fix: adjusting README steps, terraform version and breaking issues (GoogleCloudPlatform#64)

* fixing deploy

* update

* terraform fmt

* remove trailing whitespace

* move variable
caetano-colin authored Jun 24, 2024
1 parent 4c487aa commit c85cab0
Showing 29 changed files with 324 additions and 146 deletions.
2 changes: 1 addition & 1 deletion 0-bootstrap/Dockerfile
Expand Up @@ -15,7 +15,7 @@
FROM gcr.io/cloud-builders/gcloud-slim

# Use ARG so that values can be overriden by user/cloudbuild
ARG TERRAFORM_VERSION=1.3.0
ARG TERRAFORM_VERSION=1.5.7

ENV ENV_TERRAFORM_VERSION=$TERRAFORM_VERSION

Expand Down
6 changes: 3 additions & 3 deletions 0-bootstrap/README-GitHub.md
Expand Up @@ -15,7 +15,7 @@ To run the instructions described in this document, install the following:
- [Google Cloud SDK](https://cloud.google.com/sdk/install) version 393.0.0 or later
- [terraform-tools](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install) component
- [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) version 2.28.0 or later
- [Terraform](https://www.terraform.io/downloads.html) version 1.3.0 or later
- [Terraform](https://www.terraform.io/downloads.html) version 1.5.7 or later

Also make sure that you have the following:

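Review bot: "version 1.5.7 or later" here conflicts with 0-bootstrap/README.md in this same commit, which tells the reader to use exactly 1.5.7 throughout the series to avoid state snapshot lock errors, and with the jenkins-agent README's "= 1.5.7". Suggest `- [Terraform](https://www.terraform.io/downloads.html) version 1.5.7` so every entry point pins the same version.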
Expand Down Expand Up @@ -61,10 +61,10 @@ for each one of the repositories.

### Deploying step 0-bootstrap

1. Clone [terraform-google-enterprise-genai](https://github.com/terraform-google-modules/terraform-google-enterprise-genai) into your local environment.
1. Clone [terraform-google-enterprise-genai](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai) into your local environment.

```bash
git clone https://github.com/terraform-google-modules/terraform-google-enterprise-genai.git
git clone https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai.git
```

1. Clone the private repository you created to host the `0-bootstrap` terraform configuration at the same level of the `terraform-google-enterprise-genai` folder.
Expand Down
10 changes: 5 additions & 5 deletions 0-bootstrap/README-Jenkins.md
Expand Up @@ -51,7 +51,7 @@ You arrived to these instructions because you are using the `jenkins_bootstrap`
- Access to the Jenkins Controller Web UI
- [SSH Agent Jenkins plugin](https://plugins.jenkins.io/ssh-agent) installed in your Jenkins Controller
- Private IP address for the Jenkins Agent: usually assigned by your network administrator. You will use this IP for the GCE instance that will be created in the `prj-b-cicd` GCP Project in step [II. Create the SEED and CI/CD projects using Terraform](#ii-create-the-seed-and-cicd-projects-using-terraform).
- Access to create five Git repositories, one for each directory in this [monorepo](https://github.com/terraform-google-modules/terraform-google-enterprise-genai) (`0-bootstrap, 1-org, 2-environments, 3-networks, 4-projects`). These are usually private repositories that might be on-prem.
- Access to create five Git repositories, one for each directory in this [monorepo](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai) (`0-bootstrap, 1-org, 2-environments, 3-networks, 4-projects`). These are usually private repositories that might be on-prem.

1. Generate a SSH key pair. In the Jenkins Controller host, use the `ssh-keygen` command to generate a SSH key pair.
- You will need this key pair to enable authentication between the Controller and Agent. Although the key pair can be generated in any linux machine, it is recommended not to copy the secret private key from one host to another, so you probably want to do this in the Jenkins Controller host command line.
Expand All @@ -78,7 +78,7 @@ You arrived to these instructions because you are using the `jenkins_bootstrap`
- Jenkins Agent’s private IP address (usually assigned by your Network Administrator. In the provided examples this IP is "172.16.1.6"). This private IP will be reachable through the VPN connection that you will create later.

1. Create five individual Git repositories in your Git server (This might be a task delegated to your infrastructure team)
- Note that although this infrastructure code is distributed to you as a [monorepo](https://github.com/terraform-google-modules/terraform-google-enterprise-genai), you will store the code in five different repositories, one for each directory:
- Note that although this infrastructure code is distributed to you as a [monorepo](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai), you will store the code in five different repositories, one for each directory:

```text
./0-bootstrap
Expand Down Expand Up @@ -113,7 +113,7 @@ You arrived to these instructions because you are using the `jenkins_bootstrap`
1. Clone this mono-repository with:

```bash
git clone https://github.com/terraform-google-modules/terraform-google-enterprise-genai
git clone https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai
```

1. Clone the repository you created to host the `0-bootstrap` directory with:
Expand Down Expand Up @@ -192,7 +192,7 @@ You arrived to these instructions because you are using the `jenkins_bootstrap`
### II. Create the SEED and CI/CD projects using Terraform

- Required information:
- Terraform version 1.3.0 - See [Requirements](#requirements) section for more details.
- Terraform version 1.5.7 - See [Requirements](#requirements) section for more details.
- The `terraform.tfvars` file with all the necessary values.

1. Get the appropriate credentials: run the following command with an account that has the [necessary permissions](./modules/jenkins-agent/README.md#permissions).
Expand All @@ -205,7 +205,7 @@ You arrived to these instructions because you are using the `jenkins_bootstrap`

1. Run terraform commands.
- After the credentials are configured, we will create the `prj-b-seed` project (which contains the GCS state bucket and Terraform custom service account) and the `prj-b-cicd` project (which contains the Jenkins Agent, its custom service account and where we will add VPN configuration)
- **Use Terraform 1.3.0** to run the terraform script with the commands below
- **Use Terraform 1.5.7** to run the terraform script with the commands below

```bash
terraform init
Expand Down
6 changes: 3 additions & 3 deletions 0-bootstrap/README-Terraform-Cloud.md
Expand Up @@ -17,7 +17,7 @@ To run the instructions described in this document, install the following:
- [Google Cloud SDK](https://cloud.google.com/sdk/install) version 393.0.0 or later
- [terraform-tools](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install) component
- [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) version 2.28.0 or later
- [Terraform](https://www.terraform.io/downloads.html) version 1.3.0 or later
- [Terraform](https://www.terraform.io/downloads.html) version 1.5.7 or later
- [jq](https://jqlang.github.io/jq/download/) version 1.6.0 or later

Also make sure that you have the following:
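Review bot: same pin inconsistency as README-GitHub.md: "1.5.7 or later" here versus the exact 1.5.7 required by 0-bootstrap/README.md and the jenkins-agent README; drop "or later" so the Terraform Cloud path does not invite a newer CLI that the state-lock note warns against.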
Expand Down Expand Up @@ -59,10 +59,10 @@ that are created, see the organization bootstrap module

### Instructions

1. Clone [terraform-google-enterprise-genai](https://github.com/terraform-google-modules/terraform-google-enterprise-genai) into your local environment.
1. Clone [terraform-google-enterprise-genai](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai) into your local environment.

```bash
git clone https://github.com/terraform-google-modules/terraform-google-enterprise-genai.git
git clone https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai.git
```

1. Clone all the private repositories (or projects) you created at the same level of the `terraform-google-enterprise-genai` folder.
Expand Down
16 changes: 6 additions & 10 deletions 0-bootstrap/README.md
Expand Up @@ -45,15 +45,11 @@ Hub and Spoke network model. It also sets up the global DNS hub.</td>
</tr>
<tr>
<td><a href="../5-app-infra">5-app-infra</a></td>
<td>Deploy a service catalog and artifacts pipeline.</td>
<td>Deploys Service Catalog Pipeline and Custom Artifacts Pipeline.</td>
</tr>
</tbody>
</table>

For an overview of the architecture and the parts, see the
[terraform-google-enterprise-genai README](https://github.com/terraform-google-modules/terraform-google-enterprise-genai)
file.

## Purpose

The purpose of this step is to bootstrap a Google Cloud organization, creating all the required resources and permissions to start using the Cloud Foundation Toolkit (CFT). This step also configures a [CI/CD Pipeline](/docs/GLOSSARY.md#foundation-cicd-pipeline) for foundations code in subsequent stages. The [CI/CD Pipeline](/docs/GLOSSARY.md#foundation-cicd-pipeline) can use either Cloud Build and Cloud Source Repos or Jenkins and your own Git repos (which might live on-premises).
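Review bot: the "For an overview of the architecture and the parts" paragraph is deleted here, while the equivalent paragraph in 1-org/README.md is kept and only has its URL updated; unless the removal is intentional, keep the paragraph with the new `https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai` link so 0-bootstrap readers still have the same entry point as the other stages.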
Expand All @@ -64,10 +60,10 @@ To run the commands described in this document, install the following:

- [Google Cloud SDK](https://cloud.google.com/sdk/install) version 393.0.0 or later
- [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) version 2.28.0 or later
- [Terraform](https://www.terraform.io/downloads.html) version 1.3.0
- [Terraform](https://www.terraform.io/downloads.html) version 1.5.7
- [jq](https://jqlang.github.io/jq/download/) version 1.6.0 or later

**Note:** Make sure that you use version 1.3.0 of Terraform throughout this series. Otherwise, you might experience Terraform state snapshot lock errors.
**Note:** Make sure that you use version 1.5.7 of Terraform throughout this series. Otherwise, you might experience Terraform state snapshot lock errors.

Also make sure that you've done the following:

Expand Down Expand Up @@ -119,7 +115,7 @@ See [troubleshooting](../docs/TROUBLESHOOTING.md) if you run into issues during
## Deploying with Jenkins

If you are using the `jenkins_bootstrap` sub-module, see
[README-Jenkins](https://github.com/terraform-google-modules/terraform-google-enterprise-genai/blob/master/0-bootstrap/README-Jenkins.md)
[README-Jenkins](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai/blob/master/0-bootstrap/README-Jenkins.md)
for requirements and instructions on how to run the 0-bootstrap step. Using
Jenkins requires a few manual steps, including configuring connectivity with
your current Jenkins manager (controller) environment.
Expand All @@ -132,10 +128,10 @@ Using GitHub Actions requires manual creation of the GitHub repositories used in

## Deploying with Cloud Build

1. Clone [terraform-google-enterprise-genai](https://github.com/terraform-google-modules/terraform-google-enterprise-genai) into your local environment and navigate to the `0-bootstrap` folder.
1. Clone [terraform-google-enterprise-genai](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai) into your local environment and navigate to the `0-bootstrap` folder.

```bash
git clone https://github.com/terraform-google-modules/terraform-google-enterprise-genai.git
git clone https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai.git

cd terraform-google-enterprise-genai/0-bootstrap
```
Expand Down
3 changes: 2 additions & 1 deletion 0-bootstrap/cb.tf
Expand Up @@ -16,7 +16,7 @@

locals {
// terraform version image configuration
terraform_version = "1.3.0"
terraform_version = "1.5.7"
// The version of the terraform docker image to be used in the workspace builds
docker_tag_version_terraform = "v1"

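Review bot: `terraform_version` moves to 1.5.7 but `docker_tag_version_terraform` stays at "v1", so the rebuilt Cloud Build image overwrites the tag that existing triggers already reference; consider bumping the tag (e.g. "v2") so the 1.3.0 and 1.5.7 images are distinguishable and a partially rolled-out pipeline does not mix Terraform versions against the same state.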
Expand Down Expand Up @@ -166,6 +166,7 @@ module "tf_cloud_builder" {
enable_worker_pool = true
worker_pool_id = module.tf_private_pool.private_worker_pool_id
bucket_name = "${var.bucket_prefix}-${module.tf_source.cloudbuild_project_id}-tf-cloudbuilder-build-logs"
build_timeout = "1200s"
}

module "bootstrap_csr_repo" {
Expand Down
6 changes: 3 additions & 3 deletions 0-bootstrap/modules/jenkins-agent/README.md
Expand Up @@ -77,7 +77,7 @@ module "jenkins_bootstrap" {
| storage\_bucket\_prefix | Name prefix to use for storage buckets. | `string` | `"bkt"` | no |
| terraform\_sa\_names | Fully-qualified name of the Terraform Service Accounts. It must be supplied by the Seed Project | `map(string)` | n/a | yes |
| terraform\_state\_bucket | Default state bucket, used in Cloud Build substitutions. It must be supplied by the Seed Project | `string` | n/a | yes |
| terraform\_version | Default terraform version. | `string` | `"1.3.0"` | no |
| terraform\_version | Default terraform version. | `string` | `"1.5.7"` | no |
| terraform\_version\_sha256sum | sha256sum for default terraform version. | `string` | `"380ca822883176af928c80e5771d1c0ac9d69b13c6d746e6202482aedde7d457"` | no |
| tunnel0\_bgp\_peer\_address | BGP peer address for tunnel 0 | `string` | n/a | yes |
| tunnel0\_bgp\_session\_range | BGP session range for tunnel 0 | `string` | n/a | yes |
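Review bot: `terraform_version` now defaults to "1.5.7" but the `terraform_version_sha256sum` default on the next row is unchanged at `380ca822883176af928c80e5771d1c0ac9d69b13c6d746e6202482aedde7d457`, which was the value paired with 1.3.0; the agent's checksum verification of the Terraform download will fail for 1.5.7 unless that default (and the generated table) is updated in the same change.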
Expand All @@ -103,8 +103,8 @@ module "jenkins_bootstrap" {
### Software

- [gcloud sdk](https://cloud.google.com/sdk/install) >= 393.0.0
- [Terraform](https://www.terraform.io/downloads.html) = 1.3.0
- The scripts in this codebase use Terraform v1.3.0. You should use the same version in the manual steps to avoid [Terraform State Snapshot Lock](https://github.com/hashicorp/terraform/issues/23290) errors caused by differences in terraform versions.
- [Terraform](https://www.terraform.io/downloads.html) = 1.5.7
- The scripts in this codebase use Terraform v1.5.7. You should use the same version in the manual steps to avoid [Terraform State Snapshot Lock](https://github.com/hashicorp/terraform/issues/23290) errors caused by differences in terraform versions.

### Infrastructure

Expand Down
2 changes: 1 addition & 1 deletion 0-bootstrap/modules/jenkins-agent/variables.tf
Expand Up @@ -215,7 +215,7 @@ variable "folder_id" {
variable "terraform_version" {
description = "Default terraform version."
type = string
default = "1.3.0"
default = "1.5.7"
}

variable "terraform_version_sha256sum" {
Expand Down
4 changes: 2 additions & 2 deletions 1-org/README.md
Expand Up @@ -45,13 +45,13 @@ hub-and-spoke network model. It also sets up the global DNS hub.</td>
</tr>
<tr>
<td><a href="../5-app-infra">5-app-infra</a></td>
<td>Deploy a service catalog and artifacts pipeline.</td>
<td>Deploys Service Catalog Pipeline and Custom Artifacts Pipeline.</td>
</tr>
</tbody>
</table>

For an overview of the architecture and the parts, see the
[terraform-google-enterprise-genai README](https://github.com/terraform-google-modules/terraform-google-enterprise-genai).
[terraform-google-enterprise-genai README](https://github.com/GoogleCloudPlatform/terraform-google-enterprise-genai).

## Purpose

Expand Down
2 changes: 1 addition & 1 deletion 1-org/modules/cai-monitoring/README.md
Expand Up @@ -5,7 +5,7 @@ Uses Google Cloud Asset Inventory to create a feed of IAM Policy change events,

```hcl
module "secure_cai_notification" {
source = "terraform-google-modules/terraform-google-enterprise-genai/google//1-org/modules/cai-monitoring"
source = "GoogleCloudPlatform/terraform-google-enterprise-genai/google//1-org/modules/cai-monitoring"
org_id = <ORG ID>
billing_account = <BILLING ACCOUNT ID>
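Review bot: the new `source` keeps the Terraform Registry shorthand (`<namespace>/<name>/<provider>//<subdir>`), but registry module names omit the `terraform-<provider>-` prefix, so `GoogleCloudPlatform/terraform-google-enterprise-genai/google//...` would only resolve if a module with that literal name were published under the GoogleCloudPlatform namespace; if the intent is to reference this GitHub repository directly, use a git source such as `github.com/GoogleCloudPlatform/terraform-google-enterprise-genai//1-org/modules/cai-monitoring` instead.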
Expand Down
28 changes: 23 additions & 5 deletions 1-org/modules/cai-monitoring/iam.tf
Expand Up @@ -15,6 +15,12 @@
*/

locals {
compute_engine_sa_project_roles = [
"roles/logging.logWriter",
"roles/storage.objectViewer",
"roles/artifactregistry.reader",
"roles/artifactregistry.writer",
]
cf_roles = [
"roles/pubsub.publisher",
"roles/eventarc.eventReceiver",
Expand All @@ -33,6 +39,14 @@ locals {
}
}

data "google_storage_project_service_account" "gcs_sa" {
project = var.project_id
}

data "google_compute_default_service_account" "default" {
project = var.project_id
}

// Service Accounts
resource "google_project_service_identity" "service_sa" {
for_each = local.services
Expand All @@ -42,10 +56,6 @@ resource "google_project_service_identity" "service_sa" {
service = each.value
}

data "google_storage_project_service_account" "gcs_sa" {
project = var.project_id
}

// Encrypter/Decrypter role
resource "google_kms_crypto_key_iam_member" "encrypter_decrypter" {
for_each = var.enable_cmek ? local.identities : {}
Expand All @@ -55,6 +65,13 @@ resource "google_kms_crypto_key_iam_member" "encrypter_decrypter" {
member = each.value
}

resource "google_project_iam_member" "log_writer" {
for_each = toset(local.compute_engine_sa_project_roles)
project = var.project_id
role = each.value
member = data.google_compute_default_service_account.default.member
}

// Cloud Function SA
resource "google_service_account" "cloudfunction" {
account_id = "cai-monitoring"
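Review bot: the resource name `google_project_iam_member.log_writer` no longer describes what it does, since it now iterates over four roles including Artifact Registry write; rename it (for example `compute_default_sa_roles`) while it is still new, and mirror the rename in the `depends_on` list of `time_sleep.wait_kms_iam` in the last hunk.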
Expand All @@ -81,6 +98,7 @@ resource "time_sleep" "wait_kms_iam" {
depends_on = [
google_kms_crypto_key_iam_member.encrypter_decrypter,
google_organization_iam_member.cloudfunction_findings_editor,
google_project_iam_member.cloudfunction_iam
google_project_iam_member.cloudfunction_iam,
google_project_iam_member.log_writer
]
}
4 changes: 2 additions & 2 deletions 1-org/modules/centralized-logging/README.md
Expand Up @@ -10,7 +10,7 @@ The following example exports audit logs from two folders to the same storage de

```hcl
module "logs_export" {
source = "terraform-google-modules/terraform-google-enterprise-genai/google//1-org/modules/centralized-logging"
source = "GoogleCloudPlatform/terraform-google-enterprise-genai/google//1-org/modules/centralized-logging"
resources = {
fldr1 = "<folder1_id>"
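Review bot: both `source` strings in this file have the same registry-versus-git ambiguity as the cai-monitoring README: the registry shorthand expects the module name without the `terraform-google-` prefix, so either publish under that name or switch to `github.com/GoogleCloudPlatform/terraform-google-enterprise-genai//1-org/modules/centralized-logging` so the example is copy-pasteable.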
Expand All @@ -35,7 +35,7 @@ The following example exports all logs from three projects - including the loggi

```hcl
module "logging_logbucket" {
source = "terraform-google-modules/terraform-google-enterprise-genai/google//1-org/modules/centralized-logging"
source = "GoogleCloudPlatform/terraform-google-enterprise-genai/google//1-org/modules/centralized-logging"
resources = {
prj1 = "<log_destination_project_id>"
Expand Down