Skip to content

Latest commit

 

History

History
 
 

0-bootstrap

README.md

0-bootstrap

The purpose of this step is to bootstrap a GCP organization, creating all the required resources & permissions to start using the Cloud Foundation Toolkit (CFT). This step also configures a CICD pipeline for foundations code in subsequent stages. The CICD pipeline can use either Cloud Build & Cloud Source Repos or Jenkins & your own Git repos (which might live on-prem).

Prerequisites

  1. A GCP Organization
  2. A GCP Billing Account
  3. Cloud Identity / G Suite groups for organization and billing admins
  4. Membership in the group_org_admins group for user running terraform
  5. Grant the roles mentioned in bootstrap README.md, as well as roles/resourcemanager.folderCreator for the user running the step.

Further details of permissions required and resources created, can be found in the bootstrap module documentation.

Note: when running the examples in this repository, you may receive an error like Error code 8, message: The project cannot be created because you have exceeded your allotted project quota. when applying terraform. That means you have reached your Project creation quota. In this case you can use this Request Project Quota Increase form to request a quota increase. The terraform_sa_email created in 0-bootstrap should also be listed in "Email addresses that will be used to create projects" in that support form. If you face others quota errors, check the Quota documentation for guidence.

0-bootstrap usage to deploy Jenkins

If you are using the jenkins_bootstrap sub-module, please see README-Jenkins for requirements and instructions on how to run the 0-bootstrap step. Using Jenkins requires a few manual steps, including configuring connectivity with your current Jenkins Master environment.

0-bootstrap usage to deploy Cloud Build

  1. Change into 0-bootstrap folder
  2. Copy tfvars by running cp terraform.example.tfvars terraform.tfvars and update terraform.tfvars with values from your environment.
  3. Run terraform init
  4. Run terraform plan and review output
  5. Run terraform apply
  6. Run terraform output gcs_bucket_tfstate to get your GCS bucket from the apply step
  7. Copy the backend by running cp backend.tf.example backend.tf and update backend.tf with your GCS bucket.
  8. Re-run terraform init agree to copy state to GCS when prompted
    1. (Optional) Run terraform apply to verify state is configured correctly

(Optional) State backends for running terraform locally

Currently, the bucket information is replaced in the state backends as a part of the build process when executed by Cloud Build. If you would like to execute terraform locally, you will need to add your GCS bucket to the backend.tf files. You can update all of these files with the following steps:

  1. Change into the main directory for the terraform-example-foundation.
  2. Run this command for i in `find -name 'backend.tf'`; do sed -i 's/UPDATE_ME/GCS_BUCKET_NAME/' $i; done where GCS_BUCKET_NAME is the name of your bucket from the steps executed above.

Inputs

Name Description Type Default Required
billing_account The ID of the billing account to associate projects with. string n/a yes
default_region Default region to create resources where applicable. string "us-central1" no
group_billing_admins Google Group for GCP Billing Administrators string n/a yes
group_org_admins Google Group for GCP Organization Administrators string n/a yes
org_id GCP Organization ID string n/a yes
org_project_creators Additional list of members to have project creator role across the organization. Prefix of group: user: or serviceAccount: is required. list(string) <list> no
parent_folder Optional - if using a folder for testing. string "" no
skip_gcloud_download Whether to skip downloading gcloud (assumes gcloud is already available outside the module) bool "true" no

Outputs

Name Description
cloudbuild_project_id Project where CloudBuild configuration and terraform container image will reside.
csr_repos List of Cloud Source Repos created by the module, linked to Cloud Build triggers.
gcs_bucket_cloudbuild_artifacts Bucket used to store Cloud/Build artefacts in CloudBuild project.
gcs_bucket_tfstate Bucket used for storing terraform state for foundations pipelines in seed project.
kms_crypto_key KMS key created by the module.
kms_keyring KMS Keyring created by the module.
seed_project_id Project where service accounts and core APIs will be enabled.
terraform_sa_email Email for privileged service account for Terraform.
terraform_sa_name Fully qualified name for privileged service account for Terraform.

Requirements

Software

  • gcloud sdk >= 206.0.0
  • Terraform >= 0.12.6
    • You should use the same version in the manual steps during 0-bootstrap to avoid possible Terraform State Snapshot Lock errors caused by differences in terraform versions. This can usually be resolved with a version upgrade.