diff --git a/CHANGELOG.md b/CHANGELOG.md index 808fd9ef28..c43d3fda34 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ All notable changes to this project will be documented in this file. ### BLUEPRINTS +- [[#915](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/915)] TFE OIDC with GCP WIF blueprint added ([averbuks](https://github.com/averbuks)) - [[#899](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/899)] Static routes monitoring metrics added to network dashboard BP ([maunope](https://github.com/maunope)) - [[#909](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/909)] GCS2BQ: Move images and templates in sub-folders ([lcaggio](https://github.com/lcaggio)) - [[#907](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/907)] Fix CloudSQL blueprint ([lcaggio](https://github.com/lcaggio)) @@ -67,6 +68,8 @@ All notable changes to this project will be documented in this file. ### MODULES +- [[#908](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/908)] GKE module: autopilot fixes ([ludoo](https://github.com/ludoo)) +- [[#906](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/906)] GKE module: add managed_prometheus to features ([apichick](https://github.com/apichick)) - [[#916](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/916)] Add support for DNS routing policies ([juliocc](https://github.com/juliocc)) - [[#918](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/918)] Fix race condition in SimpleNVA ([sruffilli](https://github.com/sruffilli)) - [[#914](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/914)] **incompatible change:** Update DNS module ([juliocc](https://github.com/juliocc)) 
@@ -102,6 +105,7 @@ All notable changes to this project will be documented in this file. ### TOOLS +- [[#919](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/919)] Rename workflow names ([juliocc](https://github.com/juliocc)) - [[#902](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/902)] Bring back sorted variables check ([juliocc](https://github.com/juliocc)) - [[#887](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/887)] Disable parallel execution of tests and plugin cache ([ludoo](https://github.com/ludoo)) - [[#886](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/886)] Revert "Improve handling of tf plugin cache in tests" ([ludoo](https://github.com/ludoo)) diff --git a/README.md b/README.md index 70d5d666ba..6aa292d76a 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ This repository provides **end-to-end blueprints** and a **suite of Terraform mo - organization-wide [landing zone blueprint](fast/) used to bootstrap real-world cloud foundations - reference [blueprints](./blueprints/) used to deep dive on network patterns or product features -- a comprehensive source of lean [modules](./modules/dns) that lend themselves well to changes +- a comprehensive source of lean [modules](./modules/) that lend themselves well to changes The whole repository is meant to be cloned as a single unit, and then forked into separate owned repositories to seed production usage, or used as-is and periodically updated as a complete toolkit for prototyping. You can read more on this approach in our [contributing guide](./CONTRIBUTING.md), and a comparison against similar toolkits [here](./FABRIC-AND-CFT.md). 
@@ -29,16 +29,16 @@ The current list of modules supports most of the core foundational and networkin Currently available modules: -- **foundational** - [folder](./modules/folder), [organization](./modules/organization), [project](./modules/project), [service accounts](./modules/iam-service-account), [logging bucket](./modules/logging-bucket), [billing budget](./modules/billing-budget), [projects-data-source](./modules/projects-data-source), [organization-policy](./modules/organization-policy) -- **networking** - [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC peering](./modules/net-vpc-peering), [VPN static](./modules/net-vpn-static), [VPN dynamic](./modules/net-vpn-dynamic), [HA VPN](./modules/net-vpn-ha), [NAT](./modules/net-cloudnat), [address reservation](./modules/net-address), [DNS](./modules/dns), [L4 ILB](./modules/net-ilb), [L7 ILB](./modules/net-ilb-l7), [Service Directory](./modules/service-directory), [Cloud Endpoints](./modules/endpoints) -- **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [GKE cluster](./modules/gke-cluster), [GKE nodepool](./modules/gke-nodepool), [GKE hub](./modules/gke-hub), [COS container](./modules/cloud-config-container/cos-generic-metadata/) (coredns, mysql, onprem, squid) -- **data** - [GCS](./modules/gcs), [BigQuery dataset](./modules/bigquery-dataset), [Pub/Sub](./modules/pubsub), [Datafusion](./modules/datafusion), [Bigtable instance](./modules/bigtable-instance), [Cloud SQL instance](./modules/cloudsql-instance), [Data Catalog Policy Tag](./modules/data-catalog-policy-tag) -- **development** - [Cloud Source Repository](./modules/source-repository), [Container Registry](./modules/container-registry), [Artifact Registry](./modules/artifact-registry), [Apigee Organization](./modules/apigee-organization), [Apigee X Instance](./modules/apigee-x-instance), [API Gateway](./modules/api-gateway) -- **security** - [KMS](./modules/kms), 
[SecretManager](./modules/secret-manager), [VPC Service Control](./modules/vpc-sc) +- **foundational** - [billing budget](./modules/billing-budget), [Cloud Identity group](./modules/cloud-identity-group/), [folder](./modules/folder), [service accounts](./modules/iam-service-account), [logging bucket](./modules/logging-bucket), [organization](./modules/organization), [organization-policy](./modules/organization-policy), [project](./modules/project), [projects-data-source](./modules/projects-data-source) +- **networking** - [DNS](./modules/dns), [Cloud Endpoints](./modules/endpoints), [address reservation](./modules/net-address), [NAT](./modules/net-cloudnat), [Global Load Balancer (classic)](./modules/net-glb/), [L4 ILB](./modules/net-ilb), [L7 ILB](./modules/net-ilb-l7), [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC peering](./modules/net-vpc-peering), [VPN dynamic](./modules/net-vpn-dynamic), [HA VPN](./modules/net-vpn-ha), [VPN static](./modules/net-vpn-static), [Service Directory](./modules/service-directory) +- **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [COS container](./modules/cloud-config-container/cos-generic-metadata/) (coredns, mysql, onprem, squid), [GKE cluster](./modules/gke-cluster), [GKE hub](./modules/gke-hub), [GKE nodepool](./modules/gke-nodepool) +- **data** - [BigQuery dataset](./modules/bigquery-dataset), [Bigtable instance](./modules/bigtable-instance), [Cloud SQL instance](./modules/cloudsql-instance), [Data Catalog Policy Tag](./modules/data-catalog-policy-tag), [Datafusion](./modules/datafusion), [GCS](./modules/gcs), [Pub/Sub](./modules/pubsub) +- **development** - [API Gateway](./modules/api-gateway), [Apigee Organization](./modules/apigee-organization), [Apigee X Instance](./modules/apigee-x-instance), [Artifact Registry](./modules/artifact-registry), [Container Registry](./modules/container-registry), [Cloud Source Repository](./modules/source-repository) +- **security** 
- [Binauthz](./modules/binauthz/), [KMS](./modules/kms), [SecretManager](./modules/secret-manager), [VPC Service Control](./modules/vpc-sc) - **serverless** - [Cloud Function](./modules/cloud-function), [Cloud Run](./modules/cloud-run) For more information and usage examples see each module's README file. ## End-to-end blueprints -The [blueprints](./blueprints/) in this repository are split in several main sections: **[networking blueprints](./blueprints/networking/)** that implement core patterns or features, **[data solutions blueprints](./blueprints/data-solutions/)** that demonstrate how to integrate data services in complete scenarios, **[cloud operations blueprints](./blueprints/cloud-operations/)** that leverage specific products to meet specific operational needs and **[factories](./blueprints/factories/)** that implement resource factories for the repetitive creation of specific resources, and finally **[GKE](./blueprints/gke)** and **[serverless](./blueprints/serverless)** design blueprints. +The [blueprints](./blueprints/) in this repository are split in several main sections: **[networking blueprints](./blueprints/networking/)** that implement core patterns or features, **[data solutions blueprints](./blueprints/data-solutions/)** that demonstrate how to integrate data services in complete scenarios, **[cloud operations blueprints](./blueprints/cloud-operations/)** that leverage specific products to meet specific operational needs and **[factories](./blueprints/factories/)** that implement resource factories for the repetitive creation of specific resources, and finally **[GKE](./blueprints/gke)**, **[serverless](./blueprints/serverless)**, and **[third-party solutions](./blueprints/third-party-solutions/)** design blueprints. 
diff --git a/blueprints/cloud-operations/glb_and_armor/shell_button.png b/assets/images/cloud-shell-button.png similarity index 100% rename from blueprints/cloud-operations/glb_and_armor/shell_button.png rename to assets/images/cloud-shell-button.png diff --git a/blueprints/README.md b/blueprints/README.md index aad7cb0843..77e1390694 100644 --- a/blueprints/README.md +++ b/blueprints/README.md 
@@ -4,12 +4,12 @@ This section **[networking blueprints](./networking/)** that implement core patt Currently available blueprints: -- **cloud operations** - [Resource tracking and remediation via Cloud Asset feeds](./cloud-operations/asset-inventory-feed-remediation), [Granular Cloud DNS IAM via Service Directory](./cloud-operations/dns-fine-grained-iam), [Granular Cloud DNS IAM for Shared VPC](./cloud-operations/dns-shared-vpc), [Compute Engine quota monitoring](./cloud-operations/quota-monitoring), [Scheduled Cloud Asset Inventory Export to Bigquery](./cloud-operations/scheduled-asset-inventory-export-bq), [Packer image builder](./cloud-operations/packer-image-builder), [On-prem SA key management](./cloud-operations/onprem-sa-key-management), [TCP healthcheck for unmanaged GCE instances](./cloud-operations/unmanaged-instances-healthcheck), [HTTP Load Balancer with Cloud Armor](./cloud-operations/glb_and_armor) -- **data solutions** - [GCE/GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms/), [Cloud Storage to Bigquery with Cloud Dataflow with least privileges](./data-solutions/gcs-to-bq-with-least-privileges/), [Data Platform Foundations](./data-solutions/data-platform-foundations/), [SQL Server AlwaysOn availability groups blueprint](./data-solutions/sqlserver-alwayson), [Cloud SQL instance with multi-region read replicas](./data-solutions/cloudsql-multiregion/), [Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key](./data-solutions/composer-2/) -- **factories** - [The why and the how of resource factories](./factories/README.md) -- **GKE** - [GKE multitenant fleet](./gke/multitenant-fleet/), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [Binary Authorization Pipeline](./gke/binauthz/), [Multi-cluster mesh on GKE (fleet API)](./gke/multi-cluster-mesh-gke-fleet-api/) -- **networking** - [hub and spoke via peering](./networking/hub-and-spoke-peering/), [hub and spoke via 
VPN](./networking/hub-and-spoke-vpn/), [DNS and Google Private Access for on-premises](./networking/onprem-google-access-dns/), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [ILB as next hop](./networking/ilb-next-hop), [Connecting to on-premise services leveraging PSC and hybrid NEGs](./networking/psc-hybrid/), [decentralized firewall](./networking/decentralized-firewall) -- **serverless** - [Multi-region deployments for API Gateway](./serverless/api-gateway/) -- **third party solutions** - [OpenShift cluster on Shared VPC](./third-party-solutions/openshift) +- **cloud operations** - [Active Directory Federation Services](./cloud-operations/adfs), [Cloud Asset Inventory feeds for resource change tracking and remediation](./cloud-operations/asset-inventory-feed-remediation), [Fine-grained Cloud DNS IAM via Service Directory](./cloud-operations/dns-fine-grained-iam), [Cloud DNS & Shared VPC design](./cloud-operations/dns-shared-vpc), [Delegated Role Grants](./cloud-operations/iam-delegated-role-grants), [Networking Dashboard](./cloud-operations/network-dashboard), [Managing on-prem service account keys by uploading public keys](./cloud-operations/onprem-sa-key-management), [Compute Image builder with Hashicorp Packer](./cloud-operations/packer-image-builder), [Packer example](./cloud-operations/packer-image-builder/packer), [Compute Engine quota monitoring](./cloud-operations/quota-monitoring), [Scheduled Cloud Asset Inventory Export to Bigquery](./cloud-operations/scheduled-asset-inventory-export-bq), [Configuring workload identity federation for Terraform Cloud/Enterprise workflow](./cloud-operations/terraform-enterprise-wif), [TCP healthcheck and restart for unmanaged GCE instances](./cloud-operations/unmanaged-instances-healthcheck), [Migrate for Compute Engine (v5) blueprints](./cloud-operations/vm-migration), [Configuring workload identity federation to access Google Cloud resources from apps running on 
Azure](./cloud-operations/workload-identity-federation) +- **data solutions** - [GCE and GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms), [Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key](./data-solutions/composer-2), [Cloud SQL instance with multi-region read replicas](./data-solutions/cloudsql-multiregion), [Data Platform](./data-solutions/data-platform-foundations), [Spinning up a foundation data pipeline on Google Cloud using Cloud Storage, Dataflow and BigQuery](./data-solutions/gcs-to-bq-with-least-privileges), [#SQL Server Always On Groups blueprint](./data-solutions/sqlserver-alwayson), [Data Playground](./data-solutions/data-playground) +- **factories** - [[The why and the how of Resource Factories](./factories), [Google Cloud Identity Group Factory](./factories/cloud-identity-group-factory), [Google Cloud BQ Factory](./factories/bigquery-factory), [Google Cloud VPC Firewall Factory](./factories/net-vpc-firewall-yaml), [Minimal Project Factory](./factories/project-factory) +- **GKE** - [Binary Authorization Pipeline Blueprint](./gke/binauthz), [Storage API](./gke/binauthz/image), [Multi-cluster mesh on GKE (fleet API)](./gke/multi-cluster-mesh-gke-fleet-api), [GKE Multitenant Blueprint](./gke/multitenant-fleet), [Shared VPC with GKE support](./networking/shared-vpc-gke/) +- **networking** - [Decentralized firewall management](./networking/decentralized-firewall), [Decentralized firewall validator](./networking/decentralized-firewall/validator), [Network filtering with Squid](./networking/filtering-proxy), [HTTP Load Balancer with Cloud Armor](./networking/glb-and-armor), [Hub and Spoke via VPN](./networking/hub-and-spoke-vpn), [Hub and Spoke via VPC Peering](./networking/hub-and-spoke-peering), [Internal Load Balancer as Next Hop](./networking/ilb-next-hop), [Nginx-based reverse proxy cluster](./networking/nginx-reverse-proxy-cluster), [On-prem DNS and Google Private 
Access](./networking/onprem-google-access-dns), [Calling a private Cloud Function from On-premises](./networking/private-cloud-function-from-onprem), [Hybrid connectivity to on-premise services through PSC](./networking/psc-hybrid), [PSC Producer](./networking/psc-hybrid/psc-producer), [PSC Consumer](./networking/psc-hybrid/psc-consumer), [Shared VPC with optional GKE cluster](./networking/shared-vpc-gke) +- **serverless** - [Creating multi-region deployments for API Gateway](./serverless/api-gateway) +- **third party solutions** - [OpenShift on GCP user-provisioned infrastructure](./third-party-solutions/openshift), [Wordpress deployment on Cloud Run](./third-party-solutions/wordpress/cloudrun) For more information see the individual README files in each section. diff --git a/blueprints/cloud-operations/README.md b/blueprints/cloud-operations/README.md index 88d55d4e82..863aee5812 100644 --- a/blueprints/cloud-operations/README.md +++ b/blueprints/cloud-operations/README.md 
@@ -2,17 +2,17 @@ The blueprints in this folder show how to wire together different Google Cloud services to simplify operations, and are meant for testing, or as minimal but sufficiently complete starting points for actual use. -## Resource tracking and remediation via Cloud Asset feeds - - This [blueprint](./asset-inventory-feed-remediation) shows how to leverage [Cloud Asset Inventory feeds](https://cloud.google.com/asset-inventory/docs/monitoring-asset-changes) to stream resource changes in real time, and how to programmatically use the feed change notifications for alerting or remediation, via a Cloud Function wired to the feed PubSub queue. +## Active Directory Federation Services -The blueprint's feed tracks changes to Google Compute instances, and the Cloud Function enforces policy compliance on each change so that tags match a set of simple rules. The obvious use case is when instance tags are used to scope firewall rules, but the blueprint can easily be adapted to suit different use cases. + This [blueprint](./adfs/) Sets up managed AD, creates a server where AD FS will be installed which will also act as admin workstation for AD, and exposes ADFS using GLB. It can also optionally set up a GCP project and VPC if needed
-## Scheduled Cloud Asset Inventory Export to Bigquery +## Resource tracking and remediation via Cloud Asset feeds - This [blueprint](./scheduled-asset-inventory-export-bq) shows how to leverage the [Cloud Asset Inventory Exporting to Bigquery](https://cloud.google.com/asset-inventory/docs/exporting-to-bigquery) feature, to keep track of your organization's assets over time storing information in Bigquery. Data stored in Bigquery can then be used for different purposes like dashboarding or analysis. + This [blueprint](./asset-inventory-feed-remediation) shows how to leverage [Cloud Asset Inventory feeds](https://cloud.google.com/asset-inventory/docs/monitoring-asset-changes) to stream resource changes in real time, and how to programmatically use the feed change notifications for alerting or remediation, via a Cloud Function wired to the feed PubSub queue. + +The blueprint's feed tracks changes to Google Compute instances, and the Cloud Function enforces policy compliance on each change so that tags match a set of simple rules. The obvious use case is when instance tags are used to scope firewall rules, but the blueprint can easily be adapted to suit different use cases.
@@ -28,15 +28,21 @@ The blueprint's feed tracks changes to Google Compute instances, and the Cloud F
-## Compute Engine quota monitoring +## Delegated Role Grants - This [blueprint](./quota-monitoring) shows a practical way of collecting and monitoring [Compute Engine resource quotas](https://cloud.google.com/compute/quotas) via Cloud Monitoring metrics as an alternative to the recently released [built-in quota metrics](https://cloud.google.com/monitoring/alerts/using-quota-metrics). A simple alert on quota thresholds is also part of the blueprint. + This [blueprint](./iam-delegated-role-grants) shows how to use delegated role grants to restrict service usage.
-## Delegated Role Grants +## Network Dashboard - This [blueprint](./iam-delegated-role-grants) shows how to use delegated role grants to restrict service usage. + This [blueprint](./network-dashboard/) provides an end-to-end solution to gather some GCP Networking quotas and limits (that cannot be seen in the GCP console today) and display them in a dashboard. The goal is to allow for better visibility of these limits, facilitating capacity planning and avoiding hitting these limits.. + +
+ +## On-prem Service Account key management + +This [blueprint](./onprem-sa-key-management) shows how to manage IAM Service Account Keys by manually generating a key pair and uploading the public part of the key to GCP.
@@ -46,24 +52,38 @@ The blueprint's feed tracks changes to Google Compute instances, and the Cloud F
-## On-prem Service Account key management +## Compute Engine quota monitoring + This [blueprint](./quota-monitoring) shows a practical way of collecting and monitoring [Compute Engine resource quotas](https://cloud.google.com/compute/quotas) via Cloud Monitoring metrics as an alternative to the recently released [built-in quota metrics](https://cloud.google.com/monitoring/alerts/using-quota-metrics). A simple alert on quota thresholds is also part of the blueprint. -This [blueprint](./onprem-sa-key-management) shows how to manage IAM Service Account Keys by manually generating a key pair and uploading the public part of the key to GCP. +
+ +## Scheduled Cloud Asset Inventory Export to Bigquery + + This [blueprint](./scheduled-asset-inventory-export-bq) shows how to leverage the [Cloud Asset Inventory Exporting to Bigquery](https://cloud.google.com/asset-inventory/docs/exporting-to-bigquery) feature, to keep track of your organization's assets over time storing information in Bigquery. Data stored in Bigquery can then be used for different purposes like dashboarding or analysis.
-## Migrate for Compute Engine (v5) - This set of [blueprints](./vm-migration) shows how to deploy Migrate for Compute Engine (v5) on top of existing Cloud Foundations on different scenarios. An blueprint on how to deploy the M4CE connector on VMWare ESXi is also part of the blueprints. +## Workload identity federation for Terraform Enterprise workflow + + This [blueprint](./terraform-enterprise-wif) shows how to configure [Wokload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) between [Terraform Cloud/Enterprise](https://developer.hashicorp.com/terraform/enterprise) instance and Google Cloud.
## TCP healthcheck for unmanaged GCE instances + This [blueprint](./unmanaged-instances-healthcheck) shows how to leverage [Serverless VPC Access](https://cloud.google.com/vpc/docs/configure-serverless-vpc-access) and Cloud Functions to organize a highly performant TCP healtheck for unmanaged GCE instances.
-## Workload identity federation for Terraform Enterprise workflow - This [blueprint](./terraform-enterprise-wif) shows how to configure [Wokload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) between [Terraform Cloud/Enterprise](https://developer.hashicorp.com/terraform/enterprise) instance and Google Cloud. +## Migrate for Compute Engine (v5) + + This set of [blueprints](./vm-migration) shows how to deploy Migrate for Compute Engine (v5) on top of existing Cloud Foundations on different scenarios. An blueprint on how to deploy the M4CE connector on VMWare ESXi is also part of the blueprints. + +
+ +## Configuring Workload Identity Federation from apps running on Azure + + This [blueprint](./workload-identity-federation) shows how to set up everything, both in Azure and Google Cloud, so a workload in Azure can access Google Cloud resources without a service account key. This will be possible by configuring workload identity federation to trust access tokens generated for a specific application in an Azure Active Directory (AAD) tenant.
diff --git a/blueprints/cloud-operations/adfs/README.md b/blueprints/cloud-operations/adfs/README.md index a690f1ea75..0b9548846c 100644 --- a/blueprints/cloud-operations/adfs/README.md +++ b/blueprints/cloud-operations/adfs/README.md @@ -1,19 +1,19 @@ -# AD FS +# Active Directory Federation Services -This blueprint does the following: +This blueprint does the following: Terraform: - (Optional) Creates a project. - (Optional) Creates a VPC. - Sets up managed AD -- Creates a server where AD FS will be installed. This machine will also act as admin workstation for AD. +- Creates a server where AD FS will be installed. This machine will also act as admin workstation for AD. - Exposes AD FS using GLB. Ansible: - Installs the required Windows features and joins the computer to the AD domain. -- Provisions some tests users, groups and group memberships in AD. The data to provision is in the files directory of the ad-provisioning ansible role. There is script available in the scripts/ad-provisioning folder that you can use to generate an alternative users or memberships file. +- Provisions some tests users, groups and group memberships in AD. The data to provision is in the files directory of the ad-provisioning ansible role. There is script available in the scripts/ad-provisioning folder that you can use to generate an alternative users or memberships file. - Installs AD FS In addition to this, we also include a Powershell script that facilitates the configuration required for Anthos when authenticating users with AD FS as IdP. 
@@ -26,8 +26,8 @@ The diagram below depicts the architecture of the blueprint: Clone this repository or [open it in cloud shell](https://ssh.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fcloud-foundation-fabric&cloudshell_print=cloud-shell-readme.txt&cloudshell_working_dir=blueprints%2Fcloud-operations%2Fadfs), then go through the following steps to create resources: -* `terraform init` -* `terraform apply -var project_id=my-project-id -var ad_dns_domain_name=my-domain.org -var adfs_dns_domain_name=adfs.my-domain.org` +- `terraform init` +- `terraform apply -var project_id=my-project-id -var ad_dns_domain_name=my-domain.org -var adfs_dns_domain_name=adfs.my-domain.org` Once the resources have been created, do the following: diff --git a/blueprints/cloud-operations/workload-identity-federation/README.md b/blueprints/cloud-operations/workload-identity-federation/README.md index fb990342d6..ad6feaede1 100644 --- a/blueprints/cloud-operations/workload-identity-federation/README.md +++ b/blueprints/cloud-operations/workload-identity-federation/README.md 
@@ -1,9 +1,9 @@ -# Configuring workload identity federation to access Google Cloud resources from apps running on Azure +# Configuring Workload Identity Federation to access Google Cloud resources from apps running on Azure The most straightforward way for workloads running outside of Google Cloud to call Google Cloud APIs is by using a downloaded service account key. However, this approach has 2 major pain points: * A management hassle, keys need to be stored securely and rotated often. -* A security risk, keys are long term credentials that could be compromised. +* A security risk, keys are long term credentials that could be compromised. Workload identity federation enables applications running outside of Google Cloud to replace long-lived service account keys with short-lived access tokens. This is achieved by configuring Google Cloud to trust an external identity provider, so applications can use the credentials issued by the external identity provider to impersonate a service account. 
@@ -19,17 +19,17 @@ The provided terraform configuration will set up the following architecture: * On Azure: - * An Azure Active Directory application and a service principal. By default, the new application grants all users in the Azure AD tenant permission to obtain access tokens. So an app role assignment will be required to restrict which identities can obtain access tokens for the application. + * An Azure Active Directory application and a service principal. By default, the new application grants all users in the Azure AD tenant permission to obtain access tokens. So an app role assignment will be required to restrict which identities can obtain access tokens for the application. - * Optionally, all the resources required to have a VM configured to run with a system-assigned managed identity and accessible via SSH on a public IP using public key authentication, so we can log in to the machine and run the `gcloud` command to verify that everything works as expected. + * Optionally, all the resources required to have a VM configured to run with a system-assigned managed identity and accessible via SSH on a public IP using public key authentication, so we can log in to the machine and run the `gcloud` command to verify that everything works as expected. * On Google Cloud: - * A Google Cloud project with: + * A Google Cloud project with: - * A workload identity pool and provider configured to trust the AAD application + * A workload identity pool and provider configured to trust the AAD application - * A service account with the Viewer role granted on the project. The external identities in the workload identity pool would be assigned the Workload Identity User role on that service account. + * A service account with the Viewer role granted on the project. The external identities in the workload identity pool would be assigned the Workload Identity User role on that service account. ## Running the blueprint 
@@ -42,7 +42,7 @@ Clone this repository or [open it in cloud shell](https://ssh.cloud.google.com/c Once the resources have been created, do the following to verify that everything works as expected: -1. Log in to the VM. +1. Log in to the VM. If you have created the VM using this terraform configuration proceed the following way: @@ -72,7 +72,6 @@ Once the resources have been created, do the following to verify that everything `gcloud projects describe PROJECT_ID` - Once done testing, you can clean up resources by running `terraform destroy`. diff --git a/blueprints/data-solutions/README.md b/blueprints/data-solutions/README.md index 968d7b9c33..4919f29a42 100644 --- a/blueprints/data-solutions/README.md +++ b/blueprints/data-solutions/README.md @@ -6,32 +6,32 @@ They are meant to be used as minimal but complete starting points to create actu ## Blueprints +### Cloud SQL instance with multi-region read replicas + + +This [blueprint](./cloudsql-multiregion/) creates a [Cloud SQL instance](https://cloud.google.com/sql) with multi-region read replicas as described in the [Cloud SQL for PostgreSQL disaster recovery](https://cloud.google.com/architecture/cloud-sql-postgres-disaster-recovery-complete-failover-fallback) article. + +
+ ### GCE and GCS CMEK via centralized Cloud KMS This [blueprint](./cmek-via-centralized-kms/) implements [CMEK](https://cloud.google.com/kms/docs/cmek) for GCS and GCE, via keys hosted in KMS running in a centralized project. The blueprint shows the basic resources and permissions for the typical use case of application projects implementing encryption at rest via a centrally managed KMS service. +
-### Cloud Storage to Bigquery with Cloud Dataflow with least privileges +### Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key + + +This [blueprint](./composer-2/) creates a [Cloud Composer](https://cloud.google.com/composer/) version 2 instance on a VPC with a dedicated service account. The solution supports as inputs: a Shared VPC and Cloud KMS CMEK keys. - This [blueprint](./gcs-to-bq-with-least-privileges/) implements resources required to run GCS to BigQuery Dataflow pipelines. The solution rely on a set of Services account created with the least privileges principle.
### Data Platform Foundations This [blueprint](./data-platform-foundations/) implements a robust and flexible Data Foundation on GCP that provides opinionated defaults, allowing customers to build and scale out additional data pipelines quickly and reliably. -
- -### SQL Server Always On Availability Groups - - -This [blueprint](./data-platform-foundations/) implements SQL Server Always On Availability Groups using Fabric modules. It builds a two node cluster with a fileshare witness instance in an existing VPC and adds the necessary firewalling. The actual setup process (apart from Active Directory operations) has been scripted, so that least amount of manual works needs to performed. -
- -### Cloud SQL instance with multi-region read replicas - -This [blueprint](./cloudsql-multiregion/) creates a [Cloud SQL instance](https://cloud.google.com/sql) with multi-region read replicas as described in the [Cloud SQL for PostgreSQL disaster recovery](https://cloud.google.com/architecture/cloud-sql-postgres-disaster-recovery-complete-failover-fallback) article.
### Data Playground starter with Cloud Vertex AI Notebook and GCS @@ -40,11 +40,18 @@ This [blueprint](./cloudsql-multiregion/) creates a [Cloud SQL instance](https:/ This [blueprint](./data-playground/) creates a [Vertex AI Notebook](https://cloud.google.com/vertex-ai/docs/workbench/introduction) running on a VPC with a private IP and a dedicated Service Account. A GCS bucket and a BigQuery dataset are created to store inputs and outputs of data experiments. +
-### Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key +### Cloud Storage to Bigquery with Cloud Dataflow with least privileges - -This [blueprint](./composer-2/) creates a [Cloud Composer](https://cloud.google.com/composer/) version 2 instance on a VPC with a dedicated service account. The solution supports as inputs: a Shared VPC and Cloud KMS CMEK keys. -
\ No newline at end of file + This [blueprint](./gcs-to-bq-with-least-privileges/) implements resources required to run GCS to BigQuery Dataflow pipelines. The solution rely on a set of Services account created with the least privileges principle. + +
+ +### SQL Server Always On Availability Groups + + +This [blueprint](./data-platform-foundations/) implements SQL Server Always On Availability Groups using Fabric modules. It builds a two node cluster with a fileshare witness instance in an existing VPC and adds the necessary firewalling. The actual setup process (apart from Active Directory operations) has been scripted, so that least amount of manual works needs to performed. + +
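Review bot: the "SQL Server Always On Availability Groups" entry that this hunk moves still links to `./data-platform-foundations/` instead of a SQL Server blueprint directory, so the reorder carries an existing wrong link target with it; point it at the Always On blueprint folder (its path is not visible in this diff, so I am not guessing it). Two grammar fixes while these lines are being touched: "The solution rely on a set of Services account created with the least privileges principle" should read "The solution relies on a set of service accounts created following the least-privilege principle", and "so that least amount of manual works needs to performed" should read "so that the least amount of manual work needs to be performed".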
diff --git a/blueprints/data-solutions/cloudsql-multiregion/README.md b/blueprints/data-solutions/cloudsql-multiregion/README.md index babacd5800..5bdc632933 100644 --- a/blueprints/data-solutions/cloudsql-multiregion/README.md +++ b/blueprints/data-solutions/cloudsql-multiregion/README.md @@ -39,7 +39,7 @@ If `project_create` is left to `null`, the identity performing the deployment ne Click on the image below, sign in if required and when the prompt appears, click on “confirm”. -[![Open Cloudshell](images/button.png)](https://goo.gle/GoCloudSQL) +[![Open Cloudshell](../../../assets/images/cloud-shell-button.png)](https://goo.gle/GoCloudSQL) This will clone the repository to your cloud shell and a screen like this one will appear: @@ -81,7 +81,8 @@ This implementation is intentionally minimal and easy to read. A real world use - Using VPC-SC to mitigate data exfiltration ### Shared VPC -The example supports the configuration of a Shared VPC as an input variable. + +The example supports the configuration of a Shared VPC as an input variable. To deploy the solution on a Shared VPC, you have to configure the `network_config` variable: ``` 
@@ -94,12 +95,14 @@ network_config = { ``` To run this example, the Shared VPC project needs to have: - - A Private Service Connect with a range of `/24` (example: `10.60.0.0/24`) to deploy the Cloud SQL instance. - - Internet access configured (for example Cloud NAT) to let the Test VM download packages. + +- A Private Service Connect with a range of `/24` (example: `10.60.0.0/24`) to deploy the Cloud SQL instance. +- Internet access configured (for example Cloud NAT) to let the Test VM download packages. In order to run the example and deploy Cloud SQL on a shared VPC the identity running Terraform must have the following IAM role on the Shared VPC Host project. - - Compute Network Admin (roles/compute.networkAdmin) - - Compute Shared VPC Admin (roles/compute.xpnAdmin) + +- Compute Network Admin (roles/compute.networkAdmin) +- Compute Shared VPC Admin (roles/compute.xpnAdmin) ## Test your environment diff --git a/blueprints/data-solutions/cloudsql-multiregion/images/button.png b/blueprints/data-solutions/cloudsql-multiregion/images/button.png deleted file mode 100644 index 21a3f3de9d..0000000000 Binary files a/blueprints/data-solutions/cloudsql-multiregion/images/button.png and /dev/null differ diff --git a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/README.md b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/README.md index 6025ad7f97..1d3f939743 100644 --- a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/README.md +++ b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/README.md 
@@ -60,8 +60,7 @@ __Note__: To grant a user a role, take a look at the [Granting and Revoking Acce Click on the button below, sign in if required and when the prompt appears, click on “confirm”. - -[![Open Cloudshell](images/shell_button.png)](https://goo.gle/GoDataPipe) +[![Open Cloudshell](../../../assets/images/cloud-shell-button.png)](https://goo.gle/GoDataPipe) This will clone the repository to your cloud shell and a screen like this one will appear: diff --git a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/images/cloud_shell.png b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/images/cloud_shell.png deleted file mode 100644 index 21bb72e018..0000000000 Binary files a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/images/cloud_shell.png and /dev/null differ diff --git a/blueprints/gke/README.md b/blueprints/gke/README.md index a2c4807134..30418ca419 100644 --- a/blueprints/gke/README.md +++ b/blueprints/gke/README.md @@ -6,24 +6,27 @@ They are meant to be used as minimal but complete starting points to create actu ## Blueprints -### Multitenant GKE fleet +### Binary Authorization Pipeline + + This [blueprint](../gke/binauthz/) shows how to create a CI and a CD pipeline in Cloud Build for the deployment of an application to a private GKE cluster with unrestricted access to a public endpoint. The blueprint enables a Binary Authorization policy in the project so only images that have been attested can be deployed to the cluster. The attestations are created using a cryptographic key pair that has been provisioned in KMS. - This [blueprint](./multitenant-fleet/) allows simple centralized management of similar sets of GKE clusters and their nodepools in a single project, and optional fleet management via GKE Hub templated configurations.
-### Shared VPC with GKE and per-subnet support +### Multi-cluster mesh on GKE (fleet API) - This [blueprint](../networking/shared-vpc-gke/) shows how to configure a Shared VPC, including the specific IAM configurations needed for GKE, and to give different level of access to the VPC subnets to different identities. + This [blueprint](../gke/multi-cluster-mesh-gke-fleet-api/) shows how to create a multi-cluster mesh for two private clusters on GKE. Anthos Service Mesh with automatic control plane management is set up for clusters using the Fleet API. This can only be done if the clusters are in a single project and in the same VPC. In this particular case both clusters having being deployed to different subnets in a shared VPC. -It is meant to be used as a starting point for most Shared VPC configurations, and to be integrated to the above blueprints where Shared VPC is needed in more complex network topologies.
-### Binary Authorization Pipeline +### Multitenant GKE fleet - This [blueprint](../gke/binauthz/) shows how to create a CI and a CD pipeline in Cloud Build for the deployment of an application to a private GKE cluster with unrestricted access to a public endpoint. The blueprint enables a Binary Authorization policy in the project so only images that have been attested can be deployed to the cluster. The attestations are created using a cryptographic key pair that has been provisioned in KMS. + This [blueprint](./multitenant-fleet/) allows simple centralized management of similar sets of GKE clusters and their nodepools in a single project, and optional fleet management via GKE Hub templated configurations.
-### Multi-cluster mesh on GKE (fleet API) +### Shared VPC with GKE and per-subnet support + + This [blueprint](../networking/shared-vpc-gke/) shows how to configure a Shared VPC, including the specific IAM configurations needed for GKE, and to give different level of access to the VPC subnets to different identities. + +It is meant to be used as a starting point for most Shared VPC configurations, and to be integrated to the above blueprints where Shared VPC is needed in more complex network topologies. - This [blueprint](../gke/multi-cluster-mesh-gke-fleet-api/) shows how to create a multi-cluster mesh for two private clusters on GKE. Anthos Service Mesh with automatic control plane management is set up for clusters using the Fleet API. This can only be done if the clusters are in a single project and in the same VPC. In this particular case both clusters having being deployed to different subnets in a shared VPC.
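Review bot: the multi-cluster mesh description moved here keeps the broken sentence "In this particular case both clusters having being deployed to different subnets in a shared VPC"; suggest "In this case both clusters are deployed to different subnets of a Shared VPC". The Binary Authorization entry would also read better if it said what the KMS key pair is used for in one clause, e.g. "attestations are signed with a key pair held in Cloud KMS, so only images attested with that key can be deployed", since that is the control the blueprint is demonstrating.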
diff --git a/blueprints/networking/README.md b/blueprints/networking/README.md index e234cc25ba..c4a3d2f0fb 100644 --- a/blueprints/networking/README.md +++ b/blueprints/networking/README.md @@ -6,11 +6,30 @@ They are meant to be used as minimal but complete starting points to create actu ## Blueprints +### Decentralized firewall management + + This [blueprint](./decentralized-firewall/) shows how a decentralized firewall management can be organized using the [firewall factory](../factories/net-vpc-firewall-yaml/). + +
+ +### Network filtering with Squid + + This [blueprint](./filtering-proxy/) how to deploy a filtering HTTP proxy to restrict Internet access, in a simplified setup using a VPC with two subnets and a Cloud DNS zone, and an optional MIG for scaling. + +
+ +## HTTP Load Balancer with Cloud Armor + + This [blueprint](./glb-and-armor/) contains all necessary Terraform modules to build a multi-regional infrastructure with horizontally scalable managed instance group backends, HTTP load balancing and Google’s advanced WAF security tool (Cloud Armor) on top to securely deploy an application at global scale. + +
+ ### Hub and Spoke via Peering This [blueprint](./hub-and-spoke-peering/) implements a hub and spoke topology via VPC peering, a common design where a landing zone VPC (hub) is connected to on-premises, and then peered with satellite VPCs (spokes) to further partition the infrastructure. The sample highlights the lack of transitivity in peering: the absence of connectivity between spokes, and the need create workarounds for private service access to managed services. One such workaround is shown for private GKE, allowing access from hub and all spokes to GKE masters via a dedicated VPN. +
### Hub and Spoke via Dynamic VPN @@ -18,38 +37,45 @@ The sample highlights the lack of transitivity in peering: the absence of connec This [blueprint](./hub-and-spoke-vpn/) implements a hub and spoke topology via dynamic VPN tunnels, a common design where peering cannot be used due to limitations on the number of spokes or connectivity to managed services. The blueprint shows how to implement spoke transitivity via BGP advertisements, how to expose hub DNS zones to spokes via DNS peering, and allows easy testing of different VPN and BGP configurations. +
-### DNS and Private Access for On-premises +### ILB as next hop - This [blueprint](./onprem-google-access-dns/) uses an emulated on-premises environment running in Docker containers inside a GCE instance, to allow testing specific features like DNS policies, DNS forwarding zones across VPN, and Private Access for On-premises hosts. + This [blueprint](./ilb-next-hop/) allows testing [ILB as next hop](https://cloud.google.com/load-balancing/docs/internal/ilb-next-hop-overview) using simple Linux gateway VMS between two VPCs, to emulate virtual appliances. An optional additional ILB can be enabled to test multiple load balancer configurations and hashing. -The emulated on-premises environment can be used to test access to different services from outside Google Cloud, by implementing a VPN connection and BGP to Google CLoud via Strongswan and Bird.
-### Shared VPC with GKE and per-subnet support +### Nginx-based reverse proxy cluster - This [blueprint](./shared-vpc-gke/) shows how to configure a Shared VPC, including the specific IAM configurations needed for GKE, and to give different level of access to the VPC subnets to different identities. + This [blueprint](./nginx-reverse-proxy-cluster/) how to deploy an autoscaling reverse proxy cluster using Nginx, based on regional Managed Instance Groups. The autoscaling is driven by Nginx current connections metric, sent by Cloud Ops Agent. -It is meant to be used as a starting point for most Shared VPC configurations, and to be integrated to the above blueprints where Shared VPC is needed in more complex network topologies.
-### ILB as next hop +### DNS and Private Access for On-premises + + This [blueprint](./onprem-google-access-dns/) uses an emulated on-premises environment running in Docker containers inside a GCE instance, to allow testing specific features like DNS policies, DNS forwarding zones across VPN, and Private Access for On-premises hosts. + +The emulated on-premises environment can be used to test access to different services from outside Google Cloud, by implementing a VPN connection and BGP to Google CLoud via Strongswan and Bird. - This [blueprint](./ilb-next-hop/) allows testing [ILB as next hop](https://cloud.google.com/load-balancing/docs/internal/ilb-next-hop-overview) using simple Linux gateway VMS between two VPCs, to emulate virtual appliances. An optional additional ILB can be enabled to test multiple load balancer configurations and hashing.
### Calling a private Cloud Function from on-premises This [blueprint](./private-cloud-function-from-onprem/) shows how to invoke a [private Google Cloud Function](https://cloud.google.com/functions/docs/networking/network-settings) from the on-prem environment via a [Private Service Connect endpoint](https://cloud.google.com/vpc/docs/private-service-connect#benefits-apis). +
### Calling on-premise services through PSC and hybrid NEGs This [blueprint](./psc-hybrid/) shows how to privately connect to on-premise services (IP + port) from GCP, leveraging [Private Service Connect (PSC)](https://cloud.google.com/vpc/docs/private-service-connect) and [Hybrid Network Endpoint Groups](https://cloud.google.com/load-balancing/docs/negs/hybrid-neg-concepts). +
-### Decentralized firewall management +### Shared VPC with GKE and per-subnet support + + This [blueprint](./shared-vpc-gke/) shows how to configure a Shared VPC, including the specific IAM configurations needed for GKE, and to give different level of access to the VPC subnets to different identities. + +It is meant to be used as a starting point for most Shared VPC configurations, and to be integrated to the above blueprints where Shared VPC is needed in more complex network topologies. - This [blueprint](./decentralized-firewall/) shows how a decentralized firewall management can be organized using the [firewall factory](../factories/net-vpc-firewall-yaml/).
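Review bot: the new `## HTTP Load Balancer with Cloud Armor` heading is a second-level heading while every sibling entry under `## Blueprints` uses `###`, so it will render as a new top-level section of the index rather than an entry; change it to `### HTTP Load Balancer with Cloud Armor`. Two of the added descriptions are missing their verb: "This [blueprint](./filtering-proxy/) how to deploy a filtering HTTP proxy" and "This [blueprint](./nginx-reverse-proxy-cluster/) how to deploy an autoscaling reverse proxy cluster" both need "shows" after "blueprint". The moved on-premises paragraph still reads "Google CLoud", and the peering paragraph "the need create workarounds" is missing "to"; both are worth fixing in the same pass since the lines are being rewritten anyway.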
diff --git a/blueprints/cloud-operations/glb_and_armor/README.md b/blueprints/networking/glb-and-armor/README.md similarity index 96% rename from blueprints/cloud-operations/glb_and_armor/README.md rename to blueprints/networking/glb-and-armor/README.md index 25ffec905d..0c9a802ec0 100644 --- a/blueprints/cloud-operations/glb_and_armor/README.md +++ b/blueprints/networking/glb-and-armor/README.md @@ -2,7 +2,7 @@ ## Introduction -This repository contains all necessary Terraform modules to build a multi-regional infrastructure with horizontally scalable managed instance group backends, HTTP load balancing and Google’s advanced WAF security tool (Cloud Armor) on top to securely deploy an application at global scale. +This blueprint contains all necessary Terraform modules to build a multi-regional infrastructure with horizontally scalable managed instance group backends, HTTP load balancing and Google’s advanced WAF security tool (Cloud Armor) on top to securely deploy an application at global scale. This tutorial is general enough to fit in a variety of use-cases, from hosting a mobile app's backend to deploy proprietary workloads at scale. @@ -62,7 +62,7 @@ Note: To grant a user a role, take a look at the [Granting and Revoking Access]( Click on the button below, sign in if required and when the prompt appears, click on “confirm”. -[![Open Cloudshell](shell_button.png)](https://goo.gle/GoCloudArmor) +[![Open Cloudshell](../../../assets/images/cloud-shell-button.png)](https://goo.gle/GoCloudArmor) This will clone the repository to your cloud shell and a screen like this one will appear: diff --git a/blueprints/cloud-operations/glb_and_armor/architecture.png b/blueprints/networking/glb-and-armor/architecture.png similarity index 100% rename from blueprints/cloud-operations/glb_and_armor/architecture.png rename to blueprints/networking/glb-and-armor/architecture.png 
diff --git a/blueprints/cloud-operations/glb_and_armor/cloud_shell.png b/blueprints/networking/glb-and-armor/cloud_shell.png similarity index 100% rename from blueprints/cloud-operations/glb_and_armor/cloud_shell.png rename to blueprints/networking/glb-and-armor/cloud_shell.png diff --git a/blueprints/cloud-operations/glb_and_armor/main.tf b/blueprints/networking/glb-and-armor/main.tf similarity index 100% rename from blueprints/cloud-operations/glb_and_armor/main.tf rename to blueprints/networking/glb-and-armor/main.tf diff --git a/blueprints/cloud-operations/glb_and_armor/outputs.tf b/blueprints/networking/glb-and-armor/outputs.tf similarity index 100% rename from blueprints/cloud-operations/glb_and_armor/outputs.tf rename to blueprints/networking/glb-and-armor/outputs.tf diff --git a/blueprints/cloud-operations/glb_and_armor/variables.tf b/blueprints/networking/glb-and-armor/variables.tf similarity index 100% rename from blueprints/cloud-operations/glb_and_armor/variables.tf rename to blueprints/networking/glb-and-armor/variables.tf diff --git a/blueprints/networking/nginx-reverse-proxy-cluster/README.md b/blueprints/networking/nginx-reverse-proxy-cluster/README.md index c3101a1500..b84362835c 100644 --- a/blueprints/networking/nginx-reverse-proxy-cluster/README.md +++ b/blueprints/networking/nginx-reverse-proxy-cluster/README.md 
@@ -1,20 +1,17 @@ # Nginx-based reverse proxy cluster -This blueprint shows how to deploy an autoscaling reverse proxy cluster using Nginx, based on regional -Managed Instance Groups. +This blueprint shows how to deploy an autoscaling reverse proxy cluster using Nginx, based on regional Managed Instance Groups. ![High-level diagram](reverse-proxy.png "High-level diagram") -The autoscaling is driven by Nginx current connections metric, sent by Cloud Ops Agent. +The autoscaling is driven by Nginx current connections metric, sent by Cloud Ops Agent. -The example is for Nginx, but it could be easily adapted to any other reverse proxy software (eg. -Squid, Varnish, etc). +The example is for Nginx, but it could be easily adapted to any other reverse proxy software (eg. Squid, Varnish, etc). ## Ops Agent image -There is a simple [`Dockerfile`](Dockerfile) available for building Ops Agent to be run -inside the ContainerOS instance. Build the container, push it to your Container/Artifact -Repository and set the `ops_agent_image` to point to the image you built. +There is a simple [`Dockerfile`](Dockerfile) available for building Ops Agent to be run inside the ContainerOS instance. Build the container, push it to your Container/Artifact Repository and set the `ops_agent_image` to point to the image you built. + ## Variables diff --git a/blueprints/third-party-solutions/README.md b/blueprints/third-party-solutions/README.md index 10b7ced20d..c7cbec7379 100644 --- a/blueprints/third-party-solutions/README.md +++ b/blueprints/third-party-solutions/README.md @@ -7,3 +7,11 @@ The blueprints in this folder show how to automate installation of specific thir ### OpenShift cluster bootstrap on Shared VPC This [example](./openshift/) shows how to quickly bootstrap an OpenShift 4.7 cluster on GCP, using typical enterprise features like Shared VPC and CMEK for instance disks. + +
+ +### Wordpress deployment on Cloud Run + + This [example](./wordpress/cloudrun/) shows how to deploy a functioning new Wordpress website exposed to the public internet via CloudRun and Cloud SQL, with minimal technical overhead. + +
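Review bot: the added Wordpress entry spells the product both "Cloud Run" (heading) and "CloudRun" (body) within the same few lines; use "Cloud Run" in both. Since the description itself says the site is exposed to the public internet, a short pointer to the blueprint's `cloud_run_invoker` variable (documented in the cloudrun README hunk of this same PR) would tell readers of the index where access to the service is actually restricted.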
diff --git a/blueprints/third-party-solutions/wordpress/cloudrun/README.md b/blueprints/third-party-solutions/wordpress/cloudrun/README.md index ee1e2d909f..4ca10796fe 100644 --- a/blueprints/third-party-solutions/wordpress/cloudrun/README.md +++ b/blueprints/third-party-solutions/wordpress/cloudrun/README.md @@ -36,11 +36,11 @@ If `project_create` is left to null, the identity performing the deployment need If you want to deploy from your Cloud Shell, click on the image below, sign in if required and when the prompt appears, click on “confirm”. -[![Open Cloudshell](images/button.png)](https://shell.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2FGoogleCloudPlatform%2Fcloud-foundation-fabric&cloudshell_workspace=blueprints%2Fthird-party-solutions%2Fwordpress%2Fcloudrun) - +[![Open Cloudshell](../../../../assets/images/cloud-shell-button.png)](https://shell.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2FGoogleCloudPlatform%2Fcloud-foundation-fabric&cloudshell_workspace=blueprints%2Fthird-party-solutions%2Fwordpress%2Fcloudrun) Otherwise, in your console of choice: -``` {shell} + +```bash git clone https://github.com/GoogleCloudPlatform/cloud-foundation-fabric ``` 
@@ -70,6 +70,7 @@ Once you have the required information, head back to your cloned repository. Mak Configure the Terraform variables in your `terraform.tfvars` file. See [terraform.tfvars.sample](terraform.tfvars.sample) as starting point - just copy it to `terraform.tfvars` and edit the latter. See the variables documentation below. **Notes**: + 1. If you will want to change your admin password later on, please note that it will only work in the admin interface of Wordpress, but not with redeploying with Terraform, since Wordpress writes that password into the database upon installation and ignores the environment variables (that you can change with Terraform) after that. 2. If you have the [domain restriction org. policy](https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains) on your organization, you have to edit the `cloud_run_invoker` variable and give it a value that will be accepted in accordance to your policy. @@ -81,22 +82,27 @@ Initialize your Terraform environment and deploy the resources: terraform init terraform apply ``` + The resource creation will take a few minutes. **Note**: you might get the following error (or a similar one): + ``` {shell} │ Error: resource is in failed state "Ready:False", message: Revision '...' is not ready and cannot serve traffic.│ ``` + You might try to reapply at this point, the Cloud Run service just needs several minutes. ### Step 4: Use the created resources Upon completion, you will see the output with the values for the Cloud Run service and the user and password to access the `/admin` part of the website. You can also view it later with: + ``` {shell} terraform output # or for the concrete variable: terraform output cloud_run_service ``` + 1. Open your browser at the URL that you get with that last command, and you will see your Wordpress installation. 2. Add "/admin" in the end of the URL and log in to the admin interface, using the outputs "wp_user" and "wp_password". 
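Review bot: the fences in this hunk stay ``` {shell} while the earlier hunk in the same file changes one fence to ```bash, so the README ends up with two fence styles; switch these to ```bash as well. Separately, the Step 4 text tells the user to read `wp_password` from `terraform output`, which means the admin password is held in Terraform state and in whatever captures the shell session; if that output is not already declared with `sensitive = true` in outputs.tf it should be, with a line here saying the value can then be read with `terraform output -raw wp_password`. The note in the `@@ -70,6` hunk about Wordpress ignoring later environment-variable changes to the password is a good addition, since it explains why a rotated value in `terraform.tfvars` would silently not take effect.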
diff --git a/blueprints/third-party-solutions/wordpress/cloudrun/images/button.png b/blueprints/third-party-solutions/wordpress/cloudrun/images/button.png deleted file mode 100644 index 21a3f3de9d..0000000000 Binary files a/blueprints/third-party-solutions/wordpress/cloudrun/images/button.png and /dev/null differ diff --git a/modules/README.md b/modules/README.md index 92cf25fc04..129a8b8f98 100644 --- a/modules/README.md +++ b/modules/README.md @@ -13,11 +13,12 @@ These modules are not necessarily backward compatible. Changes breaking compatib These modules are used in the examples included in this repository. If you are using any of those examples in your own Terraform configuration, make sure that you are using the same version for all the modules, and switch module sources to GitHub format using references. The recommended approach to working with Fabric modules is the following: - Fork the repository and own the fork. This will allow you to: - - Evolve the existing modules. - - Create your own modules. - - Sync from the upstream repository to get all the updates. - + - Evolve the existing modules. + - Create your own modules. + - Sync from the upstream repository to get all the updates. + - Use GitHub sources with refs to reference the modules. See an example below: + ```terraform module "project" { source = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/project?ref=v13.0.0" 
@@ -30,62 +31,65 @@ These modules are used in the examples included in this repository. If you are u ## Foundational modules - [billing budget](./billing-budget) +- [Cloud Identity group](./cloud-identity-group/) - [folder](./folder) +- [service accounts](./iam-service-account) - [logging bucket](./logging-bucket) - [organization](./organization) +- [organization-policy](./organization-policy) - [project](./project) - [projects-data-source](./projects-data-source) -- [service account](./iam-service-account) -- [organization policy](./organization-policy) ## Networking modules -- [address reservation](./net-address) -- [Cloud DNS](./dns) -- [Cloud NAT](./net-cloudnat) +- [DNS](./dns) - [Cloud Endpoints](./endpoints) -- [L4 Internal Load Balancer](./net-ilb) -- [Service Directory](./service-directory) +- [address reservation](./net-address) +- [NAT](./net-cloudnat) +- [Global Load Balancer (classic)](./net-glb/) +- [L4 ILB](./net-ilb) +- [L7 ILB](./net-ilb-l7) - [VPC](./net-vpc) - [VPC firewall](./net-vpc-firewall) - [VPC peering](./net-vpc-peering) -- [VPN static](./net-vpn-static) - [VPN dynamic](./net-vpn-dynamic) - [HA VPN](./net-vpn-ha) -- [ ] TODO: xLB modules +- [VPN static](./net-vpn-static) +- [Service Directory](./service-directory) ## Compute/Container -- [COS container](./cloud-config-container/onprem/) (coredns, mysql, onprem, squid) +- [VM/VM group](./compute-vm) +- [MIG](./compute-mig) +- [COS container](./cloud-config-container/cos-generic-metadata/) (coredns/mysql/nva/onprem/squid) - [GKE cluster](./gke-cluster) -- [GKE nodepool](./gke-nodepool) - [GKE hub](./gke-hub) -- [Managed Instance Group](./compute-mig) -- [VM/VM group](./compute-vm) +- [GKE nodepool](./gke-nodepool) ## Data - [BigQuery dataset](./bigquery-dataset) -- [Datafusion](./datafusion) -- [GCS](./gcs) -- [Pub/Sub](./pubsub) - [Bigtable instance](./bigtable-instance) - [Cloud SQL instance](./cloudsql-instance) - [Data Catalog Policy Tag](./data-catalog-policy-tag) +- 
[Datafusion](./datafusion) +- [GCS](./gcs) +- [Pub/Sub](./pubsub) ## Development -- [Artifact Registry](./artifact-registry) -- [Container Registry](./container-registry) -- [Source Repository](./source-repository) +- [API Gateway](./api-gateway) - [Apigee Organization](./apigee-organization) - [Apigee X Instance](./apigee-x-instance) -- [API Gateway](./api-gateway) +- [Artifact Registry](./artifact-registry) +- [Container Registry](./container-registry) +- [Cloud Source Repository](./source-repository) ## Security -- [Cloud KMS](./kms) -- [Secret Manager](./secret-manager) +- [Binauthz](./binauthz/) +- [KMS](./kms) +- [SecretManager](./secret-manager) - [VPC Service Control](./vpc-sc) ## Serverless diff --git a/tests/blueprints/cloud_operations/glb_and_armor/__init__.py b/tests/blueprints/networking/glb_and_armor/__init__.py similarity index 100% rename from tests/blueprints/cloud_operations/glb_and_armor/__init__.py rename to tests/blueprints/networking/glb_and_armor/__init__.py diff --git a/tests/blueprints/cloud_operations/glb_and_armor/fixture/main.tf b/tests/blueprints/networking/glb_and_armor/fixture/main.tf similarity index 89% rename from tests/blueprints/cloud_operations/glb_and_armor/fixture/main.tf rename to tests/blueprints/networking/glb_and_armor/fixture/main.tf index e02d1093ba..155677b208 100644 --- a/tests/blueprints/cloud_operations/glb_and_armor/fixture/main.tf +++ b/tests/blueprints/networking/glb_and_armor/fixture/main.tf @@ -13,7 +13,7 @@ # limitations under the License. module "test" { - source = "../../../../../blueprints/cloud-operations/glb_and_armor" + source = "../../../../../blueprints/networking/glb-and-armor" project_create = var.project_create project_id = var.project_id enforce_security_policy = var.enforce_security_policy 
diff --git a/tests/blueprints/cloud_operations/glb_and_armor/fixture/variables.tf b/tests/blueprints/networking/glb_and_armor/fixture/variables.tf similarity index 100% rename from tests/blueprints/cloud_operations/glb_and_armor/fixture/variables.tf rename to tests/blueprints/networking/glb_and_armor/fixture/variables.tf diff --git a/tests/blueprints/cloud_operations/glb_and_armor/test_plan.py b/tests/blueprints/networking/glb_and_armor/test_plan.py similarity index 100% rename from tests/blueprints/cloud_operations/glb_and_armor/test_plan.py rename to tests/blueprints/networking/glb_and_armor/test_plan.py
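Review bot: in the cloudsql-multiregion README hunk (`@@ -94,12 +95,14 @@`) the bullet "A Private Service Connect with a range of `/24`" names the wrong product: the allocated `/24` that a Cloud SQL private-IP instance consumes is a private services access range (service networking peering), not a Private Service Connect endpoint, so the bullet should say "a private services access range" to make operators create the right resource on the Shared VPC host project. The following list says the Terraform identity needs `roles/compute.networkAdmin` and `roles/compute.xpnAdmin` on the host project; both are broad roles, so the README should state that they are needed only on the host project and only for the deployment run, rather than leaving the reader to grant them more widely or permanently.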
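Review bot: in the modules/README.md hunk (`@@ -30,62 +31,65 @@`) the other sections are re-sorted by module directory name, but the Compute/Container list is not: `compute-vm` precedes `compute-mig`, and `cloud-config-container` follows both; ordering them `cloud-config-container`, `compute-mig`, `compute-vm` would match the convention applied to Foundational, Networking, Data and Development. Dropping the `[ ] TODO: xLB modules` checkbox is consistent with the `net-glb` and `net-ilb-l7` entries added in the same hunk.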
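Review bot: in the tests fixture hunk (`tests/blueprints/networking/glb_and_armor/fixture/main.tf`) the `source` now points at `blueprints/networking/glb-and-armor` (hyphens) while the test package keeps the underscore name `glb_and_armor`; the underscore is required because the directory is a Python package, but the mismatch is easy to grep past, so a one-line comment above `source` noting that the test directory name deliberately differs from the blueprint path would help the next person renaming either side.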