
2-environments

This repo is part of a multi-part guide that shows how to configure and deploy the example.com reference architecture described in the Google Cloud security foundations guide (PDF). The following table lists the parts of the guide.

| Step | Description |
| --- | --- |
| 0-bootstrap | Bootstraps a Google Cloud organization, creating all the required resources and permissions to start using the Cloud Foundation Toolkit (CFT). This step also configures a CI/CD pipeline for foundations code in subsequent stages. |
| 1-org | Sets up top level shared folders, monitoring and networking projects, and organization-level logging, and sets baseline security settings through organizational policy. |
| 2-environments (this file) | Sets up development, non-production, and production environments within the Google Cloud organization that you've created. |
| 3-networks | Sets up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, on-premises Dedicated Interconnect, and baseline firewall rules for each environment. It also sets up the global DNS hub. |
| 4-projects | Sets up a folder structure, projects, and application infrastructure pipeline for applications, which are connected as service projects to the shared VPC created in the previous stage. |
| 5-app-infra | Deploys a simple Compute Engine instance in one of the business unit projects using the infra pipeline set up in 4-projects. |

For an overview of the architecture and the parts, see the terraform-example-foundation README.

Purpose

The purpose of this step is to set up development, non-production, and production environments within the Google Cloud organization that you've created.

Prerequisites

  1. 0-bootstrap executed successfully.
  2. 1-org executed successfully.
  3. Cloud Identity / Google Workspace group for monitoring admins.
  4. Membership in the monitoring admins group for user running Terraform.

Troubleshooting

Please refer to troubleshooting if you run into issues during this step.

Usage

Note: If you are using macOS, replace cp -RT with cp -R in the relevant commands. The -T flag is needed for Linux, but causes problems for macOS.

Deploying with Cloud Build

  1. Clone repo.

    gcloud source repos clone gcp-environments --project=YOUR_CLOUD_BUILD_PROJECT_ID
    
  2. Navigate into the repo and change to a non-master branch (plan). All subsequent steps assume you are running them from the gcp-environments directory. If you run them from another directory, adjust your copy paths accordingly.

    cd gcp-environments
    git checkout -b plan
    
  3. Copy contents of foundation to new repo.

    cp -RT ../terraform-example-foundation/2-environments/ .
    
  4. Copy cloud build configuration files for Terraform.

    cp ../terraform-example-foundation/build/cloudbuild-tf-* .
    
  5. Copy Terraform wrapper script to the root of your new repository.

    cp ../terraform-example-foundation/build/tf-wrapper.sh .
    
  6. Ensure wrapper script can be executed.

    chmod 755 ./tf-wrapper.sh
    
  7. Rename terraform.example.tfvars to terraform.tfvars and update the file with values from your environment and bootstrap (you can re-run terraform output in the 0-bootstrap directory to find these values). See any of the envs folder README.md files for additional information on the values in the terraform.tfvars file.

  8. Commit changes.

    git add .
    git commit -m 'Your message'
    
  9. Push your plan branch to trigger a plan for all environments.

    git push --set-upstream origin plan
    
  10. Review the plan output in your cloud build project https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID

  11. Merge changes to development.

    git checkout -b development
    git push origin development
    
  12. Review the apply output in your cloud build project https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID

  13. Merge changes to non-production.

    git checkout -b non-production
    git push origin non-production
    
  14. Review the apply output in your cloud build project https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID

  15. Merge changes to production branch.

    git checkout -b production
    git push origin production
    
  16. Review the apply output in your cloud build project https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID

  17. You can now move to the instructions in the step 3-networks.

Deploying with Jenkins

  1. Clone the repo you created manually in 0-bootstrap.

    git clone <YOUR_NEW_REPO-2-environments>
    
  2. Navigate into the repo and change to a non-master branch (plan). All subsequent steps assume you are running them from the gcp-environments directory. If you run them from another directory, adjust your copy paths accordingly.

    cd YOUR_NEW_REPO_CLONE-2-environments
    git checkout -b plan
    
  3. Copy contents of foundation to new repo.

    cp -RT ../terraform-example-foundation/2-environments/ .
    
  4. Copy the Jenkinsfile script to the root of your new repository.

    cp ../terraform-example-foundation/build/Jenkinsfile .
    
  5. Update the variables located in the environment {} section of the Jenkinsfile with values from your environment:

    _TF_SA_EMAIL
    _STATE_BUCKET_NAME
    _PROJECT_ID (the CI/CD project id)
    
  6. Copy Terraform wrapper script to the root of your new repository.

    cp ../terraform-example-foundation/build/tf-wrapper.sh .
    
  7. Ensure wrapper script can be executed.

    chmod 755 ./tf-wrapper.sh
    
  8. Rename terraform.example.tfvars to terraform.tfvars and update the file with values from your environment and bootstrap (you can re-run terraform output in the 0-bootstrap directory to find these values). See any of the envs folder README.md files for additional information on the values in the terraform.tfvars file.

  9. Commit changes.

    git add .
    git commit -m 'Your message'
    
  10. Push your plan branch.

    git push --set-upstream origin plan
    
    • Assuming you configured an automatic trigger in your Jenkins Master (see the Jenkins sub-module README), this push will trigger a plan. You can also trigger a Jenkins job manually. Given the many ways to do this in Jenkins, that is out of the scope of this document; see the Jenkins website for details.
  11. Review the plan output in your Master's web UI.

  12. Merge changes to development.

    git checkout -b development
    git push origin development
    
  13. Review the apply output in your Master's web UI (you might want to use the option to "Scan Multibranch Pipeline Now" in your Jenkins Master UI).

  14. Merge changes to non-production.

    git checkout -b non-production
    git push origin non-production
    
  15. Review the apply output in your Master's web UI (you might want to use the option to "Scan Multibranch Pipeline Now" in your Jenkins Master UI).

  16. Merge changes to production branch.

    git checkout -b production
    git push origin production
    
  17. Review the apply output in your Master's web UI (you might want to use the option to "Scan Multibranch Pipeline Now" in your Jenkins Master UI).
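The Cloud Build and Jenkins procedures above both end with a push that triggers a plan for every environment, so a file that was not copied, a wrapper that is not executable, or an unset Jenkinsfile variable only shows up as a failed build. The following pre-push check is an added example, not code from the terraform-example-foundation project: run it against the prepared gcp-environments clone before step "Push your plan branch". It assumes the file names copied in the steps above, the envs/<environment> layout this README refers to, and, for Jenkins, that the three variables from step 5 are assigned in the Jenkinsfile as NAME = 'value' lines (a heuristic; it only checks that each value is non-empty). The function name is an assumption.

```sh
#!/usr/bin/env sh
# Added example (not part of terraform-example-foundation): pre-push sanity check
# for the 2-environments repository prepared by the Cloud Build or Jenkins steps.
# Usage:  . ./check_env_repo.sh && check_env_repo . cloudbuild   (or: . jenkins)
# Prints one "FAIL:" line per problem; the return code is the number of problems,
# so 0 means the repository is ready to push.

check_env_repo() {
  dir="$1"; mode="$2"; problems=0
  fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

  # Steps "Copy Terraform wrapper script" and "Ensure wrapper script can be executed".
  if [ ! -f "$dir/tf-wrapper.sh" ]; then
    fail "tf-wrapper.sh missing: copy it from build/tf-wrapper.sh"
  elif [ ! -x "$dir/tf-wrapper.sh" ]; then
    fail "tf-wrapper.sh is not executable: run chmod 755 ./tf-wrapper.sh"
  fi

  # Step "Rename terraform.example.tfvars to terraform.tfvars".
  [ -f "$dir/terraform.tfvars" ] \
    || fail "terraform.tfvars missing: rename terraform.example.tfvars and fill in values"

  # One branch per environment is applied later; each needs its envs/<env> folder
  # (assumed layout, matching the "envs folder README.md files" this README cites).
  for e in development non-production production; do
    [ -d "$dir/envs/$e" ] || fail "envs/$e folder missing: was 2-environments copied with cp -RT?"
  done

  case "$mode" in
    cloudbuild)
      # Step "Copy cloud build configuration files for Terraform" (cloudbuild-tf-*).
      ls "$dir"/cloudbuild-tf-* >/dev/null 2>&1 \
        || fail "no cloudbuild-tf-* file found: copy build/cloudbuild-tf-*"
      ;;
    jenkins)
      # Step "Copy the Jenkinsfile" and step 5 "Update the variables".
      [ -f "$dir/Jenkinsfile" ] || fail "Jenkinsfile missing: copy build/Jenkinsfile"
      for v in _TF_SA_EMAIL _STATE_BUCKET_NAME _PROJECT_ID; do
        # Heuristic (assumption): the variable is set as   NAME = 'non-empty value'
        grep -Eq "^[[:space:]]*${v}[[:space:]]*=[[:space:]]*['\"][^'\"]+['\"]" "$dir/Jenkinsfile" 2>/dev/null \
          || fail "$v is not set to a non-empty value in the Jenkinsfile environment {} block"
      done
      ;;
    *)
      fail "unknown mode '$mode': use cloudbuild or jenkins"
      ;;
  esac

  return "$problems"
}
```

Because the return code counts problems, the function composes with a pre-push hook or a CI step (`check_env_repo . cloudbuild || exit 1`); each FAIL line names the README step that resolves it.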

Run Terraform locally

  1. Change into 2-environments folder.
  2. Run cp ../build/tf-wrapper.sh .
  3. Run chmod 755 ./tf-wrapper.sh.
  4. Rename terraform.example.tfvars to terraform.tfvars and update the file with values from your environment and bootstrap. See any of the envs folder README.md files for additional information on the values in the terraform.tfvars file.
  5. Update backend.tf with your bucket from bootstrap. (On macOS, BSD sed requires sed -i '' in place of sed -i.)
    for i in $(find . -name 'backend.tf'); do sed -i 's/UPDATE_ME/<YOUR-BUCKET-NAME>/' "$i"; done
    

You can run terraform output gcs_bucket_tfstate in the 0-bootstrap folder to obtain the bucket name.
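The one-line sed loop above writes whatever follows UPDATE_ME straight into every backend.tf, so a mistyped bucket name is only noticed at terraform init, and on macOS the sed -i syntax differs. The script below is an added example, not code from the terraform-example-foundation project: it checks the bucket name against the GCS naming rules before writing it, rewrites each backend.tf through a temporary file so the same command works on Linux and macOS, and verifies afterwards that no placeholder survived. The UPDATE_ME placeholder is the one this README uses; the function names and the sample backend.tf contents in the usage comment are assumptions.

```sh
#!/usr/bin/env sh
# Added example (not part of terraform-example-foundation): replace UPDATE_ME in
# every backend.tf under a directory with the 0-bootstrap state bucket, safely.
# Usage:  . ./set_backend_bucket.sh
#         set_backend_bucket . "$(cd ../0-bootstrap && terraform output gcs_bucket_tfstate)"
# (strip surrounding quotes from the output if your Terraform version prints them)

# GCS bucket names are 3-63 characters of lowercase letters, digits, '-', '_'
# and '.', beginning and ending with a letter or digit. Validating here also
# guarantees the name contains no '/', '&' or '\' that would break the sed
# replacement below.
valid_bucket_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$'
}

# Rewrite one file via a temp file instead of `sed -i`, whose in-place flag is
# spelled differently by GNU sed (Linux) and BSD sed (macOS), the same kind of
# portability gap this README notes for `cp -RT`.
replace_placeholder() {
  file="$1"; bucket="$2"
  tmp="$(mktemp)"
  sed "s/UPDATE_ME/${bucket}/g" "$file" > "$tmp" && mv "$tmp" "$file"
}

# set_backend_bucket <root-dir> <bucket-name>
# Returns 1 for an invalid bucket name, 2 if no backend.tf exists under root,
# 3 if any backend.tf still contains UPDATE_ME after the rewrite, else 0.
set_backend_bucket() {
  root="$1"; bucket="$2"
  valid_bucket_name "$bucket" || { echo "invalid GCS bucket name: '$bucket'" >&2; return 1; }
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

  count=$(find "$root" -name 'backend.tf' -type f | wc -l | tr -d ' ')
  [ "$count" -gt 0 ] || { echo "no backend.tf found under $root" >&2; return 2; }

  find "$root" -name 'backend.tf' -type f | while IFS= read -r f; do
    replace_placeholder "$f" "$bucket"
  done

  # Post-condition: the placeholder must be gone everywhere, otherwise terraform
  # init would later try to use a bucket literally named UPDATE_ME.
  leftover=$(find "$root" -name 'backend.tf' -type f -exec grep -l 'UPDATE_ME' {} + | wc -l | tr -d ' ')
  if [ "$leftover" -gt 0 ]; then
    echo "UPDATE_ME still present in $leftover backend.tf file(s)" >&2
    return 3
  fi
  echo "updated $count backend.tf file(s) under $root to bucket $bucket"
}
```

The validation step is deliberately strict: a name the regex rejects is one that Cloud Storage would reject too, so failing before the rewrite costs nothing and avoids a half-updated tree.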

We will now deploy each of our environments (development/non-production/production) using this script. When using Cloud Build or Jenkins as your CI/CD tool, each environment corresponds to a branch in the repository for the 2-environments step, and only the corresponding environment is applied.

To use the validate option of the tf-wrapper.sh script, please follow the instructions in the Install Terraform Validator section and install version v0.4.0 on your system. You will also need to rename the binary from terraform-validator-<your-platform> to terraform-validator, and the terraform-validator binary must be in your PATH.

  1. Run ./tf-wrapper.sh init development.
  2. Run ./tf-wrapper.sh plan development and review output.
  3. Run ./tf-wrapper.sh validate development $(pwd)/../policy-library <YOUR_CLOUD_BUILD_PROJECT_ID> and check for violations.
  4. Run ./tf-wrapper.sh apply development.
  5. Run ./tf-wrapper.sh init non-production.
  6. Run ./tf-wrapper.sh plan non-production and review output.
  7. Run ./tf-wrapper.sh validate non-production $(pwd)/../policy-library <YOUR_CLOUD_BUILD_PROJECT_ID> and check for violations.
  8. Run ./tf-wrapper.sh apply non-production.
  9. Run ./tf-wrapper.sh init production.
  10. Run ./tf-wrapper.sh plan production and review output.
  11. Run ./tf-wrapper.sh validate production $(pwd)/../policy-library <YOUR_CLOUD_BUILD_PROJECT_ID> and check for violations.
  12. Run ./tf-wrapper.sh apply production.

If you received any errors or made any changes to the Terraform config or terraform.tfvars you must re-run ./tf-wrapper.sh plan <env> before running ./tf-wrapper.sh apply <env>.
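The twelve steps above are one sequence (init, plan, validate, apply) repeated per environment in promotion order, and the final paragraph states the rule that makes the sequence safe: a failed or stale plan must never be followed by an apply. The script below is an added example, not code from the terraform-example-foundation project, that enforces that rule for a local run: apply is only reached when init, plan and validate for that environment succeeded, and a failure in an earlier environment stops the script before it touches the next one, so a policy violation found in development never lets production be applied. It assumes the tf-wrapper.sh interface shown on this page (init|plan|validate|apply <env>, with validate taking the policy-library path and the Cloud Build project id) and a terraform-validator on PATH; the TF_WRAPPER variable and the function names are assumptions of this example.

```sh
#!/usr/bin/env sh
# Added example (not part of terraform-example-foundation): gated local deployment
# of the 2-environments stage with the README's tf-wrapper.sh.
# Usage:  . ./deploy_envs.sh
#         deploy_all "$(pwd)/../policy-library" <YOUR_CLOUD_BUILD_PROJECT_ID>
#         deploy_all "$(pwd)/../policy-library" <YOUR_CLOUD_BUILD_PROJECT_ID> development
# TF_WRAPPER (assumed variable) defaults to the wrapper in the current directory.
: "${TF_WRAPPER:=./tf-wrapper.sh}"

# Run one wrapper stage, echo the exact command, and pass its exit status through.
run_stage() {
  echo ">> $TF_WRAPPER $*"
  "$TF_WRAPPER" "$@"
}

# deploy_env <env> <policy-library-dir> <cloud-build-project-id>
# Stage codes: 1 init failed, 2 plan failed, 3 validate found violations,
# 4 apply failed. Each stage only runs if the previous one succeeded, so the
# plan that is applied is the one that was just reviewed and validated.
deploy_env() {
  env="$1"; policy_dir="$2"; project_id="$3"
  run_stage init "$env"                                || return 1
  run_stage plan "$env"                                || return 2
  run_stage validate "$env" "$policy_dir" "$project_id" || return 3
  run_stage apply "$env"                               || return 4
}

# deploy_all <policy-library-dir> <cloud-build-project-id> [env ...]
# Environments are promoted in the README's order (development, non-production,
# production) unless an explicit list is given. The first failure stops the run
# and its stage code is returned; later environments are not initialised.
deploy_all() {
  policy_dir="$1"; project_id="$2"; shift 2
  [ "$#" -gt 0 ] || set -- development non-production production
  for e in "$@"; do
    rc=0
    deploy_env "$e" "$policy_dir" "$project_id" || rc=$?
    if [ "$rc" -ne 0 ]; then
      echo "== stopped at $e (stage code $rc): fix the cause, then re-run plan before apply" >&2
      return "$rc"
    fi
    echo "== $e applied"
  done
}
```

Stopping at the first failing environment rather than continuing is the point: the environments share nothing that would make a later apply independently safe, and an operator who wants to retry a single environment can pass it explicitly as the third argument.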