Skip to content

Latest commit

 

History

History
 
 

0-bootstrap

README.md

0-bootstrap

This repo is part of a multi-part guide that shows how to configure and deploy the example.com reference architecture described in Google Cloud security foundations guide. The following table lists the parts of the guide.

0-bootstrap (this file) Bootstraps a Google Cloud organization, creating all the required resources and permissions to start using the Cloud Foundation Toolkit (CFT). This step also configures a CI/CD pipeline for foundations code in subsequent stages.
1-org Sets up top level shared folders, monitoring and networking projects, and organization-level logging, and sets baseline security settings through organizational policy.
2-environments Sets up development, non-production, and production environments within the Google Cloud organization that you've created.
3-networks-dual-svpc Sets up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, on-premises Dedicated Interconnect, and baseline firewall rules for each environment. It also sets up the global DNS hub.
3-networks-hub-and-spoke Sets up base and restricted shared VPCs with all the default configuration found on step 3-networks-dual-svpc, but here the architecture will be based on the Hub and Spoke network model. It also sets up the global DNS hub
4-projects Set up a folder structure, projects, and application infrastructure pipeline for applications, which are connected as service projects to the shared VPC created in the previous stage.
5-app-infra Deploy a simple Compute Engine instance in one of the business unit projects using the infra pipeline set up in 4-projects.

For an overview of the architecture and the parts, see the terraform-example-foundation README file.

Purpose

The purpose of this step is to bootstrap a Google Cloud organization, creating all the required resources & permissions to start using the Cloud Foundation Toolkit (CFT). This step also configures a CI/CD pipeline for foundations code in subsequent stages. The CI/CD pipeline can use either Cloud Build and Cloud Source Repos or Jenkins and your own Git repos (which might live on-premises).

Prerequisites

To run the commands described in this document, you need to have the following installed:

Note: Make sure that you use version 1.0.0 of Terraform throughout this series. Otherwise, you might experience Terraform state snapshot lock errors.

Also make sure that you've done the following:

  1. Set up a Google Cloud organization.
  2. Set up a Google Cloud billing account.
  3. Created Cloud Identity or Google Workspace (formerly G Suite) groups for organization and billing admins.
  4. Added the user who will use Terraform to the group_org_admins group. They must be in this group, or they won't have roles/resourcemanager.projectCreator access.
  5. For the user who will run the procedures in this document, granted the following roles:
    • The roles/resourcemanager.organizationAdmin role on the Google Cloud organization.
    • The roles/orgpolicy.policyAdmin role on the Google Cloud organization.
    • The roles/billing.admin role on the billing account.
    • The roles/resourcemanager.folderCreator role.

If other users need to be able to run these procedures, add them to the group represented by the org_project_creators variable. For more information about the permissions that are required, and the resources that are created, see the organization bootstrap module documentation.

Use the helper script validate-requirements.sh to validate your environment:

./scripts/validate-requirements.sh  -o <ORGANIZATION_ID> -b <BILLING_ACCOUNT_ID> -u <END_USER_EMAIL>

Note: The script is not able to validate if the user is in a Cloud Identity or Google Workspace group with the required roles.

Optional - Automatic creation of Google Cloud Identity groups

Google Cloud Identity groups are used for authentication and access management in the foundation.

To enable automatic creation of the required groups you need to:

  • Have an existing project for Cloud Identity API billing.
  • Enable the Cloud Identity API(cloudidentity.googleapis.com) on the billing project.
  • Grant role roles/serviceusage.serviceUsageConsumer to the user running Terraform on the billing project.
  • Provide values for the groups and billing project in the variable groups.

All groups in the groups.required_groups are required.

All groups in the groups.optional_groups are optional.

Troubleshooting

Please refer to troubleshooting if you run into issues during this step.

Deploying with Jenkins

If you are using the jenkins_bootstrap sub-module, see README-Jenkins for requirements and instructions on how to run the 0-bootstrap step. Using Jenkins requires a few manual steps, including configuring connectivity with your current Jenkins manager (controller) environment.

Deploying with Cloud Build

  1. Go to the 0-bootstrap folder.
  2. Rename terraform.example.tfvars to terraform.tfvars and update the file with values from your environment: 
    mv terraform.example.tfvars terraform.tfvars
  3. Run terraform init.
  4. Run terraform plan and review the output.
  5. To run gcloud beta terraform vet steps please follow the instructions to install the terraform-tools component.
    1. Run terraform plan -input=false -out bootstrap.tfplan
    2. Run terraform show -json bootstrap.tfplan > bootstrap.json
    3. Run gcloud beta terraform vet bootstrap.json --policy-library="../policy-library" --project <A-VALID-PROJECT-ID> and check for violations (<A-VALID-PROJECT-ID> must be an existing project you have access to, this is necessary because Terraform-validator needs to link resources to a valid Google Cloud Platform project).
  6. Run terraform apply.
  7. Run terraform output organization_step_terraform_service_account_email to get the email address of the admin of step 1-org. You need this address in a later procedure.
  8. Run terraform output environment_step_terraform_service_account_email to get the email address of the admin of step 2-environments. You need this address in a later procedure.
  9. Run terraform output networks_step_terraform_service_account_email to get the email address of the admin of steps 3-networks-dual-svpc and 3-networks-hub-and-spoke. You need this address in a later procedure.
  10. Run terraform output projects_step_terraform_service_account_email to get the email address of the admin of step 4-projects. You need this address in a later procedure.
  11. Run terraform output cloudbuild_project_id to get the ID of your Cloud Build project.
  12. Run terraform output gcs_bucket_tfstate to get your Google Cloud bucket name from Terraform's state.
  13. Copy the backend: 
    cp backend.tf.example backend.tf
  14. Update backend.tf with the name of your Cloud Storage bucket.
  15. Re-run terraform init. When you're prompted, agree to copy state to Cloud Storage.
  16. (Optional) Run terraform apply to verify that state is configured correctly. You should see no changes from the previous state.

Note 1: The stages after 0-bootstrap use terraform_remote_state data source to read common configuration like the organization ID from the output of the 0-bootstrap stage. They will fail if the state is not copied to the Cloud Storage bucket.

Note 2: After the deploy, even if you did not receive the project quota error described in the Troubleshooting guide, we recommend that you request 50 additional projects for the four service accounts created in this step.

Running Terraform locally

If you deploy using Cloud Build, the bucket information is replaced in the state backends as a part of the build process when the build is executed by Cloud Build. If you want to execute Terraform locally, you need to add your Cloud Storage bucket to the backend.tf files. You can update all of these files with the following steps:

  1. Go to the terraform-example-foundation directory.
  2. Run the following command: 
    for i in `find -name 'backend.tf'`; do sed -i 's/UPDATE_ME/GCS_BUCKET_NAME/' $i; done
    where GCS_BUCKET_NAME is the name of your bucket from the steps you ran earlier.

Inputs

Name Description Type Default Required
billing_account The ID of the billing account to associate projects with. string n/a yes
bucket_force_destroy When deleting a bucket, this boolean option will delete all contained objects. If false, Terraform will fail to delete buckets which contain objects. bool false no
bucket_prefix Name prefix to use for state bucket created. string "bkt" no
default_region Default region to create resources where applicable. string "us-central1" no
folder_prefix Name prefix to use for folders created. Should be the same in all steps. string "fldr" no
group_billing_admins Google Group for GCP Billing Administrators string n/a yes
group_org_admins Google Group for GCP Organization Administrators string n/a yes
groups Contain the details of the Groups to be created. 
object({
    create_groups   = bool
    billing_project = string
    required_groups = object({
      group_org_admins           = string
      group_billing_admins       = string
      billing_data_users         = string
      audit_data_users           = string
      monitoring_workspace_users = string
    })
    optional_groups = object({
      gcp_platform_viewer      = string
      gcp_security_reviewer    = string
      gcp_network_viewer       = string
      gcp_scc_admin            = string
      gcp_global_secrets_admin = string
      gcp_audit_viewer         = string
    })
  })
 
{
  "billing_project": "",
  "create_groups": false,
  "optional_groups": {
    "gcp_audit_viewer": "",
    "gcp_global_secrets_admin": "",
    "gcp_network_viewer": "",
    "gcp_platform_viewer": "",
    "gcp_scc_admin": "",
    "gcp_security_reviewer": ""
  },
  "required_groups": {
    "audit_data_users": "",
    "billing_data_users": "",
    "group_billing_admins": "",
    "group_org_admins": "",
    "monitoring_workspace_users": ""
  }
}
 no
initial_group_config Define the group configuration when it are initialized. Valid values are: WITH_INITIAL_OWNER, EMPTY and INITIAL_GROUP_CONFIG_UNSPECIFIED. string "WITH_INITIAL_OWNER" no
org_id GCP Organization ID string n/a yes
org_policy_admin_role Additional Org Policy Admin role for admin group. You can use this for testing purposes. bool false no
org_project_creators Additional list of members to have project creator role across the organization. Prefix of group: user: or serviceAccount: is required. list(string) [] no
parent_folder Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. string "" no
project_prefix Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters. string "prj" no

Outputs

Name Description
cloudbuild_project_id Project where CloudBuild configuration and terraform container image will reside.
common_config Common configuration data to be used in other steps.
csr_repos List of Cloud Source Repos created by the module, linked to Cloud Build triggers.
environment_step_terraform_service_account_email Environment Step Terraform Account
gcs_bucket_cloudbuild_artifacts Bucket used to store Cloud/Build artifacts in CloudBuild project.
gcs_bucket_tfstate Bucket used for storing terraform state for foundations pipelines in seed project.
group_billing_admins Google Group for GCP Billing Administrators.
group_org_admins Google Group for GCP Organization Administrators.
networks_step_terraform_service_account_email Networks Step Terraform Account
optional_groups List of Google Groups created that are optional to the Example Foundation steps.
organization_step_terraform_service_account_email Organization Step Terraform Account
projects_step_terraform_service_account_email Projects Step Terraform Account
required_groups List of Google Groups created that are required by the Example Foundation steps.
seed_project_id Project where service accounts and core APIs will be enabled.
terraform_sa_name Fully qualified name for privileged service account for Terraform.