From aea1dd913595316fe67e5fa8a18c7482a8e41ee1 Mon Sep 17 00:00:00 2001 
From: Caetano Colin <164910343+caetano-colin@users.noreply.github.com> Date: Tue, 10 Sep 2024 16:59:25 -0300 Subject: [PATCH] fix: adjusting deploy on foundation docs, cleaning files and 5-appinfra docs (#65) * update * update docs * update docs * terraform fmt * add missing statement * add missing instruction * update run terraform locally * update path * update cd out of repo * allow changing kms key name * terraform fmt and generate docs * update project_id -> project_name * updating doc * rephrase * small fixes for READMEs * rename non-production to nonproduction, add dry-run configs * update to foundation v4.1.0 * update header --------- Co-authored-by: Renato Rudnicki --- 0-bootstrap/README.md | 1 + 1-org/README.md | 3 + 1-org/envs/shared/ml_key_rings.tf | 2 +- 2-environments/README.md | 14 +- 3-networks-dual-svpc/README.md | 2 + 4-projects/README.md | 3 + 5-app-infra/README.md | 118 ++++-- 5-app-infra/modules/service_catalog/locals.tf | 21 - 5-app-infra/modules/service_catalog/main.tf | 7 +- .../ml_business_unit/shared/README.md | 1 - .../ml_business_unit/shared/README.md | 1 + .../modules/artifact_registry/README.md | 1 + .../modules/artifact_registry/data.tf | 2 +- .../modules/artifact_registry/locals.tf | 1 + .../modules/artifact_registry/variables.tf | 8 + .../modules/bigquery/README.md | 1 + .../service-catalog/modules/bigquery/data.tf | 2 +- .../modules/bigquery/locals.tf | 1 + .../modules/bigquery/variables.tf | 8 + .../service-catalog/modules/bucket/README.md | 1 + .../service-catalog/modules/bucket/data.tf | 6 +- .../modules/bucket/variables.tf | 8 + .../modules/composer/README.md | 1 + .../service-catalog/modules/composer/data.tf | 2 +- .../modules/composer/locals.tf | 2 + .../modules/composer/variables.tf | 8 + .../modules/metadata/README.md | 1 + .../service-catalog/modules/metadata/data.tf | 6 +- .../modules/metadata/variables.tf | 7 + .../modules/notebook/README.md | 1 + .../service-catalog/modules/notebook/data.tf | 2 +- 
.../modules/notebook/locals.tf | 1 + .../modules/notebook/variables.tf | 8 + .../service-catalog/modules/pubsub/README.md | 1 + .../service-catalog/modules/pubsub/data.tf | 6 +- .../modules/pubsub/variables.tf | 8 + .../service-catalog/modules/secrets/README.md | 1 + .../service-catalog/modules/secrets/data.tf | 2 +- .../service-catalog/modules/secrets/locals.tf | 1 + .../modules/secrets/variables.tf | 8 + .../modules/tensorboard/README.md | 1 + .../modules/tensorboard/data.tf | 5 +- .../modules/tensorboard/variables.tf | 8 + README.md | 8 +- .../ml_business_unit/development/remote.tf | 2 +- .../nonproduction/non-production.auto.tfvars | 1 - .../nonproduction/nonproduction.auto.tfvars | 1 + .../ml_business_unit/nonproduction/remote.tf | 2 +- .../ml_business_unit/production/remote.tf | 2 +- .../ml_business_unit/shared/remote.tf | 2 +- ...vars => nonproduction.auto.example.tfvars} | 0 .../ml_business_unit/shared/README.md | 17 - ....0.0.md => deploy_on_foundation_v4.1.0.md} | 392 ++++++++++-------- 53 files changed, 446 insertions(+), 273 deletions(-) delete mode 120000 docs/assets/terraform/4-projects/ml_business_unit/nonproduction/non-production.auto.tfvars create mode 120000 docs/assets/terraform/4-projects/ml_business_unit/nonproduction/nonproduction.auto.tfvars rename docs/assets/terraform/4-projects/{non-production.auto.example.tfvars => nonproduction.auto.example.tfvars} (100%) delete mode 100644 docs/assets/terraform/5-appinfra/service-catalog-infra-repo/ml_business_unit/shared/README.md rename docs/{deploy_on_foundation_v4.0.0.md => deploy_on_foundation_v4.1.0.md} (90%) diff --git a/0-bootstrap/README.md b/0-bootstrap/README.md index be451956..6ea7739b 100644 --- a/0-bootstrap/README.md +++ b/0-bootstrap/README.md 
@@ -262,6 +262,7 @@ Using GitHub Actions requires manual creation of the GitHub repositories used in git add . git commit -m 'Initialize bootstrap repo' git push --set-upstream origin plan + cd .. ``` 1. Continue with the instructions in the [1-org](../1-org/README.md) step. diff --git a/1-org/README.md b/1-org/README.md index fc1590c7..063d0ded 100644 --- a/1-org/README.md +++ b/1-org/README.md @@ -293,4 +293,7 @@ Before executing the next stages, unset the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` ```bash unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT + +cd ../.. ``` +1. Proceed to the [2-environments](../2-environments/README.md) step. diff --git a/1-org/envs/shared/ml_key_rings.tf b/1-org/envs/shared/ml_key_rings.tf index 588b0840..9fa6751d 100644 --- a/1-org/envs/shared/ml_key_rings.tf +++ b/1-org/envs/shared/ml_key_rings.tf @@ -21,7 +21,7 @@ module "kms_keyring" { keyring_admins = [ "serviceAccount:${local.projects_step_terraform_service_account_email}" ] - project_id = module.org_kms.project_id + project_id = module.common_kms.project_id keyring_regions = var.keyring_regions keyring_name = var.keyring_name } diff --git a/2-environments/README.md b/2-environments/README.md index 0af2973f..132e80e8 100644 --- a/2-environments/README.md +++ b/2-environments/README.md 
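Review bot: `project_id = module.common_kms.project_id` relocates the `kms_keyring` module into a different project than `module.org_kms`, and neither the subject line nor the bullet list of this commit mentions the move. On an already-applied foundation the plan will presumably replace the key ring rather than move it, and Cloud KMS key rings cannot be deleted, so the old ring with its `keyring_admins` grant to the projects-step service account is left behind in the org KMS project while every consumer that looks keys up by ring name (the service-catalog modules use `var.kms_keyring`) has to be re-pointed. A `moved` block cannot express a cross-project change, so this deserves an explicit upgrade note in the `deploy_on_foundation_v4.1.0.md` document this same commit renames, plus a sentence in the description saying why `common_kms` is the right project now.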
@@ -171,7 +171,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get git push origin production ``` -### `N.B.` Read this before continuing further +### Read this before continuing further A logging project will be created in every environment (`development`, `non-production`, `production`) when running this code. This project contains a storage bucket for the purposes of project logging within its respective environment. This requires the `cloud-storage-analytics@google.com` group permissions for the storage bucket. Since foundations has more restricted security measures, a domain restriction constraint is enforced. This restraint will prevent the google cloud-storage-analytics group to be added to any permissions. In order for this terraform code to execute without error, manual intervention must be made to ensure everything applies without issue. @@ -405,7 +405,8 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../0-bootstrap/" output -raw environment_step_terraform_service_account_email) echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} ``` -1. Ensure you [disable The Orginization Policy](#do-this-before-you-push-development-non-production--production) on the `development` folder before continuing further + +1. Ensure you [disable The Organization Policy](#read-this-before-continuing-further) on the `development` folder before continuing further. 1. Run `init` and `plan` and review output for environment development. 
@@ -426,7 +427,7 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i ./tf-wrapper.sh apply development ``` -1. Ensure you [disable The Orginization Policy](#do-this-before-you-push-development-non-production--production) on the `non-production` folder before continuing further +1. Ensure you [disable The Organization Policy](#read-this-before-continuing-further) on the `non-production` folder before continuing further. 1. Run `init` and `plan` and review output for environment non-production. @@ -446,7 +447,8 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i ```bash ./tf-wrapper.sh apply non-production ``` -1. Ensure you [disable The Orginization Policy](#do-this-before-you-push-development-non-production--production) on the `non-production` folder before continuing further + +1. Ensure you [disable The Organization Policy](#read-this-before-continuing-further) on the `non-production` folder before continuing further. 1. Run `init` and `plan` and review output for environment production. @@ -473,4 +475,8 @@ Before executing the next stages, unset the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` ```bash unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT + +cd ../.. ``` + +1. You can now move to the instructions in the network step. To use the [Dual Shared VPC](https://cloud.google.com/architecture/security-foundations/networking#vpcsharedvpc-id7-1-shared-vpc-) network mode go to [3-networks-dual-svpc](../3-networks-dual-svpc/README.md). diff --git a/3-networks-dual-svpc/README.md b/3-networks-dual-svpc/README.md index 17383ac5..9e77eb74 100644 --- a/3-networks-dual-svpc/README.md +++ b/3-networks-dual-svpc/README.md @@ -418,3 +418,5 @@ Before executing the next stages, unset the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` ```bash unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT ``` + +1. You can now move to the instructions in the [4-projects](../4-projects/README.md) step. 
diff --git a/4-projects/README.md b/4-projects/README.md index c84f8b86..cc038b63 100644 --- a/4-projects/README.md +++ b/4-projects/README.md @@ -358,4 +358,7 @@ Before executing the next stages, unset the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` ```bash unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT + +cd ../.. ``` +1. You can now move to the instructions in the [5-app-infra](../5-app-infra/README.md) step. diff --git a/5-app-infra/README.md b/5-app-infra/README.md index a8af7c66..ff835467 100644 --- a/5-app-infra/README.md +++ b/5-app-infra/README.md @@ -416,6 +416,7 @@ The pipeline also listens for changes made to `plan`, `development`, `non-produc ```bash cd service-catalog/ + git checkout -b main cp -RT ../terraform-google-enterprise-genai/5-app-infra/source_repos/service-catalog/ . git add img git commit -m "Add img directory" 
@@ -442,11 +443,23 @@ The pipeline also listens for changes made to `plan`, `development`, `non-produc #### Artifacts Application -1. The next instructions assume that you are at the same level of the `terraform-google-enterprise-genai` folder. Change into `5-app-infra` folder, copy the Terraform wrapper script and ensure it can be executed. +1. Create `ml-artifact-publish` directory at the same level as `terraform-google-enterprise-genai`. + + ```bash + mkdir ml-artifact-publish + ``` + +1. Navigate into the repo, change to non-main branch and copy contents of genAI to new repo. + All subsequent steps assume you are running them from the ml-artifact-publish directory. + If you run them from another directory, adjust your copy paths accordingly. ```bash - cd terraform-google-enterprise-genai/5-app-infra/projects/artifact-publish/ - cp ../../../build/tf-wrapper.sh . + cd ml-artifact-publish/ + + cp -RT ../terraform-google-enterprise-genai/5-app-infra/projects/artifact-publish/ . + cp -R ../terraform-google-enterprise-genai/5-app-infra/modules/ ./modules + cp ../terraform-google-enterprise-genai/build/cloudbuild-tf-* . + cp ../terraform-google-enterprise-genai/build/tf-wrapper.sh . chmod 755 ./tf-wrapper.sh ``` @@ -461,7 +474,7 @@ The pipeline also listens for changes made to `plan`, `development`, `non-produc 1. Use `terraform output` to get the project backend bucket value from 0-bootstrap. ```bash - export remote_state_bucket=$(terraform -chdir="../../../0-bootstrap/" output -raw projects_gcs_bucket_tfstate) + export remote_state_bucket=$(terraform -chdir="../terraform-google-enterprise-genai/0-bootstrap/" output -raw projects_gcs_bucket_tfstate) echo "remote_state_bucket = ${remote_state_bucket}" sed -i "s/REMOTE_STATE_BUCKET/${remote_state_bucket}/" ./common.auto.tfvars ``` 
@@ -474,10 +487,10 @@ The pipeline also listens for changes made to `plan`, `development`, `non-produc member="user:$(gcloud auth list --filter="status=ACTIVE" --format="value(account)")" echo ${member} - project_id=$(terraform -chdir="../../../4-projects/ml_business_unit/shared/" output -raw cloudbuild_project_id) + project_id=$(terraform -chdir="../terraform-google-enterprise-genai/4-projects/ml_business_unit/shared/" output -raw cloudbuild_project_id) echo ${project_id} - terraform_sa=$(terraform -chdir="../../../4-projects/ml_business_unit/shared/" output -json terraform_service_accounts | jq '."ml-artifact-publish"' --raw-output) + terraform_sa=$(terraform -chdir="../terraform-google-enterprise-genai/4-projects/ml_business_unit/shared/" output -json terraform_service_accounts | jq '."ml-artifact-publish"' --raw-output) echo ${terraform_sa} gcloud iam service-accounts add-iam-policy-binding ${terraform_sa} --project ${project_id} --member="${member}" --role="roles/iam.serviceAccountTokenCreator" @@ -486,7 +499,7 @@ The pipeline also listens for changes made to `plan`, `development`, `non-produc 1. Update `backend.tf` with your bucket from the infra pipeline output. ```bash - export backend_bucket=$(terraform -chdir="../../../4-projects/ml_business_unit/shared/" output -json state_buckets | jq '."ml-artifact-publish"' --raw-output) + export backend_bucket=$(terraform -chdir="../terraform-google-enterprise-genai/4-projects/ml_business_unit/shared/" output -json state_buckets | jq '."ml-artifact-publish"' --raw-output) echo "backend_bucket = ${backend_bucket}" for i in `find -name 'backend.tf'`; do sed -i "s/UPDATE_APP_INFRA_BUCKET/${backend_bucket}/" $i; done 
@@ -500,10 +513,10 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i 1. Use `terraform output` to get the Infra Pipeline Project ID from 4-projects output. ```bash - export INFRA_PIPELINE_PROJECT_ID=$(terraform -chdir="../../../4-projects/ml_business_unit/shared/" output -raw cloudbuild_project_id) + export INFRA_PIPELINE_PROJECT_ID=$(terraform -chdir="../terraform-google-enterprise-genai/4-projects/ml_business_unit/shared/" output -raw cloudbuild_project_id) echo ${INFRA_PIPELINE_PROJECT_ID} - export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../../../4-projects/ml_business_unit/shared/" output -json terraform_service_accounts | jq '."ml-artifact-publish"' --raw-output) + export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../terraform-google-enterprise-genai/4-projects/ml_business_unit/shared/" output -json terraform_service_accounts | jq '."ml-artifact-publish"' --raw-output) echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} ``` @@ -517,7 +530,7 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i 1. Run `validate` and check for violations. ```bash - ./tf-wrapper.sh validate shared $(pwd)/../policy-library ${INFRA_PIPELINE_PROJECT_ID} + ./tf-wrapper.sh validate shared $(pwd)/../terraform-google-enterprise-genai/policy-library ${INFRA_PIPELINE_PROJECT_ID} ``` 1. Run `apply` shared. @@ -534,14 +547,12 @@ After executing this stage, unset the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` envir unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT ``` -1. `cd` out of the `artifact-publish`. +1. `cd` out of the repository. ```bash - cd + cd .. ``` -1. Navigate to the project that was output from `${ARTIFACT_PROJECT_ID}` in Google's Cloud Console to view the first run of images being built. - #### Configuring Cloud Source Repository of Artifact Application 1. The next instructions assume that you are at the same level of the `terraform-google-enterprise-genai` folder. 
@@ -586,62 +597,73 @@ unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT #### Service Catalog Configuration -1. The next instructions assume that you are at the same level of the `terraform-google-enterprise-genai` folder. Change into `5-app-infra` folder, copy the Terraform wrapper script and ensure it can be executed. + +1. Create `ml-service-catalog` directory at the same level as `terraform-google-enterprise-genai`. ```bash - cd terraform-google-enterprise-genai/5-app-infra/projects/service-catalog/ - cp ../../../build/tf-wrapper.sh . + mkdir ml-service-catalog + ``` + +1. Navigate into the repo, change to non-main branch and copy contents of foundation to new repo. + All subsequent steps assume you are running them from the ml-service-catalog directory. + If you run them from another directory, adjust your copy paths accordingly. + + ```bash + cd ml-service-catalog + + cp -RT ../terraform-google-enterprise-genai/5-app-infra/projects/service-catalog/ . + cp -R ../terraform-google-enterprise-genai/5-app-infra/modules/ ./modules + cp ../terraform-google-enterprise-genai/build/cloudbuild-tf-* . + cp ../terraform-google-enterprise-genai/build/tf-wrapper.sh . chmod 755 ./tf-wrapper.sh ``` -1. Rename `common.auto.example.tfvars` files to `common.auto.tfvars`. +1. Rename `common.auto.example.tfvars` to `common.auto.tfvars`. ```bash mv common.auto.example.tfvars common.auto.tfvars ``` -1. Update `common.auto.tfvars` file with values from your environment. - -1. Use `terraform output` to get the project backend bucket value from 0-bootstrap. +1. Update the file with values from your environment and 0-bootstrap. See any of the business unit 1 envs folders [README.md](./ml_business_unit/production/README.md) files for additional information on the values in the `common.auto.tfvars` file. 
```bash - export remote_state_bucket=$(terraform -chdir="../../../0-bootstrap/" output -raw projects_gcs_bucket_tfstate) + export remote_state_bucket=$(terraform -chdir="../terraform-google-enterprise-genai/0-bootstrap/" output -raw projects_gcs_bucket_tfstate) echo "remote_state_bucket = ${remote_state_bucket}" sed -i "s/REMOTE_STATE_BUCKET/${remote_state_bucket}/" ./common.auto.tfvars ``` -1. Provide the user that will be running `./tf-wrapper.sh` the Service Account Token Creator role to the ml Terraform service account. - -1. Provide the user permissions to run the terraform locally with the `serviceAccountTokenCreator` permission. +1. Update `backend.tf` with your bucket from the infra pipeline output. ```bash - member="user:$(gcloud auth list --filter="status=ACTIVE" --format="value(account)")" - echo ${member} - - project_id=$(terraform -chdir="../../../4-projects/ml_business_unit/shared/" output -raw cloudbuild_project_id) - echo ${project_id} - - terraform_sa=$(terraform -chdir="../../../4-projects/ml_business_unit/shared/" output -json terraform_service_accounts | jq '."ml-service-catalog"' --raw-output) - echo ${terraform_sa} + export backend_bucket=$(terraform -chdir="../terraform-google-enterprise-genai/4-projects/ml_business_unit/shared/" output -json state_buckets | jq '."ml-service-catalog"' --raw-output) + echo "backend_bucket = ${backend_bucket}" - gcloud iam service-accounts add-iam-policy-binding ${terraform_sa} --project ${project_id} --member="${member}" --role="roles/iam.serviceAccountTokenCreator" + for i in `find -name 'backend.tf'`; do sed -i "s/UPDATE_APP_INFRA_BUCKET/${backend_bucket}/" $i; done ``` 1. Update the `log_bucket` variable with the value of the `logs_export_storage_bucket_name`. 
- ```bash - export log_bucket=$(terraform -chdir="../gcp-org/envs/shared" output -raw logs_export_storage_bucket_name) + ```bash + export log_bucket=$(terraform -chdir="../terraform-google-enterprise-genai/1-org/envs/shared" output -raw logs_export_storage_bucket_name) echo "log_bucket = ${log_bucket}" sed -i "s/REPLACE_LOG_BUCKET/${log_bucket}/" ./common.auto.tfvars ``` -1. Update `backend.tf` with your bucket from the infra pipeline output. +1. Provide the user permissions to run the terraform locally with the `serviceAccountTokenCreator` permission. ```bash - export backend_bucket=$(terraform -chdir="../../../4-projects/ml_business_unit/shared/" output -json state_buckets | jq '."ml-service-catalog"' --raw-output) - echo "backend_bucket = ${backend_bucket}" + (cd ../terraform-google-enterprise-genai/4-projects && ./tf-wrapper.sh init shared) - for i in `find -name 'backend.tf'`; do sed -i "s/UPDATE_APP_INFRA_BUCKET/${backend_bucket}/" $i; done + member="user:$(gcloud auth list --filter="status=ACTIVE" --format="value(account)")" + echo ${member} + + project_id=$(terraform -chdir="../terraform-google-enterprise-genai/4-projects/ml_business_unit/shared/" output -raw cloudbuild_project_id) + echo ${project_id} + + terraform_sa=$(terraform -chdir="../terraform-google-enterprise-genai/4-projects/ml_business_unit/shared/" output -json terraform_service_accounts | jq '."ml-service-catalog"' --raw-output) + echo ${terraform_sa} + + gcloud iam service-accounts add-iam-policy-binding ${terraform_sa} --project ${project_id} --member="${member}" --role="roles/iam.serviceAccountTokenCreator" ``` We will now deploy each of our environments (development/production/non-production) using this script. 
@@ -652,10 +674,10 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i 1. Use `terraform output` to get the Infra Pipeline Project ID from 4-projects output. ```bash - export INFRA_PIPELINE_PROJECT_ID=$(terraform -chdir="../../../4-projects/ml_business_unit/shared/" output -raw cloudbuild_project_id) + export INFRA_PIPELINE_PROJECT_ID=$(terraform -chdir="../terraform-google-enterprise-genai/4-projects/ml_business_unit/shared/" output -raw cloudbuild_project_id) echo ${INFRA_PIPELINE_PROJECT_ID} - export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../../../4-projects/ml_business_unit/shared/" output -json terraform_service_accounts | jq '."ml-service-catalog"' --raw-output) + export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../terraform-google-enterprise-genai/4-projects/ml_business_unit/shared/" output -json terraform_service_accounts | jq '."ml-service-catalog"' --raw-output) echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} ``` @@ -669,7 +691,7 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i 1. Run `validate` and check for violations. ```bash - ./tf-wrapper.sh validate shared $(pwd)/../policy-library ${INFRA_PIPELINE_PROJECT_ID} + ./tf-wrapper.sh validate shared $(pwd)/../terraform-google-enterprise-genai/policy-library ${INFRA_PIPELINE_PROJECT_ID} ``` 1. Run `apply` shared. @@ -686,6 +708,12 @@ After executing this stage, unset the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` envir unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT ``` +1. `cd` out of the repository. + + ```bash + cd .. + ``` + #### Configuring Cloud Source Repository of Service Catalog Solutions Pipeline 1. The next instructions assume that you are at the same level of the `terraform-google-enterprise-genai` folder 
@@ -729,4 +757,6 @@ After executing this stage, unset the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` envir
cd ..
```

-1. Navigate to the project that was output from `${ARTIFACT_PROJECT_ID}` in Google's Cloud Console to view the first run of images being built.
+1. Navigate to the project that was output from `${SERVICE_CATALOG_PROJECT_ID}` in Google's Cloud Console to view the first run of images being built.
+
+https://console.cloud.google.com/cloud-build/builds;region=us-central1?orgonly=true&project=${SERVICE_CATALOG_PROJECT_ID}&supportedpurview=project
diff --git a/5-app-infra/modules/service_catalog/locals.tf b/5-app-infra/modules/service_catalog/locals.tf
index 5f9d6b26..6c175ec3 100644
--- a/5-app-infra/modules/service_catalog/locals.tf
+++ b/5-app-infra/modules/service_catalog/locals.tf
@@ -19,25 +19,4 @@ locals {
current_user_domain = split("@", local.current_user_email)[1]
current_member = strcontains(local.current_user_domain, "iam.gserviceaccount.com") ? "serviceAccount:${local.current_user_email}" : "user:${local.current_user_email}"
log_bucket_prefix = "bkt"
- bucket_permissions = {
-
- "roles/storage.admin" = [
- google_service_account.trigger_sa.member,
- ],
- "roles/storage.legacyObjectReader" = [
- "serviceAccount:${var.machine_learning_project_number}@cloudbuild.gserviceaccount.com",
- ],
- }
-
- bucket_roles = flatten([
- for role in keys(local.bucket_permissions) : [
- for sa in local.bucket_permissions[role] :
- {
- role = role
- acct = sa
- }
- ]
- ])
}
-
-
@@ -53,10 +53,9 @@ resource "google_storage_bucket" "bucket" {
}

resource "google_storage_bucket_iam_member" "bucket_role" {
- for_each = { for gcs in local.bucket_roles : "${gcs.role}-${gcs.acct}" => gcs }
- bucket = google_storage_bucket.bucket.name
- role = each.value.role
- member = each.value.acct
+ bucket = google_storage_bucket.bucket.name
+ role = "roles/storage.admin"
+ member = google_service_account.trigger_sa.member
}

resource "google_sourcerepo_repository_iam_member" "read" {
diff --git a/5-app-infra/projects/artifact-publish/ml_business_unit/shared/README.md b/5-app-infra/projects/artifact-publish/ml_business_unit/shared/README.md
index 210f623d..c255b2ef 100644
--- a/5-app-infra/projects/artifact-publish/ml_business_unit/shared/README.md
+++ b/5-app-infra/projects/artifact-publish/ml_business_unit/shared/README.md
@@ -4,7 +4,6 @@
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| instance\_region | The region where compute instance will be created. A subnetwork must exists in the instance region. | `string` | n/a | yes |
-| log\_bucket | Log bucket to be used by Service Catalog Bucket | `string` | n/a | yes |
| remote\_state\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes |

## Outputs
diff --git a/5-app-infra/projects/service-catalog/ml_business_unit/shared/README.md b/5-app-infra/projects/service-catalog/ml_business_unit/shared/README.md
index 849fc76c..55c6e6bb 100644
--- a/5-app-infra/projects/service-catalog/ml_business_unit/shared/README.md
+++ b/5-app-infra/projects/service-catalog/ml_business_unit/shared/README.md
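Review bot: The rewritten `bucket_role` keeps only `roles/storage.admin` for `google_service_account.trigger_sa.member` and silently drops the `roles/storage.legacyObjectReader` binding that `locals.tf` used to give `serviceAccount:${var.machine_learning_project_number}@cloudbuild.gserviceaccount.com`; the commit description does not mention this IAM change. If the builds that read this bucket run as `trigger_sa` the removal is a good least-privilege tightening, but any trigger still using the project-default Cloud Build service account will now fail with a permission error on the bucket, so please confirm which identity the triggers use and record it in the description. `roles/storage.admin` also lets `trigger_sa` rewrite the bucket's own IAM policy; if the account only reads and writes objects, `role = "roles/storage.objectAdmin"` is the narrower grant. With the binding gone, `var.machine_learning_project_number` may now be unused in this module, and since `for_each` was removed the existing keyed instance will be destroyed and recreated in the plan (harmless for a binding, but worth calling out).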
@@ -4,6 +4,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | instance\_region | The region where compute instance will be created. A subnetwork must exists in the instance region. | `string` | n/a | yes | +| log\_bucket | Log bucket to be used by Service Catalog Bucket | `string` | n/a | yes | | remote\_state\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | ## Outputs diff --git a/5-app-infra/source_repos/service-catalog/modules/artifact_registry/README.md b/5-app-infra/source_repos/service-catalog/modules/artifact_registry/README.md index 455f824f..90bb9bc5 100644 --- a/5-app-infra/source_repos/service-catalog/modules/artifact_registry/README.md +++ b/5-app-infra/source_repos/service-catalog/modules/artifact_registry/README.md @@ -63,6 +63,7 @@ No outputs. | cleanup\_policy\_dry\_run | Whether to perform a dry run of the cleanup policy. | `bool` | `false` | no | | description | Description of the repository. | `string` | `""` | no | | format | Format of the repository. | `string` | `"DOCKER"` | no | +| kms\_key\_name | The KMS key to be used on the keyring, if not specified will use the default key created in 4-projects step" | `string` | `""` | no | | kms\_keyring | The KMS keyring that will be used when selecting the KMS key, preferably this should be on the same region as the other resources and the same environment.
This value can be obtained by running "gcloud kms keyrings list --project=KMS\_PROJECT\_ID --location=REGION." | `string` | n/a | yes | | name | Name of the repository. | `string` | n/a | yes | | project\_id | Project ID. | `string` | n/a | yes | diff --git a/5-app-infra/source_repos/service-catalog/modules/artifact_registry/data.tf b/5-app-infra/source_repos/service-catalog/modules/artifact_registry/data.tf index 72555a5b..77a8f2ef 100644 --- a/5-app-infra/source_repos/service-catalog/modules/artifact_registry/data.tf +++ b/5-app-infra/source_repos/service-catalog/modules/artifact_registry/data.tf @@ -19,6 +19,6 @@ data "google_project" "project" { } data "google_kms_crypto_key" "key" { - name = data.google_project.project.name + name = local.key_name key_ring = var.kms_keyring } diff --git a/5-app-infra/source_repos/service-catalog/modules/artifact_registry/locals.tf b/5-app-infra/source_repos/service-catalog/modules/artifact_registry/locals.tf index 8b98b2db..3b1d2fb3 100644 --- a/5-app-infra/source_repos/service-catalog/modules/artifact_registry/locals.tf +++ b/5-app-infra/source_repos/service-catalog/modules/artifact_registry/locals.tf @@ -19,4 +19,5 @@ locals { "us-central1" = "usc1" "us-east4" = "use4" } + key_name = var.kms_key_name == "" ? data.google_project.project.name : var.kms_key_name } diff --git a/5-app-infra/source_repos/service-catalog/modules/artifact_registry/variables.tf b/5-app-infra/source_repos/service-catalog/modules/artifact_registry/variables.tf index 8b5241b5..4603c6c9 100644 --- a/5-app-infra/source_repos/service-catalog/modules/artifact_registry/variables.tf +++ b/5-app-infra/source_repos/service-catalog/modules/artifact_registry/variables.tf 
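Review bot: `key_name = var.kms_key_name == "" ? data.google_project.project.name : var.kms_key_name` is repeated verbatim across the service-catalog modules touched here (artifact_registry, bigquery, bucket, composer, metadata, notebook, pubsub, secrets, tensorboard per the diffstat), and judging from the diffstat it lives in `locals.tf` in some modules but in `data.tf` in `bucket`, `metadata`, `pubsub` and `tensorboard`; pick one file so the nine copies stay recognisably the same when the fallback changes. The empty-string sentinel passes `null` straight through if a caller sets `kms_key_name = null`, which then fails inside `data "google_kms_crypto_key"`; `key_name = coalesce(var.kms_key_name, data.google_project.project.name)` handles both `null` and `""`, or add `nullable = false` to the variable. The generated README row for `kms_key_name` ends with a stray double quote (`...created in 4-projects step"`), which presumably comes from the heredoc description in `variables.tf`, so fix it there and regenerate rather than editing the table.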
@@ -91,3 +91,11 @@ The KMS keyring that will be used when selecting the KMS key, preferably this sh This value can be obtained by running "gcloud kms keyrings list --project=KMS_PROJECT_ID --location=REGION." EOF } + +variable "kms_key_name" { + type = string + description = <This value can be obtained by running "gcloud kms keyrings list --project=KMS\_PROJECT\_ID --location=REGION." | `string` | n/a | yes | | project\_id | Project ID. | `string` | n/a | yes | | region | The resource region, one of [us-central1, us-east4]. | `string` | `"us-central1"` | no | diff --git a/5-app-infra/source_repos/service-catalog/modules/bigquery/data.tf b/5-app-infra/source_repos/service-catalog/modules/bigquery/data.tf index b45bc6cd..a5282c33 100644 --- a/5-app-infra/source_repos/service-catalog/modules/bigquery/data.tf +++ b/5-app-infra/source_repos/service-catalog/modules/bigquery/data.tf @@ -19,6 +19,6 @@ data "google_project" "project" { } data "google_kms_crypto_key" "key" { - name = data.google_project.project.name + name = local.key_name key_ring = var.kms_keyring } diff --git a/5-app-infra/source_repos/service-catalog/modules/bigquery/locals.tf b/5-app-infra/source_repos/service-catalog/modules/bigquery/locals.tf index af32650b..1bede7f4 100644 --- a/5-app-infra/source_repos/service-catalog/modules/bigquery/locals.tf +++ b/5-app-infra/source_repos/service-catalog/modules/bigquery/locals.tf @@ -17,4 +17,5 @@ locals { project_hash = substr(sha256(data.google_project.project.project_id), 0, 6) name_var = "bq-${var.dataset_id}-${data.google_project.project.labels.env_code}-${local.project_hash}" + key_name = var.kms_key_name == "" ? data.google_project.project.name : var.kms_key_name } diff --git a/5-app-infra/source_repos/service-catalog/modules/bigquery/variables.tf b/5-app-infra/source_repos/service-catalog/modules/bigquery/variables.tf index 699817d4..2c16d91e 100644 --- a/5-app-infra/source_repos/service-catalog/modules/bigquery/variables.tf 
+++ b/5-app-infra/source_repos/service-catalog/modules/bigquery/variables.tf @@ -71,3 +71,11 @@ The KMS keyring that will be used when selecting the KMS key, preferably this sh This value can be obtained by running "gcloud kms keyrings list --project=KMS_PROJECT_ID --location=REGION." EOF } + +variable "kms_key_name" { + type = string + description = <This value can be obtained by running "gcloud kms keyrings list --project=KMS\_PROJECT\_ID --location=REGION." | `string` | n/a | yes | | labels | Labels to be attached to the buckets. | `map(string)` |
{
"classification": "dataclassification",
"label": "samplelabel",
"owner": "testowner"
}
| no | | lifecycle\_rules | List of lifecycle rules to configure. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket.html#lifecycle_rule except condition.matches\_storage\_class should be a comma delimited string. |
set(object({
# Object with keys:
# - type - The type of the action of this Lifecycle Rule. Supported values: Delete and SetStorageClass.
# - storage_class - (Required if action type is SetStorageClass) The target Storage Class of objects affected by this Lifecycle Rule.
action = map(string)

# Object with keys:
# - age - (Optional) Minimum age of an object in days to satisfy this condition.
# - created_before - (Optional) Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.
# - with_state - (Optional) Match to live and/or archived objects. Supported values include: "LIVE", "ARCHIVED", "ANY".
# - matches_storage_class - (Optional) Comma delimited string for storage class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL.
# - num_newer_versions - (Optional) Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition.
# - custom_time_before - (Optional) A date in the RFC 3339 format YYYY-MM-DD. This condition is satisfied when the customTime metadata for the object is set to an earlier date than the date used in this lifecycle condition.
# - days_since_custom_time - (Optional) The number of days from the Custom-Time metadata attribute after which this condition becomes true.
# - days_since_noncurrent_time - (Optional) Relevant only for versioned objects. Number of days elapsed since the noncurrent timestamp of an object.
# - noncurrent_time_before - (Optional) Relevant only for versioned objects. The date in RFC 3339 (e.g. 2017-06-13) when the object became nonconcurrent.
condition = map(string)
}))
|
[
{
"action": {
"storage_class": "NEARLINE",
"type": "SetStorageClass"
},
"condition": {
"age": "30",
"matches_storage_class": "REGIONAL"
}
},
{
"action": {
"type": "Delete"
},
"condition": {
"with_state": "ARCHIVED"
}
}
]
| no | diff --git a/5-app-infra/source_repos/service-catalog/modules/bucket/data.tf b/5-app-infra/source_repos/service-catalog/modules/bucket/data.tf index b45bc6cd..e80821b9 100644 --- a/5-app-infra/source_repos/service-catalog/modules/bucket/data.tf +++ b/5-app-infra/source_repos/service-catalog/modules/bucket/data.tf @@ -14,11 +14,15 @@ * limitations under the License. */ +locals { + key_name = var.kms_key_name == "" ? data.google_project.project.name : var.kms_key_name +} + data "google_project" "project" { project_id = var.project_id } data "google_kms_crypto_key" "key" { - name = data.google_project.project.name + name = local.key_name key_ring = var.kms_keyring } diff --git a/5-app-infra/source_repos/service-catalog/modules/bucket/variables.tf b/5-app-infra/source_repos/service-catalog/modules/bucket/variables.tf index 788b192a..91776268 100644 --- a/5-app-infra/source_repos/service-catalog/modules/bucket/variables.tf +++ b/5-app-infra/source_repos/service-catalog/modules/bucket/variables.tf @@ -196,3 +196,11 @@ variable "log_bucket" { type = string description = "Bucket to store logs from the created bucket. This is the Env-level Log Bucket creted on 2-environments." } + +variable "kms_key_name" { + type = string + description = <This value can be obtained by running "gcloud kms keyrings list --project=KMS\_PROJECT\_ID --location=REGION." | `string` | n/a | yes | | labels | The resource labels (a map of key/value pairs) to be applied to the Cloud Composer. | `map(string)` | `{}` | no | | maintenance\_window | The configuration settings for Cloud Composer maintenance window. |
object({
start_time = string
end_time = string
recurrence = string
})
|
{
"end_time": "2021-01-01T13:00:00Z",
"recurrence": "FREQ=WEEKLY;BYDAY=SU",
"start_time": "2021-01-01T01:00:00Z"
}
| no | diff --git a/5-app-infra/source_repos/service-catalog/modules/composer/data.tf b/5-app-infra/source_repos/service-catalog/modules/composer/data.tf index bbf89bd8..e7e7a9e6 100644 --- a/5-app-infra/source_repos/service-catalog/modules/composer/data.tf +++ b/5-app-infra/source_repos/service-catalog/modules/composer/data.tf @@ -32,7 +32,7 @@ data "google_project" "project" { } data "google_kms_crypto_key" "key" { - name = data.google_project.project.name + name = local.key_name key_ring = var.kms_keyring } diff --git a/5-app-infra/source_repos/service-catalog/modules/composer/locals.tf b/5-app-infra/source_repos/service-catalog/modules/composer/locals.tf index d23e6170..99d77aea 100644 --- a/5-app-infra/source_repos/service-catalog/modules/composer/locals.tf +++ b/5-app-infra/source_repos/service-catalog/modules/composer/locals.tf @@ -69,4 +69,6 @@ locals { tags = var.region == "us-central1" ? ["composer-usc1"] : ["composer-use4"] github_repository = replace(var.github_remote_uri, "https://", "") + + key_name = var.kms_key_name == "" ? data.google_project.project.name : var.kms_key_name } diff --git a/5-app-infra/source_repos/service-catalog/modules/composer/variables.tf b/5-app-infra/source_repos/service-catalog/modules/composer/variables.tf index b4497a15..8f6f1cbc 100644 --- a/5-app-infra/source_repos/service-catalog/modules/composer/variables.tf +++ b/5-app-infra/source_repos/service-catalog/modules/composer/variables.tf @@ -136,3 +136,11 @@ The KMS keyring that will be used when selecting the KMS key, preferably this sh This value can be obtained by running "gcloud kms keyrings list --project=KMS_PROJECT_ID --location=REGION." EOF } + +variable "kms_key_name" { + type = string + description = <This value can be obtained by running "gcloud kms keyrings list --project=KMS\_PROJECT\_ID --location=REGION." | `string` | n/a | yes | | name | The name of the metadata store instance. | `string` | n/a | yes | | project\_id | Project ID. | `string` | n/a | yes | 
diff --git a/5-app-infra/source_repos/service-catalog/modules/metadata/data.tf b/5-app-infra/source_repos/service-catalog/modules/metadata/data.tf index f91fceb6..0448f649 100644 --- a/5-app-infra/source_repos/service-catalog/modules/metadata/data.tf +++ b/5-app-infra/source_repos/service-catalog/modules/metadata/data.tf @@ -14,12 +14,16 @@ * limitations under the License. */ +locals { + key_name = var.kms_key_name == "" ? data.google_project.project.name : var.kms_key_name +} + data "google_project" "project" { project_id = var.project_id } data "google_kms_crypto_key" "key" { - name = data.google_project.project.name + name = local.key_name key_ring = var.kms_keyring } diff --git a/5-app-infra/source_repos/service-catalog/modules/metadata/variables.tf b/5-app-infra/source_repos/service-catalog/modules/metadata/variables.tf index 65be58f8..772058ea 100644 --- a/5-app-infra/source_repos/service-catalog/modules/metadata/variables.tf +++ b/5-app-infra/source_repos/service-catalog/modules/metadata/variables.tf @@ -42,3 +42,10 @@ This value can be obtained by running "gcloud kms keyrings list --project=KMS_PR EOF } +variable "kms_key_name" { + type = string + description = < This value can be obtained by running "gcloud kms keyrings list --project=KMS\_PROJECT\_ID --location=REGION". | `string` | n/a | yes | | location | Notebook instance location (zone). | `string` | `"us-central1-a"` | no | | machine\_type | Type of the machine to spin up for the notebook. | `string` | `"e2-standard-4"` | no | diff --git a/5-app-infra/source_repos/service-catalog/modules/notebook/data.tf b/5-app-infra/source_repos/service-catalog/modules/notebook/data.tf index 8a245691..27610bff 100644 --- a/5-app-infra/source_repos/service-catalog/modules/notebook/data.tf +++ b/5-app-infra/source_repos/service-catalog/modules/notebook/data.tf 
@@ -30,7 +30,7 @@ data "google_compute_subnetwork" "subnet" { } data "google_kms_crypto_key" "key" { - name = data.google_project.project.name + name = local.key_name key_ring = var.kms_keyring } diff --git a/5-app-infra/source_repos/service-catalog/modules/notebook/locals.tf b/5-app-infra/source_repos/service-catalog/modules/notebook/locals.tf index cdfed661..5dc83ebf 100644 --- a/5-app-infra/source_repos/service-catalog/modules/notebook/locals.tf +++ b/5-app-infra/source_repos/service-catalog/modules/notebook/locals.tf @@ -17,4 +17,5 @@ locals { name_var = format("%s-%s", data.google_project.project.labels.env_code, var.name) region = substr(var.location, 0, length(var.location) - 2) + key_name = var.kms_key_name == "" ? data.google_project.project.name : var.kms_key_name } diff --git a/5-app-infra/source_repos/service-catalog/modules/notebook/variables.tf b/5-app-infra/source_repos/service-catalog/modules/notebook/variables.tf index cb8c8d4a..9b5fb3b2 100644 --- a/5-app-infra/source_repos/service-catalog/modules/notebook/variables.tf +++ b/5-app-infra/source_repos/service-catalog/modules/notebook/variables.tf @@ -154,3 +154,11 @@ variable "vpc_project" { This value can be obtained by running "gcloud projects list --filter='labels.application_name:restricted-shared-vpc-host lifecycleState:ACTIVE'" and selecting the project. EOF } + +variable "kms_key_name" { + type = string + description = <This value can be obtained by running "gcloud kms keyrings list --project=KMS\_PROJECT\_ID --location=REGION." | `string` | n/a | yes | | locked\_regions | Regions that Pub/Sub persistence is locked to. | `list(any)` |
[
"us-central1",
"us-east4"
]
| no | | message\_retention\_duration | Message retention duration. | `string` | `"86400s"` | no | diff --git a/5-app-infra/source_repos/service-catalog/modules/pubsub/data.tf b/5-app-infra/source_repos/service-catalog/modules/pubsub/data.tf index b45bc6cd..e80821b9 100644 --- a/5-app-infra/source_repos/service-catalog/modules/pubsub/data.tf +++ b/5-app-infra/source_repos/service-catalog/modules/pubsub/data.tf @@ -14,11 +14,15 @@ * limitations under the License. */ +locals { + key_name = var.kms_key_name == "" ? data.google_project.project.name : var.kms_key_name +} + data "google_project" "project" { project_id = var.project_id } data "google_kms_crypto_key" "key" { - name = data.google_project.project.name + name = local.key_name key_ring = var.kms_keyring } diff --git a/5-app-infra/source_repos/service-catalog/modules/pubsub/variables.tf b/5-app-infra/source_repos/service-catalog/modules/pubsub/variables.tf index 4cab7a21..b6bbc0c0 100644 --- a/5-app-infra/source_repos/service-catalog/modules/pubsub/variables.tf +++ b/5-app-infra/source_repos/service-catalog/modules/pubsub/variables.tf @@ -56,3 +56,11 @@ The KMS keyring that will be used when selecting the KMS key, preferably this sh This value can be obtained by running "gcloud kms keyrings list --project=KMS_PROJECT_ID --location=REGION." EOF } + +variable "kms_key_name" { + type = string + description = <This value can be obtained by running "gcloud kms keyrings list --project=KMS\_PROJECT\_ID --location=REGION." | `string` | n/a | yes | | project\_id | Project ID. | `string` | n/a | yes | | region | The resource region, one of [us-central1, us-east4]. | `string` | `"us-central1"` | no | diff --git a/5-app-infra/source_repos/service-catalog/modules/secrets/data.tf b/5-app-infra/source_repos/service-catalog/modules/secrets/data.tf index 00eb5b9c..38f340dc 100644 --- a/5-app-infra/source_repos/service-catalog/modules/secrets/data.tf +++ b/5-app-infra/source_repos/service-catalog/modules/secrets/data.tf 
@@ -19,7 +19,7 @@ data "google_project" "project" { } data "google_kms_crypto_key" "key" { - name = data.google_project.project.name + name = local.key_name key_ring = var.kms_keyring } diff --git a/5-app-infra/source_repos/service-catalog/modules/secrets/locals.tf b/5-app-infra/source_repos/service-catalog/modules/secrets/locals.tf index f464e4ce..d35b2dac 100644 --- a/5-app-infra/source_repos/service-catalog/modules/secrets/locals.tf +++ b/5-app-infra/source_repos/service-catalog/modules/secrets/locals.tf @@ -17,4 +17,5 @@ locals { key_location = element(split("/", var.kms_keyring), 3) pubsub_topic_name = "secret-rotation-notifications" + key_name = var.kms_key_name == "" ? data.google_project.project.name : var.kms_key_name } diff --git a/5-app-infra/source_repos/service-catalog/modules/secrets/variables.tf b/5-app-infra/source_repos/service-catalog/modules/secrets/variables.tf index 42275d76..51555aec 100644 --- a/5-app-infra/source_repos/service-catalog/modules/secrets/variables.tf +++ b/5-app-infra/source_repos/service-catalog/modules/secrets/variables.tf @@ -41,3 +41,11 @@ The KMS keyring that will be used when selecting the KMS key, preferably this sh This value can be obtained by running "gcloud kms keyrings list --project=KMS_PROJECT_ID --location=REGION." EOF } + +variable "kms_key_name" { + type = string + description = <This value can be obtained by running "gcloud kms keyrings list --project=KMS\_PROJECT\_ID --location=REGION." | `string` | n/a | yes | | name | The name of the tensorboard. | `string` | n/a | yes | | project\_id | Project ID. | `string` | n/a | yes | diff --git a/5-app-infra/source_repos/service-catalog/modules/tensorboard/data.tf b/5-app-infra/source_repos/service-catalog/modules/tensorboard/data.tf index fc37f8dd..e80821b9 100644 --- a/5-app-infra/source_repos/service-catalog/modules/tensorboard/data.tf +++ b/5-app-infra/source_repos/service-catalog/modules/tensorboard/data.tf 
@@ -14,12 +14,15 @@ * limitations under the License. */ +locals { + key_name = var.kms_key_name == "" ? data.google_project.project.name : var.kms_key_name +} data "google_project" "project" { project_id = var.project_id } data "google_kms_crypto_key" "key" { - name = data.google_project.project.name + name = local.key_name key_ring = var.kms_keyring } diff --git a/5-app-infra/source_repos/service-catalog/modules/tensorboard/variables.tf b/5-app-infra/source_repos/service-catalog/modules/tensorboard/variables.tf index 1d1c8a4c..740723e5 100644 --- a/5-app-infra/source_repos/service-catalog/modules/tensorboard/variables.tf +++ b/5-app-infra/source_repos/service-catalog/modules/tensorboard/variables.tf @@ -41,3 +41,11 @@ The KMS keyring that will be used when selecting the KMS key, preferably this sh This value can be obtained by running "gcloud kms keyrings list --project=KMS_PROJECT_ID --location=REGION." EOF } + +variable "kms_key_name" { + type = string + description = < NOTE: If the user currently does not have a Enterprise Foundations Blueprint deployed, he can follow the steps outlined in [terraform-example-foundation v4.0.0](https://github.com/terraform-google-modules/terraform-example-foundation/tree/v4.0.0) to deploy it. +- Deploy the codebase on top of an existing Enterprise Foundations Blueprint instance by following the steps detailed in [`docs/deploy_on_foundation_v4.1.0.md`](./docs/deploy_on_foundation_v4.1.0.md). + > NOTE: If the user currently does not have a Enterprise Foundations Blueprint deployed, he can follow the steps outlined in [terraform-example-foundation v4.1.0](https://github.com/terraform-google-modules/terraform-example-foundation/tree/v4.1.0) to deploy it. ## Main Modifications made to Enterprise Foundations Blueprint diff --git a/docs/assets/terraform/4-projects/ml_business_unit/development/remote.tf b/docs/assets/terraform/4-projects/ml_business_unit/development/remote.tf index 19fd1ffb..63a64a6e 100644 
--- a/docs/assets/terraform/4-projects/ml_business_unit/development/remote.tf +++ b/docs/assets/terraform/4-projects/ml_business_unit/development/remote.tf @@ -21,7 +21,7 @@ locals { location_gcs = try(data.terraform_remote_state.bootstrap.outputs.common_config.default_region, var.location_gcs) billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name - common_kms_project_id = data.terraform_remote_state.org.outputs.org_kms_project_id + common_kms_project_id = data.terraform_remote_state.org.outputs.common_kms_project_id default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix diff --git a/docs/assets/terraform/4-projects/ml_business_unit/nonproduction/non-production.auto.tfvars b/docs/assets/terraform/4-projects/ml_business_unit/nonproduction/non-production.auto.tfvars deleted file mode 120000 index e878a833..00000000 --- a/docs/assets/terraform/4-projects/ml_business_unit/nonproduction/non-production.auto.tfvars +++ /dev/null @@ -1 +0,0 @@ -../../non-production.auto.tfvars \ No newline at end of file diff --git a/docs/assets/terraform/4-projects/ml_business_unit/nonproduction/nonproduction.auto.tfvars b/docs/assets/terraform/4-projects/ml_business_unit/nonproduction/nonproduction.auto.tfvars new file mode 120000 index 00000000..d2ffd5e8 --- /dev/null +++ b/docs/assets/terraform/4-projects/ml_business_unit/nonproduction/nonproduction.auto.tfvars @@ -0,0 +1 @@ +../../nonproduction.auto.tfvars \ No newline at end of file diff --git a/docs/assets/terraform/4-projects/ml_business_unit/nonproduction/remote.tf b/docs/assets/terraform/4-projects/ml_business_unit/nonproduction/remote.tf index 19fd1ffb..63a64a6e 100644 
--- a/docs/assets/terraform/4-projects/ml_business_unit/nonproduction/remote.tf +++ b/docs/assets/terraform/4-projects/ml_business_unit/nonproduction/remote.tf @@ -21,7 +21,7 @@ locals { location_gcs = try(data.terraform_remote_state.bootstrap.outputs.common_config.default_region, var.location_gcs) billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name - common_kms_project_id = data.terraform_remote_state.org.outputs.org_kms_project_id + common_kms_project_id = data.terraform_remote_state.org.outputs.common_kms_project_id default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix diff --git a/docs/assets/terraform/4-projects/ml_business_unit/production/remote.tf b/docs/assets/terraform/4-projects/ml_business_unit/production/remote.tf index 19fd1ffb..63a64a6e 100644 --- a/docs/assets/terraform/4-projects/ml_business_unit/production/remote.tf +++ b/docs/assets/terraform/4-projects/ml_business_unit/production/remote.tf 
@@ -21,7 +21,7 @@ locals { location_gcs = try(data.terraform_remote_state.bootstrap.outputs.common_config.default_region, var.location_gcs) billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name - common_kms_project_id = data.terraform_remote_state.org.outputs.org_kms_project_id + common_kms_project_id = data.terraform_remote_state.org.outputs.common_kms_project_id default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix diff --git a/docs/assets/terraform/4-projects/ml_business_unit/shared/remote.tf b/docs/assets/terraform/4-projects/ml_business_unit/shared/remote.tf index 74696cd0..3752312b 100644 --- a/docs/assets/terraform/4-projects/ml_business_unit/shared/remote.tf +++ b/docs/assets/terraform/4-projects/ml_business_unit/shared/remote.tf @@ -21,7 +21,7 @@ locals { location_gcs = try(data.terraform_remote_state.bootstrap.outputs.common_config.default_region, var.location_gcs) billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name - common_kms_project_id = data.terraform_remote_state.org.outputs.org_kms_project_id + common_kms_project_id = data.terraform_remote_state.org.outputs.common_kms_project_id default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix 
diff --git a/docs/assets/terraform/4-projects/non-production.auto.example.tfvars b/docs/assets/terraform/4-projects/nonproduction.auto.example.tfvars similarity index 100% rename from docs/assets/terraform/4-projects/non-production.auto.example.tfvars rename to docs/assets/terraform/4-projects/nonproduction.auto.example.tfvars diff --git a/docs/assets/terraform/5-appinfra/service-catalog-infra-repo/ml_business_unit/shared/README.md b/docs/assets/terraform/5-appinfra/service-catalog-infra-repo/ml_business_unit/shared/README.md deleted file mode 100644 index 55c6e6bb..00000000 --- a/docs/assets/terraform/5-appinfra/service-catalog-infra-repo/ml_business_unit/shared/README.md +++ /dev/null @@ -1,17 +0,0 @@ - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| instance\_region | The region where compute instance will be created. A subnetwork must exists in the instance region. | `string` | n/a | yes | -| log\_bucket | Log bucket to be used by Service Catalog Bucket | `string` | n/a | yes | -| remote\_state\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | - -## Outputs - -| Name | Description | -|------|-------------| -| cloudbuild\_trigger\_id | Id of Cloud Build Trigger | -| storage\_bucket\_name | Name of storage bucket created | - - diff --git a/docs/deploy_on_foundation_v4.0.0.md b/docs/deploy_on_foundation_v4.1.0.md similarity index 90% rename from docs/deploy_on_foundation_v4.0.0.md rename to docs/deploy_on_foundation_v4.1.0.md index 3d92bb82..1f3d37ea 100644 --- a/docs/deploy_on_foundation_v4.0.0.md +++ b/docs/deploy_on_foundation_v4.1.0.md 
@@ -1,14 +1,14 @@ -# Deploying on top of existing Foundation v.4.0.0 +# Deploying on top of existing Foundation v.4.1.0 ## Overview -To deploy a simple machine learning application, you must first have a [terraform-example-foundation v4.0.0](https://github.com/terraform-google-modules/terraform-example-foundation/tree/v4.0.0) instance set up. The following steps will guide you through the additional configurations required on top of the foundation. +To deploy a simple machine learning application, you must first have a [terraform-example-foundation v4.1.0](https://github.com/terraform-google-modules/terraform-example-foundation/tree/v4.1.0) instance set up. The following steps will guide you through the additional configurations required on top of the foundation. ## Requirements ### Code -- [terraform-example-foundation v4.0.0](https://github.com/terraform-google-modules/terraform-example-foundation/tree/v4.0.0) deployed until at least step `4-projects`. +- [terraform-example-foundation v4.1.0](https://github.com/terraform-google-modules/terraform-example-foundation/tree/v4.1.0) deployed until at least step `4-projects`. - You must have role **Service Account User** (`roles/iam.serviceAccountUser`) on the [Terraform Service Accounts](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/docs/GLOSSARY.md#terraform-service-accounts) created in the foundation [Seed Project](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/docs/GLOSSARY.md#seed-project). The Terraform Service Accounts have the permissions to deploy each step of the foundation. Service Accounts: - `sa-terraform-bootstrap@.iam.gserviceaccount.com`. 
@@ -63,6 +63,48 @@ gcp-projects terraform-google-enterprise-genai ``` +## Terraform Cloud Build Image Version Update + +The codebase uses terraform functionalities that are only available on 1.5.x, therefore, the user need to upgrade the terraform version on the cloud builder and can do so by following the following procedure. + +- Navigate to `gcp-bootstrap`. + +```bash +cd gcp-bootstrap +``` + +- Open `envs/shared/cb.tf` file, locate the `terraform_version` field under `locals` and update it to 1.5.7. + +```terraform +locals { + // terraform version image configuration + terraform_version = "1.5.7" + // The version of the terraform docker image to be used in the workspace builds + docker_tag_version_terraform = "v1" + ... +} +``` + +- Initialize and plan shared environment. The commands below must be run at `gcp-bootstrap/` directory. + +```bash +./tf-wrapper.sh init shared +./tf-wrapper.sh plan shared +``` + +- Apply the modifications and ensure that the build triggered by this modification was applied successfully. + +```bash +./tf-wrapper.sh apply shared +``` + +- Commit and the modifications to the repository. + +```bash +git commit -am "Update cb.tf - bump terraform to 1.5.7" +git push origin plan +``` + ## Policies ### Update `gcloud terraform vet` policies @@ -287,7 +329,7 @@ variable "gcs_logging_key_rotation_period" { } ``` -- On `gcp-environments/modules/env_baseline/variables.tf` add the following field to `project_budget` specification: +- On `gcp-environments/modules/env_baseline/variables.tf` add the following fields to `project_budget` specification: ```terraform logging_budget_amount = optional(number, 1000) 
@@ -343,35 +385,6 @@ variable "project_budget" { projects_step_terraform_service_account_email = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email ``` -- On `gcp-environments/envs/development/outputs.tf` add the following outputs: - -```terraform -output "env_log_project_id" { - description = "Project ID of the environments log project" - value = module.env.env_logs_project_id -} - -output "env_log_project_number" { - description = "Project Number of the environments log project" - value = module.env.env_logs_project_number -} - -output "env_log_bucket_name" { - description = "Name of environment log bucket" - value = module.env.env_log_bucket_name -} - -output "env_kms_project_number" { - description = "Project Number for environment Cloud Key Management Service (KMS)." - value = module.env.env_kms_project_number -} - -output "key_rings" { - description = "Keyring Names created" - value = module.env.key_rings -} -``` - - On `gcp-environments/modules/env_baseline/outputs.tf` add the following outputs: ```terraform @@ -401,6 +414,35 @@ output "env_log_bucket_name" { } ``` +- On `gcp-environments/envs/development/outputs.tf` add the following outputs: + +```terraform +output "env_log_project_id" { + description = "Project ID of the environments log project" + value = module.env.env_logs_project_id +} + +output "env_log_project_number" { + description = "Project Number of the environments log project" + value = module.env.env_logs_project_number +} + +output "env_log_bucket_name" { + description = "Name of environment log bucket" + value = module.env.env_log_bucket_name +} + +output "env_kms_project_number" { + description = "Project Number for environment Cloud Key Management Service (KMS)." + value = module.env.env_kms_project_number +} + +output "key_rings" { + description = "Keyring Names created" + value = module.env.key_rings +} +``` + - Commit and push files to git repo. ```bash 
@@ -499,7 +541,7 @@ variable "gcs_logging_key_rotation_period" { } ``` -- On `gcp-environments/modules/env_baseline/variables.tf` add the following field to `project_budget` specification: +- On `gcp-environments/modules/env_baseline/variables.tf` add the following fields to `project_budget` specification: ```terraform logging_budget_amount = optional(number, 1000) @@ -555,35 +597,6 @@ variable "project_budget" { projects_step_terraform_service_account_email = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email ``` -- On `gcp-environments/envs/nonproduction/outputs.tf` add the following outputs: - -```terraform -output "env_log_project_id" { - description = "Project ID of the environments log project" - value = module.env.env_logs_project_id -} - -output "env_log_project_number" { - description = "Project Number of the environments log project" - value = module.env.env_logs_project_number -} - -output "env_log_bucket_name" { - description = "Name of environment log bucket" - value = module.env.env_log_bucket_name -} - -output "env_kms_project_number" { - description = "Project Number for environment Cloud Key Management Service (KMS)." - value = module.env.env_kms_project_number -} - -output "key_rings" { - description = "Keyring Names created" - value = module.env.key_rings -} -``` - - On `gcp-environments/modules/env_baseline/outputs.tf` add the following outputs: ```terraform 
@@ -613,6 +626,35 @@ output "env_log_bucket_name" { } ``` +- On `gcp-environments/envs/nonproduction/outputs.tf` add the following outputs: + +```terraform +output "env_log_project_id" { + description = "Project ID of the environments log project" + value = module.env.env_logs_project_id +} + +output "env_log_project_number" { + description = "Project Number of the environments log project" + value = module.env.env_logs_project_number +} + +output "env_log_bucket_name" { + description = "Name of environment log bucket" + value = module.env.env_log_bucket_name +} + +output "env_kms_project_number" { + description = "Project Number for environment Cloud Key Management Service (KMS)." + value = module.env.env_kms_project_number +} + +output "key_rings" { + description = "Keyring Names created" + value = module.env.key_rings +} +``` + - Commit and push files to git repo. ```bash @@ -711,7 +753,7 @@ variable "gcs_logging_key_rotation_period" { } ``` -- On `gcp-environments/modules/env_baseline/variables.tf` add the following field to `project_budget` specification: +- On `gcp-environments/modules/env_baseline/variables.tf` add the following fields to `project_budget` specification: ```terraform logging_budget_amount = optional(number, 1000) 
@@ -767,35 +809,6 @@ variable "project_budget" { projects_step_terraform_service_account_email = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email ``` -- On `gcp-environments/envs/production/outputs.tf` add the following outputs: - -```terraform -output "env_log_project_id" { - description = "Project ID of the environments log project" - value = module.env.env_logs_project_id -} - -output "env_log_project_number" { - description = "Project Number of the environments log project" - value = module.env.env_logs_project_number -} - -output "env_log_bucket_name" { - description = "Name of environment log bucket" - value = module.env.env_log_bucket_name -} - -output "env_kms_project_number" { - description = "Project Number for environment Cloud Key Management Service (KMS)." - value = module.env.env_kms_project_number -} - -output "key_rings" { - description = "Keyring Names created" - value = module.env.key_rings -} -``` - - On `gcp-environments/modules/env_baseline/outputs.tf` add the following outputs: ```terraform @@ -825,6 +838,35 @@ output "env_log_bucket_name" { } ``` +- On `gcp-environments/envs/production/outputs.tf` add the following outputs: + +```terraform +output "env_log_project_id" { + description = "Project ID of the environments log project" + value = module.env.env_logs_project_id +} + +output "env_log_project_number" { + description = "Project Number of the environments log project" + value = module.env.env_logs_project_number +} + +output "env_log_bucket_name" { + description = "Name of environment log bucket" + value = module.env.env_log_bucket_name +} + +output "env_kms_project_number" { + description = "Project Number for environment Cloud Key Management Service (KMS)." + value = module.env.env_kms_project_number +} + +output "key_rings" { + description = "Keyring Names created" + value = module.env.key_rings +} +``` + - Commit and push files to git repo. ```bash 
@@ -839,7 +881,7 @@ git push origin production ### `N.B.` Read this before continuing further -A logging project will be created in every environment (`development`, `non-production`, `production`) when running this code. This project contains a storage bucket for the purposes of project logging within its respective environment. This requires the `cloud-storage-analytics@google.com` group permissions for the storage bucket. Since foundations has more restricted security measures, a domain restriction constraint is enforced. This restraint will prevent the google cloud-storage-analytics group to be added to any permissions. In order for this terraform code to execute without error, manual intervention must be made to ensure everything applies without issue. +A logging project will be created in every environment (`development`, `nonproduction`, `production`) when running this code. This project contains a storage bucket for the purposes of project logging within its respective environment. This requires the `cloud-storage-analytics@google.com` group permissions for the storage bucket. Since foundations has more restricted security measures, a domain restriction constraint is enforced. This restraint will prevent the google cloud-storage-analytics group to be added to any permissions. In order for this terraform code to execute without error, manual intervention must be made to ensure everything applies without issue. You must disable the contraint, assign the permission on the bucket and then apply the contraint again. This step-by-step presents you with two different options (`Option 1` and `Option 2`) and only one of them should be executed. 
@@ -849,17 +891,21 @@ The first and the recommended option is making the changes by using `gcloud` cli #### Option 1: Use `gcloud` cli to disable/enable organization policy constraint -You will be doing this procedure for each environment (`development`, `non-production` & `production`) +You will be doing this procedure for each environment (`development`, `nonproduction` & `production`) -##### `development` environment configuration +##### Configure `GCP_ENVIRONMENTS_PATH` variable -1. Configure the following variable below with the value of `gcp-environments` repository path. +1. Configure the following variable below with the value of `gcp-environments` repository absolute path. This variable will be used in this section for configuring the necessary permissions. ```bash export GCP_ENVIRONMENTS_PATH=INSERT_YOUR_PATH_HERE ``` - Make sure your git is checked out to the development branch by running `git checkout development` on `GCP_ENVIRONMENTS_PATH`. + > Tip: you can retrieve the absolute path of the gcp-environments directory by running `readlink -f ../gcp-environments`. + +##### `development` environment configuration + +1. Make sure your git is checked out to the development branch by running `git checkout development` on `GCP_ENVIRONMENTS_PATH`. ```bash (cd $GCP_ENVIRONMENTS_PATH && git checkout development) @@ -872,6 +918,8 @@ You will be doing this procedure for each environment (`development`, `non-produ export ENV_LOG_PROJECT_ID=$(terraform -chdir="$GCP_ENVIRONMENTS_PATH/envs/development" output -raw env_log_project_id) ``` + > Tip: If you haven't initilized the terraform on the branch, you may do so by running `./tf-wrapper.sh init development` command on the `gcp-environments` directory. + 3. Validate the variable values. ```bash 
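Review bot: The added tip line in the `@@ -872` hunk misspells `initilized`; it should read `initialized`, i.e. `> Tip: If you haven't initialized the terraform on the branch, you may do so by running ...`. The identical line is added again in the nonproduction (`@@ -920`) and production (`@@ -968`) hunks and should be corrected in all three. While touching it, the tip is the only place that says `terraform output` needs a prior `init`; stating that once in the new "Configure `GCP_ENVIRONMENTS_PATH` variable" section would avoid repeating it per environment.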
@@ -899,15 +947,9 @@ You will be doing this procedure for each environment (`development`, `non-produ gcloud org-policies delete iam.allowedPolicyMemberDomains --project=$ENV_LOG_PROJECT_ID ``` -##### `non-production` environment configuration - -1. Configure the following variable below with the value of `gcp-environments` repository path. - - ```bash - export GCP_ENVIRONMENTS_PATH=INSERT_YOUR_PATH_HERE - ``` +##### `nonproduction` environment configuration - Make sure your git is checked out to the `non-production` branch by running `git checkout nonproduction` on `GCP_ENVIRONMENTS_PATH`. +1. Make sure your git is checked out to the `nonproduction` branch by running `git checkout nonproduction` on `GCP_ENVIRONMENTS_PATH`. ```bash (cd $GCP_ENVIRONMENTS_PATH && git checkout nonproduction) @@ -920,6 +962,8 @@ You will be doing this procedure for each environment (`development`, `non-produ export ENV_LOG_PROJECT_ID=$(terraform -chdir="$GCP_ENVIRONMENTS_PATH/envs/nonproduction" output -raw env_log_project_id) ``` + > Tip: If you haven't initilized the terraform on the branch, you may do so by running `./tf-wrapper.sh init nonproduction` command on the `gcp-environments` directory. + 3. Validate the variable values. ```bash @@ -949,13 +993,7 @@ You will be doing this procedure for each environment (`development`, `non-produ ##### `production` environment configuration -1. Configure the following variable below with the value of `gcp-environments` repository path. - - ```bash - export GCP_ENVIRONMENTS_PATH=INSERT_YOUR_PATH_HERE - ``` - - Make sure your git is checked out to the `production` branch by running `git checkout production` on `GCP_ENVIRONMENTS_PATH`. +1. Make sure your git is checked out to the `production` branch by running `git checkout production` on `GCP_ENVIRONMENTS_PATH`. ```bash (cd $GCP_ENVIRONMENTS_PATH && git checkout production) 
@@ -968,6 +1006,8 @@ You will be doing this procedure for each environment (`development`, `non-produ export ENV_LOG_PROJECT_ID=$(terraform -chdir="$GCP_ENVIRONMENTS_PATH/envs/production" output -raw env_log_project_id) ``` + > Tip: If you haven't initilized the terraform on the branch, you may do so by running `./tf-wrapper.sh init production` command on the `gcp-environments` directory. + 3. Validate the variable values. ```bash @@ -1017,9 +1057,9 @@ Proceed with these steps only if `Option 1` is not chosen. ![edit-policy](../2-environments/imgs/edit-policy.png) -4. Follow the instructions on checking out `development`, `non-production` & `production` branches. Once environments terraform code has successfully applied, edit the policy again and select 'Inherit parent's policy' and Click `SET POLICY`. +4. Follow the instructions on checking out `development`, `nonproduction` & `production` branches. Once environments terraform code has successfully applied, edit the policy again and select 'Inherit parent's policy' and Click `SET POLICY`. -After making these modifications, you can follow the README.md procedure for `2-environment` step on foundation, make sure you **change the organization policy after running the steps on foundation**. +Make sure you **change the organization policy** back to the original state. ## 3-network: Configure private DNS zone for Vertex Workbench Instances, Enable NAT and Attach projects to perimeter 
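Review bot: The rewritten closing sentence of Option 2 (`@@ -1017` hunk) drops the timing that the old text carried; "change the organization policy back to the original state" no longer says when, even though step 4 just above ties the restore to the moment the environments apply has completed. Because this option relaxes the `iam.allowedPolicyMemberDomains` domain restriction at the organization level rather than for a single project, the window during which it is relaxed should be stated explicitly. I would write it as `Make sure you **change the organization policy** back to the original state (select 'Inherit parent's policy') as soon as the environments terraform apply has completed, so the domain restriction is not left disabled.` If the "original state" can differ from inheriting the parent policy in some deployments, say so rather than assuming the inherited value.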
@@ -1170,10 +1210,11 @@ On `gcp-networks/modules/base_env/remote.tf`: ##### Adding projects to service perimeter (dev) -On `gcp-networks/modules/restricted_shared_vpc/service_control.tf`, modify the terraform module called **regular_service_perimeter** and add the following module field to `resources`: +On `gcp-networks/modules/restricted_shared_vpc/service_control.tf`, modify the terraform module called **regular_service_perimeter** by replacing the `resources` and `resources_dry_run` fields with the values below: ```terraform -distinct(concat([var.project_number], var.perimeter_projects)) +resources = var.enforce_vpcsc ? distinct(concat([var.project_number], var.perimeter_projects)) : [] +resources_dry_run = distinct(concat([var.project_number], var.perimeter_projects)) ``` This shall result in a module similar to the code below: 
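Review bot: The new `resources = var.enforce_vpcsc ? ... : []` line means that whenever `enforce_vpcsc` is false the enforced perimeter contains no resources and only `resources_dry_run` is populated, so the perimeter logs violations but blocks nothing; the prose around the snippet does not say this, nor what value the reader is expected to set or where `enforce_vpcsc` is declared. The same pattern is repeated in the full module block of the next hunk (`@@ -1181`), which also switches `restricted_services`, `vpc_accessible_services` and the ingress/egress policies to `[]` in that case and references `module.access_level_dry_run` and `var.restricted_services_dry_run`, none of which are defined in these hunks, and again in the nonproduction (`@@ -1420`, `@@ -1433`) and production (`@@ -1674`, `@@ -1685`) hunks. I would add after "This shall result in a module similar to the code below:" a sentence such as `Note: while \`enforce_vpcsc\` is \`false\` the perimeter operates in dry-run mode only (violations are logged, not blocked); set it to \`true\` once the dry-run logs show no unexpected denials to enforce the perimeter.`, plus a pointer to the section that declares `enforce_vpcsc`, the `*_dry_run` variables and the `access_level_dry_run` module, if that is covered elsewhere in the document. The module block in `@@ -1181` continues past the hunk (its `depends_on` and closing brace are outside it).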
@@ -1181,19 +1222,26 @@ This shall result in a module similar to the code below: ```terraform module "regular_service_perimeter" { source = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter" - version = "~> 4.0" + version = "~> 6.0" policy = var.access_context_manager_policy_id perimeter_name = local.perimeter_name description = "Default VPC Service Controls perimeter" - resources = distinct(concat([var.project_number], var.perimeter_projects)) - access_levels = [module.access_level_members.name] - restricted_services = var.restricted_services - vpc_accessible_services = ["RESTRICTED-SERVICES"] - - ingress_policies = var.ingress_policies - egress_policies = var.egress_policies + # configurations for a perimeter in enforced mode. + resources = var.enforce_vpcsc ? distinct(concat([var.project_number], var.perimeter_projects)) : [] + restricted_services = var.enforce_vpcsc ? var.restricted_services : [] + vpc_accessible_services = var.enforce_vpcsc ? ["RESTRICTED-SERVICES"] : [] + ingress_policies = var.enforce_vpcsc ? var.ingress_policies : [] + egress_policies = var.enforce_vpcsc ? var.egress_policies : [] + + # configurations for a perimeter in dry run mode. + resources_dry_run = distinct(concat([var.project_number], var.perimeter_projects)) + access_levels_dry_run = [module.access_level_dry_run.name] + restricted_services_dry_run = var.restricted_services_dry_run + vpc_accessible_services_dry_run = ["RESTRICTED-SERVICES"] + ingress_policies_dry_run = var.ingress_policies_dry_run + egress_policies_dry_run = var.egress_policies_dry_run depends_on = [ time_sleep.wait_vpc_sc_propagation @@ -1293,7 +1341,7 @@ cd ../gcp-networks git checkout nonproduction ``` -#### Private DNS zone configuration (non-production) +#### Private DNS zone configuration (nonproduction) - Return to `terraform-google-enterprise-genai` repo. 
@@ -1325,7 +1373,7 @@ git commit -m "Create DNS notebook configuration" git push origin nonproduction ``` -#### Enabling NAT, Attaching projects to Service Perimeter and Creating custom firewall rules (non-production) +#### Enabling NAT, Attaching projects to Service Perimeter and Creating custom firewall rules (nonproduction) Create `gcp-networks/modules/base_env/data.tf` file with the following content: @@ -1420,12 +1468,13 @@ On `gcp-networks/modules/base_env/remote.tf`: } ``` -##### Adding projects to service perimeter (non-production) +##### Adding projects to service perimeter (nonproduction) -On `gcp-networks/modules/restricted_shared_vpc/service_control.tf`, modify the terraform module called **regular_service_perimeter** and add the following module field to `resources`: +On `gcp-networks/modules/restricted_shared_vpc/service_control.tf`, modify the terraform module called **regular_service_perimeter** by replacing the `resources` and `resources_dry_run` fields with the values below: ```terraform -distinct(concat([var.project_number], var.perimeter_projects)) +resources = var.enforce_vpcsc ? distinct(concat([var.project_number], var.perimeter_projects)) : [] +resources_dry_run = distinct(concat([var.project_number], var.perimeter_projects)) ``` This shall result in a module similar to the code below: 
@@ -1433,19 +1482,26 @@ This shall result in a module similar to the code below: ```terraform module "regular_service_perimeter" { source = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter" - version = "~> 4.0" + version = "~> 6.0" policy = var.access_context_manager_policy_id perimeter_name = local.perimeter_name description = "Default VPC Service Controls perimeter" - resources = distinct(concat([var.project_number], var.perimeter_projects)) - access_levels = [module.access_level_members.name] - - restricted_services = var.restricted_services - vpc_accessible_services = ["RESTRICTED-SERVICES"] - ingress_policies = var.ingress_policies - egress_policies = var.egress_policies + # configurations for a perimeter in enforced mode. + resources = var.enforce_vpcsc ? distinct(concat([var.project_number], var.perimeter_projects)) : [] + restricted_services = var.enforce_vpcsc ? var.restricted_services : [] + vpc_accessible_services = var.enforce_vpcsc ? ["RESTRICTED-SERVICES"] : [] + ingress_policies = var.enforce_vpcsc ? var.ingress_policies : [] + egress_policies = var.enforce_vpcsc ? var.egress_policies : [] + + # configurations for a perimeter in dry run mode. + resources_dry_run = distinct(concat([var.project_number], var.perimeter_projects)) + access_levels_dry_run = [module.access_level_dry_run.name] + restricted_services_dry_run = var.restricted_services_dry_run + vpc_accessible_services_dry_run = ["RESTRICTED-SERVICES"] + ingress_policies_dry_run = var.ingress_policies_dry_run + egress_policies_dry_run = var.egress_policies_dry_run depends_on = [ time_sleep.wait_vpc_sc_propagation 
@@ -1453,7 +1509,7 @@ module "regular_service_perimeter" { } ``` -##### Creating "allow all ingress ranges" and "allow all egress ranges" firewall rules (non-production) +##### Creating "allow all ingress ranges" and "allow all egress ranges" firewall rules (nonproduction) On `gcp-networks/modules/restricted_shared_vpc/firewall.tf` add the following firewall rules by adding the terraform code below to the file: @@ -1511,7 +1567,7 @@ resource "google_compute_firewall" "allow_all_ingress" { } ``` -##### Changes to restricted shared VPC (non-production) +##### Changes to restricted shared VPC (nonproduction) On `gcp-networks/modules/base_env/main.tf` edit the terraform module named **restricted_shared_vpc** and add the following fields to it: @@ -1674,10 +1730,11 @@ On `gcp-networks/modules/base_env/remote.tf`: ##### Adding projects to service perimeter (production) -On `gcp-networks/modules/restricted_shared_vpc/service_control.tf`, modify the terraform module called **regular_service_perimeter** and add the following module field to `resources`: +On `gcp-networks/modules/restricted_shared_vpc/service_control.tf`, modify the terraform module called **regular_service_perimeter** by replacing the `resources` and `resources_dry_run` fields with the values below: ```terraform -distinct(concat([var.project_number], var.perimeter_projects)) +resources = var.enforce_vpcsc ? distinct(concat([var.project_number], var.perimeter_projects)) : [] +resources_dry_run = distinct(concat([var.project_number], var.perimeter_projects)) ``` This shall result in a module similar to the code below: 
@@ -1685,19 +1742,26 @@ This shall result in a module similar to the code below: ```terraform module "regular_service_perimeter" { source = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter" - version = "~> 4.0" + version = "~> 6.0" policy = var.access_context_manager_policy_id perimeter_name = local.perimeter_name description = "Default VPC Service Controls perimeter" - resources = distinct(concat([var.project_number], var.perimeter_projects)) - access_levels = [module.access_level_members.name] - restricted_services = var.restricted_services - vpc_accessible_services = ["RESTRICTED-SERVICES"] - - ingress_policies = var.ingress_policies - egress_policies = var.egress_policies + # configurations for a perimeter in enforced mode. + resources = var.enforce_vpcsc ? distinct(concat([var.project_number], var.perimeter_projects)) : [] + restricted_services = var.enforce_vpcsc ? var.restricted_services : [] + vpc_accessible_services = var.enforce_vpcsc ? ["RESTRICTED-SERVICES"] : [] + ingress_policies = var.enforce_vpcsc ? var.ingress_policies : [] + egress_policies = var.enforce_vpcsc ? var.egress_policies : [] + + # configurations for a perimeter in dry run mode. + resources_dry_run = distinct(concat([var.project_number], var.perimeter_projects)) + access_levels_dry_run = [module.access_level_dry_run.name] + restricted_services_dry_run = var.restricted_services_dry_run + vpc_accessible_services_dry_run = ["RESTRICTED-SERVICES"] + ingress_policies_dry_run = var.ingress_policies_dry_run + egress_policies_dry_run = var.egress_policies_dry_run depends_on = [ time_sleep.wait_vpc_sc_propagation 
@@ -1869,7 +1933,7 @@ echo ${CLOUD_BUILD_PROJECT_ID} mv common.auto.example.tfvars common.auto.tfvars mv shared.auto.example.tfvars shared.auto.tfvars mv development.auto.example.tfvars development.auto.tfvars -mv non-production.auto.example.tfvars non-production.auto.tfvars +mv nonproduction.auto.example.tfvars nonproduction.auto.tfvars mv production.auto.example.tfvars production.auto.tfvars ``` @@ -1890,12 +1954,6 @@ git add . git commit -m "Create ML Business Unit" ``` -- Log into gcloud using service account impersonation and then set your configuration: - -```bash -gcloud auth application-default login --impersonate-service-account=${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} -``` - - Run `init` and `plan` and review output for environment shared. ```bash @@ -1971,7 +2029,7 @@ cd ../gcp-projects mv common.auto.example.tfvars common.auto.tfvars mv shared.auto.example.tfvars shared.auto.tfvars mv development.auto.example.tfvars development.auto.tfvars -mv non-production.auto.example.tfvars non-production.auto.tfvars +mv nonproduction.auto.example.tfvars nonproduction.auto.tfvars mv production.auto.example.tfvars production.auto.tfvars ``` @@ -2049,7 +2107,7 @@ cd ../gcp-projects mv common.auto.example.tfvars common.auto.tfvars mv shared.auto.example.tfvars shared.auto.tfvars mv development.auto.example.tfvars development.auto.tfvars -mv non-production.auto.example.tfvars non-production.auto.tfvars +mv nonproduction.auto.example.tfvars nonproduction.auto.tfvars mv production.auto.example.tfvars production.auto.tfvars ``` @@ -2109,6 +2167,12 @@ cp -r docs/assets/terraform/4-projects/ml_business_unit ../gcp-projects rm -rf ../gcp-projects/ml_business_unit/shared ``` +- Retrieve shared directory from `plan` branch. + +```bash +(cd ../gcp-projects && git checkout origin/plan -- ml_business_unit/shared) +``` + - Add modules to the `gcp-projects` repository. ```bash 
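Review bot: Removing the `gcloud auth application-default login --impersonate-service-account=${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT}` step in the `@@ -1890` hunk leaves the credential used by the following `init`/`plan` commands unstated in this section; readers will proceed with whatever application-default credentials they already have, which may be a broadly privileged user identity rather than the scoped service account the removed step selected. The commit message mentions updating how terraform is run locally, so if impersonation is now established in an earlier section, a one-line pointer to it should replace the removed step, e.g. `- Make sure you are authenticated via service account impersonation as described in the section on running Terraform locally before continuing.` If the intent is instead that these commands run as the user, say so and name the roles that user needs. The same removal does not appear in the other hunks of this line.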
@@ -2133,7 +2197,7 @@ cd ../gcp-projects mv common.auto.example.tfvars common.auto.tfvars mv shared.auto.example.tfvars shared.auto.tfvars mv development.auto.example.tfvars development.auto.tfvars -mv non-production.auto.example.tfvars non-production.auto.tfvars +mv nonproduction.auto.example.tfvars nonproduction.auto.tfvars mv production.auto.example.tfvars production.auto.tfvars ``` @@ -2356,7 +2420,7 @@ This step has two main purposes: 1. To deploy a pipeline and a bucket which is linked to a Google Cloud Repository that houses terraform modules for the use in Service Catalog. Although Service Catalog itself must be manually deployed, the modules which will be used can still be automated. -2. To deploy infrastructure for operational environments (ie. `non-production` & `production`.) +2. To deploy infrastructure for operational environments (ie. `nonproduction` & `production`.) The resoning behind utilizing one repository with two deployment methodologies is due to how close interactive (`development`) and operational environments are. @@ -2365,7 +2429,7 @@ The repository has the structure (truncated for brevity): ```text ml_business_unit ├── development - ├── non-production + ├── nonproduction ├── production modules ├── bucket @@ -2404,7 +2468,7 @@ When there is a change in any of the terraform module folders, the pipeline will This pipeline is listening to the `main` branch of this repository for changes in order for the modules to be uploaded to service catalog. -The pipeline also listens for changes made to `plan`, `development`, `non-production` & `production` branches, this is used for deploying infrastructure to each project. +The pipeline also listens for changes made to `plan`, `development`, `nonproduction` & `production` branches, this is used for deploying infrastructure to each project. - Clone the `ml-service-catalog` repo. 
@@ -2524,3 +2588,5 @@ The series of steps below will trigger the custom Service Catalog Pipeline. ``` - Navigate to the project that was output from `${SERVICE_CATALOG_PROJECT_ID}` in Google's Cloud Console to view the first run of images being built. + +You may now proceed to deploy your applications, there are example applications under `examples` directory on the repository root.