diff --git a/0-bootstrap/Dockerfile b/0-bootstrap/Dockerfile index 608f428b..3f834d85 100644 --- a/0-bootstrap/Dockerfile +++ b/0-bootstrap/Dockerfile @@ -15,7 +15,7 @@ FROM gcr.io/cloud-builders/gcloud-slim # Use ARG so that values can be overriden by user/cloudbuild -ARG TERRAFORM_VERSION=1.3.0 +ARG TERRAFORM_VERSION=1.5.7 ENV ENV_TERRAFORM_VERSION=$TERRAFORM_VERSION diff --git a/0-bootstrap/README-GitHub.md b/0-bootstrap/README-GitHub.md index cdd6e4d2..b555c3f1 100644 --- a/0-bootstrap/README-GitHub.md +++ b/0-bootstrap/README-GitHub.md @@ -15,7 +15,7 @@ To run the instructions described in this document, install the following: - [Google Cloud SDK](https://cloud.google.com/sdk/install) version 393.0.0 or later - [terraform-tools](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install) component - [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) version 2.28.0 or later -- [Terraform](https://www.terraform.io/downloads.html) version 1.3.0 or later +- [Terraform](https://www.terraform.io/downloads.html) version 1.5.7 or later Also make sure that you have the following: @@ -61,10 +61,10 @@ for each one of the repositories. ### Deploying step 0-bootstrap -1. Clone [terraform-google-enterprise-genai](https://github.com/terraform-google-modules/terraform-google-enterprise-genai) into your local environment. +1. Clone [terraform-google-enterprise-genai](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai) into your local environment. ```bash - git clone https://github.com/terraform-google-modules/terraform-google-enterprise-genai.git + git clone https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai.git ``` 1. Clone the private repository you created to host the `0-bootstrap` terraform configuration at the same level of the `terraform-google-enterprise-genai` folder. diff --git a/0-bootstrap/README-Jenkins.md b/0-bootstrap/README-Jenkins.md index b840094d..61c277ca 100644 
--- a/0-bootstrap/README-Jenkins.md +++ b/0-bootstrap/README-Jenkins.md @@ -51,7 +51,7 @@ You arrived to these instructions because you are using the `jenkins_bootstrap` - Access to the Jenkins Controller Web UI - [SSH Agent Jenkins plugin](https://plugins.jenkins.io/ssh-agent) installed in your Jenkins Controller - Private IP address for the Jenkins Agent: usually assigned by your network administrator. You will use this IP for the GCE instance that will be created in the `prj-b-cicd` GCP Project in step [II. Create the SEED and CI/CD projects using Terraform](#ii-create-the-seed-and-cicd-projects-using-terraform). - - Access to create five Git repositories, one for each directory in this [monorepo](https://github.com/terraform-google-modules/terraform-google-enterprise-genai) (`0-bootstrap, 1-org, 2-environments, 3-networks, 4-projects`). These are usually private repositories that might be on-prem. + - Access to create five Git repositories, one for each directory in this [monorepo](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai) (`0-bootstrap, 1-org, 2-environments, 3-networks, 4-projects`). These are usually private repositories that might be on-prem. 1. Generate a SSH key pair. In the Jenkins Controller host, use the `ssh-keygen` command to generate a SSH key pair. - You will need this key pair to enable authentication between the Controller and Agent. Although the key pair can be generated in any linux machine, it is recommended not to copy the secret private key from one host to another, so you probably want to do this in the Jenkins Controller host command line. 
@@ -78,7 +78,7 @@ You arrived to these instructions because you are using the `jenkins_bootstrap` - Jenkins Agent’s private IP address (usually assigned by your Network Administrator. In the provided examples this IP is "172.16.1.6"). This private IP will be reachable through the VPN connection that you will create later. 1. Create five individual Git repositories in your Git server (This might be a task delegated to your infrastructure team) - - Note that although this infrastructure code is distributed to you as a [monorepo](https://github.com/terraform-google-modules/terraform-google-enterprise-genai), you will store the code in five different repositories, one for each directory: + - Note that although this infrastructure code is distributed to you as a [monorepo](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai), you will store the code in five different repositories, one for each directory: ```text ./0-bootstrap @@ -113,7 +113,7 @@ You arrived to these instructions because you are using the `jenkins_bootstrap` 1. Clone this mono-repository with: ```bash - git clone https://github.com/terraform-google-modules/terraform-google-enterprise-genai + git clone https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai ``` 1. Clone the repository you created to host the `0-bootstrap` directory with: @@ -192,7 +192,7 @@ You arrived to these instructions because you are using the `jenkins_bootstrap` ### II. Create the SEED and CI/CD projects using Terraform - Required information: - - Terraform version 1.3.0 - See [Requirements](#requirements) section for more details. + - Terraform version 1.5.7 - See [Requirements](#requirements) section for more details. - The `terraform.tfvars` file with all the necessary values. 1. Get the appropriate credentials: run the following command with an account that has the [necessary permissions](./modules/jenkins-agent/README.md#permissions). 
@@ -205,7 +205,7 @@ You arrived to these instructions because you are using the `jenkins_bootstrap` 1. Run terraform commands. - After the credentials are configured, we will create the `prj-b-seed` project (which contains the GCS state bucket and Terraform custom service account) and the `prj-b-cicd` project (which contains the Jenkins Agent, its custom service account and where we will add VPN configuration) - - **Use Terraform 1.3.0** to run the terraform script with the commands below + - **Use Terraform 1.5.7** to run the terraform script with the commands below ```bash terraform init diff --git a/0-bootstrap/README-Terraform-Cloud.md b/0-bootstrap/README-Terraform-Cloud.md index a7338b3d..bb1a4e2c 100644 --- a/0-bootstrap/README-Terraform-Cloud.md +++ b/0-bootstrap/README-Terraform-Cloud.md @@ -17,7 +17,7 @@ To run the instructions described in this document, install the following: - [Google Cloud SDK](https://cloud.google.com/sdk/install) version 393.0.0 or later - [terraform-tools](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install) component - [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) version 2.28.0 or later -- [Terraform](https://www.terraform.io/downloads.html) version 1.3.0 or later +- [Terraform](https://www.terraform.io/downloads.html) version 1.5.7 or later - [jq](https://jqlang.github.io/jq/download/) version 1.6.0 or later Also make sure that you have the following: 
@@ -59,10 +59,10 @@ that are created, see the organization bootstrap module ### Instructions -1. Clone [terraform-google-enterprise-genai](https://github.com/terraform-google-modules/terraform-google-enterprise-genai) into your local environment. +1. Clone [terraform-google-enterprise-genai](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai) into your local environment. ```bash - git clone https://github.com/terraform-google-modules/terraform-google-enterprise-genai.git + git clone https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai.git ``` 1. Clone all the private repositories (or projects) you created at the same level of the `terraform-google-enterprise-genai` folder. diff --git a/0-bootstrap/README.md b/0-bootstrap/README.md index d6d3e6c1..be451956 100644 --- a/0-bootstrap/README.md +++ b/0-bootstrap/README.md @@ -45,15 +45,11 @@ Hub and Spoke network model. It also sets up the global DNS hub. 5-app-infra -Deploy a service catalog and artifacts pipeline. +Deploys Service Catalog Pipeline and Custom Artifacts Pipeline. -For an overview of the architecture and the parts, see the -[terraform-google-enterprise-genai README](https://github.com/terraform-google-modules/terraform-google-enterprise-genai) -file. - ## Purpose The purpose of this step is to bootstrap a Google Cloud organization, creating all the required resources and permissions to start using the Cloud Foundation Toolkit (CFT). This step also configures a [CI/CD Pipeline](/docs/GLOSSARY.md#foundation-cicd-pipeline) for foundations code in subsequent stages. The [CI/CD Pipeline](/docs/GLOSSARY.md#foundation-cicd-pipeline) can use either Cloud Build and Cloud Source Repos or Jenkins and your own Git repos (which might live on-premises). 
@@ -64,10 +60,10 @@ To run the commands described in this document, install the following: - [Google Cloud SDK](https://cloud.google.com/sdk/install) version 393.0.0 or later - [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) version 2.28.0 or later -- [Terraform](https://www.terraform.io/downloads.html) version 1.3.0 +- [Terraform](https://www.terraform.io/downloads.html) version 1.5.7 - [jq](https://jqlang.github.io/jq/download/) version 1.6.0 or later -**Note:** Make sure that you use version 1.3.0 of Terraform throughout this series. Otherwise, you might experience Terraform state snapshot lock errors. +**Note:** Make sure that you use version 1.5.7 of Terraform throughout this series. Otherwise, you might experience Terraform state snapshot lock errors. Also make sure that you've done the following: @@ -119,7 +115,7 @@ See [troubleshooting](../docs/TROUBLESHOOTING.md) if you run into issues during ## Deploying with Jenkins If you are using the `jenkins_bootstrap` sub-module, see -[README-Jenkins](https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/0-bootstrap/README-Jenkins.md) +[README-Jenkins](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/0-bootstrap/README-Jenkins.md) for requirements and instructions on how to run the 0-bootstrap step. Using Jenkins requires a few manual steps, including configuring connectivity with your current Jenkins manager (controller) environment. 
@@ -132,10 +128,10 @@ Using GitHub Actions requires manual creation of the GitHub repositories used in ## Deploying with Cloud Build -1. Clone [terraform-google-enterprise-genai](https://github.com/terraform-google-modules/terraform-google-enterprise-genai) into your local environment and navigate to the `0-bootstrap` folder. +1. Clone [terraform-google-enterprise-genai](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai) into your local environment and navigate to the `0-bootstrap` folder. ```bash - git clone https://github.com/terraform-google-modules/terraform-google-enterprise-genai.git + git clone https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai.git cd terraform-google-enterprise-genai/0-bootstrap ``` diff --git a/0-bootstrap/cb.tf b/0-bootstrap/cb.tf index 326677a5..3987c961 100644 --- a/0-bootstrap/cb.tf +++ b/0-bootstrap/cb.tf @@ -16,7 +16,7 @@ locals { // terraform version image configuration - terraform_version = "1.3.0" + terraform_version = "1.5.7" // The version of the terraform docker image to be used in the workspace builds docker_tag_version_terraform = "v1" @@ -166,6 +166,7 @@ module "tf_cloud_builder" { enable_worker_pool = true worker_pool_id = module.tf_private_pool.private_worker_pool_id bucket_name = "${var.bucket_prefix}-${module.tf_source.cloudbuild_project_id}-tf-cloudbuilder-build-logs" + build_timeout = "1200s" } module "bootstrap_csr_repo" { diff --git a/0-bootstrap/modules/jenkins-agent/README.md b/0-bootstrap/modules/jenkins-agent/README.md index be324945..09f72a5a 100644 --- a/0-bootstrap/modules/jenkins-agent/README.md +++ b/0-bootstrap/modules/jenkins-agent/README.md 
@@ -77,7 +77,7 @@ module "jenkins_bootstrap" { | storage\_bucket\_prefix | Name prefix to use for storage buckets. | `string` | `"bkt"` | no | | terraform\_sa\_names | Fully-qualified name of the Terraform Service Accounts. It must be supplied by the Seed Project | `map(string)` | n/a | yes | | terraform\_state\_bucket | Default state bucket, used in Cloud Build substitutions. It must be supplied by the Seed Project | `string` | n/a | yes | -| terraform\_version | Default terraform version. | `string` | `"1.3.0"` | no | +| terraform\_version | Default terraform version. | `string` | `"1.5.7"` | no | | terraform\_version\_sha256sum | sha256sum for default terraform version. | `string` | `"380ca822883176af928c80e5771d1c0ac9d69b13c6d746e6202482aedde7d457"` | no | | tunnel0\_bgp\_peer\_address | BGP peer address for tunnel 0 | `string` | n/a | yes | | tunnel0\_bgp\_session\_range | BGP session range for tunnel 0 | `string` | n/a | yes | @@ -103,8 +103,8 @@ module "jenkins_bootstrap" { ### Software - [gcloud sdk](https://cloud.google.com/sdk/install) >= 393.0.0 -- [Terraform](https://www.terraform.io/downloads.html) = 1.3.0 - - The scripts in this codebase use Terraform v1.3.0. You should use the same version in the manual steps to avoid [Terraform State Snapshot Lock](https://github.com/hashicorp/terraform/issues/23290) errors caused by differences in terraform versions. +- [Terraform](https://www.terraform.io/downloads.html) = 1.5.7 + - The scripts in this codebase use Terraform v1.5.7. You should use the same version in the manual steps to avoid [Terraform State Snapshot Lock](https://github.com/hashicorp/terraform/issues/23290) errors caused by differences in terraform versions. ### Infrastructure diff --git a/0-bootstrap/modules/jenkins-agent/variables.tf b/0-bootstrap/modules/jenkins-agent/variables.tf index 220c2842..13c90a05 100644 --- a/0-bootstrap/modules/jenkins-agent/variables.tf +++ b/0-bootstrap/modules/jenkins-agent/variables.tf 
@@ -215,7 +215,7 @@ variable "folder_id" { variable "terraform_version" { description = "Default terraform version." type = string - default = "1.3.0" + default = "1.5.7" } variable "terraform_version_sha256sum" { diff --git a/1-org/README.md b/1-org/README.md index c774aabe..fc1590c7 100644 --- a/1-org/README.md +++ b/1-org/README.md @@ -45,13 +45,13 @@ hub-and-spoke network model. It also sets up the global DNS hub. 5-app-infra -Deploy a service catalog and artifacts pipeline. +Deploys Service Catalog Pipeline and Custom Artifacts Pipeline. For an overview of the architecture and the parts, see the -[terraform-google-enterprise-genai README](https://github.com/terraform-google-modules/terraform-google-enterprise-genai). +[terraform-google-enterprise-genai README](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai). ## Purpose diff --git a/1-org/modules/cai-monitoring/README.md b/1-org/modules/cai-monitoring/README.md index 1e1f0344..5eca2991 100644 --- a/1-org/modules/cai-monitoring/README.md +++ b/1-org/modules/cai-monitoring/README.md @@ -5,7 +5,7 @@ Uses Google Cloud Asset Inventory to create a feed of IAM Policy change events, ```hcl module "secure_cai_notification" { - source = "terraform-google-modules/terraform-google-enterprise-genai/google//1-org/modules/cai-monitoring" + source = "GoogleCloudPlatform/terraform-google-enterprise-genai/google//1-org/modules/cai-monitoring" org_id = billing_account = diff --git a/1-org/modules/cai-monitoring/iam.tf b/1-org/modules/cai-monitoring/iam.tf index ccb9959d..2f86d331 100644 --- a/1-org/modules/cai-monitoring/iam.tf +++ b/1-org/modules/cai-monitoring/iam.tf @@ -15,6 +15,12 @@ */ locals { + compute_engine_sa_project_roles = [ + "roles/logging.logWriter", + "roles/storage.objectViewer", + "roles/artifactregistry.reader", + "roles/artifactregistry.writer", + ] cf_roles = [ "roles/pubsub.publisher", "roles/eventarc.eventReceiver", 
@@ -33,6 +39,14 @@ locals { } } +data "google_storage_project_service_account" "gcs_sa" { + project = var.project_id +} + +data "google_compute_default_service_account" "default" { + project = var.project_id +} + // Service Accounts resource "google_project_service_identity" "service_sa" { for_each = local.services @@ -42,10 +56,6 @@ resource "google_project_service_identity" "service_sa" { service = each.value } -data "google_storage_project_service_account" "gcs_sa" { - project = var.project_id -} - // Encrypter/Decrypter role resource "google_kms_crypto_key_iam_member" "encrypter_decrypter" { for_each = var.enable_cmek ? local.identities : {} @@ -55,6 +65,13 @@ resource "google_kms_crypto_key_iam_member" "encrypter_decrypter" { member = each.value } +resource "google_project_iam_member" "log_writer" { + for_each = toset(local.compute_engine_sa_project_roles) + project = var.project_id + role = each.value + member = data.google_compute_default_service_account.default.member +} + // Cloud Function SA resource "google_service_account" "cloudfunction" { account_id = "cai-monitoring" @@ -81,6 +98,7 @@ resource "time_sleep" "wait_kms_iam" { depends_on = [ google_kms_crypto_key_iam_member.encrypter_decrypter, google_organization_iam_member.cloudfunction_findings_editor, - google_project_iam_member.cloudfunction_iam + google_project_iam_member.cloudfunction_iam, + google_project_iam_member.log_writer ] } diff --git a/1-org/modules/centralized-logging/README.md b/1-org/modules/centralized-logging/README.md index d49cf9bb..70e36663 100644 --- a/1-org/modules/centralized-logging/README.md +++ b/1-org/modules/centralized-logging/README.md 
@@ -10,7 +10,7 @@ The following example exports audit logs from two folders to the same storage de ```hcl module "logs_export" { - source = "terraform-google-modules/terraform-google-enterprise-genai/google//1-org/modules/centralized-logging" + source = "GoogleCloudPlatform/terraform-google-enterprise-genai/google//1-org/modules/centralized-logging" resources = { fldr1 = "" @@ -35,7 +35,7 @@ The following example exports all logs from three projects - including the loggi ```hcl module "logging_logbucket" { - source = "terraform-google-modules/terraform-google-enterprise-genai/google//1-org/modules/centralized-logging" + source = "GoogleCloudPlatform/terraform-google-enterprise-genai/google//1-org/modules/centralized-logging" resources = { prj1 = "" diff --git a/2-environments/README.md b/2-environments/README.md index fd5a43bd..0af2973f 100644 --- a/2-environments/README.md +++ b/2-environments/README.md @@ -45,14 +45,13 @@ Hub and Spoke network model. It also sets up the global DNS hub 5-app-infra -Deploy service catalog and artifacts pipeline. -Deploy a service catalog and artifacts pipeline. +Deploys Service Catalog Pipeline and Custom Artifacts Pipeline. For an overview of the architecture and the parts, see the -[terraform-google-enterprise-genai README](https://github.com/terraform-google-modules/terraform-google-enterprise-genai). +[terraform-google-enterprise-genai README](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai). ## Purpose @@ -84,7 +83,6 @@ Use the [GCP console](https://console.cloud.google.com/compliance/assuredworkloa ## Usage - **Note:** If you are using MacOS, replace `cp -RT` with `cp -R` in the relevant commands. The `-T` flag is needed for Linux, but causes problems for MacOS. 
@@ -144,26 +142,8 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get ```bash git push --set-upstream origin plan ``` -1. Review the plan output in your cloud build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID - -### `N.B.` Read this before continuing further!! - -A logging project will be created in every environment (`development`, `non-production`, `production`) when running this code. This project contains a storage bucket for the purposes of project logging within its respective environment. This requires the `cloud-storage-analytics@google.com` group permissions for the storage bucket. Since foundations has more restricted security measures, a domain restriction constraint is enforced. This restraint will prevent Google service accounts to be added to any permissions. In order for this terraform code to execute without error, manual intervention must be made to ensure everything applies without issue. -You must disable the contraint in every folder that is about to be configured by terraform, push your code and then apply the contraint again: - -#### Do this before you push development, non-production & production -1. Google Console is the quickest way to achieve this. Under `IAM & Admin`, select `Organization Policies`. Search for "Domain Restricted Sharing" -![list-policy](imgs/list-policy.png) - -1. Select 'Manage Policy'. This directs you to the Domain Restricted Sharing Edit Policy page. It will be set at 'Inherit parent's policy'. Change this to 'Google-managed default' -![edit-policy](imgs/edit-policy.png) - -1. Follow the instructions on checking out `development`, `non-production` & `production` branches. Once environments terraform code has successfully applied, edit the policy again and select 'Inherit parent's policy' and Click `SET POLICY`. - -### Deployment Continued... - -1. 
Ensure you [disable The Orginization Policy](#do-this-before-you-push-development-non-production--production) on the `development` folder before continuing further. +1. Review the plan output in your cloud build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID 1. Merge changes to development branch. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), pushing to this branch triggers both _terraform plan_ and _terraform apply_. @@ -175,10 +155,6 @@ You must disable the contraint in every folder that is about to be configured by 1. Review the apply output in your cloud build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID -1. Enable the Organization Policy on the `development` folder has highlighted [here](#do-this-before-you-push-development-non-production--production) - -1. Ensure you [disable The Orginization Policy](#do-this-before-you-push-development-non-production--production) on the `non-production` folder before continuing further. - 1. Merge changes to non-production. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your cloud build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID 
@@ -186,9 +162,6 @@ You must disable the contraint in every folder that is about to be configured by git checkout -b non-production git push origin non-production ``` -1. Enable the Organization Policy on the `non-production` folder has highlighted [here](#do-this-before-you-push-development-non-production--production) - -1. Ensure you [disable The Orginization Policy](#do-this-before-you-push-development-non-production--production) on the `production` folder before continuing further. 1. Merge changes to production branch. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your cloud build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID 
@@ -197,11 +170,192 @@ You must disable the contraint in every folder that is about to be configured by git checkout -b production git push origin production ``` -1. Enable the Organization Policy on the `production` folder has highlighted [here](#do-this-before-you-push-development-non-production--production) +### `N.B.` Read this before continuing further + +A logging project will be created in every environment (`development`, `non-production`, `production`) when running this code. This project contains a storage bucket for the purposes of project logging within its respective environment. This requires the `cloud-storage-analytics@google.com` group permissions for the storage bucket. Since foundations has more restricted security measures, a domain restriction constraint is enforced. This restraint will prevent the google cloud-storage-analytics group to be added to any permissions. In order for this terraform code to execute without error, manual intervention must be made to ensure everything applies without issue. + +You must disable the contraint, assign the permission on the bucket and then apply the contraint again. This step-by-step presents you with two different options (`Option 1` and `Option 2`) and only one of them should be executed. + +The first and the recommended option is making the changes by using `gcloud` cli, as described in `Option 1`. + +`Option 2` is an alternative to `gcloud` cli and relies on Google Cloud Console. + +#### Option 1: Use `gcloud` cli to disable/enable organization policy constraint + +You will be doing this procedure for each environment (`development`, `non-production` & `production`) + +##### `development` environment configuration + +1. Configure the following variable below with the value of `gcp-environments` repository path. 
+ + ```bash + export GCP_ENVIRONMENTS_PATH=INSERT_YOUR_PATH_HERE + ``` + + Make sure your git is checked out to the development branch by running `git checkout development` on `GCP_ENVIRONMENTS_PATH`. + + ```bash + (cd $GCP_ENVIRONMENTS_PATH && git checkout development) + ``` + +2. Retrieve the bucket name and project id from terraform outputs. + + ```bash + export ENV_LOG_BUCKET_NAME=$(terraform -chdir="$GCP_ENVIRONMENTS_PATH/envs/development" output -raw env_log_bucket_name) + export ENV_LOG_PROJECT_ID=$(terraform -chdir="$GCP_ENVIRONMENTS_PATH/envs/development" output -raw env_log_project_id) + ``` + +3. Validate the variable values. + + ```bash + echo env_log_project_id=$ENV_LOG_PROJECT_ID + echo env_log_bucket_name=$ENV_LOG_BUCKET_NAME + ``` + +4. Reset your org policy for the logging project by running the following command. + + ```bash + gcloud org-policies reset iam.allowedPolicyMemberDomains --project=$ENV_LOG_PROJECT_ID + ``` + +5. Assign `roles/storage.objectCreator` role to `cloud-storage-analytics@google.com` group. + + ```bash + gcloud storage buckets add-iam-policy-binding gs://$ENV_LOG_BUCKET_NAME --member="group:cloud-storage-analytics@google.com" --role="roles/storage.objectCreator" + ``` + + > Note: you might receive an error telling you that this is against an organization policy, this can happen because of the propagation time from the change made to the organization policy (propagation time is tipically 2 minutes, but can take 7 minutes or longer). If this happens, wait some minutes and try again + +6. Delete the change made on the first step to the organization policy, this will make the project inherit parent policies. + + ```bash + gcloud org-policies delete iam.allowedPolicyMemberDomains --project=$ENV_LOG_PROJECT_ID + ``` + +##### `non-production` environment configuration + +1. Configure the following variable below with the value of `gcp-environments` repository path. 
+ + ```bash + export GCP_ENVIRONMENTS_PATH=INSERT_YOUR_PATH_HERE + ``` + + Make sure your git is checked out to the `non-production` branch by running `git checkout non-production` on `GCP_ENVIRONMENTS_PATH`. + + ```bash + (cd $GCP_ENVIRONMENTS_PATH && git checkout non-production) + ``` + +2. Retrieve the bucket name and project id from terraform outputs. + + ```bash + export ENV_LOG_BUCKET_NAME=$(terraform -chdir="$GCP_ENVIRONMENTS_PATH/envs/non-production" output -raw env_log_bucket_name) + export ENV_LOG_PROJECT_ID=$(terraform -chdir="$GCP_ENVIRONMENTS_PATH/envs/non-production" output -raw env_log_project_id) + ``` + +3. Validate the variable values. + + ```bash + echo env_log_project_id=$ENV_LOG_PROJECT_ID + echo env_log_bucket_name=$ENV_LOG_BUCKET_NAME + ``` + +4. Reset your org policy for the logging project by running the following command. + + ```bash + gcloud org-policies reset iam.allowedPolicyMemberDomains --project=$ENV_LOG_PROJECT_ID + ``` + +5. Assign `roles/storage.objectCreator` role to `cloud-storage-analytics@google.com` group. + + ```bash + gcloud storage buckets add-iam-policy-binding gs://$ENV_LOG_BUCKET_NAME --member="group:cloud-storage-analytics@google.com" --role="roles/storage.objectCreator" + ``` + + > Note: you might receive an error telling you that this is against an organization policy, this can happen because of the propagation time from the change made to the organization policy (propagation time is tipically 2 minutes, but can take 7 minutes or longer). If this happens, wait some minutes and try again + +6. Delete the change made on the first step to the organization policy, this will make the project inherit parent policies. + + ```bash + gcloud org-policies delete iam.allowedPolicyMemberDomains --project=$ENV_LOG_PROJECT_ID + ``` + +##### `production` environment configuration + +1. Configure the following variable below with the value of `gcp-environments` repository path. 
+ + ```bash + export GCP_ENVIRONMENTS_PATH=INSERT_YOUR_PATH_HERE + ``` + + Make sure your git is checked out to the `production` branch by running `git checkout production` on `GCP_ENVIRONMENTS_PATH`. + + ```bash + (cd $GCP_ENVIRONMENTS_PATH && git checkout production) + ``` + +2. Retrieve the bucket name and project id from terraform outputs. + + ```bash + export ENV_LOG_BUCKET_NAME=$(terraform -chdir="$GCP_ENVIRONMENTS_PATH/envs/production" output -raw env_log_bucket_name) + export ENV_LOG_PROJECT_ID=$(terraform -chdir="$GCP_ENVIRONMENTS_PATH/envs/production" output -raw env_log_project_id) + ``` + +3. Validate the variable values. + + ```bash + echo env_log_project_id=$ENV_LOG_PROJECT_ID + echo env_log_bucket_name=$ENV_LOG_BUCKET_NAME + ``` + +4. Reset your org policy for the logging project by running the following command. + + ```bash + gcloud org-policies reset iam.allowedPolicyMemberDomains --project=$ENV_LOG_PROJECT_ID + ``` + +5. Assign `roles/storage.objectCreator` role to `cloud-storage-analytics@google.com` group. + + ```bash + gcloud storage buckets add-iam-policy-binding gs://$ENV_LOG_BUCKET_NAME --member="group:cloud-storage-analytics@google.com" --role="roles/storage.objectCreator" + ``` + + > Note: you might receive an error telling you that this is against an organization policy, this can happen because of the propagation time from the change made to the organization policy (propagation time is tipically 2 minutes, but can take 7 minutes or longer). If this happens, wait some minutes and try again + +6. Delete the change made on the first step to the organization policy, this will make the project inherit parent policies. + + ```bash + gcloud org-policies delete iam.allowedPolicyMemberDomains --project=$ENV_LOG_PROJECT_ID + ``` + +#### Option 2: Use Google Cloud Console to disable/enable organization policy constraint + +Proceed with these steps only if `Option 1` is not chosen. + +1. 
On `ml_logging.tf` locate the following lines and uncomment them: + + ```terraform + resource "google_storage_bucket_iam_member" "bucket_logging" { + bucket = google_storage_bucket.log_bucket.name + role = "roles/storage.objectCreator" + member = "group:cloud-storage-analytics@google.com" + } + ``` + +2. Under `IAM & Admin`, select `Organization Policies`. Search for "Domain Restricted Sharing". + + ![list-policy](../2-environments/imgs/list-policy.png) + +3. Select 'Manage Policy'. This directs you to the Domain Restricted Sharing Edit Policy page. It will be set at 'Inherit parent's policy'. Change this to 'Google-managed default'. + + ![edit-policy](../2-environments/imgs/edit-policy.png) + +4. Follow the instructions on checking out `development`, `non-production` & `production` branches. Once environments terraform code has successfully applied, edit the policy again and select 'Inherit parent's policy' and Click `SET POLICY`. +After making these modifications, you can follow the README.md procedure for `2-environment` step on foundation, make sure you **change the organization policy after running the steps on foundation**. -1. You can now move to the instructions in the network step. To use the [Dual Shared VPC](https://cloud.google.com/architecture/security-foundations/networking#vpcsharedvpc-id7-1-shared-vpc-) network mode go to [3-networks-dual-svpc](../3-networks-dual-svpc/README.md), or go to [3-networks-hub-and-spoke](../3-networks-hub-and-spoke/README.md) to use the [Hub and Spoke](https://cloud.google.com/architecture/security-foundations/networking#hub-and-spoke) network mode. +1. You can now move to the instructions in the network step. To use the [Dual Shared VPC](https://cloud.google.com/architecture/security-foundations/networking#vpcsharedvpc-id7-1-shared-vpc-) network mode go to [3-networks-dual-svpc](../3-networks-dual-svpc/README.md). ### Deploying with Jenkins 
diff --git a/2-environments/modules/env_baseline/ml_logging.tf b/2-environments/modules/env_baseline/ml_logging.tf index 73ff5eb1..e247e976 100644 --- a/2-environments/modules/env_baseline/ml_logging.tf +++ b/2-environments/modules/env_baseline/ml_logging.tf @@ -75,11 +75,11 @@ resource "google_storage_bucket" "log_bucket" { Logging Bucket - IAM *****************************************/ -resource "google_storage_bucket_iam_member" "bucket_logging" { - bucket = google_storage_bucket.log_bucket.name - role = "roles/storage.objectCreator" - member = "group:cloud-storage-analytics@google.com" -} +# resource "google_storage_bucket_iam_member" "bucket_logging" { +# bucket = google_storage_bucket.log_bucket.name +# role = "roles/storage.objectCreator" +# member = "group:cloud-storage-analytics@google.com" +# } resource "google_kms_crypto_key_iam_member" "gcs_logging_key" { crypto_key_id = module.kms_keyring.keys_by_region[var.gcs_logging_bucket_location][local.logging_key_name] diff --git a/3-networks-dual-svpc/README.md b/3-networks-dual-svpc/README.md index 12e0e96c..17383ac5 100644 --- a/3-networks-dual-svpc/README.md +++ b/3-networks-dual-svpc/README.md @@ -45,14 +45,13 @@ Hub and Spoke network model. It also sets up the global DNS hub 5-app-infra -Deploy service catalog and artifacts pipeline. -Deploy a service catalog and artifacts pipeline. +Deploys Service Catalog Pipeline and Custom Artifacts Pipeline. For an overview of the architecture and the parts, see the -[terraform-google-enterprise-genai README](https://github.com/terraform-google-modules/terraform-google-enterprise-genai). +[terraform-google-enterprise-genai README](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai). ## Purpose 
@@ -74,9 +73,9 @@ The purpose of this step is to: echo "access_context_manager_policy_id = ${ACCESS_CONTEXT_MANAGER_ID}" ``` -1. For the manual step described in this document, you need [Terraform](https://www.terraform.io/downloads.html) version 1.3.0 or later to be installed. +1. For the manual step described in this document, you need [Terraform](https://www.terraform.io/downloads.html) version 1.5.7 or later to be installed. -**Note:** Make sure that you use version 1.3.0 or later of Terraform throughout this series. Otherwise, you might experience Terraform state snapshot lock errors. +**Note:** Make sure that you use version 1.5.7 or later of Terraform throughout this series. Otherwise, you might experience Terraform state snapshot lock errors. ### Troubleshooting @@ -189,6 +188,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get echo "remote_state_bucket = ${backend_bucket}" sed -i "s/REMOTE_STATE_BUCKET/${backend_bucket}/" ./common.auto.tfvars + for i in `find -name 'backend.tf'`; do sed -i "s/UPDATE_ME/${backend_bucket}/" $i; done ``` **Note:** Make sure that you update the `perimeter_additional_members` variable with your e-mail in order to be able to view/access resources in the project protected by the VPC service controls. 
@@ -200,7 +200,9 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get ``` 1. You must manually plan and apply the `shared` environment (only once) since the `development`, `non-production` and `production` environments depend on it. + 1. To use the `validate` option of the `tf-wrapper.sh` script, please follow the [instructions](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install) to install the terraform-tools component. + 1. Use `terraform output` to get the Cloud Build project ID and the networks step Terraform Service Account from 0-bootstrap output. An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set using the Terraform Service Account to enable impersonation. ```bash @@ -211,12 +213,6 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} ``` -1. Log into gcloud using service account impersonation and then set your configuration: - ```bash - gcloud auth application-default login --impersonate-service-account=${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} - gcloud config set auth/impersonate_service_account ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} - ``` - 1. Run `init` and `plan` and review output for environment shared. ```bash @@ -236,11 +232,6 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get ./tf-wrapper.sh apply shared ``` -1. Unset your gcloud configuration to remove impersonation: - ```bash - gcloud config unset auth/impersonate_service_account - ``` - 1. Push your plan branch to trigger a plan for all environments. Because the _plan_ branch is not a [named environment branch](../docs/FAQ.md#what-is-a-named-branch), pushing your _plan_ branch triggers _terraform plan_ but not _terraform apply_. Review the plan output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID 
@@ -275,6 +266,13 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get git push origin non-production ``` +1. Before executing the next step, unset the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` environment variable. + + ```bash + unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT + ``` + + 1. You can now move to the instructions in the [4-projects](../4-projects/README.md) step. ### Deploying with Jenkins diff --git a/4-projects/README.md b/4-projects/README.md index 45b203ca..c84f8b86 100644 --- a/4-projects/README.md +++ b/4-projects/README.md @@ -45,13 +45,13 @@ Hub and Spoke network model. It also sets up the global DNS hub 5-app-infra -Deploy service catalog and artifacts pipeline. +Deploys Service Catalog Pipeline and Custom Artifacts Pipeline. For an overview of the architecture and the parts, see the -[terraform-google-enterprise-genai README](https://github.com/terraform-google-modules/terraform-google-enterprise-genai). +[terraform-google-enterprise-genai README](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai). ## Purpose 
@@ -59,7 +59,8 @@ The purpose of this step is to set up the folder structure, projects, and infras For machine learning business unit, a shared `infra-pipeline` project is created along with Cloud Build triggers, CSRs for application infrastructure code and Google Cloud Storage buckets for state storage. -This step follows the same [conventions](https://github.com/terraform-google-modules/terraform-google-enterprise-genai#branching-strategy) as the Foundation pipeline deployed in [0-bootstrap](https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/0-bootstrap/README.md). +This step follows the same [conventions](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai#branching-strategy) as the Foundation pipeline deployed in [0-bootstrap](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/0-bootstrap/README.md). +A custom [workspace](https://github.com/terraform-google-modules/terraform-google-bootstrap/blob/master/modules/tf_cloudbuild_workspace/README.md) (`bu1-example-app`) is created by this pipeline and necessary roles are granted to the Terraform Service Account of this workspace by enabling variable `sa_roles` as shown in this [example](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/4-projects/modules/base_env/example_base_shared_vpc_project.tf). This pipeline is utilized to deploy resources in projects across development/non-production/production in step [5-app-infra](../5-app-infra/README.md). Other Workspaces can also be created to isolate deployments if needed. 
@@ -71,9 +72,9 @@ Other Workspaces can also be created to isolate deployments if needed. 1. 2-environments executed successfully. 1. 3-networks executed successfully. -1. For the manual step described in this document, you need [Terraform](https://www.terraform.io/downloads.html) version 1.3.0 or later to be installed. +1. For the manual step described in this document, you need [Terraform](https://www.terraform.io/downloads.html) version 1.5.7 or later to be installed. - **Note:** Make sure that you use version 1.3.0 or later of Terraform throughout this series. Otherwise, you might experience Terraform state snapshot lock errors. + **Note:** Make sure that you use version 1.5.7 or later of Terraform throughout this series. Otherwise, you might experience Terraform state snapshot lock errors. **Note 2:** As mentioned in 0-bootstrap [README note 2](../0-bootstrap/README.md#deploying-with-cloud-build) at the end of Cloud Build deploy section, make sure that you have requested at least 50 additional projects for the **projects step service account**, otherwise you may face a project quota exceeded error message during the following steps and you will need to apply the fix from [this entry](../docs/TROUBLESHOOTING.md#attempt-to-run-4-projects-step-without-enough-project-quota) of the Troubleshooting guide in order to continue. 
@@ -131,7 +132,11 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get export remote_state_bucket=$(terraform -chdir="../terraform-google-enterprise-genai/0-bootstrap/" output -raw gcs_bucket_tfstate) echo "remote_state_bucket = ${remote_state_bucket}" + export projects_gcs_bucket_tfstate=$(terraform -chdir="../terraform-google-enterprise-genai/0-bootstrap/" output -raw projects_gcs_bucket_tfstate) + echo "projects_gcs_bucket_tfstate = ${projects_gcs_bucket_tfstate}" + sed -i "s/REMOTE_STATE_BUCKET/${remote_state_bucket}/" ./common.auto.tfvars + for i in `find -name 'backend.tf'`; do sed -i "s/UPDATE_PROJECTS_BACKEND/${projects_gcs_bucket_tfstate}/" $i; done ``` 1. Commit changes. @@ -155,12 +160,6 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} ``` -1. Log into gcloud using service account impersonation and then set your configuration: - ```bash - gcloud auth application-default login --impersonate-service-account=${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} - gcloud config set auth/impersonate_service_account ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} - ``` - 1. Run `init` and `plan` and review output for environment shared. ```bash @@ -180,11 +179,6 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get ./tf-wrapper.sh apply shared ``` -1. Unset your gcloud configuration to remove impersonation: - ```bash - gcloud config unset auth/impersonate_service_account - ``` - 1. Push your plan branch to trigger a plan for all environments. Because the _plan_ branch is not a [named environment branch](../docs/FAQ.md#what-is-a-named-branch)), pushing your _plan_ branch triggers _terraform plan_ but not _terraform apply_. Review the plan output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID 
diff --git a/5-app-infra/README.md b/5-app-infra/README.md index 507dcbdb..a8af7c66 100644 --- a/5-app-infra/README.md +++ b/5-app-infra/README.md @@ -360,6 +360,14 @@ The pipeline also listens for changes made to `plan`, `development`, `non-produc for i in `find -name 'backend.tf'`; do sed -i "s/UPDATE_APP_INFRA_BUCKET/${backend_bucket}/" $i; done ``` +1. Update the `log_bucket` variable with the value of the `logs_export_storage_bucket_name`. + + ```bash + export log_bucket=$(terraform -chdir="../gcp-org/envs/shared" output -raw logs_export_storage_bucket_name) + echo "log_bucket = ${log_bucket}" + sed -i "s/REPLACE_LOG_BUCKET/${log_bucket}/" ./common.auto.tfvars + ``` + 1. Commit changes. ```bash diff --git a/5-app-infra/modules/publish_artifacts/main.tf b/5-app-infra/modules/publish_artifacts/main.tf index a4b5ca20..f953ca65 100644 --- a/5-app-infra/modules/publish_artifacts/main.tf +++ b/5-app-infra/modules/publish_artifacts/main.tf @@ -20,6 +20,13 @@ resource "google_project_service_identity" "artifact_registry_agent" { service = "artifactregistry.googleapis.com" } +resource "google_project_service_identity" "storage_agent" { + provider = google-beta + + project = var.project_id + service = "storage.googleapis.com" +} + resource "google_kms_crypto_key_iam_member" "artifact-kms-key-binding" { crypto_key_id = var.kms_crypto_key role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" @@ -109,6 +116,8 @@ resource "google_kms_crypto_key_iam_member" "storage_agent" { crypto_key_id = var.kms_crypto_key role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" member = "serviceAccount:service-${data.google_project.project.number}@gs-project-accounts.iam.gserviceaccount.com" + + depends_on = [google_project_service_identity.storage_agent] #member = "serviceAccount:${google_project_service_identity.storage.email}" } 
diff --git a/5-app-infra/projects/artifact-publish/ml_business_unit/shared/variables.tf b/5-app-infra/projects/artifact-publish/ml_business_unit/shared/variables.tf index debeaa58..8e9bafd0 100644 --- a/5-app-infra/projects/artifact-publish/ml_business_unit/shared/variables.tf +++ b/5-app-infra/projects/artifact-publish/ml_business_unit/shared/variables.tf @@ -23,8 +23,3 @@ variable "remote_state_bucket" { description = "Backend bucket to load remote state information from previous steps." type = string } - -variable "log_bucket" { - description = "Log bucket to be used by Service Catalog Bucket" - type = string -} diff --git a/5-app-infra/projects/service-catalog/ml_business_unit/shared/variables.tf b/5-app-infra/projects/service-catalog/ml_business_unit/shared/variables.tf index 8e9bafd0..debeaa58 100644 --- a/5-app-infra/projects/service-catalog/ml_business_unit/shared/variables.tf +++ b/5-app-infra/projects/service-catalog/ml_business_unit/shared/variables.tf @@ -23,3 +23,8 @@ variable "remote_state_bucket" { description = "Backend bucket to load remote state information from previous steps." type = string } + +variable "log_bucket" { + description = "Log bucket to be used by Service Catalog Bucket" + type = string +} diff --git a/Dockerfile-dev b/Dockerfile-dev index 74dcd368..8c975c62 100644 --- a/Dockerfile-dev +++ b/Dockerfile-dev @@ -1,6 +1,6 @@ FROM alpine:3.18.4 # Use ARG so that values can be overriden by user/cloudbuild -ARG TERRAFORM_VERSION=1.3.0 +ARG TERRAFORM_VERSION=1.5.7 ARG GCLOUD_VERSION=455.0.0 ENV ENV_TERRAFORM_VERSION=$TERRAFORM_VERSION diff --git a/ERRATA.md b/ERRATA.md index 2c8bec34..93ab4456 100644 --- a/ERRATA.md +++ b/ERRATA.md 
@@ -35,7 +35,7 @@ This will be addressed in the next version of the blueprint guide. - Cloud Asset Inventory will be integrated in a future release. - The unallocated IP address space in the Shared VPC networks, described in Section 7.3, is currently being used by Private Service Networking in this release. -## [1.x](https://github.com/terraform-google-modules/terraform-google-enterprise-genai/releases/tag/v1.0.0) +## [1.x](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/releases/tag/v1.0.0) ### Code Discrepancies #### Labeling diff --git a/docs/TROUBLESHOOTING.md b/docs/TROUBLESHOOTING.md index aef67481..80cba4d3 100644 --- a/docs/TROUBLESHOOTING.md +++ b/docs/TROUBLESHOOTING.md @@ -87,12 +87,12 @@ This could be due to init.defaultBranch being set to something other than When running the build for the branch `production` in step 3-networks in your **Foundation CI/CD Pipeline** the build fails with: ``` -state snapshot was created by Terraform v1.x.x, which is newer than current v1.3.0; upgrade to Terraform v1.x.x or greater to work with this state +state snapshot was created by Terraform v1.x.x, which is newer than current v1.5.7; upgrade to Terraform v1.x.x or greater to work with this state ``` **Cause:** -The manual deploy step for the shared environment in [3-networks](../3-networks#deploying-with-cloud-build) was executed with a Terraform version newer than version v1.3.0 used in the **Foundation CI/CD Pipeline**. +The manual deploy step for the shared environment in [3-networks](../3-networks#deploying-with-cloud-build) was executed with a Terraform version newer than version v1.5.7 used in the **Foundation CI/CD Pipeline**. **Solution:** @@ -100,7 +100,7 @@ You have two options: #### Downgrade your local Terraform version -You will need to re-run the deploy of the 3-networks shared environment with Terraform v1.3.0. +You will need to re-run the deploy of the 3-networks shared environment with Terraform v1.5.7. Steps: 
@@ -108,8 +108,8 @@ Steps: - Update `backend.tf` with your bucket name from the 0-bootstrap step. - Run `terraform destroy` in the folder using the Terraform v1.x.x version. - Delete the Terraform state file in `gs://YOUR-TF-STATE-BUCKET/terraform/networks/envs/shared/default.tfstate`. This bucket is in your **Seed Project**. -- Install Terraform v1.3.0. -- Re-run the manual deploy of 3-networks shared environment using Terraform v1.3.0. +- Install Terraform v1.5.7. +- Re-run the manual deploy of 3-networks shared environment using Terraform v1.5.7. #### Upgrade your 0-bootstrap runner image Terraform version @@ -117,7 +117,7 @@ Replace `1.x.x` with the actual version of your local Terraform version in the f - Go to folder `0-bootstrap`. - Edit the local `terraform_version` in the Terraform [cb.tf](../0-bootstrap/cb.tf) file: - - Upgrade local `terraform_version` from `"1.3.0"` to `"1.x.x"` + - Upgrade local `terraform_version` from `"1.5.7"` to `"1.x.x"` - Run `terraform init`. - Run `terraform plan` and review the output. - Run `terraform apply`. @@ -473,4 +473,4 @@ You can get this information from step `0-bootstrap` by running the following co **Terraform State lock possible causes:** -- If you realize that the Terraform State lock was due to a build timeout increase the build timeout on [build configuration](https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/build/cloudbuild-tf-apply.yaml#L15). +- If you realize that the Terraform State lock was due to a build timeout increase the build timeout on [build configuration](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/build/cloudbuild-tf-apply.yaml#L15). diff --git a/docs/upgrading_to_v2.0.md b/docs/upgrading_to_v2.0.md index c4db74b3..bd9d2040 100644 --- a/docs/upgrading_to_v2.0.md +++ b/docs/upgrading_to_v2.0.md 
@@ -2,7 +2,7 @@ Before moving forward with adopting components of V2, please review the list of breaking changes below. You can find a list of all changes in the -[Changelog](https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/CHANGELOG.md). +[Changelog](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/CHANGELOG.md). **Note:** There is no in-place upgrade path from v1 to v2. diff --git a/docs/upgrading_to_v3.0.md b/docs/upgrading_to_v3.0.md index b5690425..8e23ee83 100644 --- a/docs/upgrading_to_v3.0.md +++ b/docs/upgrading_to_v3.0.md 
@@ -1,11 +1,11 @@ # Upgrade Guidance -Before moving forward with adopting components of v3, review the list of breaking changes below. You can find a complete list of features, bug fixes and other updates in the [Changelog](https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/CHANGELOG.md). +Before moving forward with adopting components of v3, review the list of breaking changes below. You can find a complete list of features, bug fixes and other updates in the [Changelog](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/CHANGELOG.md). **Important:** There is no in-place upgrade path from v2 to v3. ## Breaking Changes -- Minimum required Terraform version is now 1.3.0. For previous release, the minimum version was 0.13.7. +- Minimum required Terraform version is now 1.5.7. For previous release, the minimum version was 0.13.7. - Added Granular Service Account (SA) for each stage which is utilized within Cloud Build using [BYOSA feature](https://cloud.google.com/build/docs/securing-builds/configure-user-specified-service-accounts). In previous versions, a single SA was used to deploy all steps which resulted in excessive permissions. Now, each stage has its own SA with very limited permissions. - 3-networks stage has been split into two different directories. Previously, the 3-networks step supported both network modes, Dual Shared VPC and Hub and Spoke. In this release, these two modes have been separated into two different implementations for easier customization and maintenance. 
@@ -17,7 +17,7 @@ There is no direct path for upgrading from v2 to v3 as this may result in resour In case you require to integrate some of the v3's features, we recommend to review the documentation regarding the feature you are interested in and use v3's code as a guidance for its implementation. We also recommend to review the output from `terraform plan` for any destructive operations before applying the updates. -**Note:** You must verify that you are using the correct version for `terraform` and `gcloud`. You can check these and other additional requirements using this [validate script](https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/scripts/validate-requirements.sh). +**Note:** You must verify that you are using the correct version for `terraform` and `gcloud`. You can check these and other additional requirements using this [validate script](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/scripts/validate-requirements.sh). ### Move Blocks @@ -25,7 +25,7 @@ Integrating features to your codebase can end up with some resources being moved Given this variety of scenarios, we suggest you to consider `moved` blocks which enables you to update your resources and safely refactor your code. For more details, see [moved blocks](https://developer.hashicorp.com/terraform/tutorials/configuration-language/move-config). -**Note:** `moved` blocks are supported by the required terraform version for example foundation v3 (v1.3.0). +**Note:** `moved` blocks are supported by the required terraform version for example foundation v3 (v1.5.7). Next, we give some examples on how these moved blocks can be implemented. diff --git a/examples/machine-learning-pipeline/README.md b/examples/machine-learning-pipeline/README.md index 0161c9ed..6368c8f9 100644 --- a/examples/machine-learning-pipeline/README.md +++ b/examples/machine-learning-pipeline/README.md 
@@ -44,7 +44,7 @@ up the global DNS hub. For an overview of the architecture and the parts, see the -[terraform-google-enterprise-genai README](https://github.com/terraform-google-modules/terraform-google-enterprise-genai) +[terraform-google-enterprise-genai README](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai) file. ## Purpose diff --git a/helpers/foundation-deployer/README.md b/helpers/foundation-deployer/README.md index 22c06132..4ceb24f1 100644 --- a/helpers/foundation-deployer/README.md +++ b/helpers/foundation-deployer/README.md @@ -6,7 +6,7 @@ Helper tool to deploy the Terraform example foundation. ### Validate required tools -- Check if required tools, Go 1.18+, Terraform 1.3.0+, gcloud 393.0.0+, and Git 2.28.0+, are installed: +- Check if required tools, Go 1.18+, Terraform 1.5.7+, gcloud 393.0.0+, and Git 2.28.0+, are installed: ```bash go version 
@@ -45,17 +45,17 @@ Helper tool to deploy the Terraform example foundation. ``` - Update `global.tfvars` with values from your environment. -- The `0-bootstrap` README [prerequisites](https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/0-bootstrap/README.md#prerequisites) section has additional prerequisites needed to run this helper. +- The `0-bootstrap` README [prerequisites](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/0-bootstrap/README.md#prerequisites) section has additional prerequisites needed to run this helper. - Variable `code_checkout_path` is the full path to `deploy-directory` directory. - Variable `foundation_code_path` is the full path to `terraform-google-enterprise-genai` directory. - See the READMEs for the stages for additional information: - - [0-bootstrap](https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/0-bootstrap/README.md) - - [1-org](https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/1-org/README.md) - - [2-environments](https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/2-environments/README.md) - - [3-networks-dual-svpc](https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/3-networks-dual-svpc) - - [3-networks-hub-and-spoke](https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/3-networks-hub-and-spoke) - - [4-projects](https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/4-projects) - - [5-app-infra](https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/5-app-infra) + - [0-bootstrap](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/0-bootstrap/README.md) + - 
[1-org](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/1-org/README.md) + - [2-environments](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/2-environments/README.md) + - [3-networks-dual-svpc](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/3-networks-dual-svpc) + - [3-networks-hub-and-spoke](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/3-networks-hub-and-spoke) + - [4-projects](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/4-projects) + - [5-app-infra](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/5-app-infra) ### Location @@ -163,5 +163,5 @@ Im addition to the variables declared in the file `global.tfvars` for configurin - [Go](https://go.dev/doc/install) 1.18+ - [Google Cloud SDK](https://cloud.google.com/sdk/install) version 393.0.0+ - [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) version 2.28.0+ -- [Terraform](https://www.terraform.io/downloads.html) version 1.3.0+ +- [Terraform](https://www.terraform.io/downloads.html) version 1.5.7+ - See `0-bootstrap` README for additional IAM [requirements](../../0-bootstrap/README.md#prerequisites) on the user deploying the Foundation. diff --git a/helpers/foundation-deployer/global.tfvars.example b/helpers/foundation-deployer/global.tfvars.example index 5da7ab8b..fb4d3c00 100644 --- a/helpers/foundation-deployer/global.tfvars.example +++ b/helpers/foundation-deployer/global.tfvars.example 
@@ -29,7 +29,7 @@ validator_project_id = "EXISTING_PROJECT_ID" // 0-bootstrap inputs -// https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/0-bootstrap/README.md#inputs +// https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/0-bootstrap/README.md#inputs org_id = "REPLACE_ME" # format "000000000000" billing_account = "REPLACE_ME" # format "000000-000000-000000" @@ -55,7 +55,7 @@ folder_prefix = "fldr" // Optional - for enabling the automatic groups creation, uncomment the groups // variable and update the values with the desired group names -// https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/0-bootstrap/README.md#optional---automatic-creation-of-google-cloud-identity-groups +// https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/0-bootstrap/README.md#optional---automatic-creation-of-google-cloud-identity-groups // After deploy, the Bootstrap service account will need to be granted "Group Admin" role in the // Google Workspace by a Super Admin before Cloud Build builds can be executed by the Bootstrap workspace. @@ -85,7 +85,7 @@ folder_prefix = "fldr" // 1-org inputs -// https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/1-org/envs/shared/README.md#inputs +// https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/1-org/envs/shared/README.md#inputs audit_data_users = "REPLACE_ME" # "gcp-security-admins@example.com" billing_data_users = "REPLACE_ME" # "gcp-billing-data-users@example.com" 
@@ -101,8 +101,8 @@ log_export_storage_location = "US" billing_export_dataset_location = "US" // Choose witch network architecture to use: -// Dual Shared VPC: https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/3-networks-dual-svpc/README.md -// Hub And Spoke: https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/3-networks-hub-and-spoke/README.md +// Dual Shared VPC: https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/3-networks-dual-svpc/README.md +// Hub And Spoke: https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/3-networks-hub-and-spoke/README.md enable_hub_and_spoke = false @@ -115,14 +115,14 @@ create_unique_tag_key = false // 2-environments inputs -// https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/2-environments/envs/production/README.md#inputs +// https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/2-environments/envs/production/README.md#inputs monitoring_workspace_users = "REPLACE_ME" # "gcp-monitoring-admins@example.com" // 3-networks inputs -// https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/3-networks-hub-and-spoke/envs/production/README.md#inputs -// https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/3-networks-hub-and-spoke/envs/shared/README.md#inputs +// https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/3-networks-hub-and-spoke/envs/production/README.md#inputs +// https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/3-networks-hub-and-spoke/envs/shared/README.md#inputs domain = "example.com." # The DNS name of peering managed zone. Must end with a period. 
@@ -149,7 +149,7 @@ target_name_server_addresses = [ // 4-projects inputs -// https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/4-projects/business_unit_1/production/README.md#inputs +// https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/4-projects/business_unit_1/production/README.md#inputs projects_gcs_location = "US" projects_kms_location = "us" diff --git a/scripts/validate-requirements.sh b/scripts/validate-requirements.sh index b3d11889..bfbea10f 100755 --- a/scripts/validate-requirements.sh +++ b/scripts/validate-requirements.sh @@ -19,7 +19,7 @@ # -------------------------- Variables -------------------------- # Expected versions of the installers -TF_VERSION="1.3.0" +TF_VERSION="1.5.7" # Version 393.0.0 due to terraform-tools 0.5.0 version that fixes the issue # mentioned in this PR https://github.com/terraform-google-modules/terraform-google-enterprise-genai/pull/729#discussion_r919427668 GCLOUD_SDK_VERSION="393.0.0"
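Review bot: step 6 of Option 1 in the 2-environments/README.md hunk says to delete "the change made on the first step", but the org-policy change is made in step 4; fix the cross-reference, and say explicitly that between step 4 (`gcloud org-policies reset iam.allowedPolicyMemberDomains`) and step 6 (`gcloud org-policies delete iam.allowedPolicyMemberDomains`) the logging project has Domain Restricted Sharing switched off at project level, so the only IAM change made in that window should be the single `cloud-storage-analytics@google.com` binding, and step 6 must still be run if the binding command fails on propagation. The same note carries "tipically" (typically) and "wait some minutes and try again" with no closing period.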
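Review bot: commenting out `google_storage_bucket_iam_member.bucket_logging` in the 2-environments/modules/env_baseline/ml_logging.tf hunk, instead of gating it, means an existing deployment drops the binding from state and revokes it on the next apply, and Option 2 of the README then tells users to hand-edit the module to uncomment it. A boolean module variable, e.g. `count = var.enable_log_bucket_analytics_binding ? 1 : 0` (name is a suggestion), keeps both options without editing module source. Worth adding to Option 1 as well: because `google_storage_bucket_iam_member` is non-authoritative, the binding added with `gcloud storage buckets add-iam-policy-binding` is never reverted by Terraform, so removing it later is a manual step too.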
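Review bot: the line added in the 3-networks-dual-svpc/README.md hunk, `for i in \`find -name 'backend.tf'\`; do sed -i "s/UPDATE_ME/${backend_bucket}/" $i; done`, uses a placeholder (`UPDATE_ME`) that differs from the step-specific ones used elsewhere in this patch (`UPDATE_PROJECTS_BACKEND`, `UPDATE_APP_INFRA_BUCKET`), and `find` with no starting path is a GNU extension. `find . -name 'backend.tf'` is portable, a step-specific placeholder makes it obvious which files are meant, and since `sed` exits 0 when the pattern matches nothing, a `grep -l UPDATE_ME` check before the loop would catch a silently skipped substitution. Prefer `$(...)` over backticks and quote `"$i"`, matching the other snippets.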
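Review bot: the hunks in 3-networks-dual-svpc/README.md and 4-projects/README.md that remove `gcloud auth application-default login --impersonate-service-account=...` and `gcloud config unset auth/impersonate_service_account` change which identity runs the manual `shared` deploy: the Google provider still impersonates through `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT`, but any `gcloud` invocation in the same shell (for example the `terraform-tools` policy validation the new step asks users to install, which runs through `gcloud`) now uses the user's own credentials. Say that in the text, and add the matching `unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` step to 4-projects/README.md, which only 3-networks received in this change; the added 3-networks step also leaves two consecutive blank `+` lines before "You can now move to the instructions".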
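Review bot: the new paragraph in the 4-projects/README.md "Purpose" hunk names the workspace `bu1-example-app` and links `example_base_shared_vpc_project.tf`, while the paragraph just above it describes a "machine learning business unit" and the rest of this patch uses `ml_business_unit` paths; confirm the workspace name matches the code. Since `sa_roles` is where the Terraform Service Account of that workspace gets its permissions, list (or link to) the roles it grants, so a reader can judge the blast radius of the 5-app-infra pipeline without opening the example file.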
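Review bot: the 4-projects/README.md hunk that adds `export projects_gcs_bucket_tfstate=$(terraform -chdir=... output -raw projects_gcs_bucket_tfstate)` depends on a 0-bootstrap output that no hunk in this patch introduces; confirm it exists on the target branch. Also add one sentence on why the projects step keeps its state in a bucket separate from `remote_state_bucket` (state kept per stage service account, in line with the granular-SA change described in docs/upgrading_to_v3.0.md), since the two names otherwise read as interchangeable.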
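Review bot: the new `log_bucket` step in the 5-app-infra/README.md hunk runs `terraform -chdir="../gcp-org/envs/shared" output -raw logs_export_storage_bucket_name`, which assumes the 1-org checkout is a sibling directory named `gcp-org` and that the caller can read that state, whereas the neighbouring steps only read `../terraform-google-enterprise-genai/0-bootstrap/`; state that assumption, or read the value through the `remote_state_bucket` data source the step already configures. With `log_bucket` removed from `artifact-publish/.../variables.tf` in the same patch, a `log_bucket` value in a shared `common.auto.tfvars` will also raise an undeclared-variable warning there.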
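Review bot: in the 5-app-infra/modules/publish_artifacts/main.tf hunks the new `google_project_service_identity.storage_agent` is only wired in through `depends_on`, while the member is still hand-built as `serviceAccount:service-${data.google_project.project.number}@gs-project-accounts.iam.gserviceaccount.com`, and the commented-out line references a stale name (`google_project_service_identity.storage`). Using `member = "serviceAccount:${google_project_service_identity.storage_agent.email}"` ties the KMS grant to the identity the resource provisions and makes the `depends_on` implicit; if the `email` attribute is not populated for this service, replace the stale comment with one that says so.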
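Review bot: the two `variables.tf` hunks move `log_bucket` from `artifact-publish` to `service-catalog` (the blob ids swap, so the files become copies of each other); check that nothing under `5-app-infra/projects/artifact-publish` still references `var.log_bucket`, and that the `service-catalog` configuration actually consumes it (the description says "Log bucket to be used by Service Catalog Bucket", so that bucket's `logging` block is the expected consumer). A one-line commit or CHANGELOG note explaining that the variable was declared in the wrong project would save the next reader the archaeology.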
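Review bot: the README and docs hunks say Terraform "1.5.7 or later" while the runner images (`0-bootstrap/Dockerfile`, `Dockerfile-dev`, `TERRAFORM_VERSION=1.5.7`) and `scripts/validate-requirements.sh` pin exactly 1.5.7; the state-snapshot error that docs/TROUBLESHOOTING.md documents is precisely the result of a local version newer than the pinned one, so the prerequisite text should say the local version must match the runner image (or be bumped together with it), not "or later". If the choice of 1.5.7 is deliberate (it is the last release under the MPL 2.0 licence; 1.6.0 onward are under the BUSL), record that next to the pin so nobody bumps it to "latest".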
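Review bot: docs/upgrading_to_v3.0.md records what v3 required when it shipped, and the hunk rewrites that record ("Minimum required Terraform version is now 1.5.7. For previous release, the minimum version was 0.13.7."), which makes the v3 guide wrong for anyone on a v3 release that shipped with 1.3.0; the same applies to the `moved` blocks note in the second hunk. Leave the v3 guide as written and document the 1.3.0 to 1.5.7 bump as its own entry (CHANGELOG or an upgrade note for this release).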
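Review bot: the 2-environments/README.md hunk drops the `3-networks-hub-and-spoke` option from the "move to the network step" line, but helpers/foundation-deployer/README.md and `global.tfvars.example` (`enable_hub_and_spoke`, the "Hub And Spoke" link) still offer that mode in this same patch; either keep the link in 2-environments or retire the mode everywhere. The touched `global.tfvars.example` context also carries "Choose witch network architecture" (which) and the helper README "Im addition" (In addition), cheap to fix while these files are open.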
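Review bot: the scripts/validate-requirements.sh hunk bumps `TF_VERSION` but the comment two lines below it still points at `https://github.com/terraform-google-modules/terraform-google-enterprise-genai/pull/729`, the old organization every other hunk in this patch migrates away from; update it with the rest so the link does not break when the old-org redirect stops working.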