4-projects

The purpose of this step is to set up a folder structure, projects, and infrastructure and application pipelines, which are connected as service projects to deploy an example application called Bank of Anthos.

Prerequisites

  1. 0-bootstrap executed successfully.
  2. 1-org executed successfully.
  3. 2-environments executed successfully.
  4. 3-networks executed successfully.

Usage

Update terraform-validator constraints

Update the terraform-validator policies repo to allow the new APIs used by GKE and Anthos.

  1. Change directory to outside of terraform-example-foundation-app and go to the gcp-policies repo cloned in step 1-org.
    cd ..
    ls # should see terraform-example-foundation-app and gcp-policies
    cd gcp-policies
    
  2. Add the new allowed APIs to the end of the services list in the constraint policies/constraints/serviceusage_allow_basic_apis.yaml:
     - "anthos.googleapis.com"
     - "binaryauthorization.googleapis.com"
     - "containerscanning.googleapis.com"
     - "gkeconnect.googleapis.com"
     - "gkehub.googleapis.com"
     - "iap.googleapis.com"
     - "meshca.googleapis.com"
     - "meshconfig.googleapis.com"
     - "meshtelemetry.googleapis.com"
     - "multiclusteringress.googleapis.com"
     - "privateca.googleapis.com"
     - "sqladmin.googleapis.com"
     - "stackdriver.googleapis.com"
     - "storage.googleapis.com"
    
  3. Commit changes.
    git add .
    git commit -m 'Add new APIS to allowed list'
    
  4. Push your changes.
    git push origin master
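The allowlist in serviceusage_allow_basic_apis.yaml is what lets terraform-validator reject a plan that enables an API nobody approved, so it is worth checking that every API this step needs is actually present before the commit is pushed. The script below is an added example, not code from terraform-example-foundation-app or from the gcp-policies repo: it extracts the quoted `- "..."` entries from a constraint file and reports which of the APIs listed in step 2 are missing. The demo runs against a constructed stand-in file, not the real constraint, and the function names (`missing_apis`, `check_constraint`) are this example's own.

```shell
#!/bin/sh
# Added example (not part of terraform-example-foundation-app or gcp-policies):
# check that the serviceusage_allow_basic_apis constraint allows every API this
# step needs before committing the gcp-policies change.
set -eu

# The APIs added in step 2 above.
REQUIRED_APIS="anthos.googleapis.com binaryauthorization.googleapis.com
containerscanning.googleapis.com gkeconnect.googleapis.com gkehub.googleapis.com
iap.googleapis.com meshca.googleapis.com meshconfig.googleapis.com
meshtelemetry.googleapis.com multiclusteringress.googleapis.com
privateca.googleapis.com sqladmin.googleapis.com stackdriver.googleapis.com
storage.googleapis.com"

# Print the required APIs that are absent from the quoted '- "..."' list entries
# of the constraint file $1, one per line (prints nothing when all are allowed).
missing_apis() {
  allowed=$(sed -n 's/^[[:space:]]*-[[:space:]]*"\([^"]*\)".*/\1/p' "$1")
  for api in $REQUIRED_APIS; do
    printf '%s\n' "$allowed" | grep -qxF "$api" || printf '%s\n' "$api"
  done
}

# Exit 0 when the constraint allows everything, 1 otherwise (usable as a pre-commit gate).
check_constraint() {
  if [ -n "$(missing_apis "$1")" ]; then
    echo "constraint $1 is missing:" >&2
    missing_apis "$1" >&2
    return 1
  fi
  echo "constraint $1 allows all required APIs"
}

# Demo on a constructed stand-in for policies/constraints/serviceusage_allow_basic_apis.yaml
# that deliberately lacks most of the new entries.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
spec:
  parameters:
    mode: allow
    services:
      - "compute.googleapis.com"
      - "anthos.googleapis.com"
      - "binaryauthorization.googleapis.com"
EOF
check_constraint "$demo_file" || true   # reports the missing APIs on stderr
rm -f "$demo_file"
```

Run `check_constraint policies/constraints/serviceusage_allow_basic_apis.yaml` from the root of gcp-policies after editing the file; a non-zero exit means step 2 is incomplete and the later `tf-wrapper.sh validate` runs would flag the new projects.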
    

Setup to run via Cloud Build

  1. Change directory to outside gcp-policies using cd ... To confirm, run ls; you should see terraform-example-foundation-app listed.
  2. Clone repo gcloud source repos clone gcp-projects --project=YOUR_CLOUD_BUILD_PROJECT_ID.
  3. Change into the freshly cloned repo with cd gcp-projects and switch to a non-master branch with git checkout -b plan (the branch plan is not a special one; any branch whose name differs from development, non-production or production will trigger a terraform plan).
  4. Copy example foundation to new repo cp -RT ../terraform-example-foundation-app/foundation-extension/4-projects/ . (modify accordingly based on your current directory).
  5. Copy cloud build configuration files for terraform cp ../terraform-example-foundation-app/build/cloudbuild-tf-* . (modify accordingly based on your current directory).
  6. Copy terraform wrapper script cp ../terraform-example-foundation-app/build/tf-wrapper.sh . to the root of your new repository (modify accordingly based on your current directory).
  7. Ensure wrapper script can be executed chmod 755 ./tf-wrapper.sh.

Run terraform locally

  1. You need to manually plan + apply the shared pipeline environment only once, since development, non-production and production depend on it.
  2. Change into business_unit_1/shared folder.
  3. Run cp ../../tf-wrapper.sh .
  4. Run chmod 755 tf-wrapper.sh.
  5. Rename shared.auto.example.tfvars to shared.auto.tfvars and update the file with values from your environment and bootstrap.
  6. Update backend.tf with your bucket from example-foundation. You can run cd .. && for i in `find -name 'backend.tf'`; do sed -i 's/UPDATE_ME/<YOUR-BUCKET-NAME>/' $i; done && cd shared.
  7. Run terraform init
  8. Run terraform plan
  9. Run terraform apply. Ensure you have the correct permissions before doing this.
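Step 6 rewrites every backend.tf with one sed loop, and a backend.tf that still says UPDATE_ME will make terraform init fail or, worse, point an environment at the wrong state bucket. The script below is an added example, not code from terraform-example-foundation-app: it performs the same placeholder replacement over every backend.tf below a directory and then counts how many placeholders remain, so the check can be run before terraform init. The directory layout and the bucket name bkt-example-tfstate in the demo are constructed; the function names (`update_backends`, `remaining_placeholders`) are this example's own.

```shell
#!/bin/sh
# Added example (not part of terraform-example-foundation-app): fill the UPDATE_ME
# placeholder in every backend.tf below a directory with the Terraform state bucket
# and verify that none is left, so a stale placeholder cannot reach terraform init.
set -eu

# Replace UPDATE_ME with the bucket name $2 in every backend.tf below $1.
update_backends() {
  find "$1" -name backend.tf -exec sed -i "s/UPDATE_ME/$2/g" {} +
}

# Print how many backend.tf files below $1 still contain UPDATE_ME (0 when done).
remaining_placeholders() {
  find "$1" -name backend.tf -exec grep -l 'UPDATE_ME' {} + | wc -l | tr -d ' '
}

# Demo on a constructed copy of the business_unit_1 layout; the bucket name and
# the prefix are sample values, not the project's real backend configuration.
root=$(mktemp -d)
for env in shared development non-production production; do
  mkdir -p "$root/business_unit_1/$env"
  printf 'terraform {\n  backend "gcs" {\n    bucket = "UPDATE_ME"\n    prefix = "terraform/projects/business_unit_1/%s"\n  }\n}\n' \
    "$env" > "$root/business_unit_1/$env/backend.tf"
done
echo "before: $(remaining_placeholders "$root") placeholder(s)"
update_backends "$root" "bkt-example-tfstate"
echo "after:  $(remaining_placeholders "$root") placeholder(s)"
rm -rf "$root"
```

From the root of gcp-projects, `update_backends . <YOUR-BUCKET-NAME>` followed by `[ "$(remaining_placeholders .)" = 0 ]` does what step 6 does and also proves it took effect in every environment folder.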

Run cloudbuild dev/npd/prd envs

  1. Go back to root folder cd ../..
  2. Rename mv business_unit_1/development/development.auto.example.tfvars business_unit_1/development/development.auto.tfvars and update the file with values from your environment and outputs from 4-projects/shared.
  3. Rename mv business_unit_1/non-production/non-production.auto.example.tfvars business_unit_1/non-production/non-production.auto.tfvars and update the file with values from your environment and outputs from 4-projects/shared.
  4. Rename mv business_unit_1/production/production.auto.example.tfvars business_unit_1/production/production.auto.tfvars and update the file with values from your environment and outputs from 4-projects/shared.
  5. Commit changes with git add . and git commit -m 'Your message'.
  6. Push your plan branch to trigger a plan: git push --set-upstream origin plan (the branch plan is not a special one; any branch whose name differs from development, non-production or production will trigger a terraform plan).
    1. Review the plan output in your cloud build project https://console.cloud.google.com/cloud-build/builds?project=prj-b-cicd-xxxx
  7. Merge changes to development with git checkout -b development and git push origin development.
    1. Review the apply output in your cloud build project https://console.cloud.google.com/cloud-build/builds?project=prj-b-cicd-xxxx
  8. Merge changes to non-production with git checkout -b non-production and git push origin non-production.
    1. Review the apply output in your cloud build project. https://console.cloud.google.com/cloud-build/builds?project=prj-b-cicd-xxxx
  9. Merge changes to production with git checkout -b production and git push origin production.
    1. Review the apply output in your cloud build project. https://console.cloud.google.com/cloud-build/builds?project=prj-b-cicd-xxxx

Troubleshooting: If your user does not have access to run the terraform modules locally and you are in the organization admins group, you can append --impersonate-service-account=org-terraform@prj-b-cicd-xxxx.iam.gserviceaccount.com to run terraform modules as the service account.

TF Validate (Optional)

To use the validate option of the tf-wrapper.sh script, please follow the instructions in the Install Terraform Validator section and install version 2021-03-22 on your system. You will also need to rename the binary from terraform-validator-<your-platform> to terraform-validator, and the terraform-validator binary must be in your PATH.

  1. Run ./tf-wrapper.sh init production.
  2. Run ./tf-wrapper.sh plan production and review output.
  3. Run ./tf-wrapper.sh validate production $(pwd)/../policy-library <YOUR_INFRA_PIPELINE_PROJECT> and check for violations.
  4. Run ./tf-wrapper.sh apply production.
  5. Run ./tf-wrapper.sh init non-production.
  6. Run ./tf-wrapper.sh plan non-production and review output.
  7. Run ./tf-wrapper.sh plan non-production and review output.
  8. Run ./tf-wrapper.sh validate non-production $(pwd)/../policy-library <YOUR_INFRA_PIPELINE_PROJECT> and check for violations.
  9. Run ./tf-wrapper.sh apply non-production.
  10. Run ./tf-wrapper.sh init development.
  11. Run ./tf-wrapper.sh plan development and review output.
  12. Run ./tf-wrapper.sh validate development $(pwd)/../policy-library <YOUR_INFRA_PIPELINE_PROJECT> and check for violations.
  13. Run ./tf-wrapper.sh apply development.

If you received any errors or made any changes to the Terraform config or terraform.tfvars, you must re-run ./tf-wrapper.sh plan <env> before running ./tf-wrapper.sh apply <env>.