diff --git a/0-bootstrap/README.md b/0-bootstrap/README.md index 3650e627..62788a6d 100644 --- a/0-bootstrap/README.md +++ b/0-bootstrap/README.md @@ -265,6 +265,7 @@ Using GitHub Actions requires manual creation of the GitHub repositories used in git add . git commit -m 'Initialize bootstrap repo' git push --set-upstream origin plan + cd .. ``` 1. Continue with the instructions in the [1-org](../1-org/README.md) step. diff --git a/1-org/README.md b/1-org/README.md index fc1590c7..063d0ded 100644 --- a/1-org/README.md +++ b/1-org/README.md @@ -293,4 +293,7 @@ Before executing the next stages, unset the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` ```bash unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT + +cd ../.. ``` +1. Proceed to the [2-environments](../2-environments/README.md) step. diff --git a/2-environments/README.md b/2-environments/README.md index b65f02c8..736272f3 100644 --- a/2-environments/README.md +++ b/2-environments/README.md @@ -171,7 +171,7 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get git push origin production ``` -### `N.B.` Read this before continuing further +### Read this before continuing further A logging project will be created in every environment (`development`, `non-production`, `production`) when running this code. This project contains a storage bucket for the purposes of project logging within its respective environment. This requires the `cloud-storage-analytics@google.com` group permissions for the storage bucket. Since foundations has more restricted security measures, a domain restriction constraint is enforced. This restraint will prevent the google cloud-storage-analytics group to be added to any permissions. In order for this terraform code to execute without error, manual intervention must be made to ensure everything applies without issue. 
@@ -405,7 +405,8 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../0-bootstrap/" output -raw environment_step_terraform_service_account_email) echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} ``` -1. Ensure you [disable The Orginization Policy](#do-this-before-you-push-development-non-production--production) on the `development` folder before continuing further + +1. Ensure you [disable The Organization Policy](#read-this-before-continuing-further) on the `development` folder before continuing further. 1. Run `init` and `plan` and review output for environment development. @@ -426,7 +427,7 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i ./tf-wrapper.sh apply development ``` -1. Ensure you [disable The Orginization Policy](#do-this-before-you-push-development-non-production--production) on the `non-production` folder before continuing further +1. Ensure you [disable The Organization Policy](#read-this-before-continuing-further) on the `non-production` folder before continuing further. 1. Run `init` and `plan` and review output for environment non-production. @@ -446,7 +447,8 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i ```bash ./tf-wrapper.sh apply non-production ``` -1. Ensure you [disable The Orginization Policy](#do-this-before-you-push-development-non-production--production) on the `non-production` folder before continuing further + +1. Ensure you [disable The Organization Policy](#read-this-before-continuing-further) on the `non-production` folder before continuing further. 1. Run `init` and `plan` and review output for environment production. 
@@ -473,4 +475,8 @@ Before executing the next stages, unset the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` ```bash unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT + +cd ../.. ``` + +1. You can now move to the instructions in the network step. To use the [Dual Shared VPC](https://cloud.google.com/architecture/security-foundations/networking#vpcsharedvpc-id7-1-shared-vpc-) network mode go to [3-networks-dual-svpc](../3-networks-dual-svpc/README.md). diff --git a/3-networks-dual-svpc/README.md b/3-networks-dual-svpc/README.md index 17383ac5..9e77eb74 100644 --- a/3-networks-dual-svpc/README.md +++ b/3-networks-dual-svpc/README.md @@ -418,3 +418,5 @@ Before executing the next stages, unset the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` ```bash unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT ``` + +1. You can now move to the instructions in the [4-projects](../4-projects/README.md) step. diff --git a/4-projects/README.md b/4-projects/README.md index c84f8b86..cc038b63 100644 --- a/4-projects/README.md +++ b/4-projects/README.md @@ -358,4 +358,7 @@ Before executing the next stages, unset the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` ```bash unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT + +cd ../.. ``` +1. You can now move to the instructions in the [5-app-infra](../5-app-infra/README.md) step. diff --git a/5-app-infra/README.md b/5-app-infra/README.md index 1e40e8bc..7412d10d 100644 --- a/5-app-infra/README.md +++ b/5-app-infra/README.md 
@@ -514,10 +514,10 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i 1. Use `terraform output` to get the Infra Pipeline Project ID from 4-projects output. ```bash - export INFRA_PIPELINE_PROJECT_ID=$(terraform -chdir="../../../4-projects/ml_business_unit/shared/" output -raw cloudbuild_project_id) + export INFRA_PIPELINE_PROJECT_ID=$(terraform -chdir="../terraform-google-enterprise-genai/4-projects/ml_business_unit/shared/" output -raw cloudbuild_project_id) echo ${INFRA_PIPELINE_PROJECT_ID} - export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../../../4-projects/ml_business_unit/shared/" output -json terraform_service_accounts | jq '."ml-artifact-publish"' --raw-output) + export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../terraform-google-enterprise-genai/4-projects/ml_business_unit/shared/" output -json terraform_service_accounts | jq '."ml-artifact-publish"' --raw-output) echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} ``` @@ -531,7 +531,7 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i 1. Run `validate` and check for violations. ```bash - ./tf-wrapper.sh validate shared $(pwd)/../policy-library ${INFRA_PIPELINE_PROJECT_ID} + ./tf-wrapper.sh validate shared $(pwd)/../terraform-google-enterprise-genai/policy-library ${INFRA_PIPELINE_PROJECT_ID} ``` 1. Run `apply` shared. 
@@ -636,7 +636,7 @@ unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT 1. Update `backend.tf` with your bucket from the infra pipeline output. ```bash - export backend_bucket=$(terraform -chdir="../gcp-projects/ml_business_unit/shared/" output -json state_buckets | jq '."ml-service-catalog"' --raw-output) + export backend_bucket=$(terraform -chdir="../terraform-google-enterprise-genai/4-projects/ml_business_unit/shared/" output -json state_buckets | jq '."ml-service-catalog"' --raw-output) echo "backend_bucket = ${backend_bucket}" for i in `find -name 'backend.tf'`; do sed -i "s/UPDATE_APP_INFRA_BUCKET/${backend_bucket}/" $i; done @@ -645,7 +645,7 @@ unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT 1. Update the `log_bucket` variable with the value of the `logs_export_storage_bucket_name`. ```bash - export log_bucket=$(terraform -chdir="../gcp-org/envs/shared" output -raw logs_export_storage_bucket_name) + export log_bucket=$(terraform -chdir="../terraform-google-enterprise-genai/1-org/envs/shared" output -raw logs_export_storage_bucket_name) echo "log_bucket = ${log_bucket}" sed -i "s/REPLACE_LOG_BUCKET/${log_bucket}/" ./common.auto.tfvars ``` @@ -653,7 +653,7 @@ unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT 1. Provide the user permissions to run the terraform locally with the `serviceAccountTokenCreator` permission. ```bash - (cd ../terraform-google-enterprise-genai/4-projects && git checkout production && ./tf-wrapper init shared) + (cd ../terraform-google-enterprise-genai/4-projects && ./tf-wrapper.sh init shared) member="user:$(gcloud auth list --filter="status=ACTIVE" --format="value(account)")" echo ${member} 
@@ -675,10 +675,10 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i 1. Use `terraform output` to get the Infra Pipeline Project ID from 4-projects output. ```bash - export INFRA_PIPELINE_PROJECT_ID=$(terraform -chdir="../../../4-projects/ml_business_unit/shared/" output -raw cloudbuild_project_id) + export INFRA_PIPELINE_PROJECT_ID=$(terraform -chdir="../terraform-google-enterprise-genai/4-projects/ml_business_unit/shared/" output -raw cloudbuild_project_id) echo ${INFRA_PIPELINE_PROJECT_ID} - export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../../../4-projects/ml_business_unit/shared/" output -json terraform_service_accounts | jq '."ml-service-catalog"' --raw-output) + export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../terraform-google-enterprise-genai/4-projects/ml_business_unit/shared/" output -json terraform_service_accounts | jq '."ml-service-catalog"' --raw-output) echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT} ``` @@ -692,7 +692,7 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i 1. Run `validate` and check for violations. ```bash - ./tf-wrapper.sh validate shared $(pwd)/../policy-library ${INFRA_PIPELINE_PROJECT_ID} + ./tf-wrapper.sh validate shared $(pwd)/../terraform-google-enterprise-genai/policy-library ${INFRA_PIPELINE_PROJECT_ID} ``` 1. Run `apply` shared. @@ -758,4 +758,6 @@ After executing this stage, unset the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` envir cd .. ``` -1. Navigate to the project that was output from `${ARTIFACT_PROJECT_ID}` in Google's Cloud Console to view the first run of images being built. +1. Navigate to the project that was output from `${SERVICE_CATALOG_PROJECT_ID}` in Google's Cloud Console to view the first run of images being built. + +https://console.cloud.google.com/cloud-build/builds;region=us-central1?orgonly=true&project=${SERVICE_CATALOG_PROJECT_ID}&supportedpurview=project
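Review bot: In the 1-org/README.md hunk (@@ -293), the new `1. Proceed to the [2-environments](../2-environments/README.md) step.` item sits directly on the line after the closing ``` fence, while the equivalent items added in 2-environments (@@ -473) and 3-networks-dual-svpc (@@ -418) are preceded by a blank line; add the blank line here (and in the 4-projects @@ -358 hunk, which has the same layout) so the numbered step renders consistently across the stages. The `cd ../..` added inside the `unset` block only lands at the repo root if the reader is still in `envs/shared` from the earlier steps; a short sentence above the block stating the expected working directory would make the hand-off to the next stage unambiguous.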
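Review bot: In the 2-environments/README.md hunk (@@ -171), the renamed section still tells the reader only that "manual intervention must be made" but never shows the constraint being relaxed being restored; since the later per-environment steps each say "disable The Organization Policy ... before continuing further", add a closing step in this section that re-enables the domain restriction constraint on each folder once the environment apply has succeeded, otherwise the relaxed policy silently outlives the bootstrap. Naming the constraint explicitly in the text (rather than "a domain restriction constraint") would also let the reader verify in the console which policy they are widening for the `cloud-storage-analytics@google.com` group. The new anchor `#read-this-before-continuing-further` matches the renamed heading, so the link updates in the @@ -405, @@ -426 and @@ -446 hunks resolve correctly.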
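Review bot: In the 2-environments/README.md hunk (@@ -426), the corrected link line `1. Ensure you [disable The Organization Policy](#read-this-before-continuing-further) on the `non-production` folder before continuing further.` is not preceded by a blank line, whereas the sibling fixes in @@ -405 and @@ -446 add one; add the blank line so all three steps separate from the preceding fence the same way.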
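Review bot: In the 2-environments/README.md hunk (@@ -446), the rewritten step still says `on the `non-production` folder` although it comes immediately after `./tf-wrapper.sh apply non-production` and directly before "Run `init` and `plan` and review output for environment production"; this is the step for the production folder, so it should read `on the `production` folder before continuing further.` Leaving it as is would have the reader relax the policy on the wrong folder and then fail the production apply for the reason the linked section describes.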
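Review bot: In the 3-networks-dual-svpc/README.md hunk (@@ -418), the new pointer to 4-projects is added but, unlike the 1-org, 2-environments and 4-projects hunks in this same patch, no `cd ../..` is added inside the `unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` block; the reader therefore arrives at the 4-projects instructions from a different working directory than they arrive at every other stage. Either add the same `cd ../..` here or confirm that the first 4-projects steps do not assume the repository root.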
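Review bot: In the 5-app-infra/README.md hunk (@@ -514), the `-chdir` paths now hardcode `../terraform-google-enterprise-genai/4-projects/ml_business_unit/shared/`, which assumes the foundation repository was cloned under that exact directory name as a sibling of the current working directory; the prose above the block should state that assumption once (for example that the app-infra repo is checked out next to `terraform-google-enterprise-genai`), because the same path convention is relied on in the @@ -531, @@ -636, @@ -645, @@ -675 and @@ -692 hunks and a reader who cloned into a different directory will get an empty `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` from `jq` with no obvious error.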
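Review bot: In the 5-app-infra/README.md hunk (@@ -653), removing `git checkout production` from `(cd ../terraform-google-enterprise-genai/4-projects && ./tf-wrapper.sh init shared)` means `init shared` now runs against whichever branch is currently checked out in 4-projects, and the `state_buckets` output read in the @@ -636 hunk reflects that branch; if the intent is that the reader is already on `production`, say so in the step text, otherwise keep the checkout. The `./tf-wrapper` to `./tf-wrapper.sh` correction itself is right, since the earlier steps invoke the script by that name. Because this step grants the active user `serviceAccountTokenCreator` on the Terraform service account, the section should also add a matching removal of that binding after the local apply; the `unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` step later only clears the environment variable, it does not revoke the IAM grant.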
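Review bot: In the 5-app-infra/README.md hunk (@@ -758), the added line `https://console.cloud.google.com/cloud-build/builds;region=us-central1?orgonly=true&project=${SERVICE_CATALOG_PROJECT_ID}&supportedpurview=project` is plain Markdown prose, so `${SERVICE_CATALOG_PROJECT_ID}` is never expanded and the reader copies a broken URL; move it into the bash fence as an `echo` of the URL, replace the hardcoded `region=us-central1` with the region variable used elsewhere in the stage, and drop the `orgonly` and `supportedpurview` console-session parameters. None of the hunks in this patch exports `SERVICE_CATALOG_PROJECT_ID` (they export `INFRA_PIPELINE_PROJECT_ID`), so also confirm the variable is set earlier in this section, and reword "the project that was output from `${SERVICE_CATALOG_PROJECT_ID}`" to "the project named by `${SERVICE_CATALOG_PROJECT_ID}`".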