The foundation logic is located in the environment/foundation directory. Anything in this directory is used to help manage and govern the GCP platform: services such as org-level IAM permissions, folder structures, and shared services projects.
The foundation contains several distinct Terraform projects, each within its own directory, that were deployed separately but in sequence. Each of these Terraform projects is layered on top of the previous one, running in the order below. Each step has its own tfstate file to keep things separated and isolated. These tfstate files live in a bucket located in the rubin-automation project.
The purpose of this step is to set up top-level shared folders, monitoring and networking projects, and org-level logging, and to set baseline security settings through organization policy.
The purpose of this step is to set up any sub-level folders for environments like dev, integration and stable under each primary application folder that was deployed in the previous step.
These are the documented steps performed manually that could not be automated at the time of deployment.
The purpose of this step is to set up shared VPCs with default DNS, NAT, and baseline firewall rules.
Each one of these steps has its own tfstate but also its own pipeline. There are three pipelines, one for each step (except the manual one). The pipelines monitor for any push and for any changes to the corresponding module's directory.
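As an added illustration of what the networking step above sets up (this is example code written for this page, not the repository's own networking module), the following Terraform declares a shared VPC host project with a private DNS zone, a Cloud NAT, and two baseline firewall rules: an explicit, logged deny-all ingress at low priority and an allow rule for SSH only from the IAP TCP-forwarding range. Project ID, region and DNS name are placeholders.

```hcl
# Added example, not the repository's own code.
# Placeholders: host project ID, region and private DNS name.
locals {
  host_project = "HOST_PROJECT_ID_PLACEHOLDER"
  region       = "us-central1"
}

# Shared VPC network with no auto-created subnets.
resource "google_compute_network" "shared" {
  project                 = local.host_project
  name                    = "shared-vpc"
  auto_create_subnetworks = false
}

# Mark the project as the Shared VPC host; service projects attach to it separately.
resource "google_compute_shared_vpc_host_project" "host" {
  project = local.host_project
}

resource "google_compute_subnetwork" "main" {
  project                  = local.host_project
  name                     = "shared-main"
  region                   = local.region
  network                  = google_compute_network.shared.id
  ip_cidr_range            = "10.10.0.0/20"
  private_ip_google_access = true
}

# Default private DNS zone visible only inside the shared network.
resource "google_dns_managed_zone" "private" {
  project    = local.host_project
  name       = "shared-private-zone"
  dns_name   = "internal.example." # placeholder zone name
  visibility = "private"
  private_visibility_config {
    networks {
      network_url = google_compute_network.shared.id
    }
  }
}

# Cloud NAT so instances without public IPs can reach the internet outbound.
resource "google_compute_router" "nat" {
  project = local.host_project
  name    = "shared-vpc-router"
  region  = local.region
  network = google_compute_network.shared.id
}

resource "google_compute_router_nat" "nat" {
  project                            = local.host_project
  name                               = "shared-vpc-nat"
  router                             = google_compute_router.nat.name
  region                             = local.region
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}

# Baseline: explicit deny-all ingress just above the implied rule, with logging,
# so blocked traffic is visible in Cloud Logging instead of silently dropped.
resource "google_compute_firewall" "deny_all_ingress" {
  project       = local.host_project
  name          = "fw-deny-all-ingress"
  network       = google_compute_network.shared.name
  direction     = "INGRESS"
  priority      = 65534
  source_ranges = ["0.0.0.0/0"]
  deny {
    protocol = "all"
  }
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# Baseline: SSH only from the IAP TCP-forwarding range, never from the internet.
resource "google_compute_firewall" "allow_iap_ssh" {
  project       = local.host_project
  name          = "fw-allow-iap-ssh"
  network       = google_compute_network.shared.name
  direction     = "INGRESS"
  priority      = 1000
  source_ranges = ["35.235.240.0/20"]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}
```

The deny rule sits at priority 65534 so that any allow rule added later at the default priority of 1000 still takes precedence; the point of declaring it explicitly rather than relying on the implied deny is the log_config block, which the implied rule cannot have.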
Adding an additional role, like roles/project.viewer, to the Org Admins group must be done in the 1-org directory. The IAM permissions are listed in the tfvars file 1-org.tfvars, and this file must be updated.
  default = [
    "roles/billing.user",
    "roles/resourcemanager.organizationAdmin",
    "roles/resourcemanager.folderAdmin",
    "roles/resourcemanager.projectCreator",
+   "roles/iam.organizationRoleAdmin",
+   "roles/project.Viewer",
  ]
Note that permissions are also set in the variables.tf file in this directory. Values in 1-org.tfvars (and tfvars files in general) override the defaults declared there.
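To make the default/override relationship concrete, here is an added example (not the 1-org module's own code; the variable and resource names are assumed) showing how a role list declared in variables.tf is consumed and how a tfvars value replaces it.

```hcl
# Added example, not the repository's own code. Variable names are assumed.

# variables.tf: the default list, used only when no tfvars value is supplied.
variable "org_admins_roles" {
  description = "Roles bound to the Org Admins group at the organization level."
  type        = list(string)
  default = [
    "roles/billing.user",
    "roles/resourcemanager.organizationAdmin",
    "roles/resourcemanager.folderAdmin",
    "roles/resourcemanager.projectCreator",
  ]
}

variable "org_admins_group" {
  description = "Email address of the Org Admins Google group."
  type        = string
}

variable "org_id" {
  description = "Numeric organization ID."
  type        = string
}

# One binding per role. Keying for_each on the role string means that adding
# a role to the list creates exactly one new binding and removing one destroys
# exactly one, without touching the others.
resource "google_organization_iam_member" "org_admins" {
  for_each = toset(var.org_admins_roles)
  org_id   = var.org_id
  role     = each.value
  member   = "group:${var.org_admins_group}"
}
```

A line such as `org_admins_roles = [...]` in 1-org.tfvars replaces the whole default list rather than appending to it, which is why the diff above repeats the existing roles and adds the new one at the end: a tfvars list containing only the new role would remove the existing bindings on the next apply.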
Organization Policies are in place for domain restricted sharing, removing the default network, preventing public IPs in Cloud SQL, and requiring Shielded VMs at the organization level. If Organization Policies need to be updated, edit the Organization Policy Terraform file to remove or add an organization policy. If an Organization Policy needs to be applied selectively at folder level only, change the input values for .
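The four constraints listed above, expressed with the Google provider's organization policy resources, as an added example (this is not the foundation's own Organization Policy Terraform file, whose variable names are not shown here). The organization ID, folder ID and Cloud Identity customer ID are placeholders; the last resource shows the same constraint scoped to a single folder instead of the whole organization.

```hcl
# Added example, not the repository's own code.
locals {
  org_id      = "ORG_ID_PLACEHOLDER"
  folder_id   = "FOLDER_ID_PLACEHOLDER"      # a top-level folder created by 1-org
  customer_id = "CUSTOMER_ID_PLACEHOLDER"    # Cloud Identity customer ID, e.g. C0xxxxxxx
}

# Domain restricted sharing: IAM members may only come from the listed
# Cloud Identity customer IDs, which blocks granting roles to outside accounts.
resource "google_organization_policy" "domain_restricted_sharing" {
  org_id     = local.org_id
  constraint = "constraints/iam.allowedPolicyMemberDomains"
  list_policy {
    allow {
      values = [local.customer_id]
    }
  }
}

# Remove the default network: new projects are created without the
# auto-mode "default" VPC and its permissive default firewall rules.
resource "google_organization_policy" "skip_default_network" {
  org_id     = local.org_id
  constraint = "constraints/compute.skipDefaultNetworkCreation"
  boolean_policy {
    enforced = true
  }
}

# Prevent public IPs on Cloud SQL instances.
resource "google_organization_policy" "sql_restrict_public_ip" {
  org_id     = local.org_id
  constraint = "constraints/sql.restrictPublicIp"
  boolean_policy {
    enforced = true
  }
}

# Require Shielded VMs (secure boot, vTPM, integrity monitoring) org-wide.
resource "google_organization_policy" "require_shielded_vm" {
  org_id     = local.org_id
  constraint = "constraints/compute.requireShieldedVm"
  boolean_policy {
    enforced = true
  }
}

# The same constraint applied at folder level only. A folder-level policy
# takes effect for that folder's subtree and can override the org default
# where the constraint permits it.
resource "google_folder_organization_policy" "folder_require_shielded_vm" {
  folder     = "folders/${local.folder_id}"
  constraint = "constraints/compute.requireShieldedVm"
  boolean_policy {
    enforced = true
  }
}
```

Boolean constraints are either enforced or not; list constraints such as iam.allowedPolicyMemberDomains take explicit allow or deny values. Scoping a policy to a folder is a matter of swapping the org-level resource for the folder-level one with the same constraint name.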
If you have a new environment and you need to create a new top-level folder plus subfolders for dev, int and stable, this must be done in two steps.
- Update the 1-org module, because this holds all the top-level folder modules.
- Update the 1-org-b module, because this holds all the subfolder modules.
Step 1 - Update the terraform.tfvars file and commit your changes.
- folder_names = ["QServ", "SQuaRE", "Science Platform", "Processing"]
+ folder_names = ["QServ", "SQuaRE", "Science Platform", "Processing", "PaNDA"]
Step 2 - Once Step 1 has completed successfully, update the variables.tf, data.tf and sub_folders.tf files. Commit the changes.
variables.tf - Create a new variable holding the display name of the new folder.
variable "panda_display_name" {
  description = "The display name of the parent folder."
  type        = string
  default     = "PaNDA"
}
data.tf - Create a new data block to look up the new folder by its display name.
data "google_active_folder" "panda_sub_folder" {
  parent       = local.parent
  display_name = var.panda_display_name
}
sub_folders.tf - Create subfolders under the new folder
// Build sub-folders for PaNDA
module "sub_folders_panda" {
  source  = "terraform-google-modules/folders/google"
  version = "~> 2.0"

  parent = data.google_active_folder.panda_sub_folder.name
  names  = var.sub_folder_names
}