The purpose of this step is to set up folder structure and projects for applications, which are connected as service projects to the shared VPC created in the previous stage.
- 0-bootstrap executed successfully.
- 1-org executed successfully.
- 2-environments executed successfully.
- 3-networks executed successfully.
- Obtain the value for the access_context_manager_policy_id variable. Can be obtained by running
gcloud access-context-manager policies list --organization YOUR-ORGANIZATION_ID --format="value(name)"
. - Obtain the values for the
perimeter_name
for each environment variable by runninggcloud access-context-manager perimeters list --policy ACCESS_CONTEXT_MANAGER_POLICY_ID --format="value(name)"
.
Troubleshooting:
If your user does not have access to run the commands above and you are in the organization admins group, you can append --impersonate-service-account=org-terraform@<SEED_PROJECT_ID>.iam.gserviceaccount.com
to run the command as the terraform service account.
- Clone repo
gcloud source repos clone gcp-projects --project=YOUR_CLOUD_BUILD_PROJECT_ID
. - Change freshly cloned repo and change to non master branch
git checkout -b plan
(the branchplan
is not a special one. Any branch which name is different fromdevelopment
,non-production
orproduction
will trigger a terraform plan). - Copy contents of foundation to new repo
cp -RT ../terraform-example-foundation/4-projects/ .
(modify accordingly based on your current directory). - Copy cloud build configuration files for terraform
cp ../terraform-example-foundation/build/cloudbuild-tf-* .
(modify accordingly based on your current directory). - Copy terraform wrapper script
cp ../terraform-example-foundation/build/tf-wrapper.sh .
to the root of your new repository (modify accordingly based on your current directory). - Ensure wrapper script can be executed
chmod 755 ./tf-wrapper.sh
. - Rename
common.auto.example.tfvars
tocommon.auto.tfvars
and update the file with values from your environment and bootstrap. - Rename
development.auto.example.tfvars
todevelopment.auto.tfvars
and update the file with theperimeter_name
that starts withsp_d_shared_restricted
. - Rename
non-production.auto.example.tfvars
tonon-production.auto.tfvars
and update the file with theperimeter_name
that starts withsp_n_shared_restricted
. - Rename
production.auto.example.tfvars
toproduction.auto.tfvars
and update the file with theperimeter_name
that starts withsp_p_shared_restricted
. - Commit changes with
git add .
andgit commit -m 'Your message'
. - Push your plan branch to trigger a plan
git push --set-upstream origin plan
(the branchplan
is not a special one. Any branch which name is different fromdevelopment
,non-production
orproduction
will trigger a terraform plan).- Review the plan output in your cloud build project https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID
- Merge changes to development with
git checkout -b development
andgit push origin development
.- Review the apply output in your cloud build project https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID
- Merge changes to non-production with
git checkout -b non-production
andgit push origin non-production
.- Review the apply output in your cloud build project. https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID
- Merge changes to production with
git checkout -b production
andgit push origin production
.- Review the apply output in your cloud build project. https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID
-
Clone the repo you created manually in bootstrap:
git clone <YOUR_NEW_REPO-4-projects>
. -
Navigate into the repo
cd YOUR_NEW_REPO_CLONE-4-projects
and change to a non production branchgit checkout -b plan
(the branchplan
is not a special one. Any branch which name is different fromdevelopment
,non-production
orproduction
will trigger a terraform plan). -
Copy contents of foundation to new repo
cp -RT ../terraform-example-foundation/4-projects/ .
(modify accordingly based on your current directory). -
Copy the Jenkinsfile script
cp ../terraform-example-foundation/build/Jenkinsfile .
to the root of your new repository (modify accordingly based on your current directory). -
Update the variables located in the
environment {}
section of theJenkinsfile
with values from your environment:_TF_SA_EMAIL _STATE_BUCKET_NAME _PROJECT_ID (the cicd project id)
-
Copy terraform wrapper script
cp ../terraform-example-foundation/build/tf-wrapper.sh .
to the root of your new repository (modify accordingly based on your current directory). -
Ensure wrapper script can be executed
chmod 755 ./tf-wrapper.sh
. -
Rename
common.auto.example.tfvars
tocommon.auto.tfvars
and update the file with values from your environment and bootstrap. -
Rename
development.auto.example.tfvars
todevelopment.auto.tfvars
and update the file with theperimeter_name
that starts withsp_d_shared_restricted
. -
Rename
non-production.auto.example.tfvars
tonon-production.auto.tfvars
and update the file with theperimeter_name
that starts withsp_n_shared_restricted
. -
Rename
production.auto.example.tfvars
toproduction.auto.tfvars
and update the file with theperimeter_name
that starts withsp_p_shared_restricted
. -
Commit changes with
git add .
andgit commit -m 'Your message'
-
Push your plan branch
git push --set-upstream origin plan
. The branchplan
is not a special one. Any branch which name is different fromdevelopment
,non-production
orproduction
will trigger a terraform plan.- Assuming you configured an automatic trigger in your Jenkins Master (see Jenkins sub-module README), this will trigger a plan. You can also trigger a Jenkins job manually. Given the many options to do this in Jenkins, it is out of the scope of this document see Jenkins website for more details.
- Review the plan output in your Master's web UI.
-
After production has been applied apply development and non-production.
-
Merge changes to development branch with
git checkout -b development
andgit push origin development
.- Review the apply output in your Master's web UI (You might want to use the option to "Scan Multibranch Pipeline Now" in your Jenkins Master UI).
-
Merge changes to non-production branch with
git checkout -b non-production
andgit push origin non-production
.- Review the apply output in your Master's web UI (You might want to use the option to "Scan Multibranch Pipeline Now" in your Jenkins Master UI).
-
Merge changes to production branch with
git checkout -b production
andgit push origin production
.- Review the apply output in your Master's web UI (You might want to use the option to "Scan Multibranch Pipeline Now" in your Jenkins Master UI).
-
You can now move to the instructions in the step 4-projects.
- Change into 4-projects folder.
- Run
cp ../build/tf-wrapper.sh .
- Run
chmod 755 ./tf-wrapper.sh
. - Rename
common.auto.example.tfvars
tocommon.auto.tfvars
and update the file with values from your environment and bootstrap. - Rename
development.auto.example.tfvars
todevelopment.auto.tfvars
and update the file with theperimeter_name
that starts withsp_d_shared_restricted
. - Rename
non-production.auto.example.tfvars
tonon-production.auto.tfvars
and update the file with theperimeter_name
that starts withsp_n_shared_restricted
. - Rename
production.auto.example.tfvars
toproduction.auto.tfvars
and update the file with theperimeter_name
that starts withsp_p_shared_restricted
. - Update backend.tf with your bucket from bootstrap. You can run
for i in `find -name 'backend.tf'`; do sed -i 's/UPDATE_ME/<YOUR-BUCKET-NAME>/' $i; done
. You can runterraform output gcs_bucket_tfstate
in the 0-bootstap folder to obtain the bucket name.
We will now deploy each of our environments(development/production/non-production) using this script. When using Cloud Build or Jenkins as your CI/CD tool each environment corresponds to a branch is the repository for 4-projects step and only the corresponding environment is applied.
To use the validate
option of the tf-wrapper.sh
script, the latest version of terraform-validator
must be installed in your system and in you PATH
.
- Run
./tf-wrapper.sh init production
. - Run
./tf-wrapper.sh plan production
and review output. - Run
./tf-wrapper.sh validate production $(pwd)/../policy-library <YOUR_CLOUD_BUILD_PROJECT_ID>
and check for violations. - Run
./tf-wrapper.sh apply production
. - Run
./tf-wrapper.sh init non-production
. - Run
./tf-wrapper.sh plan non-production
and review output. - Run
./tf-wrapper.sh plan non-production
and review output. - Run
./tf-wrapper.sh validate non-production $(pwd)/../policy-library <YOUR_CLOUD_BUILD_PROJECT_ID>
and check for violations. - Run
./tf-wrapper.sh apply non-production
. - Run
./tf-wrapper.sh init development
. - Run
./tf-wrapper.sh plan development
and review output. - Run
./tf-wrapper.sh validate development $(pwd)/../policy-library <YOUR_CLOUD_BUILD_PROJECT_ID>
and check for violations. - Run
./tf-wrapper.sh apply development
.
If you received any errors or made any changes to the Terraform config or terraform.tfvars
you must re-run ./tf-wrapper.sh plan <env>
before run ./tf-wrapper.sh apply <env>
.