From 38bc82009d234c420a58b1bdac173dd89ab36b41 Mon Sep 17 00:00:00 2001 From: Michael OBrien Date: Sun, 12 May 2024 16:34:11 -0400 Subject: [PATCH] #387 - 4-p finished - tef 20240511 --- 4-projects/README.md | 38 +++++++++---------- .../business_unit_1/nonproduction/backend.tf | 2 +- .../nonproduction/backend.tf.cloud.example | 2 +- .../business_unit_1/nonproduction/main.tf | 2 +- .../business_unit_2/nonproduction/backend.tf | 2 +- .../nonproduction/backend.tf.cloud.example | 2 +- .../business_unit_2/nonproduction/main.tf | 2 +- 4-projects/modules/base_env/README.md | 2 +- .../example_base_shared_vpc_project.tf | 2 +- .../example_restricted_shared_vpc_project.tf | 2 +- 4-projects/modules/base_env/variables.tf | 2 +- 4-projects/modules/infra_pipelines/main.tf | 2 +- 4-projects/modules/single_project/README.md | 4 +- 4-projects/modules/single_project/main.tf | 4 +- 14 files changed, 34 insertions(+), 34 deletions(-) diff --git a/4-projects/README.md b/4-projects/README.md index ffe92a73..4ff5b54e 100644 --- a/4-projects/README.md +++ b/4-projects/README.md @@ -21,7 +21,7 @@ organizational policy. 2-environments -Sets up development, non-production, and production environments within the +Sets up development, nonproduction, and production environments within the Google Cloud organization that you've created. 
@@ -62,7 +62,7 @@ For each business unit, a shared `infra-pipeline` project is created along with This step follows the same [conventions](https://github.com/terraform-google-modules/terraform-example-foundation#branching-strategy) as the Foundation pipeline deployed in [0-bootstrap](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/0-bootstrap/README.md). A custom [workspace](https://github.com/terraform-google-modules/terraform-google-bootstrap/blob/master/modules/tf_cloudbuild_workspace/README.md) (`bu1-example-app`) is created by this pipeline and necessary roles are granted to the Terraform Service Account of this workspace by enabling variable `sa_roles` as shown in this [example](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/4-projects/modules/base_env/example_base_shared_vpc_project.tf). -This pipeline is utilized to deploy resources in projects across development/non-production/production in step [5-app-infra](../5-app-infra/README.md). +This pipeline is utilized to deploy resources in projects across development/nonproduction/production in step [5-app-infra](../5-app-infra/README.md). Other Workspaces can also be created to isolate deployments if needed. ## Prerequisites 
@@ -118,11 +118,11 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get mv common.auto.example.tfvars common.auto.tfvars mv shared.auto.example.tfvars shared.auto.tfvars mv development.auto.example.tfvars development.auto.tfvars - mv non-production.auto.example.tfvars non-production.auto.tfvars + mv nonproduction.auto.example.tfvars nonproduction.auto.tfvars mv production.auto.example.tfvars production.auto.tfvars ``` -1. See any of the envs folder [README.md](./business_unit_1/production/README.md) files for additional information on the values in the `common.auto.tfvars`, `development.auto.tfvars`, `non-production.auto.tfvars`, and `production.auto.tfvars` files. +1. See any of the envs folder [README.md](./business_unit_1/production/README.md) files for additional information on the values in the `common.auto.tfvars`, `development.auto.tfvars`, `nonproduction.auto.tfvars`, and `production.auto.tfvars` files. 1. See any of the shared folder [README.md](./business_unit_1/shared/README.md) files for additional information on the values in the `shared.auto.tfvars` file. 1. Use `terraform output` to get the backend bucket value from 0-bootstrap output. 
@@ -141,7 +141,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get git commit -m 'Initialize projects repo' ``` -1. You need to manually plan and apply only once the `business_unit_1/shared` and `business_unit_2/shared` environments since `development`, `non-production`, and `production` depend on them. +1. You need to manually plan and apply only once the `business_unit_1/shared` and `business_unit_2/shared` environments since `development`, `nonproduction`, and `production` depend on them. 1. To use the `validate` option of the `tf-wrapper.sh` script, please follow the [instructions](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install) to install the terraform-tools component. 1. Use `terraform output` to get the Cloud Build project ID and the projects step Terraform Service Account from 0-bootstrap output. An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set using the Terraform Service Account to enable impersonation. 
@@ -197,13 +197,13 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get git push origin development ``` -1. After development has been applied, apply non-production. -1. Merge changes to non-production. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), +1. After development has been applied, apply nonproduction. +1. Merge changes to nonproduction. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project. https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID ```bash - git checkout -b non-production - git push origin non-production + git checkout -b nonproduction + git push origin nonproduction ``` 1. Before executing the next step, unset the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` environment variable. 
@@ -238,11 +238,11 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s mv common.auto.example.tfvars common.auto.tfvars mv shared.auto.example.tfvars shared.auto.tfvars mv development.auto.example.tfvars development.auto.tfvars - mv non-production.auto.example.tfvars non-production.auto.tfvars + mv nonproduction.auto.example.tfvars nonproduction.auto.tfvars mv production.auto.example.tfvars production.auto.tfvars ``` -1. See any of the envs folder [README.md](./business_unit_1/production/README.md) files for additional information on the values in the `common.auto.tfvars`, `development.auto.tfvars`, `non-production.auto.tfvars`, and `production.auto.tfvars` files. +1. See any of the envs folder [README.md](./business_unit_1/production/README.md) files for additional information on the values in the `common.auto.tfvars`, `development.auto.tfvars`, `nonproduction.auto.tfvars`, and `production.auto.tfvars` files. See any of the shared folder [README.md](./business_unit_1/shared/README.md) files for additional information on the values in the `shared.auto.tfvars` file. Use `terraform output` to get the remote state bucket (the backend bucket used by previous steps) value from `0-bootstrap` output. 
@@ -253,8 +253,8 @@ See `0-bootstrap` [README-GitHub.md](../0-bootstrap/README-GitHub.md#deploying-s sed -i'' -e "s/REMOTE_STATE_BUCKET/${remote_state_bucket}/" ./common.auto.tfvars ``` -We will now deploy each of our environments(development/production/non-production) using the `tf-wrapper.sh` script. -When using Cloud Build or Jenkins as your CI/CD tool each environment corresponds to a branch is the repository for 4-projects step and only the corresponding environment is applied. Environment shared must be applied first because development, non-production, and production depend on it. +We will now deploy each of our environments(development/production/nonproduction) using the `tf-wrapper.sh` script. +When using Cloud Build or Jenkins as your CI/CD tool each environment corresponds to a branch is the repository for 4-projects step and only the corresponding environment is applied. Environment shared must be applied first because development, nonproduction, and production depend on it. To use the `validate` option of the `tf-wrapper.sh` script, please follow the [instructions](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install) to install the terraform-tools component. 
@@ -306,23 +306,23 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i ./tf-wrapper.sh apply production ``` -1. Run `init` and `plan` and review output for environment non-production. +1. Run `init` and `plan` and review output for environment nonproduction. ```bash - ./tf-wrapper.sh init non-production - ./tf-wrapper.sh plan non-production + ./tf-wrapper.sh init nonproduction + ./tf-wrapper.sh plan nonproduction ``` 1. Run `validate` and check for violations. ```bash - ./tf-wrapper.sh validate non-production $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID} + ./tf-wrapper.sh validate nonproduction $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID} ``` -1. Run `apply` non-production. +1. Run `apply` nonproduction. ```bash - ./tf-wrapper.sh apply non-production + ./tf-wrapper.sh apply nonproduction ``` 1. Run `init` and `plan` and review output for environment development. diff --git a/4-projects/business_unit_1/nonproduction/backend.tf b/4-projects/business_unit_1/nonproduction/backend.tf index 34a8a6e5..7ab917fd 100644 --- a/4-projects/business_unit_1/nonproduction/backend.tf +++ b/4-projects/business_unit_1/nonproduction/backend.tf @@ -17,6 +17,6 @@ terraform { backend "gcs" { bucket = "UPDATE_PROJECTS_BACKEND" - prefix = "terraform/projects/business_unit_1/non-production" + prefix = "terraform/projects/business_unit_1/nonproduction" } } diff --git a/4-projects/business_unit_1/nonproduction/backend.tf.cloud.example b/4-projects/business_unit_1/nonproduction/backend.tf.cloud.example index d9c7fc92..372b0799 100644 --- a/4-projects/business_unit_1/nonproduction/backend.tf.cloud.example +++ b/4-projects/business_unit_1/nonproduction/backend.tf.cloud.example @@ -17,7 +17,7 @@ terraform { cloud { workspaces { - name = "4-bu1-non-production" + name = "4-bu1-nonproduction" } } } diff --git a/4-projects/business_unit_1/nonproduction/main.tf b/4-projects/business_unit_1/nonproduction/main.tf index e2eb3680..b48e1594 100644 
--- a/4-projects/business_unit_1/nonproduction/main.tf +++ b/4-projects/business_unit_1/nonproduction/main.tf @@ -17,7 +17,7 @@ module "env" { source = "../../modules/base_env" - env = "non-production" + env = "nonproduction" business_code = "bu1" business_unit = "business_unit_1" remote_state_bucket = var.remote_state_bucket diff --git a/4-projects/business_unit_2/nonproduction/backend.tf b/4-projects/business_unit_2/nonproduction/backend.tf index d974c9f1..8d75824f 100644 --- a/4-projects/business_unit_2/nonproduction/backend.tf +++ b/4-projects/business_unit_2/nonproduction/backend.tf @@ -17,6 +17,6 @@ terraform { backend "gcs" { bucket = "UPDATE_PROJECTS_BACKEND" - prefix = "terraform/projects/business_unit_2/non-production" + prefix = "terraform/projects/business_unit_2/nonproduction" } } diff --git a/4-projects/business_unit_2/nonproduction/backend.tf.cloud.example b/4-projects/business_unit_2/nonproduction/backend.tf.cloud.example index d102782c..f6921e66 100644 --- a/4-projects/business_unit_2/nonproduction/backend.tf.cloud.example +++ b/4-projects/business_unit_2/nonproduction/backend.tf.cloud.example @@ -17,7 +17,7 @@ terraform { cloud { workspaces { - name = "4-bu2-non-production" + name = "4-bu2-nonproduction" } } } diff --git a/4-projects/business_unit_2/nonproduction/main.tf b/4-projects/business_unit_2/nonproduction/main.tf index 36284bcc..ab157006 100644 --- a/4-projects/business_unit_2/nonproduction/main.tf +++ b/4-projects/business_unit_2/nonproduction/main.tf @@ -17,7 +17,7 @@ module "env" { source = "../../modules/base_env" - env = "non-production" + env = "nonproduction" business_code = "bu2" business_unit = "business_unit_2" remote_state_bucket = var.remote_state_bucket diff --git a/4-projects/modules/base_env/README.md b/4-projects/modules/base_env/README.md index f072bf16..c0d40492 100644 --- a/4-projects/modules/base_env/README.md +++ b/4-projects/modules/base_env/README.md 
@@ -12,7 +12,7 @@ | key\_name | Name to be used for KMS Key | `string` | `"crypto-key-example"` | no | | key\_rotation\_period | Rotation period in seconds to be used for KMS Key | `string` | `"7776000s"` | no | | keyring\_name | Name to be used for KMS Keyring | `string` | `"sample-keyring"` | no | -| kms\_prj\_suffix | Name suffix to use for KMS project created. | `string` | `"env-kms"` | no | +| kms\_prj\_suffix | Name suffix to use for KMS project created. | `string` | `"kms"` | no | | location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no | | location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no | | optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no | diff --git a/4-projects/modules/base_env/example_base_shared_vpc_project.tf b/4-projects/modules/base_env/example_base_shared_vpc_project.tf index 552ad2bd..2b7c5e7b 100644 --- a/4-projects/modules/base_env/example_base_shared_vpc_project.tf +++ b/4-projects/modules/base_env/example_base_shared_vpc_project.tf @@ -21,7 +21,7 @@ module "base_shared_vpc_project" { billing_account = local.billing_account folder_id = google_folder.env_business_unit.name environment = var.env - vpc_type = "base" + vpc = "base" shared_vpc_host_project_id = local.base_host_project_id shared_vpc_subnets = local.base_subnets_self_links project_budget = var.project_budget diff --git a/4-projects/modules/base_env/example_restricted_shared_vpc_project.tf b/4-projects/modules/base_env/example_restricted_shared_vpc_project.tf index b3ca78da..13180b18 100644 --- a/4-projects/modules/base_env/example_restricted_shared_vpc_project.tf +++ b/4-projects/modules/base_env/example_restricted_shared_vpc_project.tf 
@@ -21,7 +21,7 @@ module "restricted_shared_vpc_project" { billing_account = local.billing_account folder_id = google_folder.env_business_unit.name environment = var.env - vpc_type = "restricted" + vpc = "restricted" shared_vpc_host_project_id = local.restricted_host_project_id shared_vpc_subnets = local.restricted_subnets_self_links project_budget = var.project_budget diff --git a/4-projects/modules/base_env/variables.tf b/4-projects/modules/base_env/variables.tf index a1205c4d..25412be4 100644 --- a/4-projects/modules/base_env/variables.tf +++ b/4-projects/modules/base_env/variables.tf @@ -91,7 +91,7 @@ variable "project_budget" { variable "kms_prj_suffix" { description = "Name suffix to use for KMS project created." type = string - default = "env-kms" + default = "kms" } variable "location_kms" { diff --git a/4-projects/modules/infra_pipelines/main.tf b/4-projects/modules/infra_pipelines/main.tf index 0b7b396b..68ffeb47 100644 --- a/4-projects/modules/infra_pipelines/main.tf +++ b/4-projects/modules/infra_pipelines/main.tf @@ -84,7 +84,7 @@ module "tf_workspace" { "_DOCKER_TAG_VERSION_TERRAFORM" = var.terraform_docker_tag_version } - tf_apply_branches = ["development", "non\\-production", "production"] + tf_apply_branches = ["development", "nonproduction", "production"] depends_on = [ google_sourcerepo_repository.app_infra_repo, diff --git a/4-projects/modules/single_project/README.md b/4-projects/modules/single_project/README.md index 92e8d82b..622df0e3 100644 --- a/4-projects/modules/single_project/README.md +++ b/4-projects/modules/single_project/README.md 
@@ -8,7 +8,7 @@ | application\_name | The name of application where GCP resources relate | `string` | n/a | yes | | billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes | | billing\_code | The code that's used to provide chargeback information | `string` | n/a | yes | -| business\_code | The code that describes which business unit owns the project | `string` | `"abcd"` | no | +| business\_code | The code that describes which business unit owns the project | `string` | `"shared"` | no | | enable\_cloudbuild\_deploy | Enable infra deployment using Cloud Build | `bool` | `false` | no | | environment | The environment the single project belongs to | `string` | n/a | yes | | folder\_id | The folder id where project will be created | `string` | n/a | yes | @@ -21,10 +21,10 @@ | secondary\_contact | The secondary email contact for the project | `string` | `""` | no | | shared\_vpc\_host\_project\_id | Shared VPC host project ID | `string` | `""` | no | | shared\_vpc\_subnets | List of the shared vpc subnets self links. | `list(string)` | `[]` | no | +| vpc | The type of VPC to attach the project to. Possible options are none, base or restricted. | `string` | `"none"` | no | | vpc\_service\_control\_attach\_enabled | Whether the project will be attached to a VPC Service Control Perimeter | `bool` | `false` | no | | vpc\_service\_control\_perimeter\_name | The name of a VPC Service Control Perimeter to add the created project to | `string` | `null` | no | | vpc\_service\_control\_sleep\_duration | The duration to sleep in seconds before adding the project to a shared VPC after the project is added to the VPC Service Control Perimeter | `string` | `"5s"` | no | -| vpc\_type | The type of VPC to attach the project to. Possible options are base or restricted. | `string` | `null` | no | ## Outputs diff --git a/4-projects/modules/single_project/main.tf b/4-projects/modules/single_project/main.tf index 765f69c1..fc8b53ff 100644 
--- a/4-projects/modules/single_project/main.tf +++ b/4-projects/modules/single_project/main.tf @@ -51,7 +51,7 @@ module "project" { random_project_id = true random_project_id_length = 4 activate_apis = distinct(concat(var.activate_apis, ["billingbudgets.googleapis.com"])) - name = "${var.project_prefix}-${local.env_code}-${var.business_code}${var.project_suffix}" + name = "${var.project_prefix}-${local.env_code}-${var.business_code}-${var.project_suffix}" org_id = var.org_id billing_account = var.billing_account folder_id = var.folder_id @@ -71,7 +71,7 @@ module "project" { secondary_contact = element(split("@", var.secondary_contact), 0) business_code = var.business_code env_code = local.env_code - vpc_type = var.vpc_type + vpc = var.vpc } budget_alert_pubsub_topic = var.project_budget.alert_pubsub_topic budget_alert_spent_percents = var.project_budget.alert_spent_percents
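Review bot: the rewritten line at `@@ -253` in `4-projects/README.md` still carries two wording errors that should be fixed while it is being touched: "environments(development/production/nonproduction)" needs a space before the parenthesis, and "each environment corresponds to a branch is the repository" should read "a branch in the repository". The branch name the README now tells users to create (`git checkout -b nonproduction`) does match the new `tf_apply_branches` entry in `infra_pipelines/main.tf`, which is the coupling that matters for the named-branch apply described in the same file.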
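Review bot: changing `prefix` from `terraform/projects/business_unit_1/non-production` to `terraform/projects/business_unit_1/nonproduction` in `backend.tf` (and the same for `business_unit_2`) moves the GCS state path, so an existing deployment that runs `terraform init` against the new prefix starts from empty state and the next `apply` tries to create a second copy of every project in the environment. The patch adds no migration step. Add an upgrade note to the README (keep the old prefix in the backend config, run `terraform init -migrate-state` after switching it, or copy the state object to the new prefix first), and say so in the commit message, which currently only reads "4-p finished".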
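Review bot: renaming the Terraform Cloud workspace in `backend.tf.cloud.example` from `4-bu1-non-production` to `4-bu1-nonproduction` (and `4-bu2-...` likewise) has the same effect as the GCS prefix change: the `cloud` block selects a workspace by name, so the existing workspace keeps the state under the old name and the new name resolves to a different, empty workspace. The Terraform Cloud instructions should tell existing users to rename the workspaces before re-running `init`.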
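Review bot: the `env = "nonproduction"` change in both `business_unit_*/nonproduction/main.tf` feeds `var.env`, which `single_project/main.tf` turns into `local.env_code` and embeds in the project `name`; the patch does not show how `env_code` is derived, so confirm that the derivation still yields the same code for `nonproduction` as it did for `non-production`, otherwise every nonproduction project name (and, with `random_project_id = true`, its ID) changes.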
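Review bot: the new default `kms_prj_suffix = "kms"` is reflected consistently in `base_env/README.md` and `base_env/variables.tf`, but it changes the name of the KMS project for every caller that relies on the default, and `single_project/main.tf` builds the project `name` from the suffix with `random_project_id = true`, so a new name means a new project ID and therefore a replacement of the project and the KMS resources created in it rather than an in-place rename. This is a breaking default change and belongs in an upgrade note and in the commit message.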
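Review bot: inserting a `-` between `${var.business_code}` and `${var.project_suffix}` at `@@ -51` in `single_project/main.tf` will produce a double hyphen for any caller whose `project_suffix` already begins with one (the old template had no separator, so a leading hyphen in the suffix was the only way to get a readable name), and unless a fixed `project_id` is passed, `random_project_id = true` derives the project ID from `name`, so a changed name replaces the project. Audit the `project_suffix` values passed from `base_env` and check that `terraform plan` shows no existing project as "must be replaced" before merging.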
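Review bot: `single_project/README.md` now documents `vpc` (default `"none"`) and a new default of `"shared"` for `business_code`, and `single_project/main.tf` reads `var.vpc`, but `4-projects/modules/single_project/variables.tf` is not among the 14 files in the diffstat. Either the declarations changed in another commit, or the module fails `terraform validate` on an undeclared `var.vpc` and the generated README defaults no longer match the code. Confirm the declaration exists with a `validation` block limiting `vpc` to `none`, `base` or `restricted` as the README promises, and that no reference to the removed `vpc_type` remains beyond the two `base_env` example files updated here. The label key rename `vpc_type` to `vpc` at `@@ -71` is an in-place label update, but any log filter, budget or policy keyed on the `vpc_type` label needs the same rename.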
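Review bot: dropping the regex escape (`"non\\-production"` to `"nonproduction"`) in `infra_pipelines/main.tf` is correct now that the branch name contains no hyphen, but `tf_apply_branches` is the list the app-infra pipeline matches pushes against, so repositories created before this change that still carry a `non-production` branch will silently stop receiving `apply` on push. The README's upgrade notes should tell existing users to rename the branch to `nonproduction`.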