This repo is part of a multi-part guide that shows how to configure and deploy the example.com reference architecture described in Google Cloud security foundations guide (PDF). The following table lists the parts of the guide.
| 0-bootstrap | Bootstraps a Google Cloud organization, creating all the required resources and permissions to start using the Cloud Foundation Toolkit (CFT). This step also configures a CI/CD pipeline for foundations code in subsequent stages. |
| 1-org | Sets up top-level shared folders, monitoring and networking projects, organization-level logging, and baseline security settings through organizational policies. |
| 2-environments | Sets up development, non-production, and production environments within the Google Cloud organization that you've created. |
| 3-networks-dual-svpc | Sets up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, on-premises Dedicated Interconnect, and baseline firewall rules for each environment. It also sets up the global DNS hub. |
| 3-networks-hub-and-spoke | Sets up base and restricted shared VPCs with all the default configuration found on step 3-networks-dual-svpc, but here the architecture will be based on the Hub and Spoke network model. It also sets up the global DNS hub |
| 4-projects | Sets up a folder structure, projects, and an application infrastructure pipeline for applications, which are connected as service projects to the shared VPC created in the previous stage. |
| 5-app-infra (this file) | Deploy a simple [Compute Engine](https://cloud.google.com/compute/) instance in one of the business unit projects using the infra pipeline set up in 4-projects. |
For an overview of the architecture and the parts, see the terraform-example-foundation README file.
The purpose of this step is to deploy a simple Compute Engine instance in one of the business unit projects using the infra pipeline set up in 4-projects.
The infra pipeline is created in step 4-projects within the shared env and has a Cloud Build pipeline configured to manage infrastructure within projects.
To enable deployment via this pipeline, the projects deployed should enable the enable_cloudbuild_deploy flag and provide the Cloud Build service account value via cloudbuild_sa.
This enables the Cloud Build service account to impersonate the project service account and use it to deploy infrastructure. The roles required for the project SA can also be managed via sa_roles. (Note: This requires per project SA impersonation. If you would like to have a single SA managing an environment and all associated projects, that is also possible by granting roles/iam.serviceAccountTokenCreator to an SA with the right roles in 4-projects/env.)
There is also a Source Repository configured with build triggers similar to the foundation pipeline setup in 0-bootstrap.
This Compute Engine instance is created using the base network from step 3-networks and is used to access private services.
- 0-bootstrap executed successfully.
- 1-org executed successfully.
- 2-environments executed successfully.
- 3-networks executed successfully.
- 4-projects executed successfully.
Please refer to troubleshooting if you run into issues during this step.
Note: If you are using MacOS, replace cp -RT with cp -R in the relevant
commands. The -T flag is needed for Linux, but causes problems for MacOS.
- Get the Infra Pipeline project ID from the previous step. Run the following in the
gcp-projects/business_unit_1/sharedfolder.terraform output cloudbuild_project_id - Clone the policies repo. (This repo has the same name of the repo created in step 1-org, but it is from a different project, you may need to rename the previous one to prevent a collision if you are cloning it in the same folder).
gcloud source repos clone gcp-policies --project=YOUR_INFRA_PIPELINE_PROJECT_ID - Navigate into the repo. All subsequent steps assume you are running them
from the gcp-environments directory. If you run them from another directory,
adjust your copy paths accordingly.
cd gcp-policies git checkout -b main - Copy contents of policy-library to new repo.
cp -RT ../terraform-example-foundation/policy-library/ . - Commit changes.
git add . git commit -m 'Your message' - Push your main branch to the new repo.
git push --set-upstream origin main - Navigate out of the repo.
cd .. - Clone the
bu1-example-apprepo.gcloud source repos clone bu1-example-app --project=YOUR_INFRA_PIPELINE_PROJECT_ID - Navigate into the repo. All subsequent steps assume you are running them
from the gcp-environments directory. If you run them from another directory,
adjust your copy paths accordingly.
cd bu1-example-app - Change freshly cloned repo and change to non-main branch.
git checkout -b plan - Copy contents of foundation to new repo.
cp -RT ../terraform-example-foundation/5-app-infra/ . - Copy Cloud Build configuration files for Terraform.
cp ../terraform-example-foundation/build/cloudbuild-tf-* . - Copy the Terraform wrapper script to the root of your new repository.
cp ../terraform-example-foundation/build/tf-wrapper.sh . - Ensure wrapper script can be executed.
chmod 755 ./tf-wrapper.sh - Rename
common.auto.example.tfvarstocommon.auto.tfvarsand update the file with values from your environment and 0-bootstrap. See any of the business unit 1 envs folders README.md files for additional information on the values in thecommon.auto.tfvarsfile. - Rename
bu1-development.auto.example.tfvarstobu1-development.auto.tfvarsand update the file with values from your environment. - Rename
bu1-non-production.auto.example.tfvarstobu1-non-production.auto.tfvarsand update the file with values from your environment. - Rename
bu1-production.auto.example.tfvarstobu1-production.auto.tfvarsand update the file with values from your environment. - Commit changes.
git add . git commit -m 'Your message' - Push your plan branch to trigger a plan for all environments. Because the
plan branch is not a named environment branch, pushing your plan
branch triggers terraform plan but not terraform apply.
git push --set-upstream origin plan - Review the plan output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds?project=YOUR_INFRA_PIPELINE_PROJECT_ID
- Merge changes to development. Because this is a named environment branch,
pushing to this branch triggers both terraform plan and terraform apply.
git checkout -b development git push origin development - Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds?project=YOUR_INFRA_PIPELINE_PROJECT_ID
- Merge changes to non-production. Because this is a named environment branch,
pushing to this branch triggers both terraform plan and terraform apply.
git checkout -b non-production git push origin non-production - Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds?project=YOUR_INFRA_PIPELINE_PROJECT_ID
- Merge changes to production branch. Because this is a named environment branch,
pushing to this branch triggers both terraform plan and terraform apply.
git checkout -b production git push origin production - Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds?project=YOUR_INFRA_PIPELINE_PROJECT_ID
- Change into the
5-app-infrafolder. - Run
cp ../build/tf-wrapper.sh . - Run
chmod 755 ./tf-wrapper.sh. - Rename
common.auto.example.tfvarstocommon.auto.tfvarsand update the file with values from your environment and 0-bootstrap. - Rename
bu1-development.auto.example.tfvarstobu1-development.auto.tfvarsand update the file with values from your environment. - Rename
bu1-non-production.auto.example.tfvarstobu1-non-production.auto.tfvarsand update the file with values from your environment. - Rename
bu1-production.auto.example.tfvarstobu1-production.auto.tfvarsand update the file with values from your environment. - Provide the user that will be running
./tf-wrapper.shthe Service Account Token Creator role to the bu1 project service accounts - Provide the user permissions to run the terraform locally with the
serviceAccountTokenCreatorpermission.gcloud iam service-accounts add-iam-policy-binding $PROJECT_SERVICE_ACCOUNT --project $PROJECT --member="user:$(gcloud auth list --format="value(account)")" --role="roles/iam.serviceAccountTokenCreator" - Update
backend.tfwith your bucket from the infra pipeline example.for i in `find -name 'backend.tf'`; do sed -i 's/UPDATE_ME/<YOUR-BUCKET-NAME>/' $i; done
We will now deploy each of our environments (development/production/non-production) using this script.
When using Cloud Build or Jenkins as your CI/CD tool, each environment corresponds to a branch in the repository for the 5-app-infra step. Only the corresponding environment is applied.
To use the validate option of the tf-wrapper.sh script, please follow the instructions in the Install Terraform Validator section and install version v0.4.0 in your system. You will also need to rename the binary from terraform-validator-<your-platform> to terraform-validator and the terraform-validator binary must be in your PATH.
- Run
./tf-wrapper.sh init production. - Run
./tf-wrapper.sh plan productionand review output. - Run
./tf-wrapper.sh validate production $(pwd)/../policy-library <YOUR_INFRA_PIPELINE_PROJECT_ID>and check for violations. - Run
./tf-wrapper.sh apply production. - Run
./tf-wrapper.sh init non-production. - Run
./tf-wrapper.sh plan non-productionand review output. - Run
./tf-wrapper.sh validate non-production $(pwd)/../policy-library <YOUR_INFRA_PIPELINE_PROJECT_ID>and check for violations. - Run
./tf-wrapper.sh apply non-production. - Run
./tf-wrapper.sh init development. - Run
./tf-wrapper.sh plan developmentand review output. - Run
./tf-wrapper.sh validate development $(pwd)/../policy-library <YOUR_INFRA_PIPELINE_PROJECT_ID>and check for violations. - Run
./tf-wrapper.sh apply development.
If you received any errors or made any changes to the Terraform config or terraform.tfvars you must re-run ./tf-wrapper.sh plan <env> before running ./tf-wrapper.sh apply <env>.