# 0-bootstrap

The purpose of this step is to bootstrap a GCP organization, creating all the required resources and permissions to start using the Cloud Foundation Toolkit (CFT). This step also configures Cloud Build and Cloud Source Repositories for the foundations code used in subsequent stages.

## Prerequisites

1. A GCP Organization
2. A GCP Billing Account
3. Cloud Identity / G Suite Google Groups for Organization Admins and Billing Admins already created.
4. Membership in the `group_org_admins` group for the user running Terraform.
5. The roles mentioned in the bootstrap README.md, as well as `roles/resourcemanager.folderCreator`, granted to the user running this step.

## Usage

1. Clone the repo: `git clone https://github.com/Burwood/terraform-gcp-greenfield.git`
   1. (Optional) Change into the correct branch with `git checkout [branch_name]`
2. Change into the `0-bootstrap` folder
3. Copy the tfvars by running `cp terraform.tfvars.example terraform.tfvars` and update `terraform.tfvars` with values from your environment.
4. Run `terraform init`
5. Run `terraform plan` and review the output
6. Run `terraform apply`
   1. **WARNING** If using GitHub for the source code repo, you must MANUALLY create the connector to the repo; Terraform will fail until it exists. Once the connector is built, re-run and create the Cloud Build triggers.
7. Copy the backend by running `cp backend.tf.example backend.tf` and update `backend.tf` with your bucket from the apply step (the value from `terraform output gcs_bucket_tfstate`)
8. Re-run `terraform init` and agree to copy state to GCS when prompted
   1. (Optional) Run `terraform apply` to verify state is configured cor
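The steps above, collected into a shell helper as an added example. This script is not part of the Burwood/terraform-gcp-greenfield repository: the function names, the `terraform/bootstrap/state` backend prefix, the `RUN_BOOTSTRAP` switch and the sample tfvars lines are assumptions of this example. It checks that `terraform.tfvars` sets the only two inputs without defaults (`github_name`, `github_owner`) before any Terraform command runs, and renders `backend.tf` from the `gcs_bucket_tfstate` output so the bucket name is not hand-copied.

```shell
#!/usr/bin/env bash
# Added helper for the 0-bootstrap usage steps. Not part of the
# Burwood/terraform-gcp-greenfield repository; function names, the backend
# prefix and the RUN_BOOTSTRAP switch are assumptions of this example.
set -eu

# Step 3 check: github_name and github_owner are the only inputs without a
# default, so refuse to continue if terraform.tfvars does not set them.
# Returns 0 when both are present, 1 otherwise (each missing name is reported).
check_tfvars() {
  file="$1"
  missing=0
  for var in github_name github_owner; do
    if ! grep -Eq "^[[:space:]]*${var}[[:space:]]*=" "$file"; then
      echo "${file}: missing required input '${var}'" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Step 7: render backend.tf for the bucket created by the apply step.
# The prefix is an assumption; keep the one from backend.tf.example if it differs.
render_backend() {
  bucket="$1"
  cat <<EOF
terraform {
  backend "gcs" {
    bucket = "${bucket}"
    prefix = "terraform/bootstrap/state"
  }
}
EOF
}

# Steps 4 to 8 in order. Run from inside the 0-bootstrap folder after
# terraform.tfvars has been filled in (steps 1 to 3).
bootstrap() {
  check_tfvars terraform.tfvars
  terraform init
  terraform plan                       # step 5: review the output before applying
  terraform apply                      # step 6: GitHub connector must already exist
  # `terraform output NAME` prints the value quoted on newer Terraform releases,
  # so strip the quotes to get the bare bucket name.
  bucket="$(terraform output gcs_bucket_tfstate | tr -d '"')"
  render_backend "$bucket" > backend.tf   # step 7
  terraform init                           # step 8: answer "yes" to copy state to GCS
}

# The live steps only run when explicitly requested, e.g.
#   RUN_BOOTSTRAP=1 ./bootstrap.sh
if [ "${RUN_BOOTSTRAP:-0}" = "1" ]; then
  bootstrap
fi
```

Before running the apply step, review the `cloudbuild_org_iam_permissions` value in `terraform.tfvars`: its default grants the Cloud Build service account organization-level roles such as `roles/resourcemanager.organizationAdmin` and `roles/iam.organizationRoleAdmin`, so the pipeline's service account becomes one of the most privileged identities in the organization and should be scoped to what later stages actually need.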

## Providers

| Name | Version |
|------|---------|
| google | ~> 3.1 |
| google-beta | ~> 3.1 |
| random | ~> 2.2 |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| activate_apis | List of APIs to enable in the seed project | `list(string)` | `["cloudresourcemanager.googleapis.com", "cloudbilling.googleapis.com", "billingbudgets.googleapis.com", "iam.googleapis.com", "admin.googleapis.com", "cloudbuild.googleapis.com", "serviceusage.googleapis.com", "servicenetworking.googleapis.com", "compute.googleapis.com", "logging.googleapis.com", "bigquery.googleapis.com", "storage-api.googleapis.com", "container.googleapis.com"]` | no |
| branch | Which branch to pull from | `string` | `"^master$"` | no |
| cloud_triggers | Names of the triggers to deploy | `list(string)` | `["1-org", "1-org-b", "2-networks"]` | no |
| cloudbuild_org_iam_permissions | List of roles granted to the Cloud Build service account across the GCP organization. | `list(string)` | `["roles/resourcemanager.organizationAdmin", "roles/billing.user", "roles/pubsub.admin", "roles/iam.organizationRoleAdmin", "roles/resourcemanager.folderAdmin", "roles/orgpolicy.policyAdmin", "roles/resourcemanager.projectCreator", "roles/compute.xpnAdmin", "roles/compute.networkAdmin", "roles/iam.serviceAccountAdmin", "roles/resourcemanager.projectIamAdmin", "roles/storage.admin", "roles/logging.admin"]` | no |
| cloudops_triggers | Names of the triggers to deploy | `list(string)` | `["project-apply"]` | no |
| deployment_dir | The directory that holds the deployments / tfvars | `string` | `"projects"` | no |
| disable_services_on_destroy | Whether project services will be disabled when the resources are destroyed | `string` | `true` | no |
| disable_trigger | Enable or disable the trigger for automatic deployment | `string` | `false` | no |
| filename_path | The path of the directory where the Cloud Build YAML files are located | `string` | `"cloudbuild"` | no |
| github_name | Name of the repository. | `string` | n/a | yes |
| github_owner | Owner of the repository. | `string` | n/a | yes |
| modules_dir | The directory that holds the modules to deploy | `string` | `"project_iam_vpc"` | no |
| org_admins_org_iam_permissions | List of roles granted to the group supplied in the `group_org_admins` variable across the GCP organization. | `list(string)` | `["roles/billing.user", "roles/resourcemanager.organizationAdmin"]` | no |
| parent_folder | Optional - set if using a folder for testing. | `string` | `""` | no |
| project_labels | Labels to apply to the project. | `map(string)` | `{"billing_code": "012345", "envrionment": "prod", "owner": "its"}` | no |
| project_prefix | Name prefix to use for projects created. | `string` | `"automation"` | no |
| random_project_id | Adds a suffix of 4 random characters to the project_id | `string` | `true` | no |
| sa_enable_impersonation | Allow the org_admins group to impersonate the service account and enable the APIs required. | `bool` | `false` | no |
| seed_folder_name | Name of the folder that will contain the Cloud Control Plane projects. | `string` | `"Administration"` | no |
| skip_gcloud_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | `bool` | `true` | no |
| storage_bucket_labels | Labels to apply to the storage bucket. | `map(string)` | `{}` | no |
| terraform_tag | Docker Hub tag value for the Terraform container | `string` | `"latest"` | no |
| tfvars_name | Name of the tfvars file | `string` | `"new-project"` | no |

## Outputs

| Name | Description |
|------|-------------|
| cloudbuild_project_id | Project where service accounts and core APIs will be enabled. |
| cloudbuild_service_account | The Cloud Build service account |
| gcs_bucket_tfstate | Bucket used for storing Terraform state for the foundations pipelines in the seed project. |
| seed_folder_id | The folder id of the seed folder |