tranquilitybase-io / Tb Gcp
Labels
Projects that are alternatives of or similar to Tb Gcp
Tranquility Base
Hi, and welcome to Tranquility Base - the open source multi-cloud infrastructure-as-code Landing Zone together with a self-service portal for automating the provisioning of a set of DevOps-ready reference architectures. For further description of Tranquility Base, please head over to tranquilitybase.io.
The current version is feature complete for this release but we are aware there will be bugs to be fixed and patches to be made. For example there will be security improvements to be made and we are working to identify and update the codebase to address them. Please review the issues list for an idea of the enhancements and fixes we're planning to implement. If you want to help us with this or contribute to Tranquility Base in general please contact us on [[email protected]]
There are 2 ways to deploy Tranquility base:
- Deploy using Market Place
- Manual process
Deploying using Google Marketplace:
Follow the instructions in the README.md file of the tb-marketplace
directory.
Manual Deployment instructions
The following instructions assume the following requisites are met:
- a project exists to host a service account and GCE images which will be used to deploy Tranquility Base;
- an organization exists as well as a folder under it. Tranquility Base's folder structure and projects will be created under this organization or folder;
- a billing account has been previously setup and can be used for all projects created by Tranquility Base;
-
terraform
~0.12
is installed; -
packer
~1.4
is installed.
Initial setup:
- Setup environment variables to help through the deployment process:
BILLING_ACCOUNT=<billing_account_id>
PARENT_FOLDER_ID=<parent_folder_id>
PROJECT_ID=<project_id>
Create Tranquility Base Folder
- Create a folder to contain the tranquility base deployment:
gcloud resource-manager folders create --display-name="${TBASE_FOLDER_NAME}" --folder="${PARENT_FOLDER_ID}"
- Get the folder ID and set as another environment variable:
FOLDER_ID=<folder_id>
Service Account Creation
- Create a service account which will be used during the initial deployment process:
gcloud --project ${PROJECT_ID} iam service-accounts create tb-bootstrap-builder
gcloud --project ${PROJECT_ID} iam service-accounts keys create tb-bootstrap-builder.json --iam-account [email protected]${PROJECT_ID}.iam.gserviceaccount.com
Grant permissions to manage billling
- Give the new service account the ability to link projects to the billing account.
gcloud beta billing accounts get-iam-policy ${BILLING_ACCOUNT} > billing.yaml
- Edit
billing.yaml
and add the following entry to the existing bindings (replacePROJECT_ID
below before saving):
members:
- serviceAccount:[email protected]_ID.iam.gserviceaccount.com
role: roles/billing.admin
- Deploy the new IAM binding:
gcloud beta billing accounts set-iam-policy ${BILLING_ACCOUNT} billing.yaml
Grant permissions to Share VPCs
- Give the service account the ability to share VPCs among projects:
gcloud resource-manager folders add-iam-policy-binding ${FOLDER_ID} --member=serviceAccount:[email protected]${PROJECT_ID}.iam.gserviceaccount.com --role=roles/compute.xpnAdmin
Grant permissions to manage the folder
- Give the service account the ability to create new folders and manage their IAM policies:
gcloud resource-manager folders add-iam-policy-binding ${FOLDER_ID} --member=serviceAccount:[email protected]${PROJECT_ID}.iam.gserviceaccount.com --role=roles/resourcemanager.folderAdmin
Grant permissions to create new projects
- Give the service account the ability to create new project under the new folder structure:
gcloud resource-manager folders add-iam-policy-binding ${FOLDER_ID} --member=serviceAccount:[email protected]${PROJECT_ID}.iam.gserviceaccount.com --role=roles/resourcemanager.projectCreator
Grant permissions to create GCE instances and images
- Give the service account the ability to create and use GCE disk images:
gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=serviceAccount:[email protected]${PROJECT_ID}.iam.gserviceaccount.com --role=roles/compute.instanceAdmin.v1
Activate essential APIs
gcloud --project ${PROJECT_ID} services enable compute.googleapis.com
gcloud --project ${PROJECT_ID} services enable cloudresourcemanager.googleapis.com
gcloud --project ${PROJECT_ID} services enable cloudbilling.googleapis.com
gcloud --project ${PROJECT_ID} services enable iam.googleapis.com
gcloud --project ${PROJECT_ID} services enable serviceusage.googleapis.com
gcloud --project ${PROJECT_ID} services enable storage-api.googleapis.com
Start using the service account:
- Authenticate
gcloud
with the new service account:
gcloud auth activate-service-account [email protected]${PROJECT_ID}.iam.gserviceaccount.com --key-file=tb-bootstrap-builder.json
- Setup the environment for Terraform:
export GOOGLE_CREDENTIALS="$(pwd)/tb-bootstrap-builder.json"
Build Tranquility Base terraform-server GCE image
- Clone the repository:
git clone [email protected]:tranquilitybase-io/tb-gcp.git
cd tb-gcp
NOTE: If the cloning operation fails, make sure you have an SSH key added to your GitHub profile or just use the https
URL [https://github.com/tranquilitybase-io/tb-gcp.git] instead.
-
Use packer to create a GCE for the terraform-server:
Note: Use
packer-no-itop.json
instead ofpacker.json
in order to disable iTop.
cd tb-gcp-deploy/pack/
packer build -var "project_id=${PROJECT_ID}" packer.json
cd ../../
Deploy Tranquility Base's bootstrap project
cd tb-gcp-tr/bootstrap/
- Edit your setup's specific variables on
input.tfvars
. There's aenable_itop
variable, set it tofalse
to disable iTop andtrue
to enable it.
vim input.tfvars
- Run terraform to deploy Tranquility Base's bootstrap.
terraform init
terraform apply -var-file=input.tfvars
Note: Tranquility Base's bootstrap deployment (phase 1) is followed automatically by a landingZone deployment (phase 2) which is run from the terraform-server
hosted under a bootstrap-
project under the folder ID stated on the input.tfvars
.
Follow the landingZone deployment
- The landingZone deployment's progress can be followed by inspecting the
terraform-server
's Stackdriver logs.
Note: All resources are deployed under the folder ID stated on the input.tfvars
file.
Note: Tranquility Base deploys under a two tier folder hierarchy under the folder ID stated stated on the input.tfvars
file.
Wrap-up tasks
- After the bootstrap deployment, you may want to disable the
tb-bootstrap-builder
service account; - An initial password for the
itop
user used to access the Cloud SQL instance on theshared-itsm-
project, this password is displayed on theterraform-server
logs and should be reset as soon as possible; - vault: root token should be surfaced from the vault terraform module to the root terraform module and changed as soon as possible.
Inspec tests
Attributes can be defined in tb-test/attributes.yml
The actual tests are defined in tb-test/controls/example.rb
- Download inspec
- Create a service account with permissions to view the resources you wish to test, and set an environment variable to point to the location of the service account key
export GOOGLE_APPLICATION_CREDENTIALS='/Users/me/Downloads/myservice-account-key.json'
- Run the tests
cd tb-test
inspec exec . -t gcp:// --input-file=attributes.yml
Inspec is documented quite well