725f7effce
* preliminary support for wif in stage 0 * IAM wif role * IAM wif role TODO * add support for external SA IAM to SA module * add name output to SA module * separate cicd SA * tfdoc * GITLAB principal (untested) * make GCS name output static * outputs bucket * fix stage 1 test * tweak outputs * tfdoc * move wif_pool to automation variable * add support for top-level and repository providers * add missing boilerplate * fix branchless principal * initial workflow * symlink provider template in stages * remove service accounts from stage 0 cicd tfvars * add cicd interface variable to resman stage * fix cicd variable in resman stage * better condition on outputs_location * fix last change * change outputs_location type * revert outputs_location change * split outputs in stage 0 * update ci/cd temporary notes * rename additive IAM resource in SA module * split outputs in stage 1 * remove unused locals * fix stage 1 tests * tfdoc * Upload action files to outputs_bucket * Fix tests and README * rename template, streamline outputs * local templates and gcs output for all stage 2 * add workflows to local output files * Use lowercase WIF providers everywhere * Bring back suffix for workflow files * Remove unused files * Update READMEs * preliminary CI/CD implementation for stage 1 * fix stage 1 * stage 1 cicd * tfdoc * fix tests * readme and links for cicd and wif * refactor wif providers * refactor cicd for stage 1 * fix stage 1 * wif org policies * split identity provider configuration from cicd * add type attribute to cicd repositories * valid cicd repositories have a workflow template * refactor stage 01 * fix stage 01 tests * minimal CI/CD documentation * better check_links error reporting * fix links * Added Gitlab specific configurations Set the default issuer_uri for Gitlab. Added allowed audiences to OIDC configuration. * Fixed TF formatting in identity providers. * Changing identity provider audience to null Changing identity provider audience to default to null. * add instructions for renaming workflows * address Julio's comments Co-authored-by: Julio Castillo <jccb@google.com> Co-authored-by: alexmeissner <alexmeissner@google.com> |
||
|---|---|---|
| .github/workflows | ||
| assets/logos | ||
| examples | ||
| fast | ||
| modules | ||
| tests | ||
| tools | ||
| .gitignore | ||
| CHANGELOG.md | ||
| CONTRIBUTING.md | ||
| LICENSE | ||
| MANIFESTO.md | ||
| README.md | ||
| REFERENCES.md | ||
| default-versions.tf | ||
| stages.png | ||
README.md
Terraform Examples and Modules for Google Cloud
This repository provides end-to-end examples and a suite of Terraform modules for Google Cloud, which support different use cases:
- organization-wide landing zone blueprint used to bootstrap real-world cloud foundations
- reference examples used to deep dive on network patterns or product features
- a comprehensive source of lean modules that lend themselves well to changes
The whole repository is meant to be cloned as a single unit, and then forked into separate owned repositories to seed production usage, or used as-is and periodically updated as a complete toolkit for prototyping. You can read more on this approach in our manifesto.
Organization blueprint (Fabric FAST)
Setting up a production-ready GCP organization is often a time-consuming process. Fabric FAST aims to speed up this process via two complementary goals. On the one hand, FAST provides a design of a GCP organization that includes the typical elements required by enterprise customers. Secondly, we provide a reference implementation of the FAST design using Terraform.
Modules
The suite of modules in this repository are designed for rapid composition and reuse, and to be reasonably simple and readable so that they can be forked and changed where use of third party code and sources is not allowed.
All modules share a similar interface where each module tries to stay close to the underlying provider resources, support IAM together with resource creation and modification, offer the option of creating multiple resources where it makes sense (eg not for projects), and be completely free of side-effects (eg no external commands).
The current list of modules supports most of the core foundational and networking components used to design end-to-end infrastructure, with more modules in active development for specialized compute, security, and data scenarios.
Currently available modules:
- foundational - folder, organization, project, service accounts, logging bucket, billing budget, naming convention, projects-data-source
- networking - VPC, VPC firewall, VPC peering, VPN static, VPN dynamic, HA VPN, NAT, address reservation, DNS, L4 ILB, L7 ILB, Service Directory, Cloud Endpoints
- compute - VM/VM group, MIG, GKE cluster, GKE nodepool, GKE hub, COS container (coredns, mysql, onprem, squid)
- data - GCS, BigQuery dataset, Pub/Sub, Datafusion, Bigtable instance, Cloud SQL instance, Data Catalog Policy Tag
- development - Cloud Source Repository, Container Registry, Artifact Registry, Apigee Organization, Apigee X Instance, API Gateway
- security - KMS, SecretManager, VPC Service Control
- serverless - Cloud Function, Cloud Run
For more information and usage examples see each module's README file.
End-to-end examples
The examples in this repository are split in several main sections: foundational examples that bootstrap the organizational hierarchy and automation prerequisites, networking examples that implement core patterns or features, data solutions examples that demonstrate how to integrate data services in complete scenarios, cloud operations examples that leverage specific products to meet specific operational needs and factories that implement resource factories for the repetitive creation of specific resources.