The objective of the following instructions is to configure the infrastructure that allows CI/CD deployments using
GitLab CI/CD for the deploy of the Terraform Example Foundation stages (0-bootstrap
, 1-org
, 2-environments
, 3-networks
, 4-projects
).
This infrastructure consists in two Google Cloud Platform projects (prj-b-seed
and prj-b-cicd-wif-gl
).
It is a best practice to have two separate projects here (prj-b-seed
and prj-b-cicd-wif-gl
) for separation of concerns.
On one hand, prj-b-seed
stores terraform state and has the Service Accounts able to create / modify infrastructure.
On the other hand, the authentication infrastructure using Workload identity federation is implemented in prj-b-cicd-wif-gl
.
To run the instructions described in this document, install the following:
- Google Cloud SDK version 393.0.0 or later
- terraform-tools component
- Git version 2.28.0 or later
- Terraform version 1.3.0 or later
- jq version 1.6 or later.
Also make sure that you have the following:
- A GitLab account for your User or Group.
- A private GitLab project (repository) for each one of the stages of Foundation and one for the GitLab runner Image:
- Bootstrap
- Organization
- Environments
- Networks
- Projects
- CI/CD Runner
- A Personal access token or a Group access token configured with the following scopes:
- api
- read_api
- create_runner
- read_repository
- write_repository
- read_registry
- write_registry
- A Google Cloud organization.
- A Google Cloud billing account.
- Cloud Identity or Google Workspace groups for organization and billing admins.
- For the user who will run the procedures in this document, grant the following roles:
- The
roles/resourcemanager.organizationAdmin
role on the Google Cloud organization. - The
roles/orgpolicy.policyAdmin
role on the Google Cloud organization. - The
roles/resourcemanager.projectCreator
role on the Google Cloud organization. - The
roles/billing.admin
role on the billing account. - The
roles/resourcemanager.folderCreator
role.
- The
-
Clone terraform-example-foundation into your local environment.
git clone https://github.com/terraform-google-modules/terraform-example-foundation.git
-
The instructions described in this document require that the branches used in the Terraform Example Foundation deploy to exist and to be protected. Follow the instructions on this section to create all the branches.
-
Clone all the private projects you created at the same level of the
terraform-example-foundation
folder. You must have SSH keys configured with GitLab for authentication.git clone [email protected]:<GITLAB-OWNER>/<GITLAB-BOOTSTRAP-REPO>.git gcp-bootstrap
git clone [email protected]:<GITLAB-OWNER>/<GITLAB-ORGANIZATION-REPO>.git gcp-org
git clone [email protected]:<GITLAB-OWNER>/<GITLAB-ENVIRONMENTS-REPO>.git gcp-environments
git clone [email protected]:<GITLAB-OWNER>/<GITLAB-NETWORKS-REPO>.git gcp-networks
git clone [email protected]:<GITLAB-OWNER>/<GITLAB-PROJECTS-REPO>.git gcp-projects
git clone [email protected]:<GITLAB-OWNER>/<GITLAB-RUNNER-REPO>.git gcp-cicd-runner
-
The layout should be:
gcp-bootstrap/ gcp-cicd-runner/ gcp-environments/ gcp-networks/ gcp-org/ gcp-projects/ terraform-example-foundation/
-
The following branches must be created in your git projects .
- CI/CD Runner:
image
- Bootstrap:
plan
andproduction
- Organization:
plan
andproduction
- Environments:
plan
,development
,nonproduction
, andproduction
- Networks:
plan
,development
,nonproduction
, andproduction
- Projects:
plan
,development
,nonproduction
, andproduction
- CI/CD Runner:
-
These branches must not be empty, so that they can be the target branch of a merge request. Run the
0-bootstrap/scripts/git_create_branches_helper.sh
script to create these branches with a seed file for each repository automatically../terraform-example-foundation/0-bootstrap/scripts/git_create_branches_helper.sh GITLAB
-
The script will output logs related to the branches creation in the console and it will output the message
"Branch creation and push completed for all repositories"
at the end of the script execution. -
Terraform configuration on stage
0-bootstrap
will make these branches protected
-
Navigate into CI/CD runner the repo. All subsequent steps assume you are running them from the
gcp-cicd-runner
directory. If you run them from another directory, adjust your copy paths accordingly.cd gcp-cicd-runner
-
Checkout branch
image
. It will contain the Docker image used in the GitLab Pipelines.git checkout image
-
Copy contents of foundation to cloned project (modify accordingly based on your current directory).
cp ../terraform-example-foundation/build/gitlab-ci.yml ./.gitlab-ci.yml cp ../terraform-example-foundation/0-bootstrap/Dockerfile ./Dockerfile
-
Save the CI/CD runner configuration to
gcp-cicd-runner
GitLab project:git add . git commit -m 'Initialize CI/CD runner project' git push
-
Review the CI/CD Job output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-RUNNER-REPO/-/jobs under name
build-image
. -
If the CI/CD Job is successful proceed with the next steps.
- Go to https://gitlab.com/GITLAB-OWNER/GITLAB-RUNNER-REPO/-/settings/ci_cd#js-token-access
- Add all the repositories: Bootstrap, Organization, Environments, Networks, and Projects to the allow list tha allow access to the CI/CD runner image.
- In "Allow CI job tokens from the following projects to access this project" add the other projects/repositories. Format is /
-
Navigate into the Bootstrap repo. All subsequent steps assume you are running them from the
gcp-bootstrap
directory. If you run them from another directory, adjust your copy paths accordingly.cd gcp-bootstrap
-
change to a nonproduction branch.
git checkout plan
-
Copy contents of foundation to cloned project (modify accordingly based on your current directory).
mkdir -p envs/shared cp -RT ../terraform-example-foundation/0-bootstrap/ ./envs/shared cp -RT ../terraform-example-foundation/policy-library/ ./policy-library cp ../terraform-example-foundation/build/gitlab-ci.yml ./.gitlab-ci.yml cp ../terraform-example-foundation/build/run_gcp_auth.sh . cp ../terraform-example-foundation/build/tf-wrapper.sh . chmod 755 ./*.sh cd ./envs/shared
-
In the versions file
./versions.tf
un-comment thegitlab
required provider -
In the variables file
./variables.tf
un-comment variables in the sectionSpecific to gitlab_bootstrap
-
In the outputs file
./outputs.tf
Comment-out outputs in the sectionSpecific to cloudbuild_module
-
In the outputs file
./outputs.tf
un-comment outputs in the sectionSpecific to gitlab_bootstrap
-
Rename file
./cb.tf
to./cb.tf.example
mv ./cb.tf ./cb.tf.example
-
Rename file
./gitlab.tf.example
to./gitlab.tf
mv ./gitlab.tf.example ./gitlab.tf
-
Rename file
terraform.example.tfvars
toterraform.tfvars
mv ./terraform.example.tfvars ./terraform.tfvars
-
Update the file
terraform.tfvars
with values from your Google Cloud environment -
Update the file
terraform.tfvars
with values from your GitLab projects -
To prevent saving the
gitlab_token
in plain text in theterraform.tfvars
file, export the GitLab personal or group access token as an environment variable:export TF_VAR_gitlab_token="YOUR-PERSONAL-OR-GROUP-ACCESS-TOKEN"
-
Use the helper script validate-requirements.sh to validate your environment:
../../../terraform-example-foundation/scripts/validate-requirements.sh -o <ORGANIZATION_ID> -b <BILLING_ACCOUNT_ID> -u <END_USER_EMAIL> -e
Note: The script is not able to validate if the user is in a Cloud Identity or Google Workspace group with the required roles.
-
Run
terraform init
andterraform plan
and review the output.terraform init terraform plan -input=false -out bootstrap.tfplan
-
To validate your policies, run
gcloud beta terraform vet
. For installation instructions, see Validate policies instructions for the Google Cloud CLI. -
Run the following commands and check for violations:
export VET_PROJECT_ID=A-VALID-PROJECT-ID terraform show -json bootstrap.tfplan > bootstrap.json gcloud beta terraform vet bootstrap.json --policy-library="../../policy-library" --project ${VET_PROJECT_ID}
A-VALID-PROJECT-ID
must be an existing project you have access to. This is necessary becausegcloud beta terraform vet
needs to link resources to a valid Google Cloud Platform project. -
No violations and an output with
done
means the validation was successful. -
Run
terraform apply
.terraform apply bootstrap.tfplan
-
Run
terraform output
to get the email address of the terraform service accounts that will be used to run manual steps forshared
environments in steps3-networks-dual-svpc
,3-networks-hub-and-spoke
, and4-projects
.export network_step_sa=$(terraform output -raw networks_step_terraform_service_account_email) export projects_step_sa=$(terraform output -raw projects_step_terraform_service_account_email) echo "network step service account = ${network_step_sa}" echo "projects step service account = ${projects_step_sa}"
-
Run
terraform output
to get the ID of your CI/CD project:export cicd_project_id=$(terraform output -raw cicd_project_id) echo "CI/CD Project ID = ${cicd_project_id}"
-
Copy the backend and update
backend.tf
with the name of your Google Cloud Storage bucket for Terraform's state. Also update thebackend.tf
of all steps.export backend_bucket=$(terraform output -raw gcs_bucket_tfstate) echo "backend_bucket = ${backend_bucket}" cp backend.tf.example backend.tf cd ../../../ for i in `find . -name 'backend.tf'`; do sed -i'' -e "s/UPDATE_ME/${backend_bucket}/" $i; done for i in `find . -name 'backend.tf'`; do sed -i'' -e "s/UPDATE_PROJECTS_BACKEND/${backend_bucket}/" $i; done cd gcp-bootstrap/envs/shared
-
Re-run
terraform init
. When you're prompted, agree to copy Terraform state to Cloud Storage.terraform init
-
(Optional) Run
terraform plan
to verify that state is configured correctly. You should see no changes from the previous state. -
Save the Terraform configuration to
gcp-bootstrap
GitLab project:cd ../.. git add . git commit -m 'Initialize bootstrap project' git push
-
Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-BOOTSTRAP-REPO/-/merge_requests?scope=all&state=opened from the
plan
branch to theproduction
branch and review the output. -
The merge request will trigger a GitLab pipelines that will run Terraform
init
/plan
/validate
in theproduction
environment. -
Review the GitLab pipelines output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-BOOTSTRAP-REPO/-/pipelines.
-
If the GitLab pipelines is successful, merge the merge request in to the
production
branch. -
The merge will trigger a GitLab pipelines that will apply the terraform configuration for the
production
environment. -
Review merge output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-BOOTSTRAP-REPO/-/pipelines under
tf-apply
. -
If the GitLab pipelines is successful, apply the next environment.
-
Before moving to the next step, go back to the parent directory.
cd ..
Note 1: The stages after 0-bootstrap
use terraform_remote_state
data source to read common configuration like the organization ID from the output of the 0-bootstrap
stage.
They will fail if the state is not copied to the Cloud Storage bucket.
Note 2: After the deploy, to prevent the project quota error described in the Troubleshooting guide, we recommend that you request 50 additional projects for the projects step service account created in this step.
Note 3: In case GitLab variables are not being created on GitLab projects, it may be related to the existence of an Access Token in both User/Group profile and in the repo settings. The deploy will fail.
Note 4: If the GitLab pipelines fail in 0-bootstrap or next steps with access denied in the runner image, you may need to add all projects to the Token Access allow list in the CI/CD Runner repository.
-
Navigate into the repo. All subsequent steps assume you are running them from the
gcp-org
directory. If you run them from another directory, adjust your copy paths accordingly.cd gcp-org
-
change to a nonproduction branch.
git checkout plan
-
Copy contents of foundation to new repo.
cp -RT ../terraform-example-foundation/1-org/ . cp -RT ../terraform-example-foundation/policy-library/ ./policy-library cp ../terraform-example-foundation/build/gitlab-ci.yml ./.gitlab-ci.yml cp ../terraform-example-foundation/build/run_gcp_auth.sh . cp ../terraform-example-foundation/build/tf-wrapper.sh . chmod 755 ./*.sh
-
Rename
./envs/shared/terraform.example.tfvars
to./envs/shared/terraform.tfvars
mv ./envs/shared/terraform.example.tfvars ./envs/shared/terraform.tfvars
-
Update the file
envs/shared/terraform.tfvars
with values from your GCP environment. See the shared folder README.md for additional information on the values in theterraform.tfvars
file. -
Un-comment the variable
create_access_context_manager_access_policy = false
if your organization already has an Access Context Manager Policy.export ORGANIZATION_ID=$(terraform -chdir="../gcp-bootstrap/envs/shared" output -json common_config | jq '.org_id' --raw-output) export ACCESS_CONTEXT_MANAGER_ID=$(gcloud access-context-manager policies list --organization ${ORGANIZATION_ID} --format="value(name)") echo "access_context_manager_policy_id = ${ACCESS_CONTEXT_MANAGER_ID}" if [ ! -z "${ACCESS_CONTEXT_MANAGER_ID}" ]; then sed -i'' -e "s=//create_access_context_manager_access_policy=create_access_context_manager_access_policy=" ./envs/shared/terraform.tfvars; fi
-
Update the
remote_state_bucket
variable with the backend bucket from step Bootstrap.export backend_bucket=$(terraform -chdir="../gcp-bootstrap/envs/shared" output -raw gcs_bucket_tfstate) echo "remote_state_bucket = ${backend_bucket}" sed -i'' -e "s/REMOTE_STATE_BUCKET/${backend_bucket}/" ./envs/shared/terraform.tfvars
-
Check if a Security Command Center Notification with the default name, scc-notify, already exists in your organization.
export ORG_STEP_SA=$(terraform -chdir="../gcp-bootstrap/envs/shared" output -raw organization_step_terraform_service_account_email) gcloud scc notifications describe "scc-notify" --format="value(name)" --organization=${ORGANIZATION_ID} --impersonate-service-account=${ORG_STEP_SA}
-
If the notification exists the output will be:
organizations/ORGANIZATION_ID/notificationConfigs/scc-notify
-
If the notification does not exist the output will be:
ERROR: (gcloud.scc.notifications.describe) NOT_FOUND: Requested entity was not found.
-
If the notification exists, choose a different value for the
scc_notification_name
variable in the./envs/shared/terraform.tfvars
file. -
Commit changes and Push your plan branch.
git add . git commit -m 'Initialize org repo' git push
-
Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-ORGANIZATION-REPO/-/merge_requests?scope=all&state=opened from the
plan
branch to theproduction
branch and review the output. -
The merge request will trigger a GitLab pipelines that will run Terraform
init
/plan
/validate
in theproduction
environment. -
Review the GitLab pipelines output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-ORGANIZATION-REPO/-/pipelines.
-
If the GitLab pipelines is successful, merge the merge request in to the
production
branch. -
The merge will trigger a GitLab pipelines that will apply the terraform configuration for the
production
environment. -
Review merge output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-ORGANIZATION-REPO/-/pipelines under
tf-apply
. -
If the GitLab pipelines is successful, apply the next environment.
-
Before moving to the next step, go back to the parent directory.
cd ..
-
Navigate into the repo. All subsequent steps assume you are running them from the
gcp-environments
directory. If you run them from another directory, adjust your copy paths accordingly.cd gcp-environments
-
change to a nonproduction branch.
git checkout plan
-
Copy contents of foundation to new repo.
cp -RT ../terraform-example-foundation/2-environments/ . cp -RT ../terraform-example-foundation/policy-library/ ./policy-library cp ../terraform-example-foundation/build/gitlab-ci.yml ./.gitlab-ci.yml cp ../terraform-example-foundation/build/run_gcp_auth.sh . cp ../terraform-example-foundation/build/tf-wrapper.sh . chmod 755 ./*.sh
-
Rename
terraform.example.tfvars
toterraform.tfvars
.mv terraform.example.tfvars terraform.tfvars
-
Update the file with values from your GCP environment. See any of the envs folder README.md files for additional information on the values in the
terraform.tfvars
file. -
Update the
remote_state_bucket
variable with the backend bucket from step Bootstrap.export backend_bucket=$(terraform -chdir="../gcp-bootstrap/envs/shared" output -raw gcs_bucket_tfstate) echo "remote_state_bucket = ${backend_bucket}" sed -i'' -e "s/REMOTE_STATE_BUCKET/${backend_bucket}/" terraform.tfvars
-
Commit changes and push your plan branch.
git add . git commit -m 'Initialize environments repo' git push
-
Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-ENVIRONMENTS-REPO/-/merge_requests?scope=all&state=opened from the
plan
branch to thedevelopment
branch and review the output. -
The merge request will trigger a GitLab pipelines that will run Terraform
init
/plan
/validate
in thedevelopment
environment. -
Review the GitLab pipelines output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-ENVIRONMENTS-REPO/-/pipelines.
-
If the GitLab pipelines is successful, merge the merge request in to the
development
branch. -
The merge will trigger a GitLab pipelines that will apply the terraform configuration for the
development
environment. -
Review merge output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-ENVIRONMENTS-REPO/-/pipelines under
tf-apply
. -
If the GitLab pipelines is successful, apply the next environment.
-
Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-ENVIRONMENTS-REPO/-/merge_requests?scope=all&state=opened from the
development
branch to thenonproduction
branch and review the output. -
The merge request will trigger a GitLab pipelines that will run Terraform
init
/plan
/validate
in thenonproduction
environment. -
Review the GitLab pipelines output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-ENVIRONMENTS-REPO/-/pipelines.
-
If the GitLab pipelines is successful, merge the merge request in to the
nonproduction
branch. -
The merge will trigger a GitLab pipelines that will apply the terraform configuration for the
nonproduction
environment. -
Review merge output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-ENVIRONMENTS-REPO/-/pipelines under
tf-apply
. -
If the GitLab pipelines is successful, apply the next environment.
-
Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-ENVIRONMENTS-REPO/-/merge_requests?scope=all&state=opened from the
nonproduction
branch to theproduction
branch and review the output. -
The merge request will trigger a GitLab pipelines that will run Terraform
init
/plan
/validate
in theproduction
environment. -
Review the GitLab pipelines output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-ENVIRONMENTS-REPO/-/pipelines.
-
If the GitLab pipelines is successful, merge the merge request in to the
production
branch. -
The merge will trigger a GitLab pipelines that will apply the terraform configuration for the
production
environment. -
Review merge output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-ENVIRONMENTS-REPO/-/pipelines under
tf-apply
. -
Before moving to the next step, go back to the parent directory.
cd ..
-
You can now move to the instructions in the network stage. To use the Dual Shared VPC network mode go to Deploying step 3-networks-dual-svpc, or go to Deploying step 3-networks-hub-and-spoke to use the Hub and Spoke network mode.
-
Navigate into the repo. All subsequent steps assume you are running them from the
gcp-networks
directory. If you run them from another directory, adjust your copy paths accordingly.cd gcp-networks
-
change to a nonproduction branch.
git checkout plan
-
Copy contents of foundation to new repo.
cp -RT ../terraform-example-foundation/3-networks-dual-svpc/ . cp -RT ../terraform-example-foundation/policy-library/ ./policy-library cp ../terraform-example-foundation/build/gitlab-ci.yml ./.gitlab-ci.yml cp ../terraform-example-foundation/build/run_gcp_auth.sh . cp ../terraform-example-foundation/build/tf-wrapper.sh . chmod 755 ./*.sh
-
Rename
common.auto.example.tfvars
tocommon.auto.tfvars
, renameshared.auto.example.tfvars
toshared.auto.tfvars
and renameaccess_context.auto.example.tfvars
toaccess_context.auto.tfvars
.mv common.auto.example.tfvars common.auto.tfvars mv shared.auto.example.tfvars shared.auto.tfvars mv access_context.auto.example.tfvars access_context.auto.tfvars
-
Update the file
shared.auto.tfvars
with the values for thetarget_name_server_addresses
. -
Update the file
access_context.auto.tfvars
with the organization'saccess_context_manager_policy_id
.export ORGANIZATION_ID=$(terraform -chdir="../gcp-bootstrap/envs/shared/" output -json common_config | jq '.org_id' --raw-output) export ACCESS_CONTEXT_MANAGER_ID=$(gcloud access-context-manager policies list --organization ${ORGANIZATION_ID} --format="value(name)") echo "access_context_manager_policy_id = ${ACCESS_CONTEXT_MANAGER_ID}" sed -i'' -e "s/ACCESS_CONTEXT_MANAGER_ID/${ACCESS_CONTEXT_MANAGER_ID}/" ./access_context.auto.tfvars
-
Update
common.auto.tfvars
file with values from your GCP environment. See any of the envs folder README.md files for additional information on the values in thecommon.auto.tfvars
file. -
You must add your user email in the variable
perimeter_additional_members
to be able to see the resources created in the restricted project. -
Update the
remote_state_bucket
variable with the backend bucket from step Bootstrap in thecommon.auto.tfvars
file.export backend_bucket=$(terraform -chdir="../gcp-bootstrap/envs/shared/" output -raw gcs_bucket_tfstate) echo "remote_state_bucket = ${backend_bucket}" sed -i'' -e "s/REMOTE_STATE_BUCKET/${backend_bucket}/" ./common.auto.tfvars
-
Commit changes
git add . git commit -m 'Initialize networks repo'
-
You must manually plan and apply the
shared
environment (only once) since thedevelopment
,nonproduction
andproduction
environments depend on it. -
Use
terraform output
to get the CI/CD project ID and the networks step Terraform Service Account from gcp-bootstrap output. -
The CI/CD project ID will be used in the validation of the Terraform configuration
export CICD_PROJECT_ID=$(terraform -chdir="../gcp-bootstrap/envs/shared/" output -raw cicd_project_id) echo ${CICD_PROJECT_ID}
-
The networks step Terraform Service Account will be used for Service Account impersonation in the following steps. An environment variable
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
will be set with the Terraform Service Account to enable impersonation.export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../gcp-bootstrap/envs/shared/" output -raw networks_step_terraform_service_account_email) echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT}
-
Run
init
andplan
and review output for environment shared../tf-wrapper.sh init shared ./tf-wrapper.sh plan shared
-
To use the
validate
option of thetf-wrapper.sh
script, please follow the instructions to install the terraform-tools component. -
Run
validate
and check for violations../tf-wrapper.sh validate shared $(pwd)/policy-library ${CICD_PROJECT_ID}
-
Run
apply
shared../tf-wrapper.sh apply shared
-
Push your plan branch.
git push
-
Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/merge_requests?scope=all&state=opened from the
plan
branch to thedevelopment
branch and review the output. -
The merge request will trigger a GitLab pipelines that will run Terraform
init
/plan
/validate
in thedevelopment
environment. -
Review the GitLab pipelines output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/pipelines.
-
If the GitLab pipelines is successful, merge the merge request in to the
development
branch. -
The merge will trigger a GitLab pipelines that will apply the terraform configuration for the
development
environment. -
Review merge output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/pipelines under
tf-apply
. -
If the GitLab pipelines is successful, apply the next environment.
-
Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/merge_requests?scope=all&state=opened from the
development
branch to thenonproduction
branch and review the output. -
The merge request will trigger a GitLab pipelines that will run Terraform
init
/plan
/validate
in thenonproduction
environment. -
Review the GitLab pipelines output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/pipelines.
-
If the GitLab pipelines is successful, merge the merge request in to the
nonproduction
branch. -
The merge will trigger a GitLab pipelines that will apply the terraform configuration for the
nonproduction
environment. -
Review merge output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/pipelines under
tf-apply
. -
If the GitLab pipelines is successful, apply the next environment.
-
Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/merge_requests?scope=all&state=opened from the
nonproduction
branch to theproduction
branch and review the output. -
The merge request will trigger a GitLab pipelines that will run Terraform
init
/plan
/validate
in theproduction
environment. -
Review the GitLab pipelines output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/pipelines.
-
If the GitLab pipelines is successful, merge the merge request in to the
production
branch. -
The merge will trigger a GitLab pipelines that will apply the terraform configuration for the
production
environment. -
Review merge output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/pipelines under
tf-apply
. -
Before executing the next steps, unset the
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
environment variable.unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
-
Before moving to the next step, go back to the parent directory.
cd ..
-
You can now move to the instructions in the 4-projects stage.
-
Navigate into the repo. All subsequent steps assume you are running them from the
gcp-networks
directory. If you run them from another directory, adjust your copy paths accordingly.cd gcp-networks
-
change to a nonproduction branch.
git checkout plan
-
Copy contents of foundation to new repo.
cp -RT ../terraform-example-foundation/3-networks-hub-and-spoke/ . cp -RT ../terraform-example-foundation/policy-library/ ./policy-library cp ../terraform-example-foundation/build/gitlab-ci.yml ./.gitlab-ci.yml cp ../terraform-example-foundation/build/run_gcp_auth.sh . cp ../terraform-example-foundation/build/tf-wrapper.sh . chmod 755 ./*.sh
-
Rename
common.auto.example.tfvars
tocommon.auto.tfvars
, renameshared.auto.example.tfvars
toshared.auto.tfvars
and renameaccess_context.auto.example.tfvars
toaccess_context.auto.tfvars
.mv common.auto.example.tfvars common.auto.tfvars mv shared.auto.example.tfvars shared.auto.tfvars mv access_context.auto.example.tfvars access_context.auto.tfvars
-
Update
common.auto.tfvars
file with values from your GCP environment. See any of the envs folder README.md files for additional information on the values in thecommon.auto.tfvars
file. -
You must add your user email in the variable
perimeter_additional_members
to be able to see the resources created in the restricted project. -
Update the
remote_state_bucket
variable with the backend bucket from step Bootstrap in thecommon.auto.tfvars
file.export backend_bucket=$(terraform -chdir="../gcp-bootstrap/envs/shared/" output -raw gcs_bucket_tfstate) echo "remote_state_bucket = ${backend_bucket}" sed -i'' -e "s/REMOTE_STATE_BUCKET/${backend_bucket}/" ./common.auto.tfvars
-
Commit changes
git add . git commit -m 'Initialize networks repo'
-
You must manually plan and apply the
shared
environment (only once) since thedevelopment
,nonproduction
andproduction
environments depend on it. -
Use
terraform output
to get the CI/CD project ID and the networks step Terraform Service Account from gcp-bootstrap output. -
The CI/CD project ID will be used in the validation of the Terraform configuration
export CICD_PROJECT_ID=$(terraform -chdir="../gcp-bootstrap/envs/shared/" output -raw cicd_project_id) echo ${CICD_PROJECT_ID}
-
The networks step Terraform Service Account will be used for Service Account impersonation in the following steps. An environment variable
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
will be set with the Terraform Service Account to enable impersonation.export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../gcp-bootstrap/envs/shared/" output -raw networks_step_terraform_service_account_email) echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT}
-
Run
init
andplan
and review output for environment shared../tf-wrapper.sh init shared ./tf-wrapper.sh plan shared
-
To use the
validate
option of thetf-wrapper.sh
script, please follow the instructions to install the terraform-tools component. -
Run
validate
and check for violations../tf-wrapper.sh validate shared $(pwd)/policy-library ${CICD_PROJECT_ID}
-
Run
apply
shared../tf-wrapper.sh apply shared
-
Push your plan branch.
git push
-
Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/merge_requests?scope=all&state=opened from the
plan
branch to thedevelopment
branch and review the output. -
The merge request will trigger a GitLab pipelines that will run Terraform
init
/plan
/validate
in thedevelopment
environment. -
Review the GitLab pipelines output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/pipelines.
-
If the GitLab pipelines is successful, merge the merge request in to the
development
branch. -
The merge will trigger a GitLab pipelines that will apply the terraform configuration for the
development
environment. -
Review merge output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/pipelines under
tf-apply
. -
If the GitLab pipelines is successful, apply the next environment.
-
Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/merge_requests?scope=all&state=opened from the
development
branch to thenonproduction
branch and review the output. -
The merge request will trigger a GitLab pipelines that will run Terraform
init
/plan
/validate
in thenonproduction
environment. -
Review the GitLab pipelines output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/pipelines.
-
If the GitLab pipelines is successful, merge the merge request in to the
nonproduction
branch. -
The merge will trigger a GitLab pipelines that will apply the terraform configuration for the
nonproduction
environment. -
Review merge output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/pipelines under
tf-apply
. -
If the GitLab pipelines is successful, apply the next environment.
-
Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/merge_requests?scope=all&state=opened from the
nonproduction
branch to theproduction
branch and review the output. -
The merge request will trigger a GitLab pipelines that will run Terraform
init
/plan
/validate
in theproduction
environment. -
Review the GitLab pipelines output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/pipelines.
-
If the GitLab pipelines is successful, merge the merge request in to the
production
branch. -
The merge will trigger a GitLab pipelines that will apply the terraform configuration for the
production
environment. -
Review merge output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-NETWORKS-REPO/-/pipelines under
tf-apply
. -
Before executing the next steps, unset the
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
environment variable.unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
-
Before moving to the next step, go back to the parent directory.
cd ..
-
You can now move to the instructions in the 4-projects stage.
-
Navigate into the repo. All subsequent steps assume you are running them from the
gcp-projects
directory. If you run them from another directory, adjust your copy paths accordingly.cd gcp-projects
-
change to a nonproduction branch.
git checkout plan
-
Copy contents of foundation to new repo.
cp -RT ../terraform-example-foundation/4-projects/ . cp -RT ../terraform-example-foundation/policy-library/ ./policy-library cp ../terraform-example-foundation/build/gitlab-ci.yml ./.gitlab-ci.yml cp ../terraform-example-foundation/build/run_gcp_auth.sh . cp ../terraform-example-foundation/build/tf-wrapper.sh . chmod 755 ./*.sh
-
Rename
auto.example.tfvars
files toauto.tfvars
.mv common.auto.example.tfvars common.auto.tfvars mv shared.auto.example.tfvars shared.auto.tfvars mv development.auto.example.tfvars development.auto.tfvars mv nonproduction.auto.example.tfvars nonproduction.auto.tfvars mv production.auto.example.tfvars production.auto.tfvars
-
See any of the envs folder README.md files for additional information on the values in the
common.auto.tfvars
,development.auto.tfvars
,nonproduction.auto.tfvars
, andproduction.auto.tfvars
files. -
See any of the shared folder README.md files for additional information on the values in the
shared.auto.tfvars
file. -
Use
terraform output
to get the backend bucket value from bootstrap output.export remote_state_bucket=$(terraform -chdir="../gcp-bootstrap/envs/shared/" output -raw gcs_bucket_tfstate) echo "remote_state_bucket = ${remote_state_bucket}" sed -i'' -e "s/REMOTE_STATE_BUCKET/${remote_state_bucket}/" ./common.auto.tfvars
-
(Optional) If you want additional subfolders for separate business units or entities, make additional copies of the folder
business_unit_1
and modify any values that vary across business unit likebusiness_code
,business_unit
, orsubnet_ip_range
.
For example, to create a new business unit similar to business_unit_1, run the following:
#copy the business_unit_1 folder and it's contents to a new folder business_unit_2
cp -r business_unit_1 business_unit_2
# search all files under the folder `business_unit_2` and replace strings for business_unit_1 with strings for business_unit_2
grep -rl bu1 business_unit_2/ | xargs sed -i 's/bu1/bu2/g'
grep -rl business_unit_1 business_unit_2/ | xargs sed -i 's/business_unit_1/business_unit_2/g'
-
Commit changes.
git add . git commit -m 'Initialize projects repo'
-
You need to manually plan and apply only once the
business_unit_1/shared
andbusiness_unit_2/shared
environments sincedevelopment
,nonproduction
, andproduction
depend on them. -
Use
terraform output
to get the CI/CD project ID and the projects step Terraform Service Account from gcp-bootstrap output. -
The CI/CD project ID will be used in the validation of the Terraform configuration
export CICD_PROJECT_ID=$(terraform -chdir="../gcp-bootstrap/envs/shared/" output -raw cicd_project_id) echo ${CICD_PROJECT_ID}
-
The projects step Terraform Service Account will be used for Service Account impersonation in the following steps. An environment variable
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
will be set with the Terraform Service Account to enable impersonation.export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../gcp-bootstrap/envs/shared/" output -raw projects_step_terraform_service_account_email) echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT}
-
Run
init
andplan
and review output for environment shared../tf-wrapper.sh init shared ./tf-wrapper.sh plan shared
-
To use the
validate
option of thetf-wrapper.sh
script, please follow the instructions to install the terraform-tools component. -
Run
validate
and check for violations../tf-wrapper.sh validate shared $(pwd)/policy-library ${CICD_PROJECT_ID}
-
Run
apply
shared../tf-wrapper.sh apply shared
-
Push your plan branch.
git push
-
Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-PROJECTS-REPO/-/merge_requests?scope=all&state=opened from the
plan
branch to thedevelopment
branch and review the output. -
The merge request will trigger a GitLab pipelines that will run Terraform
init
/plan
/validate
in thedevelopment
environment. -
Review the GitLab pipelines output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-PROJECTS-REPO/-/pipelines.
-
If the GitLab pipelines is successful, merge the merge request in to the
development
branch. -
The merge will trigger a GitLab pipelines that will apply the terraform configuration for the
development
environment. -
Review merge output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-PROJECTS-REPO/-/pipelines under
tf-apply
. -
If the GitLab pipelines is successful, apply the next environment.
-
Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-PROJECTS-REPO/-/merge_requests?scope=all&state=opened from the
development
branch to thenonproduction
branch and review the output. -
The merge request will trigger a GitLab pipelines that will run Terraform
init
/plan
/validate
in thenonproduction
environment. -
Review the GitLab pipelines output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-PROJECTS-REPO/-/pipelines.
-
If the GitLab pipelines is successful, merge the merge request in to the
nonproduction
branch. -
The merge will trigger a GitLab pipelines that will apply the terraform configuration for the
nonproduction
environment. -
Review merge output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-PROJECTS-REPO/-/pipelines under
tf-apply
. -
If the GitLab pipelines is successful, apply the next environment.
-
Open a merge request in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-PROJECTS-REPO/-/merge_requests?scope=all&state=opened from the
nonproduction
branch to theproduction
branch and review the output. -
The merge request will trigger a GitLab pipelines that will run Terraform
init
/plan
/validate
in theproduction
environment. -
Review the GitLab pipelines output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-PROJECTS-REPO/-/pipelines.
-
If the GitLab pipelines is successful, merge the merge request in to the
production
branch. -
The merge will trigger a GitLab pipelines that will apply the terraform configuration for the
production
environment. -
Review merge output in GitLab https://gitlab.com/GITLAB-OWNER/GITLAB-PROJECTS-REPO/-/pipelines under
tf-apply
. -
Unset the
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
environment variable.unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT