fix: Update readme files (terraform-google-modules#399)

* fix seed and cloudbuild project prefix

* add network hub projects to base README

* change introduction of each project explanation section

* fix environment secrets project explanation

* add win activation FW rule and add links to explanation pages for the existing rules

* add minor detail for groups in the prerequesites section.

* update instuctions in 1-org READMEs

* update instructions in 2-environments READMEs

* add README link in manual step na fix envs folder name

* update instructions in 3-networks README

* additional instructions for finding the service perimeter names

* markdown linting fixes

* replace YOUR-ORGANIZATION_ID with YOUR_ORGANIZATION_ID

* replace terraform_sa_email with terraform_service_account

* fix typos

* fix app_infra_pipeline_cloudbuild_sa example

Author: daniel-cit

0-bootstrap/README-Jenkins.md

@@ -6,12 +6,12 @@ Another CICD option is to use Cloud Build & Cloud Source Repos. If you don't hav
 
 ## Overview
 
-The objective of the instructions below is to configure the infrastructure that allows you to run CICD deployments for the next stages (`1-org, 2-environments, 3-networks, 4-projects`) using Jenkins. The infrastructure consists in two Google Cloud Platform projects (`cft-seed` and `prj-cicd`) and VPN configuration to connect to your on-prem environment.
+The objective of the instructions below is to configure the infrastructure that allows you to run CICD deployments for the next stages (`1-org, 2-environments, 3-networks, 4-projects`) using Jenkins. The infrastructure consists in two Google Cloud Platform projects (`prj-seed` and `prj-cicd`) and VPN configuration to connect to your on-prem environment.
 
-It is a best practice to have two separate projects here (`cft-seed` and `prj-cicd`) for separation of concerns. On one hand, `cft-seed` stores terraform state and has the Service Account able to create / modify infrastructure. On the other hand, the deployment of that infrastructure is coordinated by Jenkins, which is implemented in `prj-cicd` and connected to your Master on-prem.
+It is a best practice to have two separate projects here (`prj-seed` and `prj-cicd`) for separation of concerns. On one hand, `prj-seed` stores terraform state and has the Service Account able to create / modify infrastructure. On the other hand, the deployment of that infrastructure is coordinated by Jenkins, which is implemented in `prj-cicd` and connected to your Master on-prem.
 
 **After following the instructions below, you will have:**
-- The `cft-seed` project, which contains:
+- The `prj-seed` project, which contains:
   - Terraform state bucket
   - Custom Service Account used by Terraform to create new resources in GCP
 - The `prj-cicd` project, which contains:
@@ -20,7 +20,7 @@ It is a best practice to have two separate projects here (`cft-seed` and `prj-ci
   - FW rules to allow communication over port 22
   - VPN connection with on-prem (or where ever your Jenkins Master is located)
   - Custom service account `[email protected]` for the GCE instance.
-      - This service account is granted the access to generate tokens on the Terraform custom service account in the `cft-seed` project
+      - This service account is granted the access to generate tokens on the Terraform custom service account in the `prj-seed` project
 
 - **Note: these instructions do not indicate how to create a Jenkins Master.** To deploy a Jenkins Master, you should follow [Jenkins Architecture](https://www.jenkins.io/doc/book/architecting-for-scale/) recommendations.
 
@@ -135,7 +135,7 @@ You arrived to these instructions because you are using the `jenkins_bootstrap`
     1. Open the link in your browser and accept.
 
 1. Run terraform commands.
-    - After the credentials are configured, we will create the `cft-seed` project (which contains the GCS state bucket and Terraform custom service account) and the `prj-cicd` project (which contains the Jenkins Agent, its custom service account and where we will add VPN configuration)
+    - After the credentials are configured, we will create the `prj-seed` project (which contains the GCS state bucket and Terraform custom service account) and the `prj-cicd` project (which contains the Jenkins Agent, its custom service account and where we will add VPN configuration)
     - **WARNING: Make sure you have commented-out the `cloudbuild_bootstrap` module and enabled the `jenkins_bootstrap` module in the `./main.tf` file**
     - **Use Terraform 0.13.6** to run the terraform script with the commands below
     ```

0-bootstrap/README.md

@@ -8,24 +8,25 @@ The purpose of this step is to bootstrap a GCP organization, creating all the re
 1. A GCP [Billing Account](https://cloud.google.com/billing/docs/how-to/manage-billing-account)
 1. Cloud Identity / Google Workspace (former G Suite) groups for organization and billing admins
 1. User account should be used for running this step, service accounts are not supported.
-1. Membership in the `group_org_admins` group for user running terraform.
-1. Grant the roles mentioned in bootstrap [README.md](https://github.com/terraform-google-modules/terraform-google-bootstrap#permissions), as well as `roles/resourcemanager.folderCreator` for the user running the step.
+1. Membership in the `group_org_admins` group for the user running terraform.
+1. Grant the roles mentioned in bootstrap module [README.md](https://github.com/terraform-google-modules/terraform-google-bootstrap#permissions), as well as `roles/resourcemanager.folderCreator` for the user running the step.
 
-Further details of permissions required and resources created, can be found in the bootstrap module [documentation.](https://github.com/terraform-google-modules/terraform-google-bootstrap)
+Further details of groups, permissions required and resources created, can be found in the bootstrap module [documentation.](https://github.com/terraform-google-modules/terraform-google-bootstrap)
 
 **Note:** when running the examples in this repository, you may receive various errors when applying terraform:
-- `Error code 8, message: The project cannot be created because you have exceeded your allotted project quota.`. That means you have reached your [Project creation quota](https://support.google.com/cloud/answer/6330231). In this case you can use this [Request Project Quota Increase](https://support.google.com/code/contact/project_quota_increase) form to request a quota increase. The `terraform_sa_email` created in `0-bootstrap` should also be listed in "Email addresses that will be used to create projects" in that support form. If you face others quota errors, check the [Quota documentation](https://cloud.google.com/docs/quota) for guidence.
+
+- `Error code 8, message: The project cannot be created because you have exceeded your allotted project quota.`. That means you have reached your [Project creation quota](https://support.google.com/cloud/answer/6330231). In this case you can use this [Request Project Quota Increase](https://support.google.com/code/contact/project_quota_increase) form to request a quota increase. The `terraform_service_account` created in `0-bootstrap` should also be listed in "Email addresses that will be used to create projects" in that support form. If you face others quota errors, check the [Quota documentation](https://cloud.google.com/docs/quota) for guidance.
 - `Error: Error when reading or editing Organization Not Found : <organization-id>: googleapi: Error 403: The caller does not have permission, forbidden`.
-    - Check that your user have [Organization Admin](https://cloud.google.com/iam/docs/understanding-roles#resource-manager-roles) predefined role at the Organization level.
-    -  If this is the case, try the following:
-        ```
-        gcloud auth application-default login
-        gcloud auth list # <- confirm that correct account has a star next to it
-        ```
-    - Re-run `terraform` after.
+  - Check that your user have [Organization Admin](https://cloud.google.com/iam/docs/understanding-roles#resource-manager-roles) predefined role at the Organization level.
+  -  If this is the case, try the following:
+      ```
+      gcloud auth application-default login
+      gcloud auth list # <- confirm that correct account has a star next to it
+      ```
+  - Re-run `terraform` after.
 - `Error: Error setting billing account "XXXXXX-XXXXXX-XXXXXX" for project "projects/some-project": googleapi: Error 400: Precondition check failed., failedPrecondition`. Most likely this is related to billing quota issue.
-    - To confirm this, try `gcloud alpha billing projects link projects/some-project --billing-account XXXXXX-XXXXXX-XXXXXX`.
-    - If output states `Cloud billing quota exceeded`, please request increase via [https://support.google.com/code/contact/billing_quota_increase](https://support.google.com/code/contact/billing_quota_increase).
+  - To confirm this, try `gcloud alpha billing projects link projects/some-project --billing-account XXXXXX-XXXXXX-XXXXXX`.
+  - If output states `Cloud billing quota exceeded`, please request increase via [https://support.google.com/code/contact/billing_quota_increase](https://support.google.com/code/contact/billing_quota_increase).
 
 ## 0-bootstrap usage to deploy Jenkins
 
@@ -77,13 +78,13 @@ Currently, the bucket information is replaced in the state backends as a part of
 |------|-------------|
 | cloudbuild\_project\_id | Project where CloudBuild configuration and terraform container image will reside. |
 | csr\_repos | List of Cloud Source Repos created by the module, linked to Cloud Build triggers. |
-| gcs\_bucket\_cloudbuild\_artifacts | Bucket used to store Cloud/Build artefacts in CloudBuild project. |
+| gcs\_bucket\_cloudbuild\_artifacts | Bucket used to store Cloud/Build artifacts in CloudBuild project. |
 | gcs\_bucket\_tfstate | Bucket used for storing terraform state for foundations pipelines in seed project. |
 | kms\_crypto\_key | KMS key created by the module. |
 | kms\_keyring | KMS Keyring created by the module. |
 | seed\_project\_id | Project where service accounts and core APIs will be enabled. |
-| terraform\_sa\_email | Email for privileged service account for Terraform. |
 | terraform\_sa\_name | Fully qualified name for privileged service account for Terraform. |
+| terraform\_service\_account | Email for privileged service account for Terraform. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
@@ -93,4 +94,4 @@ Currently, the bucket information is replaced in the state backends as a part of
 
 - [gcloud sdk](https://cloud.google.com/sdk/install) >= 206.0.0
 - [Terraform](https://www.terraform.io/downloads.html) >= 0.13.6
-    - You should use the same version in the manual steps during 0-bootstrap to avoid possible  [Terraform State Snapshot Lock](https://github.com/hashicorp/terraform/issues/23290) errors caused by differences in terraform versions. This can usually be resolved with a version upgrade.
+  - You should use the same version in the manual steps during 0-bootstrap to avoid possible [Terraform State Snapshot Lock](https://github.com/hashicorp/terraform/issues/23290) errors caused by differences in terraform versions. This can usually be resolved with a version upgrade.

0-bootstrap/main.tf

@@ -214,7 +214,7 @@ resource "google_folder_iam_member" "folder_tf_compute_security_resource_admin"
 #  billing_account                         = var.billing_account
 #  group_org_admins                        = var.group_org_admins
 #  default_region                          = var.default_region
-#  terraform_sa_email                      = module.seed_bootstrap.terraform_sa_email
+#  terraform_service_account               = module.seed_bootstrap.terraform_sa_email
 #  terraform_sa_name                       = module.seed_bootstrap.terraform_sa_name
 #  terraform_state_bucket                  = module.seed_bootstrap.gcs_bucket_tfstate
 #  sa_enable_impersonation                 = true

0-bootstrap/modules/jenkins-agent/README.md

@@ -23,7 +23,7 @@ module "jenkins_bootstrap" {
   billing_account                         = "<BILLING_ACCOUNT_ID>"
   group_org_admins                        = "[email protected]"
   default_region                          = "us-central1"
-  terraform_sa_email                      = "<SERVICE_ACCOUNT_EMAIL>" # normally module.seed_bootstrap.terraform_sa_email
+  terraform_service_account               = "<SERVICE_ACCOUNT_EMAIL>" # normally module.seed_bootstrap.terraform_sa_email
   terraform_sa_name                       = "<SERVICE_ACCOUNT_NAME>" # normally module.seed_bootstrap.terraform_sa_name
   terraform_state_bucket                  = "<GCS_STATE_BUCKET_NAME>" # normally module.seed_bootstrap.gcs_bucket_tfstate
   sa_enable_impersonation                 = true
@@ -76,8 +76,8 @@ module "jenkins_bootstrap" {
 | service\_account\_prefix | Name prefix to use for service accounts. | `string` | `"sa"` | no |
 | storage\_bucket\_labels | Labels to apply to the storage bucket. | `map(string)` | `{}` | no |
 | storage\_bucket\_prefix | Name prefix to use for storage buckets. | `string` | `"bkt"` | no |
-| terraform\_sa\_email | Email for terraform service account. It must be supplied by the seed project | `string` | n/a | yes |
 | terraform\_sa\_name | Fully-qualified name of the terraform service account. It must be supplied by the seed project | `string` | n/a | yes |
+| terraform\_service\_account | Email for terraform service account. It must be supplied by the seed project | `string` | n/a | yes |
 | terraform\_state\_bucket | Default state bucket, used in Cloud Build substitutions. It must be supplied by the seed project | `string` | n/a | yes |
 | terraform\_version | Default terraform version. | `string` | `"0.13.6"` | no |
 | terraform\_version\_sha256sum | sha256sum for default terraform version. | `string` | `"55f2db00b05675026be9c898bdd3e8230ff0c5c78dd12d743ca38032092abfc9"` | no |
@@ -135,7 +135,7 @@ Error: google: could not find default credentials. See https://developers.google
 ```
 
 ```
-Error: Error setting billing account "aaaaaa-bbbbbb-cccccc" for project "projects/cft-jenkins-dc3a": googleapi: Error 400: Precondition check failed., failedPrecondition
+Error: Error setting billing account "aaaaaa-bbbbbb-cccccc" for project "projects/prj-jenkins-dc3a": googleapi: Error 400: Precondition check failed., failedPrecondition
       on .terraform/modules/jenkins/terraform-google-project-factory-7.1.0/modules/core_project_factory/main.tf line 96, in resource "google_project" "main":
       96: resource "google_project" "main" {
 ```

0-bootstrap/modules/jenkins-agent/variables.tf

@@ -141,7 +141,7 @@ variable "tunnel1_bgp_session_range" {
 /* ----------------------------------------
     Specific to Seed Project
    ---------------------------------------- */
-variable "terraform_sa_email" {
+variable "terraform_service_account" {
   description = "Email for terraform service account. It must be supplied by the seed project"
   type        = string
 }

0-bootstrap/outputs.tf

@@ -19,7 +19,7 @@ output "seed_project_id" {
   value       = module.seed_bootstrap.seed_project_id
 }
 
-output "terraform_sa_email" {
+output "terraform_service_account" {
   description = "Email for privileged service account for Terraform."
   value       = module.seed_bootstrap.terraform_sa_email
 }
@@ -44,7 +44,7 @@ output "cloudbuild_project_id" {
 }
 
 output "gcs_bucket_cloudbuild_artifacts" {
-  description = "Bucket used to store Cloud/Build artefacts in CloudBuild project."
+  description = "Bucket used to store Cloud/Build artifacts in CloudBuild project."
   value       = module.cloudbuild_bootstrap.gcs_bucket_cloudbuild_artifacts
 }