Skip to content

Latest commit

 

History

History
347 lines (322 loc) · 17.8 KB

README.md

File metadata and controls

347 lines (322 loc) · 17.8 KB
Raw

4-projects

This repo is part of a multi-part guide that shows how to configure and deploy the example.com reference architecture described in Google Cloud security foundations guide. The following table lists the parts of the guide.

0-bootstrap Bootstraps a Google Cloud organization, creating all the required resources and permissions to start using the Cloud Foundation Toolkit (CFT). This step also configures a CI/CD Pipeline for foundations code in subsequent stages.
1-org Sets up top level shared folders, monitoring and networking projects, and organization-level logging, and sets baseline security settings through organizational policy.
2-environments Sets up development, non-production, and production environments within the Google Cloud organization that you've created.
3-networks-dual-svpc Sets up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC service controls, on-premises Dedicated Interconnect, and baseline firewall rules for each environment. It also sets up the global DNS hub.
3-networks-hub-and-spoke Sets up base and restricted shared VPCs with all the default configuration found on step 3-networks-dual-svpc, but here the architecture will be based on the Hub and Spoke network model. It also sets up the global DNS hub
4-projects (this file) Sets up a folder structure, projects, and application infrastructure pipeline for applications, which are connected as service projects to the shared VPC created in the previous stage.
5-app-infra Deploy a simple Compute Engine instance in one of the business unit projects using the infra pipeline set up in 4-projects.

For an overview of the architecture and the parts, see the terraform-example-foundation README.

Purpose

The purpose of this step is to set up the folder structure, projects, and infrastructure pipelines for applications that are connected as service projects to the shared VPC created in the previous stage. For each business unit, a shared infra-pipeline project is created along with Cloud Build triggers, CSRs for application infrastructure code and Google Cloud Storage buckets for state storage. This step follows the same conventions as the CI/CD Pipeline deployed in 0-bootstrap. The Cloud Build SA used by this pipeline can impersonate the project SA by enabling the enable_cloudbuild_deploy flag and necessary roles can be granted to this SA via sa_roles as shown in this example. This pipeline can be utilized for deploying resources in projects across development/non-production/production with granular permissions.

Prerequisites

  1. 0-bootstrap executed successfully.

  2. 1-org executed successfully.

  3. 2-environments executed successfully.

  4. 3-networks executed successfully.

  5. For the manual step described in this document, you need Terraform version 1.0.0 or later to be installed.

    Note: Make sure that you use version 1.0.0 or later of Terraform throughout this series. Otherwise, you might experience Terraform state snapshot lock errors.

Troubleshooting

Please refer to troubleshooting if you run into issues during this step.

Usage

Note: If you are using MacOS, replace cp -RT with cp -R in the relevant commands. The -T flag is needed for Linux, but causes problems for MacOS.

Deploying with Cloud Build

  1. Clone repo. 
    gcloud source repos clone gcp-projects --project=YOUR_CLOUD_BUILD_PROJECT_ID
  2. Change freshly cloned repo and change to non-main branch. 
    cd gcp-projects
git checkout -b plan
  3. Copy contents of foundation to new repo. 
    cp -RT ../terraform-example-foundation/4-projects/ .
  4. Copy Cloud Build configuration files for Terraform. 
    cp ../terraform-example-foundation/build/cloudbuild-tf-* .
  5. Copy Terraform wrapper script to the root of your new repository. 
    cp ../terraform-example-foundation/build/tf-wrapper.sh .
  6. Ensure wrapper script can be executed. 
    chmod 755 ./tf-wrapper.sh
  7. Rename common.auto.example.tfvars to common.auto.tfvars and update the file with values from your environment and bootstrap. See any of the business unit envs folders README.md files for additional information on the values in the common.auto.tfvars file.
  8. Rename shared.auto.example.tfvars to shared.auto.tfvars and update the file with values from your environment and bootstrap. See any of the business unit shared envs folders README.md files for additional information on the values in the shared.auto.example.tfvars.
  9. Rename development.auto.example.tfvars to development.auto.tfvars.
  10. Rename non-production.auto.example.tfvars to non-production.auto.tfvars.
  11. Rename production.auto.example.tfvars to production.auto.tfvars.
  12. You need to manually plan and apply only once the business_unit_1/shared environment since development, non-production, and production depend on it.
    1. Run cd ./business_unit_1/shared/.
    2. Update backend.tf with your bucket name from the 0-bootstrap step.
    3. Export the projects (terraform-proj-sa) service account for impersonation export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT="<IMPERSONATE_SERVICE_ACCOUNT>"
    4. Run terraform init.
    5. Run terraform plan and review output.
    6. Run terraform apply.
    7. If you would like the bucket to be replaced by cloud build at run time, change the bucket name back to UPDATE_ME
  13. Once you have done the instructions for the business_unit_1, you need to repeat same steps for business_unit_2 folder.
  14. Commit changes. 
    git add .
git commit -m 'Your message'
  15. Push your plan branch to trigger a plan for all environments. Because the plan branch is not a named environment branch), pushing your plan branch triggers terraform plan but not terraform apply. 
    git push --set-upstream origin plan
  16. Review the plan output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID
  17. Merge changes to production. Because this is a named environment branch, pushing to this branch triggers both terraform plan and terraform apply. 
    git checkout -b production
git push origin production
  18. Review the apply output in your Cloud Build project. https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID
  19. After production has been applied, apply development.
  20. Merge changes to development. Because this is a named environment branch, pushing to this branch triggers both terraform plan and terraform apply. 
    git checkout -b development
git push origin development
  21. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID
  22. After development has been applied, apply non-production.
  23. Merge changes to non-production. Because this is a named environment branch, pushing to this branch triggers both terraform plan and terraform apply. 
    git checkout -b non-production
git push origin non-production
  24. Review the apply output in your Cloud Build project. https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID
  25. You can now move to the instructions in the step 5-app-infra.

Deploying with Jenkins

  1. Clone the repo you created manually in 0-bootstrap. 
    git clone <YOUR_NEW_REPO-4-projects>
  2. Navigate into the repo and change to a non-production branch. All subsequent steps assume you are running them from the <YOUR_NEW_REPO-4-projects> directory. If you run them from another directory, adjust your copy paths accordingly. 
    cd YOUR_NEW_REPO_CLONE-4-projects
git checkout -b plan
  3. Copy contents of foundation to new repo. 
    cp -RT ../terraform-example-foundation/4-projects/ .
  4. Copy the Jenkinsfile script to the root of your new repository. 
    cp ../terraform-example-foundation/build/Jenkinsfile .
  5. Update the variables located in the environment {} section of the Jenkinsfile with values from your environment: 
    _TF_SA_EMAIL
_STATE_BUCKET_NAME
_PROJECT_ID (the CI/CD project ID)
  6. Copy Terraform wrapper script to the root of your new repository. 
    cp ../terraform-example-foundation/build/tf-wrapper.sh .
  7. Ensure wrapper script can be executed. 
    chmod 755 ./tf-wrapper.sh
  8. Rename common.auto.example.tfvars to common.auto.tfvars and update the file with values from your environment and bootstrap.
  9. Rename shared.auto.example.tfvars to shared.auto.tfvars and update the file with values from your environment and bootstrap.
  10. Rename development.auto.example.tfvars to development.auto.tfvars and update the file with the perimeter_name that starts with sp_d_shared_restricted.
  11. Rename non-production.auto.example.tfvars to non-production.auto.tfvars and update the file with the perimeter_name that starts with sp_n_shared_restricted.
  12. Rename production.auto.example.tfvars to production.auto.tfvars and update the file with the perimeter_name that starts with sp_p_shared_restricted.
  13. Rename access_context.auto.example.tfvars to access_context.auto.tfvars and update the file with the access_context_manager_policy_id.
  14. You need to manually plan and apply only once the business_unit_1/shared environment since development, non-production, and production depend on it.
    1. Run cd ./business_unit_1/shared/.
    2. Update backend.tf with your bucket name from the 0-bootstrap step.
    3. Export the projects (terraform-proj-sa) service account for impersonation export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT="<IMPERSONATE_SERVICE_ACCOUNT>"
    4. Run terraform init.
    5. Run terraform plan and review output.
    6. Run terraform apply.
    7. Run terraform output cloudbuild_sa to get the cloud build service account from the apply step.
    8. If you would like the bucket to be replaced by cloud build at run time, change the bucket name back to UPDATE_ME
  15. Once you have done the instructions for the business_unit_1, you need to repeat same steps for business_unit_2 folder.
  16. Rename business_unit_1.auto.example.tfvars to business_unit_1.auto.tfvars and update the file with the app_infra_pipeline_cloudbuild_sa which is the output of cloudbuild_sa from business_unit_1/shared steps.
  17. Rename business_unit_2.auto.example.tfvars to business_unit_2.auto.tfvars and update the file with the app_infra_pipeline_cloudbuild_sa which is the output of cloudbuild_sa from business_unit_2/shared steps.
  18. Commit changes. 
    git add .
git commit -m 'Your message'
  19. Push your plan branch. 
    git push --set-upstream origin plan
    • Assuming you configured an automatic trigger in your Jenkins Controller (see Jenkins sub-module README), this will trigger a plan. You can also trigger a Jenkins job manually. Given the many options to do this in Jenkins, it is out of the scope of this document see Jenkins website for more details.
  20. Review the plan output in your Controller's web UI.
  21. Merge changes to production branch. 
    git checkout -b production
git push origin production
  22. Review the apply output in your Controller's web UI (you might want to use the option to "Scan Multibranch Pipeline Now" in your Jenkins Controller UI).
  23. After production has been applied, apply development.
  24. Merge changes to development branch. 
    git checkout -b development
git push origin development
  25. Review the apply output in your Controller's web UI (you might want to use the option to "Scan Multibranch Pipeline Now" in your Jenkins Controller UI).
  26. After development has been applied, apply non-production.
  27. Merge changes to non-production branch. 
    git checkout -b non-production
git push origin non-production
  28. Review the apply output in your Controller's web UI (you might want to use the option to "Scan Multibranch Pipeline Now" in your Jenkins Controller UI).

Run Terraform locally

  1. Change into 4-projects folder, copy the Terraform wrapper script and ensure it can be executed. 
    cd 4-projects
cp ../build/tf-wrapper.sh .
chmod 755 ./tf-wrapper.sh
  2. Rename auto.example.tfvars files to auto.tfvars. 
    mv common.auto.example.tfvars common.auto.tfvars
mv shared.auto.example.tfvars shared.auto.tfvars
mv development.auto.example.tfvars development.auto.tfvars
mv non-production.auto.example.tfvars non-production.auto.tfvars
mv production.auto.example.tfvars production.auto.tfvars
  3. See any of the envs folder README.md files for additional information on the values in the common.auto.tfvars, development.auto.tfvars, non-production.auto.tfvars, and production.auto.tfvars files.
  4. See any of the shared folder README.md files for additional information on the values in the shared.auto.tfvars file.
  5. Use terraform output to get the backend bucket value from 0-bootstrap output. 
    export backend_bucket=$(terraform -chdir="../0-bootstrap/" output -raw gcs_bucket_tfstate)
echo "backend_bucket = ${backend_bucket}"
sed -i "s/TERRAFORM_STATE_BUCKET/${backend_bucket}/" ./common.auto.tfvars
  6. Also update backend.tf with your backend bucket from 0-bootstrap output. 
    for i in `find -name 'backend.tf'`; do sed -i "s/UPDATE_ME/${backend_bucket}/" $i; done

We will now deploy each of our environments(development/production/non-production) using this script. When using Cloud Build or Jenkins as your CI/CD tool each environment corresponds to a branch is the repository for 4-projects step and only the corresponding environment is applied. Environment shared must be applied first because development, non-production, and production depend on it.

To use the validate option of the tf-wrapper.sh script, please follow the instructions to install the terraform-tools component.

  1. Use terraform output to get the Cloud Build project ID and the environment step Terraform Service Account from 0-bootstrap output. An environment variable GOOGLE_IMPERSONATE_SERVICE_ACCOUNT will be set using the Terraform Service Account to enable impersonation. 
    export CLOUD_BUILD_PROJECT_ID=$(terraform -chdir="../0-bootstrap/" output -raw cloudbuild_project_id)
echo ${CLOUD_BUILD_PROJECT_ID}

export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../0-bootstrap/" output -raw projects_step_terraform_service_account_email)
echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT}
  2. Run init and plan and review output for environment shared. 
    ./tf-wrapper.sh init shared
./tf-wrapper.sh plan shared
  3. Run validate and check for violations. 
    ./tf-wrapper.sh validate shared $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID}
  4. Run apply shared. 
    ./tf-wrapper.sh apply shared
  5. Run init and plan and review output for environment production. 
    ./tf-wrapper.sh init production
./tf-wrapper.sh plan production
  6. Run validate and check for violations. 
    ./tf-wrapper.sh validate production $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID}
  7. Run apply production. 
    ./tf-wrapper.sh apply production
  8. Run init and plan and review output for environment non-production. 
    ./tf-wrapper.sh init non-production
./tf-wrapper.sh plan non-production
  9. Run validate and check for violations. 
    ./tf-wrapper.sh validate non-production $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID}
  10. Run apply non-production. 
    ./tf-wrapper.sh apply non-production
  11. Run init and plan and review output for environment development. 
    ./tf-wrapper.sh init development
./tf-wrapper.sh plan development
  12. Run validate and check for violations. 
    ./tf-wrapper.sh validate development $(pwd)/../policy-library ${CLOUD_BUILD_PROJECT_ID}
  13. Run apply development. 
    ./tf-wrapper.sh apply development

If you received any errors or made any changes to the Terraform config or any .tfvars, you must re-run ./tf-wrapper.sh plan <env> before running ./tf-wrapper.sh apply <env>.

Before executing the next stages, unset the GOOGLE_IMPERSONATE_SERVICE_ACCOUNT environment variable.

unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT