From 12ce6563909081650cfed16fafbdb712d979af58 Mon Sep 17 00:00:00 2001 From: Antonio Lopez <94461129+ajlopezn@users.noreply.github.com> Date: Fri, 2 Sep 2022 11:00:25 +0200 Subject: [PATCH 1/8] Create COMPANION.md creating file index --- fast/stages/COMPANION.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 fast/stages/COMPANION.md diff --git a/fast/stages/COMPANION.md b/fast/stages/COMPANION.md new file mode 100644 index 0000000000..17ce5c2c0f --- /dev/null +++ b/fast/stages/COMPANION.md @@ -0,0 +1,19 @@ +# FAST deployment companion guide + +## Prerequisites + +### Clean Up your organization +### Create Required groups +### Billing setup + +## Stage 0 (Bootstrap) + +## Stage 1 (Resource Management) + +## Stage 2 (Networking) + +## Stage 2 (Security) + +## Stage 3 (GKE) + +## Stage 3 (Project Factory) From 4d585269283f4ca1c48b45df0791766ba2556595 Mon Sep 17 00:00:00 2001 From: ajlopezn Date: Fri, 2 Sep 2022 12:28:47 +0200 Subject: [PATCH 2/8] pre-requisites added to companion guide --- fast/stages/COMPANION.md | 61 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 58 insertions(+), 3 deletions(-) diff --git a/fast/stages/COMPANION.md b/fast/stages/COMPANION.md index 17ce5c2c0f..54091f4383 100644 --- a/fast/stages/COMPANION.md +++ b/fast/stages/COMPANION.md 
@@ -1,10 +1,65 @@ # FAST deployment companion guide +In order to successfully deploy your GCP Landing Zone using FAST in your organization, a series of prerequisites are required to be followed before starting. Then, FAST deployment is splitted in different stages that are required to be executed in order as some of them depend on previous stages output. + +Detailed explanation of each stage execution, configuration or possible modifications and adaptations are included in each stage section. The target of this companion guide is to serve as a cheat sheet with the list of commands to be executed during FAST deployment. + +**Warning** +Executing FAST sets organization policies and authoritative role bindings in your GCP Organization. We recommend using FAST on a clean organization, or to fork and adapt FAST to support your existing Organization. ## Prerequisites +1. First of all, go to Workspace / Cloud Identity and create (or validate they already exist) all the required groups closely mirroring the [GCP Enterprise Setup checklist](https://cloud.google.com/docs/enterprise/setup-checklist): +- gcp-billing-admins@ +- gcp-devops@ +- gcp-network-admins@ +- gcp-organization-admins@ +- gcp-security-admins@ +- gcp-support@ +2. Grant your user “Organization Administrator” role in your Organization and add it to the gcp-organization-admins@ group +3. If you already executed FAST in your Organization, [clean it up](CLEANUP.md) before executing it again +4. Login +```bash +gcloud auth list +gcloud auth login +gcloud auth application-default login +``` +5. Clone Fabric +```bash +git clone https://github.com/GoogleCloudPlatform/cloud-foundation-fabric.git +``` +6. 
Grant required roles to your user +```bash +# set a variable to the fast folder +export FAST_PWD="$(pwd)/fast/stages" + +# set the initial user variable via gcloud +export FAST_BU=$(gcloud config list --format 'value(core.account)') + +# find your org id +gcloud organizations list --filter display_name:[part of your domain] + +# set your org id +export FAST_ORG_ID=123456 + +# set needed roles (do not change this) +export FAST_ROLES="roles/billing.admin roles/logging.admin \ +roles/iam.organizationRoleAdmin roles/resourcemanager.projectCreator" -### Clean Up your organization -### Create Required groups -### Billing setup +for role in $FAST_ROLES; do +gcloud organizations add-iam-policy-binding $FAST_ORG_ID \ +--member user:$FAST_BU --role $role +done +``` +7. Configure Billing Account permissions. +If you are using a standalone billing account, the identity applying this stage for the first time needs to be a Billing Administrator +```bash +# find your billing account id +# replace with your billing id! +export FAST_BA_ID=0186A4-36005F-9ADEDE +# set needed roles (do not change this) +gcloud beta billing accounts add-iam-policy-binding $FAST_BA_ID \ +--member user:$FAST_BU --role roles/billing.admin +``` +If you are using a billing account in a different organization, please follow [these steps](00-bootstrap#billing-account-in-a-different-organization) instead ## Stage 0 (Bootstrap) From 544650c988b9ef9fc60553ff7388d60588a30035 Mon Sep 17 00:00:00 2001 From: ajlopezn Date: Mon, 5 Sep 2022 10:30:05 +0200 Subject: [PATCH 3/8] first version of companion guide --- fast/stages/COMPANION.md | 131 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 130 insertions(+), 1 deletion(-) diff --git a/fast/stages/COMPANION.md b/fast/stages/COMPANION.md index 54091f4383..28faeb19fe 100644 --- a/fast/stages/COMPANION.md +++ b/fast/stages/COMPANION.md 
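Review bot: in step 7 of this hunk the placeholder `export FAST_BA_ID=0186A4-36005F-9ADEDE` has the exact shape of a real billing account id, so a reader cannot tell it is a placeholder and a real id may have been pasted into a public document; use an obviously fake value such as `XXXXXX-YYYYYY-ZZZZZZ` and point at `gcloud beta billing accounts list` for the lookup. Two smaller points in the same hunk: `gcloud organizations list --filter display_name:[part of your domain]` is not pasteable as written (the bracketed words become separate arguments and `[...]` is also a shell glob), so show a concrete domain and tell the reader to replace it; and the loop binds `roles/billing.admin`, `roles/logging.admin`, `roles/iam.organizationRoleAdmin` and `roles/resourcemanager.projectCreator` to a user at organization level without saying these are temporary bootstrap grants, so add a sentence on when and how they get removed.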
@@ -62,13 +62,142 @@ gcloud beta billing accounts add-iam-policy-binding $FAST_BA_ID \ If you are using a billing account in a different organization, please follow [these steps](00-bootstrap#billing-account-in-a-different-organization) instead ## Stage 0 (Bootstrap) +This initial stage will create common projects for iac, logging & billing, and bootstrap IAM policies. + +```bash +# move to the 00-bootstrap directory +cd $FAST_PWD/00-bootstrap + +# copy the template terraform tfvars file and save as `terraform.tfvars` +# then edit to match your environment! +edit terraform.tfvars.sample +``` + +```hcl +# fetch the required id by running `gcloud beta billing accounts list` +billing_account={ + id="012345-67890A-BCDEF0" + organization_id="01234567890" +} +# get the required info by running `gcloud organizations list` +organization={ + id="01234567890" + domain="fast.example.com" + customer_id="Cxxxxxxx" +} +# create your own 4-letters prefix +prefix="abcd" + +# path for automatic generation of configs +outputs_location = "~/fast-config" +``` + +```bash +# run init and apply +terraform init +terraform apply -var bootstrap_user=$FAST_BU + +# link the generated provider file +ln -s ~/fast-config/providers/00-bootstrap* . + +# re-run init and apply to remove user-level IAM +terraform init -migrate-state +# answer 'yes' to terraform's question +terraform apply +``` ## Stage 1 (Resource Management) +In this stage, we will deploy first level of folders. Initially: Networking, Security, GKE, Data Platform and optionally Teams (to host company teams sandbox environments) +```bash +# move to the 01-resman directory +cd $FAST_PWD/01-resman + +# Link providers and variables from previous stages +ln -s ~/fast-config/providers/01-resman-providers.tf . +ln -s ~/fast-config/tfvars/00-bootstrap.auto.tfvars.json . +ln -s ~/fast-config/tfvars/globals.auto.tfvars.json . 
+ +# Edit your terraform.tfvars to append the code in the box below +edit terraform.tfvars +``` +In the following terraform.tfvars it is shown an example of configuration for teams provisioning: +```hcl +outputs_location = "~/fast-config" + +# optional +team_folders = { + team-1 = { + descriptive_name = "Team 1" + group_iam = { + // "team-1-users@example.com" = ["roles/viewer"] + } + impersonation_groups = [ + // "team-1-admins@example.com" + ] + } +} +``` +```bash +# Showtime! +terraform init +terraform apply +``` ## Stage 2 (Networking) +In this stage, we will deploy one of the 3 available Hub&Spoke networking topologies: +1. Peering +2. VPN +3. Appliances (NVA) +```bash +# move to the 02-networking-vpn directory +cd $FAST_PWD/02-networking-XXX + +# setup providers and variables from previous stages +ln -s ~/fast-config/providers/02-networking-providers.tf . +ln -s ~/fast-config/tfvars/00-bootstrap.auto.tfvars.json . +ln -s ~/fast-config/tfvars/01-resman.auto.tfvars.json . +ln -s ~/fast-config/tfvars/globals.auto.tfvars.json . +cp ../00-bootstrap/terraform.tfvars . + +# You can leave terraform.tfvars as-is in this stage. If you’re curious… +edit terraform.tfvars + +# Showtime! +terraform init +terraform apply +``` ## Stage 2 (Security) +This stage sets up security resources (KMS and VPC-SC) and configurations which impact the whole organization, or are shared across the hierarchy to other projects and teams. +```bash +# move to the 02-security directory +cd $FAST_PWD/02-security -## Stage 3 (GKE) +# link providers and variables from previous stages +ln -s ~/fast-config/providers/02-security* . +ln -s ~/fast-config/tfvars/0[0,1]* . +cp ../00-bootstrap/terraform.tfvars . 
+ +# Edit your terraform.tfvars to include KMS and/or VPC-SC configuration +edit terraform.tfvars +``` +Some examples of terraform.tfvars configurations for KMS and VPC-SC can be found [here](02-security#customizations) +```bash +terraform init +terraform apply +``` ## Stage 3 (Project Factory) +The Project Factory (PF) builds on top of your foundations to create and set up projects (and related resources) to be used for your workloads. It is organized in folders representing environments (e.g. "dev", "prod"), each implemented by a stand-alone terraform resource factory. +```bash +# Variable `outputs_location` is set to `~/fast-config` in stage 01-resman +$ cd $FAST_PWD/03-project-factory/ENVIRONMENT +ln -s ~/fast-config/providers/03-project-factory-ENVIRONMENT-providers.tf . + +ln -s ~/fast-config/tfvars/00-bootstrap.auto.tfvars.json . +ln -s ~/fast-config/tfvars/01-resman.auto.tfvars.json . +ln -s ~/fast-config/tfvars/02-networking.auto.tfvars.json . + +terraform init +terraform apply +``` From 4c2da1903f8934a7e8439b638f1dc53383c0bea0 Mon Sep 17 00:00:00 2001 From: ajlopezn Date: Mon, 5 Sep 2022 14:24:01 +0200 Subject: [PATCH 4/8] edited companion guide --- fast/stages/COMPANION.md | 41 +++++++++++++++++++++++----------------- 1 file changed, 24 insertions(+), 17 deletions(-) diff --git a/fast/stages/COMPANION.md b/fast/stages/COMPANION.md index 28faeb19fe..a947c97f17 100644 --- a/fast/stages/COMPANION.md +++ b/fast/stages/COMPANION.md 
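Review bot: in the Stage 0 block the comment says to copy `terraform.tfvars.sample` and save it as `terraform.tfvars`, but the command underneath is `edit terraform.tfvars.sample`, which edits the template in place and never creates `terraform.tfvars`, so the `billing_account`, `organization` and `prefix` values shown in the `hcl` block are not picked up by `terraform apply`; make it `cp terraform.tfvars.sample terraform.tfvars` followed by `edit terraform.tfvars`. Also in this hunk: both Stage 2 blocks run `cp ../00-bootstrap/terraform.tfvars .`, which re-supplies values already provided by the linked `00-bootstrap.auto.tfvars.json`, when a fresh `terraform.tfvars` holding only what the stage needs (`outputs_location` for networking, the KMS/VPC-SC settings for security) would be clearer; the security block links `0[0,1]*` (the comma inside the bracket expression is harmless but confusing) and, unlike the networking block, does not link `globals.auto.tfvars.json`; the networking comment says `02-networking-vpn` while the command uses `02-networking-XXX` without saying what `XXX` can be; and `## Stage 3 (GKE)` is dropped from the index without mentioning that the GKE stage is out of scope for this guide.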
@@ -1,10 +1,9 @@ # FAST deployment companion guide -In order to successfully deploy your GCP Landing Zone using FAST in your organization, a series of prerequisites are required to be followed before starting. Then, FAST deployment is splitted in different stages that are required to be executed in order as some of them depend on previous stages output. +In order to successfully deploy your GCP Landing Zone using FAST in your organization, a series of prerequisites are required before starting. Then, FAST deployment is splitted in different stages that are required to be executed in order as some of them depend on previous stages output. -Detailed explanation of each stage execution, configuration or possible modifications and adaptations are included in each stage section. The target of this companion guide is to serve as a cheat sheet with the list of commands to be executed during FAST deployment. +Detailed explanation of each stage execution, configuration or possible modifications and adaptations are included in each stage section. The target of this companion guide is to serve as a cheat sheet, including the list of commands to be executed during FAST deployment. -**Warning** -Executing FAST sets organization policies and authoritative role bindings in your GCP Organization. We recommend using FAST on a clean organization, or to fork and adapt FAST to support your existing Organization. +**Warning! Executing FAST sets organization policies and authoritative role bindings in your GCP Organization. We recommend using FAST on a clean organization, or to fork and adapt FAST to support your existing Organization needs.** ## Prerequisites 1. First of all, go to Workspace / Cloud Identity and create (or validate they already exist) all the required groups closely mirroring the [GCP Enterprise Setup checklist](https://cloud.google.com/docs/enterprise/setup-checklist): 
@@ -52,7 +51,7 @@ done 7. Configure Billing Account permissions. If you are using a standalone billing account, the identity applying this stage for the first time needs to be a Billing Administrator ```bash -# find your billing account id +# find your billing account id with gcloud beta billing accounts list # replace with your billing id! export FAST_BA_ID=0186A4-36005F-9ADEDE # set needed roles (do not change this) @@ -107,7 +106,9 @@ terraform apply ``` ## Stage 1 (Resource Management) -In this stage, we will deploy first level of folders. Initially: Networking, Security, GKE, Data Platform and optionally Teams (to host company teams sandbox environments) +This stage performs two important tasks: +- Create the top-level hierarchy of folders, and the associated resources used later on to automate each part of the hierarchy (eg. Networking). +- Set organization policies on the organization, and any exception required on specific folders. ```bash # move to the 01-resman directory cd $FAST_PWD/01-resman @@ -117,22 +118,20 @@ ln -s ~/fast-config/providers/01-resman-providers.tf . ln -s ~/fast-config/tfvars/00-bootstrap.auto.tfvars.json . ln -s ~/fast-config/tfvars/globals.auto.tfvars.json . -# Edit your terraform.tfvars to append the code in the box below +# Edit your terraform.tfvars to append Teams configuration edit terraform.tfvars ``` In the following terraform.tfvars it is shown an example of configuration for teams provisioning: ```hcl -outputs_location = "~/fast-config" - # optional team_folders = { team-1 = { descriptive_name = "Team 1" group_iam = { - // "team-1-users@example.com" = ["roles/viewer"] + "team-1-users@example.com" = ["roles/viewer"] } impersonation_groups = [ - // "team-1-admins@example.com" + "team-1-admins@example.com" ] } } 
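Review bot: removing `outputs_location = "~/fast-config"` from the 01-resman `terraform.tfvars` example in the last hunk is a regression: every later stage in this guide links `~/fast-config/tfvars/01-resman.auto.tfvars.json` and `~/fast-config/providers/02-*-providers.tf`, and the bootstrap example describes `outputs_location` as the "path for automatic generation of configs", so a reader who follows the cheat sheet literally will hit missing-file errors on the Stage 2 `ln -s` lines. Keep the variable in the example and separate it from the optional `team_folders` block. Uncommenting `"team-1-users@example.com"` and `"team-1-admins@example.com"` also turns the sample from a commented hint into live IAM bindings on groups that do not exist in the reader's organization, which makes `terraform apply` fail unless they are replaced; either keep the `//` comments or state explicitly that these must be real groups.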
@@ -145,9 +144,9 @@ terraform apply ## Stage 2 (Networking) In this stage, we will deploy one of the 3 available Hub&Spoke networking topologies: -1. Peering -2. VPN -3. Appliances (NVA) +1. VPC Peering +2. HA VPN +3. Multi-NIC appliances (NVA) ```bash # move to the 02-networking-vpn directory cd $FAST_PWD/02-networking-XXX @@ -174,8 +173,9 @@ This stage sets up security resources (KMS and VPC-SC) and configurations which cd $FAST_PWD/02-security # link providers and variables from previous stages -ln -s ~/fast-config/providers/02-security* . -ln -s ~/fast-config/tfvars/0[0,1]* . +ln -s ~/fast-config/providers/02-security-providers.tf . +ln -s ~/fast-config/tfvars/00-bootstrap.auto.tfvars.json . +ln -s ~/fast-config/tfvars/01-resman.auto.tfvars.json . cp ../00-bootstrap/terraform.tfvars . # Edit your terraform.tfvars to include KMS and/or VPC-SC configuration @@ -188,7 +188,7 @@ terraform apply ``` ## Stage 3 (Project Factory) -The Project Factory (PF) builds on top of your foundations to create and set up projects (and related resources) to be used for your workloads. It is organized in folders representing environments (e.g. "dev", "prod"), each implemented by a stand-alone terraform resource factory. +The Project Factory stage builds on top of your foundations to create and set up projects (and related resources) to be used for your workloads. It is organized in folders representing environments (e.g. "dev", "prod"), each implemented by a stand-alone terraform resource factory. ```bash # Variable `outputs_location` is set to `~/fast-config` in stage 01-resman $ cd $FAST_PWD/03-project-factory/ENVIRONMENT 
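Review bot: the Stage 2 (Security) hunk replaces the `0[0,1]*` glob with explicit links for `00-bootstrap.auto.tfvars.json` and `01-resman.auto.tfvars.json` but, unlike the Stage 2 (Networking) block, still does not link `globals.auto.tfvars.json`; add that line so the two stages are set up the same way. In the Stage 3 hunk that follows, `$ cd $FAST_PWD/03-project-factory/ENVIRONMENT` keeps a `$ ` prompt that no other command in the guide has (pasted as-is, the shell tries to run a command named `$`), and the comment `outputs_location is set to ~/fast-config in stage 01-resman` is misleading now that this patch removed that variable from the 01-resman example.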
@@ -198,6 +198,13 @@ ln -s ~/fast-config/tfvars/00-bootstrap.auto.tfvars.json . ln -s ~/fast-config/tfvars/01-resman.auto.tfvars.json . ln -s ~/fast-config/tfvars/02-networking.auto.tfvars.json . +# Define your environment default values (eg for billing alerts and labels) +edit data/defaults.yaml + +# Create one yaml file per project to be created. Yaml file will include project configuration. Projects will be named after the filename +cp data/projects/project.yaml.sample data/projects/YOUR_PROJECT_NAME.yaml +edit data/projects/YOUR_PROJECT_NAME.yaml + terraform init terraform apply ``` From a7d663ca37c677b6ca8ba707fe4642a85675aea3 Mon Sep 17 00:00:00 2001 From: ajlopezn Date: Mon, 5 Sep 2022 14:26:38 +0200 Subject: [PATCH 5/8] edited companion guide --- fast/stages/COMPANION.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fast/stages/COMPANION.md b/fast/stages/COMPANION.md index a947c97f17..4a477efa66 100644 --- a/fast/stages/COMPANION.md +++ b/fast/stages/COMPANION.md @@ -190,8 +190,8 @@ terraform apply ## Stage 3 (Project Factory) The Project Factory stage builds on top of your foundations to create and set up projects (and related resources) to be used for your workloads. It is organized in folders representing environments (e.g. "dev", "prod"), each implemented by a stand-alone terraform resource factory. ```bash -# Variable `outputs_location` is set to `~/fast-config` in stage 01-resman -$ cd $FAST_PWD/03-project-factory/ENVIRONMENT +# Variable `outputs_location` is set to `~/fast-config` +cd $FAST_PWD/03-project-factory/ENVIRONMENT ln -s ~/fast-config/providers/03-project-factory-ENVIRONMENT-providers.tf . ln -s ~/fast-config/tfvars/00-bootstrap.auto.tfvars.json . From 2dc2f669a3fda4a39f508c1fe155ab6dad7e81d4 Mon Sep 17 00:00:00 2001 
From: ajlopezn Date: Wed, 7 Sep 2022 15:08:10 +0200 Subject: [PATCH 6/8] added required step to execute networking stage: tfvars with output variable is needed to generate network.tfvars for proyect factory --- fast/stages/COMPANION.md | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/fast/stages/COMPANION.md b/fast/stages/COMPANION.md index 4a477efa66..c31171cfce 100644 --- a/fast/stages/COMPANION.md +++ b/fast/stages/COMPANION.md @@ -61,7 +61,7 @@ gcloud beta billing accounts add-iam-policy-binding $FAST_BA_ID \ If you are using a billing account in a different organization, please follow [these steps](00-bootstrap#billing-account-in-a-different-organization) instead ## Stage 0 (Bootstrap) -This initial stage will create common projects for iac, logging & billing, and bootstrap IAM policies. +This initial stage will create common projects for IaC, Logging & Billing, and bootstrap IAM policies. ```bash # move to the 00-bootstrap directory @@ -118,11 +118,13 @@ ln -s ~/fast-config/providers/01-resman-providers.tf . ln -s ~/fast-config/tfvars/00-bootstrap.auto.tfvars.json . ln -s ~/fast-config/tfvars/globals.auto.tfvars.json . -# Edit your terraform.tfvars to append Teams configuration +# Edit your terraform.tfvars to append Teams configuration (optional) edit terraform.tfvars ``` In the following terraform.tfvars it is shown an example of configuration for teams provisioning: ```hcl +outputs_location = "~/fast-config" + # optional team_folders = { team-1 = { 
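Review bot: good to see `outputs_location = "~/fast-config"` back in the 01-resman example, but the hunk keeps it inside the block introduced as "an example of configuration for teams provisioning", under a comment that now reads `Edit your terraform.tfvars to append Teams configuration (optional)`, so the one required value is presented as part of an optional section. Split it: state that `outputs_location` is required because it generates the `01-resman.auto.tfvars.json` and provider files that the later stages link, then show `team_folders` as the optional part.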
@@ -156,11 +158,16 @@ ln -s ~/fast-config/providers/02-networking-providers.tf . ln -s ~/fast-config/tfvars/00-bootstrap.auto.tfvars.json . ln -s ~/fast-config/tfvars/01-resman.auto.tfvars.json . ln -s ~/fast-config/tfvars/globals.auto.tfvars.json . -cp ../00-bootstrap/terraform.tfvars . -# You can leave terraform.tfvars as-is in this stage. If you’re curious… +# Copy and edit terraform.tfvars. output_location variable is required to generate networking stage output +cp ../00-bootstrap/terraform.tfvars . edit terraform.tfvars - +``` +```hcl +# path for automatic generation of configs +outputs_location = "~/fast-config" +``` +```bash # Showtime! terraform init terraform apply @@ -176,9 +183,10 @@ cd $FAST_PWD/02-security ln -s ~/fast-config/providers/02-security-providers.tf . ln -s ~/fast-config/tfvars/00-bootstrap.auto.tfvars.json . ln -s ~/fast-config/tfvars/01-resman.auto.tfvars.json . -cp ../00-bootstrap/terraform.tfvars . +ln -s ~/fast-config/tfvars/globals.auto.tfvars.json . -# Edit your terraform.tfvars to include KMS and/or VPC-SC configuration +# Copy and edit terraform.tfvars to include KMS and/or VPC-SC configuration +cp ../00-bootstrap/terraform.tfvars . edit terraform.tfvars ``` Some examples of terraform.tfvars configurations for KMS and VPC-SC can be found [here](02-security#customizations) From ad75ec4ee05a1850666ae067ffc1beaf083368dc Mon Sep 17 00:00:00 2001 From: ajlopezn Date: Wed, 7 Sep 2022 16:08:48 +0200 Subject: [PATCH 7/8] solved content issues --- fast/stages/COMPANION.md | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/fast/stages/COMPANION.md b/fast/stages/COMPANION.md index c31171cfce..269bd5cb44 100644 --- a/fast/stages/COMPANION.md +++ b/fast/stages/COMPANION.md 
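Review bot: the new comment in the Stage 2 (Networking) block says `output_location variable is required to generate networking stage output`, but the variable in the `hcl` block right below it is `outputs_location` (with an s), so a reader who types the name from the comment sets an undeclared variable and gets no generated output; fix the name in the comment. Minor: the same hunk still runs `cp ../00-bootstrap/terraform.tfvars .` before `edit terraform.tfvars`, so the copied bootstrap values sit next to the same values from the linked `00-bootstrap.auto.tfvars.json`; creating the file with only `outputs_location` would be cleaner.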
@@ -1,5 +1,5 @@ # FAST deployment companion guide -In order to successfully deploy your GCP Landing Zone using FAST in your organization, a series of prerequisites are required before starting. Then, FAST deployment is splitted in different stages that are required to be executed in order as some of them depend on previous stages output. +In order to successfully deploy your GCP Landing Zone using FAST in your Organization, a series of prerequisites are required before starting. Then, FAST deployment is splitted in different stages that are required to be executed in order as some of them depend on previous stages output. Detailed explanation of each stage execution, configuration or possible modifications and adaptations are included in each stage section. The target of this companion guide is to serve as a cheat sheet, including the list of commands to be executed during FAST deployment. @@ -13,19 +13,18 @@ Detailed explanation of each stage execution, configuration or possible modifica - gcp-organization-admins@ - gcp-security-admins@ - gcp-support@ -2. Grant your user “Organization Administrator” role in your Organization and add it to the gcp-organization-admins@ group -3. If you already executed FAST in your Organization, [clean it up](CLEANUP.md) before executing it again -4. Login +2. If you already executed FAST in your Organization, [clean it up](CLEANUP.md) before executing it again. +3. Grant your user “Organization Administrator” role in your Organization and add it to the gcp-organization-admins@ group. +4. If not already done, Login with your user using gcloud. ```bash gcloud auth list gcloud auth login -gcloud auth application-default login ``` -5. Clone Fabric +5. Clone Fabric. ```bash git clone https://github.com/GoogleCloudPlatform/cloud-foundation-fabric.git ``` -6. Grant required roles to your user +6. Grant required roles to your user. ```bash # set a variable to the fast folder export FAST_PWD="$(pwd)/fast/stages" 
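Review bot: dropping `gcloud auth application-default login` from step 4 breaks the rest of the guide: `gcloud auth login` only authenticates the gcloud CLI, while the `terraform init`/`terraform apply` commands in every stage run the Google provider, which authenticates through Application Default Credentials and has nothing to use without that second login (unless the reader has set up another credential source the page does not mention). Keep both commands. The reordering of steps 2 and 3 (clean up before granting Organization Administrator) reads fine.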
@@ -49,7 +48,8 @@ gcloud organizations add-iam-policy-binding $FAST_ORG_ID \ done ``` 7. Configure Billing Account permissions. -If you are using a standalone billing account, the identity applying this stage for the first time needs to be a Billing Administrator + +If you are using a standalone billing account, the user applying this stage for the first time needs to be a Billing Administrator. ```bash # find your billing account id with gcloud beta billing accounts list # replace with your billing id! @@ -58,7 +58,7 @@ export FAST_BA_ID=0186A4-36005F-9ADEDE gcloud beta billing accounts add-iam-policy-binding $FAST_BA_ID \ --member user:$FAST_BU --role roles/billing.admin ``` -If you are using a billing account in a different organization, please follow [these steps](00-bootstrap#billing-account-in-a-different-organization) instead +If you are using a billing account in a different organization, please follow [these steps](00-bootstrap#billing-account-in-a-different-organization) instead. ## Stage 0 (Bootstrap) This initial stage will create common projects for IaC, Logging & Billing, and bootstrap IAM policies. @@ -139,7 +139,7 @@ team_folders = { } ``` ```bash -# Showtime! +# run init and apply terraform init terraform apply ``` @@ -150,7 +150,7 @@ In this stage, we will deploy one of the 3 available Hub&Spoke networking topolo 2. HA VPN 3. Multi-NIC appliances (NVA) ```bash -# move to the 02-networking-vpn directory +# move to the 02-networking-XXX directory (where XXX should be one of vpn|peering|nva) cd $FAST_PWD/02-networking-XXX # setup providers and variables from previous stages @@ -168,7 +168,7 @@ edit terraform.tfvars outputs_location = "~/fast-config" ``` ```bash -# Showtime! +# run init and apply terraform init terraform apply ``` 
@@ -191,6 +191,7 @@ edit terraform.tfvars ``` Some examples of terraform.tfvars configurations for KMS and VPC-SC can be found [here](02-security#customizations) ```bash +# run init and apply terraform init terraform apply ``` @@ -205,6 +206,7 @@ ln -s ~/fast-config/providers/03-project-factory-ENVIRONMENT-providers.tf . ln -s ~/fast-config/tfvars/00-bootstrap.auto.tfvars.json . ln -s ~/fast-config/tfvars/01-resman.auto.tfvars.json . ln -s ~/fast-config/tfvars/02-networking.auto.tfvars.json . +ln -s ~/fast-config/tfvars/globals.auto.tfvars.json . # Define your environment default values (eg for billing alerts and labels) edit data/defaults.yaml @@ -213,6 +215,7 @@ edit data/defaults.yaml cp data/projects/project.yaml.sample data/projects/YOUR_PROJECT_NAME.yaml edit data/projects/YOUR_PROJECT_NAME.yaml +# run init and apply terraform init terraform apply ``` From 4afd01e6a25a3de8991f5f712781bfdc7c9f461f Mon Sep 17 00:00:00 2001 From: ajlopezn Date: Fri, 9 Sep 2022 18:20:00 +0200 Subject: [PATCH 8/8] corrections to companion.md --- fast/stages/COMPANION.md | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/fast/stages/COMPANION.md b/fast/stages/COMPANION.md index 269bd5cb44..10a86dca94 100644 --- a/fast/stages/COMPANION.md +++ b/fast/stages/COMPANION.md 
@@ -1,5 +1,5 @@ # FAST deployment companion guide -In order to successfully deploy your GCP Landing Zone using FAST in your Organization, a series of prerequisites are required before starting. Then, FAST deployment is splitted in different stages that are required to be executed in order as some of them depend on previous stages output. +In order to successfully deploy your GCP Landing Zone using FAST in your Organization, a series of prerequisites are required before starting. Then, FAST deployment is split in different stages that are required to be executed in order as some of them depend on previous stages output. Detailed explanation of each stage execution, configuration or possible modifications and adaptations are included in each stage section. The target of this companion guide is to serve as a cheat sheet, including the list of commands to be executed during FAST deployment. @@ -19,6 +19,7 @@ Detailed explanation of each stage execution, configuration or possible modifica ```bash gcloud auth list gcloud auth login +gcloud auth application-default login ``` 5. Clone Fabric. ```bash @@ -32,11 +33,11 @@ export FAST_PWD="$(pwd)/fast/stages" # set the initial user variable via gcloud export FAST_BU=$(gcloud config list --format 'value(core.account)') -# find your org id -gcloud organizations list --filter display_name:[part of your domain] +# find your org id. change "fast.example.com" with your own org domain +gcloud organizations list --filter display_name:fast.example.com # set your org id -export FAST_ORG_ID=123456 +export FAST_ORG_ID=1234567890 # set needed roles (do not change this) export FAST_ROLES="roles/billing.admin roles/logging.admin \ 
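Review bot: style point on the intro hunk: `split in different stages that are required to be executed in order as some of them depend on previous stages output` reads better as `split into stages that must be executed in order, as some depend on the outputs of previous ones`; the `splitted` fix itself is right. Restoring `gcloud auth application-default login` in the second hunk fixes the regression from the previous patch, and the third hunk's `display_name:fast.example.com` with an instruction to replace it resolves the earlier unpasteable `[part of your domain]` form; the `FAST_ORG_ID=1234567890` placeholder is fine.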
@@ -53,7 +54,7 @@ If you are using a standalone billing account, the user applying this stage for ```bash # find your billing account id with gcloud beta billing accounts list # replace with your billing id! -export FAST_BA_ID=0186A4-36005F-9ADEDE +export FAST_BA_ID=XXXXXX-YYYYYY-ZZZZZZ # set needed roles (do not change this) gcloud beta billing accounts add-iam-policy-binding $FAST_BA_ID \ --member user:$FAST_BU --role roles/billing.admin @@ -71,11 +72,11 @@ cd $FAST_PWD/00-bootstrap # then edit to match your environment! edit terraform.tfvars.sample ``` - +Here you have a terraform.tfvars example: ```hcl # fetch the required id by running `gcloud beta billing accounts list` billing_account={ - id="012345-67890A-BCDEF0" + id="XXXXXX-YYYYYY-ZZZZZZ" organization_id="01234567890" } # get the required info by running `gcloud organizations list` @@ -130,10 +131,10 @@ team_folders = { team-1 = { descriptive_name = "Team 1" group_iam = { - "team-1-users@example.com" = ["roles/viewer"] + "team-1-users@fast.example.com" = ["roles/viewer"] } impersonation_groups = [ - "team-1-admins@example.com" + "team-1-admins@fast.example.com" ] } } @@ -159,10 +160,10 @@ ln -s ~/fast-config/tfvars/00-bootstrap.auto.tfvars.json . ln -s ~/fast-config/tfvars/01-resman.auto.tfvars.json . ln -s ~/fast-config/tfvars/globals.auto.tfvars.json . -# Copy and edit terraform.tfvars. output_location variable is required to generate networking stage output -cp ../00-bootstrap/terraform.tfvars . +# Create terraform.tfvars. output_location variable is required to generate networking stage output file edit terraform.tfvars ``` +In the following terraform.tfvars we configure output_location variable to generate networking stage output file: ```hcl # path for automatic generation of configs outputs_location = "~/fast-config" 
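Review bot: the Stage 0 hunk adds `Here you have a terraform.tfvars example:` but still leaves `edit terraform.tfvars.sample` as the command under a comment that says to copy the template and save it as `terraform.tfvars`, so the example that follows is never written to the file Terraform reads. Change the command to `cp terraform.tfvars.sample terraform.tfvars` followed by `edit terraform.tfvars`, and the lead-in to `An example terraform.tfvars:`. The billing placeholder change to `XXXXXX-YYYYYY-ZZZZZZ` in the first hunk is right. In the networking hunk further down, the comment still says `output_location` while the `hcl` block says `outputs_location`; the variable name needs the s.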
@@ -185,8 +186,7 @@ ln -s ~/fast-config/tfvars/00-bootstrap.auto.tfvars.json . ln -s ~/fast-config/tfvars/01-resman.auto.tfvars.json . ln -s ~/fast-config/tfvars/globals.auto.tfvars.json . -# Copy and edit terraform.tfvars to include KMS and/or VPC-SC configuration -cp ../00-bootstrap/terraform.tfvars . +# Edit terraform.tfvars to include KMS and/or VPC-SC configuration edit terraform.tfvars ``` Some examples of terraform.tfvars configurations for KMS and VPC-SC can be found [here](02-security#customizations)
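Review bot: with `cp ../00-bootstrap/terraform.tfvars .` removed, the Stage 2 (Security) block's `edit terraform.tfvars` now has to create the file rather than edit an existing one, so word the comment the way the networking hunk in this same patch does (`Create terraform.tfvars ...`) and say that only the KMS/VPC-SC settings from `02-security#customizations` belong in it, since the values previously copied from the bootstrap tfvars (`billing_account`, `organization`, `prefix`) already arrive through the linked `00-bootstrap.auto.tfvars.json` and `globals.auto.tfvars.json`. Otherwise the removal is the right call: the copy duplicated values the links already supply.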