
terraform-google-modules / terraform-google-bootstrap

Licence: Apache-2.0 license
Bootstraps Terraform usage and related CI/CD in a new Google Cloud organization


Projects that are alternatives of or similar to terraform-google-bootstrap

terraform-google-slo
Creates SLOs on Google Cloud from custom Stackdriver metrics, with the capability to export SLOs to Google Cloud services and other systems
Stars: ✭ 59 (-61.18%)
Mutual labels:  operations, cft-terraform
Flow
Operation Oriented Programming in Swift
Stars: ✭ 215 (+41.45%)
Mutual labels:  operations
Rundeck
Enable Self-Service Operations: Give specific users access to your existing tools, services, and scripts
Stars: ✭ 4,426 (+2811.84%)
Mutual labels:  operations
Honcho
Honcho: a python clone of Foreman. For managing Procfile-based applications.
Stars: ✭ 1,395 (+817.76%)
Mutual labels:  operations
Vulcanizer
GitHub's ops focused Elasticsearch library
Stars: ✭ 608 (+300%)
Mutual labels:  operations
Juju
Universal Operator Lifecycle Manager (OLM) for Kubernetes operators, and operators for traditional Linux and Windows apps, with declarative integration between operators for automated microservice integration.
Stars: ✭ 1,942 (+1177.63%)
Mutual labels:  operations
Naos
A mildly opinionated modern cloud service architecture blueprint + reference implementation
Stars: ✭ 19 (-87.5%)
Mutual labels:  operations
terraform-google-scheduled-function
Sets up a scheduled job to trigger events and run functions
Stars: ✭ 55 (-63.82%)
Mutual labels:  cft-terraform
Satellite
easy-to-use payload hosting
Stars: ✭ 193 (+26.97%)
Mutual labels:  operations
Recurring Integrations Scheduler
Recurring Integrations Scheduler (RIS) is a solution that can be used in file-based integration scenarios for Dynamics 365 Finance and Dynamics 365 Supply Chain Management.
Stars: ✭ 96 (-36.84%)
Mutual labels:  operations
Trusted Overlord
Aggregate AWS Trusted Advisor alarms, AWS Health notifications and AWS Support cases from several AWS accounts
Stars: ✭ 73 (-51.97%)
Mutual labels:  operations
Spug
Open-source operations platform: a lightweight, agentless automated operations platform designed for small and medium-sized enterprises, integrating host management, batch execution on hosts, online host terminals, online file upload and download, application release and deployment, online task scheduling, a configuration center, monitoring, alerting and other features.
Stars: ✭ 6,810 (+4380.26%)
Mutual labels:  operations
Reckoner
Declaratively install and manage multiple Helm chart releases
Stars: ✭ 177 (+16.45%)
Mutual labels:  operations
Runbook
A framework for gradual system automation
Stars: ✭ 531 (+249.34%)
Mutual labels:  operations
Akka Management
Akka Management is a suite of tools for operating Akka Clusters.
Stars: ✭ 218 (+43.42%)
Mutual labels:  operations
Portion
portion, a Python library providing data structure and operations for intervals.
Stars: ✭ 255 (+67.76%)
Mutual labels:  operations
Crowbar
Cloud Operations Platform
Stars: ✭ 760 (+400%)
Mutual labels:  operations
Control Tower
Deploy and operate Concourse CI in a single command
Stars: ✭ 105 (-30.92%)
Mutual labels:  operations
terraform-google-vpc-service-controls
Handles opinionated VPC Service Controls and Access Context Manager configuration and deployments
Stars: ✭ 48 (-68.42%)
Mutual labels:  cft-terraform
crowbar-core
Core deployment for Crowbar
Stars: ✭ 16 (-89.47%)
Mutual labels:  operations

terraform-google-bootstrap

The purpose of this module is to help bootstrap a GCP organization, creating all the required GCP resources & permissions to start using the Cloud Foundation Toolkit (CFT). For users who want to use Cloud Build & Cloud Source Repos for foundations code, there is also a submodule to help bootstrap all the required resources to do this.

Usage

Basic usage of this module is as follows:

module "bootstrap" {
  source  = "terraform-google-modules/bootstrap/google"
  version = "~> 6.4"

  org_id               = "<ORGANIZATION_ID>"
  billing_account      = "<BILLING_ACCOUNT_ID>"
  group_org_admins     = "[email protected]"
  group_billing_admins = "[email protected]"
  default_region       = "australia-southeast1"
}

Functional examples are included in the examples directory.

Features

The Organization Bootstrap module will take the following actions:

  1. Create a new GCP seed project using project_prefix. Use project_id if you need a custom project ID.
  2. Enable APIs in the seed project using activate_apis
  3. Create a new service account for Terraform in the seed project
  4. Create a GCS bucket for Terraform state and grant access to the service account
  5. Grant the IAM permissions required for CFT modules & Organization setup
    1. Overwrite the organization-wide project creator and billing account creator roles
    2. Grant Organization permissions to the service account using sa_org_iam_permissions
    3. Grant the service account access to the billing account
    4. Grant Organization permissions to group_org_admins using org_admins_org_iam_permissions
    5. Grant billing permissions to group_billing_admins
    6. (optional) Grant the permissions required for service account impersonation using sa_enable_impersonation

For the cloudbuild submodule, see the cloudbuild README.
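The following is an added example, not one of the module's bundled examples or its documentation. It shows a hardened call of the module that exercises the inputs listed below: a customer-managed, HSM-backed key with rotation for the state bucket, impersonation enabled for the org admins group instead of exported service account keys, and an explicit list of additional project creators so that the organization-wide project creator binding overwritten in step 5.1 is not silently lost. The organization, billing, folder and project IDs, the group addresses and the rotation period are placeholders and assumptions.

```hcl
# Added example: a hardened invocation of terraform-google-bootstrap.
# Organization, billing, folder and group values are placeholders, not real identifiers.
module "bootstrap" {
  source  = "terraform-google-modules/bootstrap/google"
  version = "~> 6.4"

  org_id               = "<ORGANIZATION_ID>"
  billing_account      = "<BILLING_ACCOUNT_ID>"
  group_org_admins     = "gcp-organization-admins@example.com"
  group_billing_admins = "gcp-billing-admins@example.com"
  default_region       = "australia-southeast1"

  # Seed project placement and naming (random_suffix keeps the default 4-character suffix).
  project_prefix = "cft"
  folder_id      = "<FOLDER_ID>" # optional; the empty default places the project at the org root
  random_suffix  = true

  # Encrypt Terraform state with a customer-managed Cloud KMS key backed by HSM,
  # rotated every 90 days; keys carry prevent_destroy so an apply cannot remove them.
  encrypt_gcs_bucket_tfstate = true
  key_protection_level       = "HSM"
  key_rotation_period        = "7776000s" # 90 days in seconds (assumed Cloud KMS duration format)
  kms_prevent_destroy        = true

  # Never let Terraform delete a state bucket that still contains objects.
  force_destroy = false

  # Let members of group_org_admins impersonate the privileged service account
  # with short-lived tokens rather than distributing service account keys.
  sa_enable_impersonation = true

  # Step 5.1 overwrites the org-wide project creator binding; list every
  # additional principal that must keep roles/resourcemanager.projectCreator.
  org_project_creators = [
    "group:platform-engineering@example.com",
    "serviceAccount:ci-bootstrap@<CI_PROJECT_ID>.iam.gserviceaccount.com",
  ]

  project_labels        = { environment = "bootstrap", owner = "platform" }
  storage_bucket_labels = { environment = "bootstrap", data_class = "terraform-state" }
}

# Surface the values that downstream root modules need.
output "seed_project_id"    { value = module.bootstrap.seed_project_id }
output "terraform_sa_email" { value = module.bootstrap.terraform_sa_email }
output "gcs_bucket_tfstate" { value = module.bootstrap.gcs_bucket_tfstate }
```

Apply this as a member of the group_org_admins group (see Permissions below); the outputs are what a downstream pipeline needs to locate the state bucket and the service account to impersonate.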

Inputs

Name | Description | Type | Default | Required
activate_apis | List of APIs to enable in the seed project. | list(string) | ["serviceusage.googleapis.com", "servicenetworking.googleapis.com", "compute.googleapis.com", "logging.googleapis.com", "bigquery.googleapis.com", "cloudresourcemanager.googleapis.com", "cloudbilling.googleapis.com", "iam.googleapis.com", "admin.googleapis.com", "appengine.googleapis.com", "storage-api.googleapis.com", "monitoring.googleapis.com"] | no
billing_account | The ID of the billing account to associate projects with. | string | n/a | yes
create_terraform_sa | Whether the Terraform service account should be created. | bool | true | no
default_region | Default region in which to create resources, where applicable. | string | "us-central1" | no
encrypt_gcs_bucket_tfstate | Encrypt the bucket used for storing Terraform state files in the seed project. | bool | false | no
folder_id | The ID of a folder to host this project. | string | "" | no
force_destroy | If set, the state bucket will be deleted even while containing objects. | bool | false | no
grant_billing_user | Grant the roles/billing.user role to the CFT service account. | bool | true | no
group_billing_admins | Google Group for GCP Billing Administrators. | string | n/a | yes
group_org_admins | Google Group for GCP Organization Administrators. | string | n/a | yes
key_protection_level | The protection level to use when creating a version based on this template. Possible values: ["SOFTWARE", "HSM"]. | string | "SOFTWARE" | no
key_rotation_period | The rotation period of the key. | string | null | no
kms_prevent_destroy | Set the prevent_destroy lifecycle attribute on keys. | bool | true | no
org_admins_org_iam_permissions | List of permissions granted to the group supplied in the group_org_admins variable across the GCP organization. | list(string) | ["roles/billing.user", "roles/resourcemanager.organizationAdmin"] | no
org_id | GCP Organization ID. | string | n/a | yes
org_project_creators | Additional list of members to have the project creator role across the organization. The prefix group:, user: or serviceAccount: is required. | list(string) | [] | no
parent_folder | GCP parent folder ID in the form folders/{id}. | string | "" | no
project_id | Custom project ID to use for the project created. If not supplied, the default ID is {project_prefix}-seed-{random suffix}. | string | "" | no
project_labels | Labels to apply to the project. | map(string) | {} | no
project_prefix | Name prefix to use for projects created. | string | "cft" | no
random_suffix | Appends a 4-character random suffix to the project ID and GCS bucket name. | bool | true | no
sa_enable_impersonation | Allow the org_admins group to impersonate the service account and enable the APIs required for this. | bool | false | no
sa_org_iam_permissions | List of permissions granted to the Terraform service account across the GCP organization. | list(string) | ["roles/billing.user", "roles/compute.networkAdmin", "roles/compute.xpnAdmin", "roles/iam.securityAdmin", "roles/iam.serviceAccountAdmin", "roles/logging.configWriter", "roles/orgpolicy.policyAdmin", "roles/resourcemanager.folderAdmin", "roles/resourcemanager.organizationViewer"] | no
state_bucket_name | Custom state bucket name. If not supplied, the default name is {project_prefix}-tfstate-{random suffix}. | string | "" | no
storage_bucket_labels | Labels to apply to the storage bucket. | map(string) | {} | no
tf_service_account_id | ID of the service account for Terraform in the seed project. | string | "org-terraform" | no
tf_service_account_name | Display name of the service account for Terraform in the seed project. | string | "CFT Organization Terraform Account" | no

Outputs

Name | Description
gcs_bucket_tfstate | Bucket used for storing Terraform state for foundations pipelines in the seed project.
seed_project_id | Project where service accounts and core APIs will be enabled.
terraform_sa_email | Email for the privileged service account for Terraform.
terraform_sa_name | Fully qualified name for the privileged service account for Terraform.

Requirements

Software

Permissions

  • roles/resourcemanager.organizationAdmin on the GCP Organization
  • roles/orgpolicy.policyAdmin on the GCP Organization
  • roles/billing.admin on the supplied billing account
  • The account running Terraform should be a member of the group provided in the group_org_admins variable; otherwise it will lose roles/resourcemanager.projectCreator access, because the module overwrites the organization-wide project creator binding (step 5.1 above). Additional members can be added using the org_project_creators variable.

Credentials

For users interested in service account impersonation, which this module helps enable with sa_enable_impersonation, please see this blog post, which explains how it works.
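As an added illustration, not taken from the README or the linked blog post, this is the consumer-side pattern that sa_enable_impersonation is meant to support: a downstream Terraform root authenticates as a member of group_org_admins with its own application default credentials, mints a short-lived token for the privileged service account, and uses that token for both the state backend and the provider, so no service account key is ever exported or stored in CI. The bucket name and seed project ID are placeholders for the module's gcs_bucket_tfstate and seed_project_id outputs; the service account address follows from the default tf_service_account_id of "org-terraform". The backend argument, data source and provider arguments shown are standard features of the gcs backend and the google provider.

```hcl
# Added example: impersonating the bootstrap service account from a
# downstream root module. Bucket and project values are placeholders for
# the bootstrap module's gcs_bucket_tfstate / seed_project_id outputs.

terraform {
  backend "gcs" {
    # Backend blocks cannot use expressions, so the bucket name is copied from
    # the bootstrap output. The backend impersonates the service account too,
    # so the caller needs only the token-creator permission on it that
    # sa_enable_impersonation grants to group_org_admins.
    bucket                      = "<GCS_BUCKET_TFSTATE>"
    prefix                      = "foundations/org"
    impersonate_service_account = "org-terraform@<SEED_PROJECT_ID>.iam.gserviceaccount.com"
  }
}

# Provider used only to obtain the impersonated token; it authenticates with
# the caller's own application default credentials.
provider "google" {
  alias  = "impersonation"
  scopes = [
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/userinfo.email",
  ]
}

# Mint a short-lived access token for the privileged service account.
# A 20-minute lifetime bounds the exposure if the token ever lands in a CI log.
data "google_service_account_access_token" "terraform" {
  provider               = google.impersonation
  target_service_account = "org-terraform@<SEED_PROJECT_ID>.iam.gserviceaccount.com"
  scopes                 = ["userinfo-email", "cloud-platform"]
  lifetime               = "1200s"
}

# All real resources are managed with the impersonated token, so every API
# call is attributed to the service account while Cloud Audit Logs still
# record the human principal that requested the token.
provider "google" {
  access_token    = data.google_service_account_access_token.terraform.access_token
  request_timeout = "60s"
}
```

If `terraform init` fails against the backend, the usual cause is that the caller is not a member of group_org_admins (or the module was applied with sa_enable_impersonation = false), so the token-creator binding on the service account is missing.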

APIs

A project with the following APIs enabled must be used to host the resources of this module:

  • Google Cloud Resource Manager API: cloudresourcemanager.googleapis.com
  • Google Cloud Billing API: cloudbilling.googleapis.com
  • Google Cloud IAM API: iam.googleapis.com
  • Google Cloud Storage API: storage-api.googleapis.com
  • Google Cloud Service Usage API: serviceusage.googleapis.com

These APIs can be enabled in the default project created when establishing an organization.

Contributing

Refer to the contribution guidelines for information on contributing to this module.
