Helper tool to deploy the Terraform example foundation using Cloud Build and Cloud Source repositories.
- Go 1.22 or later
- Google Cloud SDK version 393.0.0 or later
- Git version 2.28.0 or later
- Terraform version 1.5.7 or later
- See the 0-bootstrap README for additional IAM requirements on the user deploying the Foundation.
- To enable Security Command Center, choose a Security Command Center tier and create and grant permissions for the Security Command Center service account as described in Setting up Security Command Center.
Your environment needs to use the same Terraform version used on the build pipeline. Otherwise, you might experience Terraform state snapshot lock errors.

Version 1.5.7 is the last version before the license model change. To use a later version of Terraform, ensure that the Terraform version used on the operating system to manually execute part of the steps in 3-networks and 4-projects is the same version configured in the following files:

- 0-bootstrap/modules/jenkins-agent/variables.tf: `default = "1.5.7"`
- 0-bootstrap/cb.tf: `terraform_version = "1.5.7"`
- scripts/validate-requirements.sh: `TF_VERSION="1.5.7"`
- build/github-tf-apply.yaml: `terraform_version: '1.5.7'`
- github-tf-pull-request.yaml: `terraform_version: "1.5.7"`
- 0-bootstrap/Dockerfile: `ARG TERRAFORM_VERSION=1.5.7`
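A small check for the version-drift problem described above, added here as an example (it is not part of the terraform-example-foundation repository): it reads the pin in each of the six files and fails if any of them differs from the Terraform version you run locally. It assumes github-tf-pull-request.yaml sits next to github-tf-apply.yaml under build/, and the sample tree it builds is constructed, not a real checkout.

```shell
#!/usr/bin/env sh
# Added example (not part of terraform-example-foundation): confirm that
# every file pinning the Terraform version agrees with one expected version.
# build/github-tf-pull-request.yaml is assumed to sit beside github-tf-apply.yaml.

# Print "<path> <version>" for each pinned file under repo root $1.
pinned_tf_versions() {
  root="$1"
  for f in 0-bootstrap/modules/jenkins-agent/variables.tf 0-bootstrap/cb.tf \
           scripts/validate-requirements.sh build/github-tf-apply.yaml \
           build/github-tf-pull-request.yaml 0-bootstrap/Dockerfile; do
    # Keep only lines carrying a version key, then the first x.y.z on them.
    v=$(grep -E 'default|terraform_version|TF_VERSION|TERRAFORM_VERSION' \
          "$root/$f" 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
    printf '%s %s\n' "$f" "${v:-MISSING}"
  done
}

# Succeed only when every pin equals $2; list the offenders on stderr otherwise.
check_tf_pins() {
  bad=$(pinned_tf_versions "$1" | awk -v want="$2" '$2 != want')
  if [ -n "$bad" ]; then
    printf 'Terraform pin mismatch (want %s):\n%s\n' "$2" "$bad" >&2
    return 1
  fi
}

# Version of the terraform binary on PATH, e.g. "1.5.7" from "Terraform v1.5.7".
local_tf_version() {
  terraform -version | head -n1 | grep -oE '[0-9]+\.[0-9]+\.[0-9]+'
}

# Constructed sample tree (not a real checkout) so the check can be tried offline.
make_sample_repo() {
  d=$(mktemp -d)
  mkdir -p "$d/0-bootstrap/modules/jenkins-agent" "$d/scripts" "$d/build"
  echo 'default = "1.5.7"' > "$d/0-bootstrap/modules/jenkins-agent/variables.tf"
  echo 'terraform_version = "1.5.7"' > "$d/0-bootstrap/cb.tf"
  echo 'TF_VERSION="1.5.7"' > "$d/scripts/validate-requirements.sh"
  echo "terraform_version: '1.5.7'" > "$d/build/github-tf-apply.yaml"
  echo 'terraform_version: "1.5.7"' > "$d/build/github-tf-pull-request.yaml"
  echo 'ARG TERRAFORM_VERSION=1.5.7' > "$d/0-bootstrap/Dockerfile"
  echo "$d"
}

# Usage: sh check-tf-pins.sh <repo-root> [version]; version defaults to the local binary.
if [ $# -gt 0 ]; then
  check_tf_pins "$1" "${2:-$(local_tf_version)}"
fi
```

Run it from the parent of your checkout as `sh check-tf-pins.sh terraform-example-foundation` before starting the deployment; a non-zero exit means one of the six pins disagrees with the Terraform on your PATH.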
- Check that the required tools, Go 1.22.0+, Terraform 1.5.7+, gcloud 393.0.0+, and Git 2.28.0+, are installed:

  ```
  go version
  terraform -version
  gcloud --version
  git --version
  ```

- Check that the required components of gcloud are installed:

  ```
  gcloud components list --filter="id=beta OR id=terraform-tools"
  ```

  If the components beta and terraform-tools are not installed, follow the instructions in the output of the command to install them.
- Create a directory in the file system to host the Cloud Source repositories that will be created and a copy of the terraform example foundation.
- Clone the terraform-example-foundation repository in this directory.

  ```
  deploy-directory/
  └── terraform-example-foundation
  ```

- Copy the file global.tfvars.example as global.tfvars to the same directory.

  ```
  deploy-directory/
  └── global.tfvars
  └── terraform-example-foundation
  ```

- Update global.tfvars with values from your environment.
  - The 0-bootstrap README prerequisites section has additional prerequisites needed to run this helper.
  - Variable code_checkout_path is the full path to the deploy-directory directory.
  - Variable foundation_code_path is the full path to the terraform-example-foundation directory.
  - See the READMEs for the stages for additional information:
  By default the foundation regional resources are deployed in the us-west1 and us-central1 regions, and multi-regional resources are deployed in the US multi-region.

  In addition to the variables declared in the file global.tfvars for configuring location, there are two locals, default_region1 and default_region2, in each one of the environments (production, nonproduction, and development) in the network steps (3-networks-dual-svpc and 3-networks-hub-and-spoke). They are located in the main.tf files for each environment. Change the two locals before starting the deployment to deploy in other regions.

  Note: the region used for the variable default_region in the file global.tfvars MUST be one of the regions used for the default_region1 and default_region2 locals.
- Set the billing quota project in the gcloud configuration and enable the required APIs:

  ```
  gcloud config set billing/quota_project <QUOTA-PROJECT>
  gcloud services enable \
    "cloudresourcemanager.googleapis.com" \
    "iamcredentials.googleapis.com" \
    "cloudbuild.googleapis.com" \
    "securitycenter.googleapis.com" \
    "accesscontextmanager.googleapis.com" \
    --project <QUOTA-PROJECT>
  ```

- Configure Application Default Credentials:

  ```
  gcloud auth application-default login
  ```

- Install the helper:

  ```
  go install
  ```

- Validate the tfvars file. If you configured a validator_project_id in the global.tfvars file, the validate flag will do additional checks for the Security Command Center notification name and for the Tag Key name. For these extra checks you need at least the roles Security Center Notification Configurations Viewer (roles/securitycenter.notificationConfigViewer) and Tag Viewer (roles/resourcemanager.tagViewer):

  ```
  $HOME/go/bin/foundation-deployer -tfvars_file <PATH TO 'global.tfvars' FILE> -validate
  ```

- Run the helper:

  ```
  $HOME/go/bin/foundation-deployer -tfvars_file <PATH TO 'global.tfvars' FILE>
  ```

- To suppress additional output use:

  ```
  $HOME/go/bin/foundation-deployer -tfvars_file <PATH TO 'global.tfvars' FILE> -quiet
  ```

- To destroy the deployment run:

  ```
  $HOME/go/bin/foundation-deployer -tfvars_file <PATH TO 'global.tfvars' FILE> -destroy
  ```

- After deployment:

  ```
  deploy-directory/
  └── bu1-example-app
  └── gcp-bootstrap
  └── gcp-environments
  └── gcp-networks
  └── gcp-org
  └── gcp-policies
  └── gcp-policies-app-infra
  └── gcp-projects
  └── global.tfvars
  └── terraform-example-foundation
  ```
Supported flags:

```
  -tfvars_file file
      Full path to the Terraform .tfvars file with the configuration to be used.
  -steps_file file
      Path to the steps file to be used to save progress. (default ".steps.json")
  -list_steps
      List the existing steps.
  -reset_step step
      Name of a step to be reset. The step will be marked as pending.
  -validate
      Validate tfvars file inputs.
  -quiet
      If true, additional output is suppressed.
  -disable_prompt
      Disable interactive prompt.
  -destroy
      Destroy the deployment.
  -help
      Prints this help text and exits.
```
See troubleshooting if you run into issues during this deployment.