feat: add app folder, remove allauthenticatedusers permissions for do…

…cker images and update local deployment docs (#221) Co-authored-by: Andrew Peabody <[email protected]>
GoogleCloudPlatform · Sep 9, 2024 · 99e5ede · 99e5ede
1 parent 8931836
commit 99e5ede
Show file tree

Hide file tree

Showing 21 changed files with 345 additions and 76 deletions.
diff --git a/1-bootstrap/README.md b/1-bootstrap/README.md
@@ -1,15 +1,16 @@
 # 1. Bootstrap phase
 
-
 The bootstrap phase establishes the 3 initial pipelines of the Enterprise Application blueprint. These pipelines are:
+
 - the Multitenant Infrastructure pipeline
 - the Application Factory
 - the Fleet-Scope pipeline
 
 An overview of the deployment methodology for the Enterprise Application blueprint is shown below.
-![Enterprise Application blueprint deployment diagram](assets/eab-deployment.svg)
+![Enterprise Application blueprint deployment diagram](../assets/eab-deployment.svg)
 
 Each pipeline has the following associated resources:
+
 - 2 Cloud Build triggers
   - 1 trigger to run Terraform Plan commands upon changes to a non-main git branch
   - 1 trigger to run Terraform Apply commands upon changes to the main git branch
@@ -19,17 +20,30 @@ Each pipeline has the following associated resources:
   - Build Logs bucket, to store the logs from the build process
 - 1 service account for executing the Cloud Build build process
 
-
 ## Usage
 
 ### Deploying with Cloud Build
+
 #### Deploying on Enterprise Foundation blueprint
+
 If you have previously deployed the Enterprise Foundation blueprint, create the pipelines in this phase by pushing the contents of this folder to a [workload repo created at stage 5](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/5-app-infra/README.md). Instead of deploying to multiple environments, create these pipelines in the common folder of the foundation.
 
 Start at "5. Clone the `bu1-example-app` repo". Replace the contents of that repo with the contents of this folder.
 
 ### Running Terraform locally
 
+#### Requirements
+
+You will need a project to host your resources, you can manually create it:
+
+```txt
+example-organization
+└── fldr-common
+    └── prj-c-eab-bootstrap
+```
+
+#### Step-by-Step
+
 1. The next instructions assume that you are in the `terraform-google-enterprise-application/1-bootstrap` folder.
 
    ```bash
@@ -42,7 +56,7 @@ Start at "5. Clone the `bu1-example-app` repo". Replace the contents of that rep
    mv terraform.example.tfvars terraform.tfvars
    ```
 
-1. Update the file with values for your environment.
+1. Update the `terraform.tfvars` file with your project id.
 
 You can now deploy the common environment for these pipelines.
 

diff --git a/1-bootstrap/terraform.example.tfvars b/1-bootstrap/terraform.example.tfvars
@@ -0,0 +1 @@
+project_id = "REPLACE_WITH_YOUR_PROJECT"
diff --git a/2-multitenant/README.md b/2-multitenant/README.md
@@ -5,9 +5,10 @@
 This phase deploys the per-environment multitenant resources deployed via the multitenant infrastructure pipeline.
 
 An overview of the multitenant infrastructure pipeline is shown below.
-![Enterprise Application multitenant infrastructure diagram](assets/eab-multitenant.png)
+![Enterprise Application multitenant infrastructure diagram](../assets/eab-multitenant.png)
 
 The following resources are created:
+
 - GCP Project (cluster project)
 - GKE cluster(s)
 - Cloud Armor
@@ -22,10 +23,10 @@ The following resources are created:
 
 ### Running Terraform locally
 
-1. The next instructions assume that you are in the `terraform-google-enterprise-application/4-appfactory` folder.
+1. The next instructions assume that you are in the `terraform-google-enterprise-application/2-multitenant` folder.
 
    ```bash
-   cd terraform-google-enterprise-application/4-appfactory
+   cd ../2-multitenant
    ```
 
 1. Rename `terraform.example.tfvars` to `terraform.tfvars`.
@@ -40,7 +41,7 @@ on the values in the `terraform.tfvars` file. In addition to `envs` from
 prerequisites, each App must have it's own entry under `apps` with a list of any
 dedicated IP address to be provisioned.
 
-  ```
+  ```terraform
   apps = {
     "my-app" : {
       "ip_address_names" : [
@@ -58,14 +59,18 @@ You can now deploy each of your environments (e.g. production).
 1. Run `init` and `plan` and review the output.
 
    ```bash
-   terraform init -chdir=./envs/production
-   terraform plan -chdir=./envs/production
+   terraform -chdir=./envs/production init
+   terraform -chdir=./envs/production plan
    ```
 
 1. Run `apply production`.
 
    ```bash
-   terraform apply -chdir=./envs/production
+   terraform -chdir=./envs/production apply
    ```
 
-If you receive any errors or made any changes to the Terraform config or `terraform.tfvars`, re-run `terraform plan -chdir=./envs/production` before you run `terraform apply -chdir=./envs/production`.
+If you receive any errors or made any changes to the Terraform config or `terraform.tfvars`, re-run `terraform -chdir=./envs/production plan` before you run `terraform -chdir=./envs/production apply`.
+
+1. Repeat the same series of terraform commands but replace `-chdir=./envs/production` with `-chdir=./envs/nonproduction` to deploy the nonproduction environment.
+
+1. Repeat the same series of terraform commands but replace `-chdir=./envs/production` with `-chdir=./envs/development` to deploy the development environment.
diff --git a/3-fleetscope/README.md b/3-fleetscope/README.md
@@ -1,14 +1,16 @@
-# 4. Fleet Scope phase
+# 3. Fleet Scope phase
+
 The Fleet Scope phase defines the resources used to create the GKE Fleet Scopes, Fleet namespaces, and some Fleet features.
 
 ## Purpose
 
 This phase deploys the per-environment fleet resources deployed via the fleetscope infrastructure pipeline.
 
 An overview of the fleet-scope  pipeline is shown below.
-![Enterprise Application fleet-scope  diagram](assets/eab-multitenant.png)
+![Enterprise Application fleet-scope  diagram](../assets/eab-multitenant.png)
 
 The following resources are created:
+
 - Fleet scope
 - Fleet namespace
 - Cloud Source Repo
@@ -27,10 +29,10 @@ The following resources are created:
 
 ### Running Terraform locally
 
-1. The next instructions assume that you are in the `terraform-google-enterprise-application/4-fleetscope` folder.
+1. The next instructions assume that you are in the `terraform-google-enterprise-application/3-fleetscope` folder.
 
    ```bash
-   cd terraform-google-enterprise-application/4-fleetscope
+   cd ../3-fleetscope
    ```
 
 1. Rename `terraform.example.tfvars` to `terraform.tfvars`.
@@ -46,14 +48,18 @@ You can now deploy each of your environments (e.g. production).
 1. Run `init` and `plan` and review the output.
 
    ```bash
-   terraform init -chdir=./envs/production
-   terraform plan -chdir=./envs/production
+   terraform -chdir=./envs/production init
+   terraform -chdir=./envs/production plan
    ```
 
 1. Run `apply production`.
 
    ```bash
-   terraform apply -chdir=./envs/production
+   terraform -chdir=./envs/production apply
    ```
 
-If you receive any errors or made any changes to the Terraform config or `terraform.tfvars`, re-run `terraform plan -chdir=./envs/production` before you run `terraform apply -chdir=./envs/production`.
+If you receive any errors or made any changes to the Terraform config or `terraform.tfvars`, re-run `terraform -chdir=./envs/production plan` before you run `terraform -chdir=./envs/production apply`.
+
+1. Repeat the same series of terraform commands but replace `-chdir=./envs/production` with `-chdir=./envs/nonproduction` to deploy the nonproduction environment.
+
+1. Repeat the same series of terraform commands but replace `-chdir=./envs/production` with `-chdir=./envs/development` to deploy the development environment.
diff --git a/3-fleetscope/terraform.example.tfvars b/3-fleetscope/terraform.example.tfvars
@@ -14,9 +14,16 @@
  * limitations under the License.
  */
 
+fleet_project_id   = "{FLEET_PROJECT}"
 cluster_project_id = "{CLUSTER_PROJECT}"
 network_project_id = "{NETWORK_PROJECT}"
 cluster_membership_ids = [
   "//gkehub.googleapis.com/projects/{CLUSTER_PROJECT}/locations/{REGION}/memberships/{MEMBERSHIP_ID}",
   "//gkehub.googleapis.com/projects/{CLUSTER_PROJECT}/locations/{REGION}/memberships/{MEMBERSHIP_ID}",
 ]
+
+namespace_ids = {
+  "frontend"     = "[email protected]",
+  "accounts"     = "[email protected]",
+  "transactions" = "[email protected]"
+}
diff --git a/4-appfactory/README.md b/4-appfactory/README.md
@@ -1,10 +1,11 @@
 # 4. Application Factory phase
 
 ## Purpose
+
 The application factory creates application project groups, which contain resources responsible for deployment of a single application within the developer platform.
 
 An overview of the application factory pipeline is shown below.
-![Enterprise Application application factory diagram](assets/eab-app-factory.svg)
+![Enterprise Application application factory diagram](../assets/eab-app-factory.svg)
 
 The application factory creates the following resources as defined in the [`app-group-baseline`](./modules/app-group-baseline/) submodule:
 
@@ -13,6 +14,17 @@ The application factory creates the following resources as defined in the [`app-
 * **Infrastructure repository:** A Git repository containing the Terraform configuration for the application infrastructure.
 * **Application infrastucture pipeline:** A Cloud Build pipeline for deploying the application infrastructure specified as Terraform.
 
+It will also create an Application Folder to group your admin projects under it, for example:
+
+```txt
+.
+└── fldr-common/
+    ├── cymbal-bank/
+    │   ├── accounts-userservice-admin
+    │   ├── accounts-contacts-admin
+    │   ├── ledger-ledger-writer-admin
+    │   └── ...
+```
 
 ## Usage
 
@@ -21,7 +33,7 @@ The application factory creates the following resources as defined in the [`app-
 1. The next instructions assume that you are in the `terraform-google-enterprise-application/4-appfactory` folder.
 
    ```bash
-   cd terraform-google-enterprise-application/4-appfactory
+   cd ../4-appfactory
    ```
 
 1. Rename `terraform.example.tfvars` to `terraform.tfvars`.
@@ -32,19 +44,21 @@ The application factory creates the following resources as defined in the [`app-
 
 1. Update the file with values for your environment.
 
+   > TIP: To retrieve the remote state bucket variable, you can run `terraform -chdir=../1-bootstrap/ output -raw state_bucket` command.
+
 You can now deploy the into your common folder.
 
 1. Run `init` and `plan` and review the output.
 
    ```bash
-   terraform init -chdir=./apps/cymbal-bank
-   terraform plan -chdir=./apps/cymbal-bank
+   terraform -chdir=./apps/cymbal-bank init
+   terraform -chdir=./apps/cymbal-bank plan
    ```
 
 1. Run `apply`.
 
    ```bash
-   terraform apply -chdir=./apps/cymbal-bank
+   terraform -chdir=./apps/cymbal-bank apply
    ```
 
-If you receive any errors or made any changes to the Terraform config or `terraform.tfvars`, re-run `terraform plan -chdir=./apps/cymbal-bank` before you run `terraform apply -chdir=./apps/cymbal-bank`.
+If you receive any errors or made any changes to the Terraform config or `terraform.tfvars`, re-run `terraform -chdir=./apps/cymbal-bank plan` before you run `terraform -chdir=./apps/cymbal-bank apply`.
diff --git a/4-appfactory/apps/cymbal-bank/README.md b/4-appfactory/apps/cymbal-bank/README.md
@@ -6,17 +6,19 @@
 | billing\_account | Billing Account ID for application admin project resources. | `string` | n/a | yes |
 | bucket\_force\_destroy | When deleting a bucket, this boolean option will delete all contained objects. If false, Terraform will fail to delete buckets which contain objects. | `bool` | `false` | no |
 | bucket\_prefix | Name prefix to use for buckets created. | `string` | `"bkt"` | no |
-| common\_folder\_id | Folder ID in which to create all application admin projects | `string` | n/a | yes |
+| common\_folder\_id | Folder ID in which to create all application admin projects, must be prefixed with 'folders/' | `string` | n/a | yes |
 | envs | Environments | <pre>map(object({<br>    billing_account    = string<br>    folder_id          = string<br>    network_project_id = string<br>    network_self_link  = string<br>    org_id             = string<br>    subnets_self_links = list(string)<br>  }))</pre> | n/a | yes |
 | location | Location for build buckets. | `string` | `"us-central1"` | no |
 | org\_id | Google Cloud Organization ID. | `string` | n/a | yes |
+| remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
 | tf\_apply\_branches | List of git branches configured to run terraform apply Cloud Build trigger. All other branches will run plan by default. | `list(string)` | <pre>[<br>  "development",<br>  "non\\-production",<br>  "production"<br>]</pre> | no |
 | trigger\_location | Location of for Cloud Build triggers created in the workspace. If using private pools should be the same location as the pool. | `string` | `"global"` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
+| app-folders-ids | Pair of app-name and folder\_id |
 | app-group | Description on the app-group components |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/4-appfactory/apps/cymbal-bank/iam.tf b/4-appfactory/apps/cymbal-bank/iam.tf
@@ -0,0 +1,41 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  all_environments_cluster_service_accounts_iam_members = [for sa in local.cluster_service_accounts : "serviceAccount:${sa}"]
+
+  expanded_cluster_service_accounts = flatten([
+    for key in keys(local.app_services) : [
+      for sa in local.all_environments_cluster_service_accounts_iam_members : {
+        app_name          = key
+        cluster_sa_member = sa
+      }
+    ]
+  ])
+}
+
+// Assign artifactregistry reader to cluster service accounts
+// This allows docker images on application projects to be downloaded on the cluster
+resource "google_folder_iam_member" "admin" {
+  // for each app folder, create permissions for dev/non prod and prod cluster service accounts
+  for_each = tomap({
+    for app_name_sa in local.expanded_cluster_service_accounts : "${app_name_sa.app_name}.${app_name_sa.cluster_sa_member}" => app_name_sa
+  })
+
+  folder = google_folder.app_folder[each.value.app_name].name
+  role   = "roles/artifactregistry.reader"
+  member = each.value.cluster_sa_member
+}
diff --git a/4-appfactory/apps/cymbal-bank/main.tf b/4-appfactory/apps/cymbal-bank/main.tf
@@ -15,26 +15,47 @@
  */
 
 locals {
-  components = [
-    "balancereader",
-    "contacts",
-    "frontend",
-    "ledgerwriter",
-    "transactionhistory",
-    "userservice",
-  ]
+  app_services = {
+    "cymbal-bank" = [
+      "balancereader",
+      "contacts",
+      "frontend",
+      "ledgerwriter",
+      "transactionhistory",
+      "userservice",
+    ]
+  }
+
+  expanded_app_services = flatten([
+    for key, services in local.app_services : [
+      for service in services : {
+        app_name     = key
+        service_name = service
+      }
+    ]
+  ])
+}
+
+// One folder per application, will group admin/service projects under it
+resource "google_folder" "app_folder" {
+  for_each = local.app_services
+
+  display_name = each.key
+  parent       = var.common_folder_id
 }
 
 module "components" {
-  for_each = toset(local.components)
-  source   = "../../modules/app-group-baseline"
+  for_each = tomap({
+    for app_service in local.expanded_app_services : "${app_service.app_name}.${app_service.service_name}" => app_service
+  })
+  source = "../../modules/app-group-baseline"
 
-  application_name    = each.value
+  application_name    = each.value.service_name
   create_env_projects = true
 
   org_id               = var.org_id
   billing_account      = var.billing_account
-  folder_id            = var.common_folder_id
+  folder_id            = google_folder.app_folder[each.value.app_name].folder_id
   envs                 = var.envs
   bucket_prefix        = var.bucket_prefix
   location             = var.location

diff --git a/4-appfactory/apps/cymbal-bank/outputs.tf b/4-appfactory/apps/cymbal-bank/outputs.tf
@@ -30,3 +30,10 @@ output "app-group" {
     }
   }
 }
+
+output "app-folders-ids" {
+  description = "Pair of app-name and folder_id"
+  value = {
+    for k, v in google_folder.app_folder : k => v.folder_id
+  }
+}