The objective of the instructions below is to configure the infrastructure that allows you to run CI/CD deployments using
GitHub Actions for the Terraform Example Foundation stages (0-bootstrap
, 1-org
, 2-environments
, 3-networks
, 4-projects
).
The infrastructure consists in two Google Cloud Platform projects (prj-b-seed
and prj-b-cicd-wif-gh
).
It is a best practice to have two separate projects here (prj-b-seed
and prj-b-cicd-wif-gh
) for separation of concerns.
On one hand, prj-b-seed
stores terraform state and has the Service Accounts able to create / modify infrastructure.
On the other hand, the authentication infrastructure using Workload identity federation is implemented in prj-b-cicd-wif-gh
.
To run the instructions described in this document, install the following:
- Google Cloud SDK version 393.0.0 or later
- terraform-tools component
- Git version 2.28.0 or later
- Terraform version 1.5.7 or later
Also make sure that you have the following:
- A GitHub account for your User or Organization.
- A private GitHub repository for each one of the stages of Foundation:
- Bootstrap
- Organization
- Environments
- Networks
- Projects
- A Fine grained personal access token configured with:
- Repository access to Only select repositories, including all the repositories in the previous item.
- Permissions:
- Actions: Read and Write
- Metadata: Read-only
- Secrets: Read and Write
- Variables: Read and Write
- Workflows: Read and Write
- A Google Cloud organization.
- A Google Cloud billing account.
- Cloud Identity or Google Workspace groups for organization and billing admins.
- Add the Identity (user or Service Account) who will run Terraform to the
group_org_admins
group. They must be in this group, or they won't haveroles/resourcemanager.projectCreator
access. - For the Identity who will run the procedures in this document, grant the following roles:
- The
roles/resourcemanager.organizationAdmin
role on the Google Cloud organization. - The
roles/orgpolicy.policyAdmin
role on the Google Cloud organization. - The
roles/billing.admin
role on the billing account. - The
roles/resourcemanager.folderCreator
role.
- The
If other users need to be able to run these procedures, add them to the group
represented by the org_project_creators
variable.
For more information about the permissions that are required, and the resources
that are created, see the organization bootstrap module
documentation.
Due to issue First commit pushed triggers 2 workflow runs,
The repositories created must be initialized with an initial commit,
so that the initial push for the plan
branch does not trigger two workflow runs.
The instructions in the following steps will ensure the creation of an initial commit
for each one of the repositories.
-
Clone terraform-google-enterprise-genai into your local environment.
git clone https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai.git
-
Clone the private repository you created to host the
0-bootstrap
terraform configuration at the same level of theterraform-google-enterprise-genai
folder. You must be authenticated to GitHub.git clone [email protected]:<GITHUB-OWNER>/<GITHUB-BOOTSTRAP-REPO>.git gcp-bootstrap
-
The layout should be:
gcp-bootstrap/ terraform-google-enterprise-genai/
-
Navigate into the repo. All subsequent steps assume you are running them from the
gcp-bootstrap
directory. If you run them from another directory, adjust your copy paths accordingly.cd gcp-bootstrap
-
Seed the repository if it has not been initialized yet.
git commit --allow-empty -m 'repository seed' git push --set-upstream origin main git checkout -b production git push --set-upstream origin production
-
change to a non-production branch.
git checkout -b plan
-
Copy contents of foundation to new repo (modify accordingly based on your current directory).
mkdir -p envs/shared cp -RT ../terraform-google-enterprise-genai/0-bootstrap/ ./envs/shared cp -RT ../terraform-google-enterprise-genai/policy-library/ ./policy-library mkdir -p .github/workflows cp ../terraform-google-enterprise-genai/build/github-tf-* ./.github/workflows/ cp ../terraform-google-enterprise-genai/build/tf-wrapper.sh . chmod 755 ./tf-wrapper.sh cd ./envs/shared
-
In the versions file
./versions.tf
un-comment thegithub
required provider -
In the variables file
./variables.tf
un-comment variables in the sectionSpecific to github_bootstrap
-
In the outputs file
./outputs.tf
Comment-out outputs in the sectionSpecific to cloudbuild_module
-
In the outputs file
./outputs.tf
un-comment outputs in the sectionSpecific to github_bootstrap
-
Rename file
./cb.tf
to./cb.tf.example
mv ./cb.tf ./cb.tf.example
-
Rename file
./github.tf.example
to./github.tf
mv ./github.tf.example ./github.tf
-
Rename file
terraform.example.tfvars
toterraform.tfvars
mv ./terraform.example.tfvars ./terraform.tfvars
-
Update the file
terraform.tfvars
with values from your Google Cloud environment -
Update the file
terraform.tfvars
with values from your GitHub repositories -
To prevent saving the
gh_token
in plain text in theterraform.tfvars
file, export the GitHub fine grained access token as an environment variable:export TF_VAR_gh_token="YOUR-FINE-GRAINED-ACCESS-TOKEN"
-
Use the helper script validate-requirements.sh to validate your environment:
../../../terraform-google-enterprise-genai/scripts/validate-requirements.sh -o <ORGANIZATION_ID> -b <BILLING_ACCOUNT_ID> -u <END_USER_EMAIL> -e
Note: The script is not able to validate if the user is in a Cloud Identity or Google Workspace group with the required roles.
-
Run
terraform init
andterraform plan
and review the output.terraform init terraform plan -input=false -out bootstrap.tfplan
-
To validate your policies, run
gcloud beta terraform vet
. For installation instructions, see Validate policies instructions for the Google Cloud CLI. -
Run the following commands and check for violations:
export VET_PROJECT_ID=A-VALID-PROJECT-ID terraform show -json bootstrap.tfplan > bootstrap.json gcloud beta terraform vet bootstrap.json --policy-library="../../policy-library" --project ${VET_PROJECT_ID}
A-VALID-PROJECT-ID
must be an existing project you have access to. This is necessary because Terraform-validator needs to link resources to a valid Google Cloud Platform project. -
No violations and an output with
done
means the validation was successful. -
Run
terraform apply
.terraform apply bootstrap.tfplan
-
Run
terraform output
to get the email address of the terraform service accounts that will be used to run manual steps forshared
environments in steps3-networks-dual-svpc
,3-networks-hub-and-spoke
, and4-projects
.export network_step_sa=$(terraform output -raw networks_step_terraform_service_account_email) export projects_step_sa=$(terraform output -raw projects_step_terraform_service_account_email) echo "network step service account = ${network_step_sa}" echo "projects step service account = ${projects_step_sa}"
-
Run
terraform output
to get the ID of your CI/CD project:export cicd_project_id=$(terraform output -raw cicd_project_id) echo "CI/CD Project ID = ${cicd_project_id}"
-
Copy the backend and update
backend.tf
with the name of your Google Cloud Storage bucket for Terraform's state. Also update thebackend.tf
of all steps.export backend_bucket=$(terraform output -raw gcs_bucket_tfstate) echo "backend_bucket = ${backend_bucket}" cp backend.tf.example backend.tf cd ../../../ for i in `find -name 'backend.tf'`; do sed -i "s/UPDATE_ME/${backend_bucket}/" $i; done for i in `find -name 'backend.tf'`; do sed -i "s/UPDATE_PROJECTS_BACKEND/${backend_bucket}/" $i; done cd gcp-bootstrap/envs/shared
-
Re-run
terraform init
. When you're prompted, agree to copy Terraform state to Cloud Storage.terraform init
-
(Optional) Run
terraform plan
to verify that state is configured correctly. You should see no changes from the previous state. -
Save the Terraform configuration to
gcp-bootstrap
github repository:cd ../.. git add . git commit -m 'Initialize bootstrap repo' git push --set-upstream origin plan
-
Open a pull request in GitHub https://github.com/GITHUB-OWNER/GITHUB-BOOTSTRAP-REPO/pull/new/plan from the
plan
branch to theproduction
branch and review the output. -
The Pull request will trigger a GitHub Action that will run Terraform
init
/plan
/validate
in theproduction
environment. -
Review the GitHub Action output in GitHub https://github.com/GITHUB-OWNER/GITHUB-BOOTSTRAP-REPO/actions under
tf-pull-request
. -
If the GitHub action is successful, merge the pull request in to the
production
branch. -
The merge will trigger a GitHub Action that will apply the terraform configuration for the
production
environment. -
Review merge output in GitHub https://github.com/GITHUB-OWNER/GITHUB-BOOTSTRAP-REPO/actions under
tf-apply
.
Note 1: The stages after 0-bootstrap
use terraform_remote_state
data source to read common configuration like the organization ID from the output of the 0-bootstrap
stage.
They will fail if the state is not copied to the Cloud Storage bucket.
Note 2: After the deploy, to prevent the project quota error described in the Troubleshooting guide, we recommend that you request 50 additional projects for the projects step service account created in this step.
-
Clone the repository you created to host the
1-org
terraform configuration at the same level of theterraform-google-enterprise-genai
folder.git clone [email protected]:<GITHUB-OWNER>/<GITHUB-ORGANIZATION-REPO>.git gcp-org
-
Navigate into the repo. All subsequent steps assume you are running them from the
gcp-org
directory. If you run them from another directory, adjust your copy paths accordingly.cd gcp-org
-
Seed the repository if it has not been initialized yet.
git commit --allow-empty -m 'repository seed' git push --set-upstream origin main git checkout -b production git push --set-upstream origin production
-
change to a non-production branch.
git checkout -b plan
-
Copy contents of foundation to new repo.
cp -RT ../terraform-google-enterprise-genai/1-org/ . cp -RT ../terraform-google-enterprise-genai/policy-library/ ./policy-library mkdir -p .github/workflows cp ../terraform-google-enterprise-genai/build/github-tf-* ./.github/workflows/ cp ../terraform-google-enterprise-genai/build/tf-wrapper.sh . chmod 755 ./tf-wrapper.sh
-
Rename
./envs/shared/terraform.example.tfvars
to./envs/shared/terraform.tfvars
mv ./envs/shared/terraform.example.tfvars ./envs/shared/terraform.tfvars
-
Update the file
envs/shared/terraform.tfvars
with values from your GCP environment. See the shared folder README.md for additional information on the values in theterraform.tfvars
file. -
Un-comment the variable
create_access_context_manager_access_policy = false
if your organization already has an Access Context Manager Policy.export ORGANIZATION_ID=$(terraform -chdir="../gcp-bootstrap/envs/shared" output -json common_config | jq '.org_id' --raw-output) export ACCESS_CONTEXT_MANAGER_ID=$(gcloud access-context-manager policies list --organization ${ORGANIZATION_ID} --format="value(name)") echo "access_context_manager_policy_id = ${ACCESS_CONTEXT_MANAGER_ID}" if [ ! -z "${ACCESS_CONTEXT_MANAGER_ID}" ]; then sed -i "s=//create_access_context_manager_access_policy=create_access_context_manager_access_policy=" ./envs/shared/terraform.tfvars; fi
-
Update the
remote_state_bucket
variable with the backend bucket from step Bootstrap.export backend_bucket=$(terraform -chdir="../gcp-bootstrap/envs/shared" output -raw gcs_bucket_tfstate) echo "remote_state_bucket = ${backend_bucket}" sed -i "s/REMOTE_STATE_BUCKET/${backend_bucket}/" ./envs/shared/terraform.tfvars
-
Check if a Security Command Center Notification with the default name, scc-notify, already exists in your organization.
export ORG_STEP_SA=$(terraform -chdir="../gcp-bootstrap/envs/shared" output -raw organization_step_terraform_service_account_email) gcloud scc notifications describe "scc-notify" --format="value(name)" --organization=${ORGANIZATION_ID} --impersonate-service-account=${ORG_STEP_SA}
-
If the notification exists the output will be:
organizations/ORGANIZATION_ID/notificationConfigs/scc-notify
-
If the notification does not exist the output will be:
ERROR: (gcloud.scc.notifications.describe) NOT_FOUND: Requested entity was not found.
-
If the notification exists, choose a different value for the
scc_notification_name
variable in the./envs/shared/terraform.tfvars
file. -
Commit changes.
git add . git commit -m 'Initialize org repo'
-
Push your plan branch.
git push --set-upstream origin plan
-
Open a pull request in GitHub https://github.com/GITHUB-OWNER/GITHUB-ORGANIZATION-REPO/pull/new/plan from the
plan
branch to theproduction
branch and review the output. -
The Pull request will trigger a GitHub Action that will run Terraform
init
/plan
/validate
in theproduction
environment. -
Review the GitHub Action output in GitHub https://github.com/GITHUB-OWNER/GITHUB-ORGANIZATION-REPO/actions under
tf-pull-request
. -
If the GitHub action is successful, merge the pull request in to the
production
branch. -
The merge will trigger a GitHub Action that will apply the terraform configuration for the
production
environment. -
Review merge output in GitHub https://github.com/GITHUB-OWNER/GITHUB-ORGANIZATION-REPO/actions under
tf-apply
.
-
Clone the repository you created to host the
2-environments
terraform configuration at the same level of theterraform-google-enterprise-genai
folder.git clone [email protected]:<GITHUB-OWNER>/<GITHUB-ENVIRONMENTS-REPO>.git gcp-environments
-
Navigate into the repo. All subsequent steps assume you are running them from the
gcp-environments
directory. If you run them from another directory, adjust your copy paths accordingly.cd gcp-environments
-
Seed the repository if it has not been initialized yet.
git commit --allow-empty -m 'repository seed' git push --set-upstream origin main git checkout -b production git push --set-upstream origin production git checkout -b non-production git push --set-upstream origin non-production git checkout -b development git push --set-upstream origin development
-
change to a non-production branch.
git checkout -b plan
-
Copy contents of foundation to new repo.
cp -RT ../terraform-google-enterprise-genai/2-environments/ . cp -RT ../terraform-google-enterprise-genai/policy-library/ ./policy-library mkdir -p .github/workflows cp ../terraform-google-enterprise-genai/build/github-tf-* ./.github/workflows/ cp ../terraform-google-enterprise-genai/build/tf-wrapper.sh . chmod 755 ./tf-wrapper.sh
-
Rename
terraform.example.tfvars
toterraform.tfvars
.mv terraform.example.tfvars terraform.tfvars
-
Update the file with values from your GCP environment. See any of the envs folder README.md files for additional information on the values in the
terraform.tfvars
file. -
Update the
remote_state_bucket
variable with the backend bucket from step Bootstrap.export backend_bucket=$(terraform -chdir="../gcp-bootstrap/envs/shared" output -raw gcs_bucket_tfstate) echo "remote_state_bucket = ${backend_bucket}" sed -i "s/REMOTE_STATE_BUCKET/${backend_bucket}/" terraform.tfvars
-
Commit changes.
git add . git commit -m 'Initialize environments repo'
-
Push your plan branch.
git push --set-upstream origin plan
-
Open a pull request in GitHub https://github.com/GITHUB-OWNER/GITHUB-ENVIRONMENTS-REPO/pull/new/plan from the
plan
branch to thedevelopment
branch and review the output. -
The Pull request will trigger a GitHub Action that will run Terraform
init
/plan
/validate
in thedevelopment
environment. -
Review the GitHub Action output in GitHub https://github.com/GITHUB-OWNER/GITHUB-ENVIRONMENTS-REPO/actions under
tf-pull-request
. -
If the GitHub action is successful, merge the pull request in to the
development
branch. -
The merge will trigger a GitHub Action that will apply the terraform configuration for the
development
environment. -
Review merge output in GitHub https://github.com/GITHUB-OWNER/GITHUB-ENVIRONMENTS-REPO/actions under
tf-apply
. -
If the GitHub action is successful, apply the next environment.
-
Open a pull request in GitHub https://github.com/GITHUB-OWNER/GITHUB-ENVIRONMENTS-REPO/pull/new/development from the
development
branch to thenon-production
branch and review the output. -
The Pull request will trigger a GitHub Action that will run Terraform
init
/plan
/validate
in thenon-production
environment. -
Review the GitHub Action output in GitHub https://github.com/GITHUB-OWNER/GITHUB-ENVIRONMENTS-REPO/actions under
tf-pull-request
. -
If the GitHub action is successful, merge the pull request in to the
non-production
branch. -
The merge will trigger a GitHub Action that will apply the terraform configuration for the
non-production
environment. -
Review merge output in GitHub https://github.com/GITHUB-OWNER/GITHUB-ENVIRONMENTS-REPO/actions under
tf-apply
. -
If the GitHub action is successful, apply the next environment.
-
Open a pull request in GitHub https://github.com/GITHUB-OWNER/GITHUB-ENVIRONMENTS-REPO/pull/new/non-production from the
non-production
branch to theproduction
branch and review the output. -
The Pull request will trigger a GitHub Action that will run Terraform
init
/plan
/validate
in theproduction
environment. -
Review the GitHub Action output in GitHub https://github.com/GITHUB-OWNER/GITHUB-ENVIRONMENTS-REPO/actions under
tf-pull-request
. -
If the GitHub action is successful, merge the pull request in to the
production
branch. -
The merge will trigger a GitHub Action that will apply the terraform configuration for the
production
environment. -
Review merge output in GitHub https://github.com/GITHUB-OWNER/GITHUB-ENVIRONMENTS-REPO/actions under
tf-apply
. -
You can now move to the instructions in the network stage. To use the Dual Shared VPC network mode go to Deploying step 3-networks-dual-svpc, or go to Deploying step 3-networks-hub-and-spoke to use the Hub and Spoke network mode.
-
Clone the repository you created to host the
3-networks-dual-svpc
terraform configuration at the same level of theterraform-google-enterprise-genai
folder.git clone [email protected]:<GITHUB-OWNER>/<GITHUB-NETWORKS-REPO>.git gcp-networks
-
Navigate into the repo. All subsequent steps assume you are running them from the
gcp-networks
directory. If you run them from another directory, adjust your copy paths accordingly.cd gcp-networks
-
Seed the repository if it has not been initialized yet.
git commit --allow-empty -m 'repository seed' git push --set-upstream origin main git checkout -b production git push --set-upstream origin production git checkout -b non-production git push --set-upstream origin non-production git checkout -b development git push --set-upstream origin development
-
change to a non-production branch.
git checkout -b plan
-
Copy contents of foundation to new repo.
cp -RT ../terraform-google-enterprise-genai/3-networks-dual-svpc/ . cp -RT ../terraform-google-enterprise-genai/policy-library/ ./policy-library mkdir -p .github/workflows cp ../terraform-google-enterprise-genai/build/github-tf-* ./.github/workflows/ cp ../terraform-google-enterprise-genai/build/tf-wrapper.sh . chmod 755 ./tf-wrapper.sh
-
Rename
common.auto.example.tfvars
tocommon.auto.tfvars
, renameshared.auto.example.tfvars
toshared.auto.tfvars
and renameaccess_context.auto.example.tfvars
toaccess_context.auto.tfvars
.mv common.auto.example.tfvars common.auto.tfvars mv shared.auto.example.tfvars shared.auto.tfvars mv access_context.auto.example.tfvars access_context.auto.tfvars
-
Update the file
shared.auto.tfvars
with the values for thetarget_name_server_addresses
. -
Update the file
access_context.auto.tfvars
with the organization'saccess_context_manager_policy_id
.export ORGANIZATION_ID=$(terraform -chdir="../gcp-bootstrap/envs/shared/" output -json common_config | jq '.org_id' --raw-output) export ACCESS_CONTEXT_MANAGER_ID=$(gcloud access-context-manager policies list --organization ${ORGANIZATION_ID} --format="value(name)") echo "access_context_manager_policy_id = ${ACCESS_CONTEXT_MANAGER_ID}" sed -i "s/ACCESS_CONTEXT_MANAGER_ID/${ACCESS_CONTEXT_MANAGER_ID}/" ./access_context.auto.tfvars
-
Update
common.auto.tfvars
file with values from your GCP environment. See any of the envs folder README.md files for additional information on the values in thecommon.auto.tfvars
file. -
You must add your user email in the variable
perimeter_additional_members
to be able to see the resources created in the restricted project. -
Update the
remote_state_bucket
variable with the backend bucket from step Bootstrap in thecommon.auto.tfvars
file.export backend_bucket=$(terraform -chdir="../gcp-bootstrap/envs/shared/" output -raw gcs_bucket_tfstate) echo "remote_state_bucket = ${backend_bucket}" sed -i "s/REMOTE_STATE_BUCKET/${backend_bucket}/" ./common.auto.tfvars
-
Commit changes
git add . git commit -m 'Initialize networks repo'
-
You must manually plan and apply the
shared
environment (only once) since thedevelopment
,non-production
andproduction
environments depend on it. -
Use
terraform output
to get the CI/CD project ID and the networks step Terraform Service Account from gcp-bootstrap output. -
The CI/CD project ID will be used in the validation of the Terraform configuration
export CICD_PROJECT_ID=$(terraform -chdir="../gcp-bootstrap/envs/shared/" output -raw cicd_project_id) echo ${CICD_PROJECT_ID}
-
The networks step Terraform Service Account will be used for Service Account impersonation in the following steps. An environment variable
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
will be set with the Terraform Service Account to enable impersonation.export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../gcp-bootstrap/envs/shared/" output -raw networks_step_terraform_service_account_email) echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT}
-
Run
init
andplan
and review output for environment shared../tf-wrapper.sh init shared ./tf-wrapper.sh plan shared
-
To use the
validate
option of thetf-wrapper.sh
script, please follow the instructions to install the terraform-tools component. -
Run
validate
and check for violations../tf-wrapper.sh validate shared $(pwd)/policy-library ${CICD_PROJECT_ID}
-
Run
apply
shared../tf-wrapper.sh apply shared
-
Push your plan branch.
git push --set-upstream origin plan
-
Open a pull request in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/pull/new/plan from the
plan
branch to thedevelopment
branch and review the output. -
The Pull request will trigger a GitHub Action that will run Terraform
init
/plan
/validate
in thedevelopment
environment. -
Review the GitHub Action output in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/actions under
tf-pull-request
. -
If the GitHub action is successful, merge the pull request in to the
development
branch. -
The merge will trigger a GitHub Action that will apply the terraform configuration for the
development
environment. -
Review merge output in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/actions under
tf-apply
. -
If the GitHub action is successful, apply the next environment.
-
Open a pull request in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/pull/new/development from the
development
branch to thenon-production
branch and review the output. -
The Pull request will trigger a GitHub Action that will run Terraform
init
/plan
/validate
in thenon-production
environment. -
Review the GitHub Action output in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/actions under
tf-pull-request
. -
If the GitHub action is successful, merge the pull request in to the
non-production
branch. -
The merge will trigger a GitHub Action that will apply the terraform configuration for the
non-production
environment. -
Review merge output in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/actions under
tf-apply
. -
If the GitHub action is successful, apply the next environment.
-
Open a pull request in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/pull/new/non-production from the
non-production
branch to theproduction
branch and review the output. -
The Pull request will trigger a GitHub Action that will run Terraform
init
/plan
/validate
in theproduction
environment. -
Review the GitHub Action output in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/actions under
tf-pull-request
. -
If the GitHub action is successful, merge the pull request in to the
production
branch. -
The merge will trigger a GitHub Action that will apply the terraform configuration for the
production
environment. -
Review merge output in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/actions under
tf-apply
. -
Before executing the next steps, unset the
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
environment variable.unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
-
You can now move to the instructions in the 4-projects stage.
-
Clone the repository you created to host the
3-networks-hub-and-spoke
terraform configuration at the same level of theterraform-google-enterprise-genai
folder.git clone [email protected]:<GITHUB-OWNER>/<GITHUB-NETWORKS-REPO>.git gcp-networks
-
Navigate into the repo. All subsequent steps assume you are running them from the
gcp-networks
directory. If you run them from another directory, adjust your copy paths accordingly.cd gcp-networks
-
Seed the repository if it has not been initialized yet.
git commit --allow-empty -m 'repository seed' git push --set-upstream origin main git checkout -b production git push --set-upstream origin production git checkout -b non-production git push --set-upstream origin non-production git checkout -b development git push --set-upstream origin development
-
change to a non-production branch.
git checkout -b plan
-
Copy contents of foundation to new repo.
cp -RT ../terraform-google-enterprise-genai/3-networks-hub-and-spoke/ . cp -RT ../terraform-google-enterprise-genai/policy-library/ ./policy-library mkdir -p .github/workflows cp ../terraform-google-enterprise-genai/build/github-tf-* ./.github/workflows/ cp ../terraform-google-enterprise-genai/build/tf-wrapper.sh . chmod 755 ./tf-wrapper.sh
-
Rename
common.auto.example.tfvars
tocommon.auto.tfvars
, renameshared.auto.example.tfvars
toshared.auto.tfvars
and renameaccess_context.auto.example.tfvars
toaccess_context.auto.tfvars
.mv common.auto.example.tfvars common.auto.tfvars mv shared.auto.example.tfvars shared.auto.tfvars mv access_context.auto.example.tfvars access_context.auto.tfvars
-
Update
common.auto.tfvars
file with values from your GCP environment. See any of the envs folder README.md files for additional information on the values in thecommon.auto.tfvars
file. -
You must add your user email in the variable
perimeter_additional_members
to be able to see the resources created in the restricted project. -
Update the
remote_state_bucket
variable with the backend bucket from step Bootstrap in thecommon.auto.tfvars
file.export backend_bucket=$(terraform -chdir="../gcp-bootstrap/envs/shared/" output -raw gcs_bucket_tfstate) echo "remote_state_bucket = ${backend_bucket}" sed -i "s/REMOTE_STATE_BUCKET/${backend_bucket}/" ./common.auto.tfvars
-
Commit changes
git add . git commit -m 'Initialize networks repo'
-
You must manually plan and apply the
shared
environment (only once) since thedevelopment
,non-production
andproduction
environments depend on it. -
Use
terraform output
to get the CI/CD project ID and the networks step Terraform Service Account from gcp-bootstrap output. -
The CI/CD project ID will be used in the validation of the Terraform configuration
export CICD_PROJECT_ID=$(terraform -chdir="../gcp-bootstrap/envs/shared/" output -raw cicd_project_id) echo ${CICD_PROJECT_ID}
-
The networks step Terraform Service Account will be used for Service Account impersonation in the following steps. An environment variable
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
will be set with the Terraform Service Account to enable impersonation.export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../gcp-bootstrap/envs/shared/" output -raw networks_step_terraform_service_account_email) echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT}
-
Run
init
andplan
and review output for environment shared../tf-wrapper.sh init shared ./tf-wrapper.sh plan shared
-
To use the
validate
option of thetf-wrapper.sh
script, please follow the instructions to install the terraform-tools component. -
Run
validate
and check for violations../tf-wrapper.sh validate shared $(pwd)/policy-library ${CICD_PROJECT_ID}
-
Run
apply
shared../tf-wrapper.sh apply shared
-
Push your plan branch.
git push --set-upstream origin plan
-
Open a pull request in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/pull/new/plan from the
plan
branch to thedevelopment
branch and review the output. -
The Pull request will trigger a GitHub Action that will run Terraform
init
/plan
/validate
in thedevelopment
environment. -
Review the GitHub Action output in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/actions under
tf-pull-request
. -
If the GitHub action is successful, merge the pull request in to the
development
branch. -
The merge will trigger a GitHub Action that will apply the terraform configuration for the
development
environment. -
Review merge output in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/actions under
tf-apply
. -
If the GitHub action is successful, apply the next environment.
-
Open a pull request in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/pull/new/development from the
development
branch to thenon-production
branch and review the output. -
The Pull request will trigger a GitHub Action that will run Terraform
init
/plan
/validate
in thenon-production
environment. -
Review the GitHub Action output in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/actions under
tf-pull-request
. -
If the GitHub action is successful, merge the pull request in to the
non-production
branch. -
The merge will trigger a GitHub Action that will apply the terraform configuration for the
non-production
environment. -
Review merge output in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/actions under
tf-apply
. -
If the GitHub action is successful, apply the next environment.
-
Open a pull request in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/pull/new/non-production from the
non-production
branch to theproduction
branch and review the output. -
The Pull request will trigger a GitHub Action that will run Terraform
init
/plan
/validate
in theproduction
environment. -
Review the GitHub Action output in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/actions under
tf-pull-request
. -
If the GitHub action is successful, merge the pull request in to the
production
branch. -
The merge will trigger a GitHub Action that will apply the terraform configuration for the
production
environment. -
Review merge output in GitHub https://github.com/GITHUB-OWNER/GITHUB-NETWORKS-REPO/actions under
tf-apply
. -
Before executing the next steps, unset the
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
environment variable.unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
-
You can now move to the instructions in the 4-projects stage.
-
Clone the repository you created to host the
4-projects
terraform configuration at the same level of theterraform-google-enterprise-genai
folder.git clone [email protected]:<GITHUB-OWNER>/<GITHUB-PROJECTS-REPO>.git gcp-projects
-
Navigate into the repo. All subsequent steps assume you are running them from the
gcp-projects
directory. If you run them from another directory, adjust your copy paths accordingly.cd gcp-projects
-
Seed the repository if it has not been initialized yet.
git commit --allow-empty -m 'repository seed' git push --set-upstream origin main git checkout -b production git push --set-upstream origin production git checkout -b non-production git push --set-upstream origin non-production git checkout -b development git push --set-upstream origin development
-
change to a non-production branch.
git checkout -b plan
-
Copy contents of foundation to new repo.
cp -RT ../terraform-google-enterprise-genai/4-projects/ . cp -RT ../terraform-google-enterprise-genai/policy-library/ ./policy-library mkdir -p .github/workflows cp ../terraform-google-enterprise-genai/build/github-tf-* ./.github/workflows/ cp ../terraform-google-enterprise-genai/build/tf-wrapper.sh . chmod 755 ./tf-wrapper.sh
-
Rename
auto.example.tfvars
files toauto.tfvars
.mv common.auto.example.tfvars common.auto.tfvars mv shared.auto.example.tfvars shared.auto.tfvars mv development.auto.example.tfvars development.auto.tfvars mv non-production.auto.example.tfvars non-production.auto.tfvars mv production.auto.example.tfvars production.auto.tfvars
-
See any of the envs folder README.md files for additional information on the values in the
common.auto.tfvars
,development.auto.tfvars
,non-production.auto.tfvars
, andproduction.auto.tfvars
files. -
See any of the shared folder README.md files for additional information on the values in the
shared.auto.tfvars
file. -
Use
terraform output
to get the backend bucket value from bootstrap output.export remote_state_bucket=$(terraform -chdir="../gcp-bootstrap/envs/shared/" output -raw gcs_bucket_tfstate) echo "remote_state_bucket = ${remote_state_bucket}" sed -i "s/REMOTE_STATE_BUCKET/${remote_state_bucket}/" ./common.auto.tfvars
-
Commit changes.
git add . git commit -m 'Initialize projects repo'
-
You need to manually plan and apply only once the
ml_business_unit/shared
environments sincedevelopment
,non-production
, andproduction
depend on them. -
Use
terraform output
to get the CI/CD project ID and the projects step Terraform Service Account from gcp-bootstrap output. -
The CI/CD project ID will be used in the validation of the Terraform configuration
export CICD_PROJECT_ID=$(terraform -chdir="../gcp-bootstrap/envs/shared/" output -raw cicd_project_id) echo ${CICD_PROJECT_ID}
-
The projects step Terraform Service Account will be used for Service Account impersonation in the following steps. An environment variable
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
will be set with the Terraform Service Account to enable impersonation.export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../gcp-bootstrap/envs/shared/" output -raw projects_step_terraform_service_account_email) echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT}
-
Run
init
andplan
and review output for environment shared../tf-wrapper.sh init shared ./tf-wrapper.sh plan shared
-
To use the
validate
option of thetf-wrapper.sh
script, please follow the instructions to install the terraform-tools component. -
Run
validate
and check for violations../tf-wrapper.sh validate shared $(pwd)/policy-library ${CICD_PROJECT_ID}
-
Run
apply
shared../tf-wrapper.sh apply shared
-
Push your plan branch.
git push --set-upstream origin plan
-
Open a pull request in GitHub https://github.com/GITHUB-OWNER/GITHUB-PROJECTS-REPO/pull/new/plan from the
plan
branch to thedevelopment
branch and review the output. -
The Pull request will trigger a GitHub Action that will run Terraform
init
/plan
/validate
in thedevelopment
environment. -
Review the GitHub Action output in GitHub https://github.com/GITHUB-OWNER/GITHUB-PROJECTS-REPO/actions under
tf-pull-request
. -
If the GitHub action is successful, merge the pull request in to the
development
branch. -
The merge will trigger a GitHub Action that will apply the terraform configuration for the
development
environment. -
Review merge output in GitHub https://github.com/GITHUB-OWNER/GITHUB-PROJECTS-REPO/actions under
tf-apply
. -
If the GitHub action is successful, apply the next environment.
-
Open a pull request in GitHub https://github.com/GITHUB-OWNER/GITHUB-PROJECTS-REPO/pull/new/development from the
development
branch to thenon-production
branch and review the output. -
The Pull request will trigger a GitHub Action that will run Terraform
init
/plan
/validate
in thenon-production
environment. -
Review the GitHub Action output in GitHub https://github.com/GITHUB-OWNER/GITHUB-PROJECTS-REPO/actions under
tf-pull-request
. -
If the GitHub action is successful, merge the pull request in to the
non-production
branch. -
The merge will trigger a GitHub Action that will apply the terraform configuration for the
non-production
environment. -
Review merge output in GitHub https://github.com/GITHUB-OWNER/GITHUB-PROJECTS-REPO/actions under
tf-apply
. -
If the GitHub action is successful, apply the next environment.
-
Open a pull request in GitHub https://github.com/GITHUB-OWNER/GITHUB-PROJECTS-REPO/pull/new/non-production from the
non-production
branch to theproduction
branch and review the output. -
The Pull request will trigger a GitHub Action that will run Terraform
init
/plan
/validate
in theproduction
environment. -
Review the GitHub Action output in GitHub https://github.com/GITHUB-OWNER/GITHUB-PROJECTS-REPO/actions under
tf-pull-request
. -
If the GitHub action is successful, merge the pull request in to the
production
branch. -
The merge will trigger a GitHub Action that will apply the terraform configuration for the
production
environment. -
Review merge output in GitHub https://github.com/GITHUB-OWNER/GITHUB-PROJECTS-REPO/actions under
tf-apply
. -
Unset the
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
environment variable.unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT