avoid the tedious job of filling in the first group of variables with values derived from other stages' outputs, the same mechanism used above for the provider configuration can be used to leverage pre-configured .tfvars files.

If you configured a valid path for outputs_location in the bootstrap and networking stage, simply link the relevant terraform-*.auto.tfvars.json files from this stage's outputs folder (under the path you specified), where the * above is set to the name of the stage that produced it. For this stage, a single .tfvars file is available:

# Variable `outputs_location` is set to `../../config` in stages 01-bootstrap and the 02-networking stage in use
ln -s ../../../config/03-project-factory-prod/terraform-bootstrap.auto.tfvars.json
ln -s ../../../config/03-project-factory-prod/terraform-networking.auto.tfvars.json

If you're not using Fast, refer to the Variables table at the bottom of this document for a full list of variables, their origin (e.g., a stage or specific to this one), and descriptions explaining their meaning.

Besides the values above, a project factory takes 2 additional inputs:

  • data/defaults.yaml, manually configured by adapting the prod/data/defaults.yaml.sample, which defines per-environment default values e.g., for billing alerts and labels.
  • data/projects/*.yaml, one file per project (optionally grouped in folders), which configures each project. A prod/data/projects/project.yaml.sample is provided as reference and documentation for the schema. Projects will be named after the filename, e.g., fast-prod-lab0.yaml will create project fast-prod-lab0.

Once the configuration is complete, run the project factory by running

terraform init
terraform apply

Files

name description modules
main.tf Project factory. project-factory
outputs.tf Module outputs.
variables.tf Module variables.

Variables

name description type required default producer
billing_account_id Billing account id. string 00-bootstrap
data_dir Relative path for the folder storing configuration data. string "data/projects"
defaults_file Relative path for the file storing the project factory configuration. string "data/defaults.yaml"
environment_dns_zone DNS zone suffix for environment. string null 02-networking
shared_vpc_self_link Self link for the shared VPC. string null 02-networking
vpc_host_project Host project for the shared VPC. string null 02-networking

Outputs

name description sensitive consumers
projects Created projects and service accounts.