0-bootstrap

The purpose of this step is to bootstrap a GCP organization, creating all the required resources and permissions to start using the Cloud Foundation Toolkit (CFT). This step also configures a CI/CD pipeline for the foundations code used in subsequent stages. The CI/CD pipeline can use either Cloud Build and Cloud Source Repositories, or Jenkins and your own Git repositories (which might live on-prem).

Prerequisites

  1. A GCP Organization
  2. A GCP Billing Account
  3. Cloud Identity / Google Workspace (formerly G Suite) groups for organization and billing admins
  4. A user account must be used to run this step; service accounts are not supported.
  5. Membership in the group_org_admins group for the user running terraform.
  6. The roles mentioned in the bootstrap README.md, as well as roles/resourcemanager.folderCreator, granted to the user running the step.

Further details of the permissions required and the resources created can be found in the bootstrap module documentation.

Note: when running the examples in this repository, you may receive various errors when applying terraform:

  • Error code 8, message: The project cannot be created because you have exceeded your allotted project quota. This means you have reached your project creation quota. In this case you can use the Request Project Quota Increase form to request a quota increase. The terraform_sa_email created in 0-bootstrap should also be listed under "Email addresses that will be used to create projects" in that support form. If you face other quota errors, check the Quota documentation for guidance.
  • Error: Error when reading or editing Organization Not Found : <organization-id>: googleapi: Error 403: The caller does not have permission, forbidden.
    • Check that your user has the Organization Admin predefined role at the Organization level.
    • If it does, refresh the application-default credentials that Terraform uses and confirm the active account is the one you expect:
      gcloud auth application-default login
      gcloud auth list # <- confirm that the correct account has a star next to it
      
    • Re-run terraform afterwards.
  • Error: Error setting billing account "XXXXXX-XXXXXX-XXXXXX" for project "projects/some-project": googleapi: Error 400: Precondition check failed., failedPrecondition. Most likely this is related to a billing quota issue.

0-bootstrap usage to deploy Jenkins

If you are using the jenkins_bootstrap sub-module, please see README-Jenkins for the requirements and instructions on how to run the 0-bootstrap step. Using Jenkins requires a few manual steps, including configuring connectivity with your existing Jenkins Master environment.

0-bootstrap usage to deploy Cloud Build

  1. Change into the 0-bootstrap folder.
  2. Copy the tfvars by running cp terraform.example.tfvars terraform.tfvars and update terraform.tfvars with values from your environment.
  3. Run terraform init.
  4. Run terraform plan and review the output.
  5. To run the terraform-validator steps, follow these instructions to install the latest version, then:
    1. Run terraform plan -input=false -out bootstrap.tfplan
    2. Run terraform show -json bootstrap.tfplan > bootstrap.json
    3. Run terraform-validator validate bootstrap.json --policy-path="../policy-library" --project <A-VALID-PROJECT> and check for violations.
  6. Run terraform apply.
  7. Run terraform output gcs_bucket_tfstate to get the name of the GCS state bucket created by the apply step.
  8. Copy the backend by running cp backend.tf.example backend.tf and update backend.tf with your GCS bucket.
  9. Re-run terraform init and agree to copy the state to GCS when prompted.
    1. (Optional) Run terraform apply to verify that the state is configured correctly.

(Optional) State backends for running terraform locally

Currently, the bucket name is substituted into the state backends as part of the build process when Terraform is executed by Cloud Build. If you would like to execute terraform locally, you will need to add your GCS bucket to the backend.tf files yourself. You can update all of these files with the following steps:

  1. Change into the main directory for the terraform-example-foundation.
  2. Run this command: for i in $(find . -name 'backend.tf'); do sed -i 's/UPDATE_ME/GCS_BUCKET_NAME/' "$i"; done, where GCS_BUCKET_NAME is the name of your bucket from the steps executed above.
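The following script is an added example, not code from terraform-example-foundation. It performs step 8 of the Cloud Build procedure and the bulk backend.tf update above in one place, but without sed -i (whose syntax differs between GNU and BSD sed), validates the bucket name against the GCS naming rules before splicing it into the sed expression, and afterwards counts any backend.tf that still carries the UPDATE_ME placeholder, so a local terraform init cannot silently target a bucket you did not intend. The bucket name, the directory layout and the backend.tf contents in the demo branch are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of terraform-example-foundation: point every
# backend.tf in a checkout at the 0-bootstrap state bucket without `sed -i`
# and then verify that no UPDATE_ME placeholder survived.
# Usage: ./set_backends.sh <repo-root> <bucket-from-terraform-output>
# With no arguments it runs against a constructed demo tree instead.
set -eu

# GCS bucket naming rules: 3-63 chars of lowercase letters, digits, dashes,
# underscores and dots, starting and ending with a letter or digit. Checking
# this first also guarantees the name is safe to splice into the sed command.
valid_bucket_name() {
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$'
}

# Replace the UPDATE_ME placeholder in one file via a temp file and rename,
# which behaves the same with GNU and BSD sed.
set_bucket_in_file() {
  _file=$1; _bucket=$2
  _tmp="$_file.tmp.$$"
  sed "s|UPDATE_ME|$_bucket|g" "$_file" > "$_tmp" && mv "$_tmp" "$_file"
}

# Walk the tree rooted at $1, update every backend.tf, print how many.
set_all_backends() {
  _root=$1; _name=$2
  valid_bucket_name "$_name" || { echo "invalid GCS bucket name: $_name" >&2; return 1; }
  _count=0
  while IFS= read -r _f; do
    [ -n "$_f" ] || continue
    set_bucket_in_file "$_f" "$_name"
    _count=$((_count + 1))
  done <<FILES
$(find "$_root" -name backend.tf -type f)
FILES
  echo "$_count"
}

# Count backend.tf files under $1 that still carry the placeholder (want 0).
remaining_placeholders() {
  find "$1" -name backend.tf -type f -exec grep -l 'UPDATE_ME' {} + | wc -l | tr -d ' '
}

if [ "$#" -eq 2 ]; then
  n=$(set_all_backends "$1" "$2")
  echo "updated $n backend.tf files; $(remaining_placeholders "$1") still carry UPDATE_ME"
else
  # Demo on a constructed tree: three backend.tf files plus one unrelated file
  # (notes.txt) that must be left untouched. Paths and contents are made up.
  demo=$(mktemp -d)
  for d in 0-bootstrap 1-org/envs/shared 2-environments/envs/development; do
    mkdir -p "$demo/$d"
    cat > "$demo/$d/backend.tf" <<'TF'
terraform {
  backend "gcs" {
    bucket = "UPDATE_ME"
    prefix = "terraform/state"
  }
}
TF
  done
  echo 'bucket = "UPDATE_ME"' > "$demo/0-bootstrap/notes.txt"
  n=$(set_all_backends "$demo" "bkt-b-tfstate-1234")
  echo "updated $n backend.tf files; $(remaining_placeholders "$demo") still carry UPDATE_ME"
  grep -n bucket "$demo/0-bootstrap/backend.tf"
  rm -rf "$demo"
fi
```

In a real checkout, pass the repository root and the value printed by terraform output gcs_bucket_tfstate as the two arguments; a non-zero count in the final line means some backend.tf was skipped (for example one not named exactly backend.tf) and should be fixed by hand before running terraform init locally.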

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| billing_account | The ID of the billing account to associate projects with. | string | n/a | yes |
| cloud_source_repos | List of Cloud Source Repositories created during the bootstrap project build stage. | list(string) | ["gcp-org", "gcp-environments", "gcp-networks", "gcp-projects", "gcp-policies"] | no |
| default_region | Default region to create resources in, where applicable. | string | "us-central1" | no |
| folder_prefix | Name prefix to use for folders created. | string | "fldr" | no |
| group_billing_admins | Google Group for GCP Billing Administrators. | string | n/a | yes |
| group_org_admins | Google Group for GCP Organization Administrators. | string | n/a | yes |
| org_id | GCP Organization ID. | string | n/a | yes |
| org_policy_admin_role | Additional Org Policy Admin role for the admin group. You can use this for testing purposes. | bool | false | no |
| org_project_creators | Additional list of members to have the project creator role across the organization. A prefix of group:, user: or serviceAccount: is required. | list(string) | [] | no |
| parent_folder | Optional - if using a folder for testing. | string | "" | no |
| project_prefix | Name prefix to use for projects created. | string | "prj" | no |

Outputs

| Name | Description |
|------|-------------|
| cloudbuild_project_id | Project where the Cloud Build configuration and the Terraform container image will reside. |
| csr_repos | List of Cloud Source Repos created by the module, linked to Cloud Build triggers. |
| gcs_bucket_cloudbuild_artifacts | Bucket used to store Cloud Build artefacts in the Cloud Build project. |
| gcs_bucket_tfstate | Bucket used for storing Terraform state for the foundations pipelines, in the seed project. |
| kms_crypto_key | KMS key created by the module. |
| kms_keyring | KMS keyring created by the module. |
| seed_project_id | Project where service accounts and core APIs will be enabled. |
| terraform_sa_email | Email of the privileged service account for Terraform. |
| terraform_sa_name | Fully qualified name of the privileged service account for Terraform. |

Requirements

Software

  • gcloud sdk >= 206.0.0
  • Terraform >= 0.13.6
    • You should use the same Terraform version in the manual steps during 0-bootstrap as in the rest of the pipeline, to avoid possible Terraform State Snapshot Lock errors caused by differences in terraform versions. This can usually be resolved with a version upgrade.