springml-code/terraform-structure

Terraform Structure Template 📝

This repository hosts a Terraform template for all Google Cloud projects. Every project should follow some or all of this structure in order to pass the Terraform COE review. The structure follows most of the Terraform best practices recommended by Google. You can find the Terraform COE review checklist here.

Repo Description

This repository is built for all teams involved in Google Cloud development. All TPMs for any Google Cloud project need this repository to be shared across the development team. The TPM or Tech Lead should fork this repository and use it as the base template for all their infrastructure development.

Get Started 🚀

The following sections describe the usage of this repository. As explained above, one needs to fork this repository and use it as a base for their own projects.

The structure of the repo and the usage of each folder are described below:

|- bootstrap
  |- modules
|- environments
  |- project
    |- dev
    |- prod
    |- uat
    |- modules
  |- resources
    |- dev
    |- prod
    |- uat
    |- modules
|- organization
  |- groups
    |- dev
    |- prod
    |- uat
    |- modules
|- modules
  |- alerting 
  |- app_engine_firewall 
  |- bigquery 
  |- cloud_build 
  |- cloud_iam 
  |- cloud_storage 
  |- composer 
  |- compute_engine 
  |- custom_role 
  |- data_catalog 
  |- dataflow 
  |- dns 
  |- folder_factory 
  |- groups 
  |- logging 
  |- nat 
  |- org_policy 
  |- project 
  |- pubsub 
  |- router 
  |- service_account 
  |- vpc-network

The repo is divided into four important folders: bootstrap, environments, modules, and organization.

Bootstrap 💻

The purpose of this step is to bootstrap a Google Cloud organization, creating all the required resources and permissions to start using the Cloud Foundation Toolkit (CFT). This step also configures a CI/CD Pipeline for foundations code in subsequent stages.

Note: Make sure that you use version 1.3.0 of Terraform throughout this series. Otherwise, you might experience Terraform state snapshot lock errors.

Also make sure that you've done the following:

  1. Set up a Google Cloud organization.
  2. Set up a Google Cloud billing account.
  3. Create Cloud Identity or Google Workspace groups for organization and billing admins.
  4. For the user who will run the procedures in this document, grant the following roles:
    • The roles/resourcemanager.organizationAdmin role on the Google Cloud organization.
    • The roles/orgpolicy.policyAdmin role on the Google Cloud organization.
    • The roles/billing.admin role on the billing account.
    • The roles/resourcemanager.folderCreator role.

The bootstrap example specified in the examples directory does the following:

  • Sets up organization policies:
    • Skip default network creation.
    • Enable cross-project service accounts.
    • Disable automatic IAM grants for default service accounts.
  • Creates root folders bootstrap, springml-sample, and shared.
  • Creates project environment folders (dev, non-prod, and prod) under springml-sample.
  • Creates a terraform-project-common project under the bootstrap folder using the project factory module, and enables the required APIs.
  • Creates a cloud-build-common project under the common folder using the project factory module, and enables the required APIs.
  • Creates Cloud Build triggers that will be used for developing new projects and resources.
  • Creates service accounts:
    • Bootstrap SA
    • Organization SA
    • Environment SA
    • Network SA
    • Project SA
    • CI-CD SA
    Details of the permissions are explained here.
  • Assigns the service account impersonation role on the service accounts created.
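The organization policies and the impersonation binding from the list above, written out as an added illustration (this is not the template's own bootstrap code; the org id, project id and group address are constructed placeholders):

```hcl
# Added illustration, not the template's bootstrap code. The org id, project
# id and group address are constructed placeholders.
variable "org_id" {
  type    = string
  default = "ORG_ID_PLACEHOLDER"
}

variable "bootstrap_admins_group" {
  type    = string
  default = "bootstrap-admins@example.com"
}
# The three organization policies listed in the bootstrap step.
resource "google_organization_policy" "skip_default_network" {
  org_id     = var.org_id
  constraint = "constraints/compute.skipDefaultNetworkCreation"
  boolean_policy {
    enforced = true
  }
}

# Cross-project SA use is enabled by not enforcing the constraint that disables it.
resource "google_organization_policy" "allow_cross_project_sa" {
  org_id     = var.org_id
  constraint = "constraints/iam.disableCrossProjectServiceAccountUsage"
  boolean_policy {
    enforced = false
  }
}

resource "google_organization_policy" "no_default_sa_grants" {
  org_id     = var.org_id
  constraint = "constraints/iam.automaticIamGrantsForDefaultServiceAccounts"
  boolean_policy {
    enforced = true
  }
}

# Bootstrap SA; the admin group may impersonate it but holds no org roles directly.
resource "google_service_account" "bootstrap" {
  project      = "BOOTSTRAP_PROJECT_ID_PLACEHOLDER"
  account_id   = "sa-bootstrap"
  display_name = "Bootstrap Terraform SA"
}

resource "google_service_account_iam_member" "bootstrap_impersonation" {
  service_account_id = google_service_account.bootstrap.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "group:${var.bootstrap_admins_group}"
}
```

Granting roles/iam.serviceAccountTokenCreator on the SA rather than org-level roles to the group keeps the privileged roles on the SA, where every use is logged as an impersonated call.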

Once the bootstrap is set up, one can move to the next steps and use Cloud Build to create the environment resources.

For more details on bootstrap, refer to this project's documentation on bootstrap setup.

Environments 👍

The environments folder should contain the projects and resources that you want to build. In this template the assumption is that we want to create one project for each of the environments dev, prod, and uat. The idea of this structure is to separate the creation of projects from the creation of their resources.

Therefore, you can find the respective environment-specific folders inside environments/project and environments/resources. In addition, there is a modules folder inside each of the project and resources sub-directories. The purpose of this modules folder is to maintain consistency of resources across the different environments. All the resources that need to be created should be defined inside this modules folder by calling the root-level modules. For example, to create a GCS bucket resource, I would add the following module block inside environments/resources/modules:

module "buckets" {
  source = "../../../modules/cloud_storage"
  ...
}

Similarly, to create a project, I would use the following module block inside environments/project/modules:

module "project" {
  source = "../../../modules/project"
  ...
}

The reason for separating projects and resources into two different folders is to segregate the creation of projects from the creation of their resources. This reduces the blast radius: if something goes wrong while creating resources, it does not affect the project itself. In addition, the state for project creation should be stored in a separate bucket in the bootstrap project, while the project's own bucket should be used as the state bucket when creating that project's resources.

In the Modules section, we will see which modules are currently available and how one can use them.
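The layering described above (an environment root module that points at its own state bucket and wraps the shared per-environment modules folder), as an added illustration rather than the template's own files. Bucket names, project ids and the input names passed to modules/cloud_storage are assumptions; check the real module's variables.tf.

```hcl
# environments/resources/dev/main.tf (added illustration, not the template's file)
terraform {
  required_version = "1.3.0" # version the bootstrap note requires

  # Resource state goes in the dev project's own bucket; project-creation
  # state (environments/project/dev) uses a bucket in the bootstrap project.
  backend "gcs" {
    bucket = "DEV_PROJECT_STATE_BUCKET_PLACEHOLDER"
    prefix = "resources/dev"
  }
}

provider "google" {
  # Run as the Environment SA via impersonation instead of user credentials.
  impersonate_service_account = "sa-environment@DEV_PROJECT_ID_PLACEHOLDER.iam.gserviceaccount.com"
}

module "dev_resources" {
  source      = "../modules"
  project_id  = "DEV_PROJECT_ID_PLACEHOLDER" # placeholder
  environment = "dev"
}

# environments/resources/modules/main.tf: one definition shared by dev/uat/prod
variable "project_id" {
  type = string
}

variable "environment" {
  type = string
}

module "buckets" {
  source = "../../../modules/cloud_storage"
  # Input names below are assumed; check modules/cloud_storage/variables.tf.
  project_id = var.project_id
  name       = "${var.project_id}-${var.environment}-data"
}
```

Because prod and uat only differ in their root module's backend block and variable values, a resource can only exist in one environment if it also exists in the shared modules folder, which is what keeps the environments consistent.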

Organization 👀️

The organization folder contains a groups folder, created as a template for creating Google groups using Terraform, since groups are not part of any project but are resources linked to the organization. You can find the environment-specific Terraform scripts for group creation in the dev, prod, and other folders under groups.

This organization folder should contain all the resources that are created at the organization level.

Modules 🔥

The modules folder contains the different modules prepared as part of the template. The project and resources folders for each environment should use these modules to create Google Cloud infrastructure.

The list of modules:

| Module | Description |
|---|---|
| Alerting | This module is for creating user metrics, a notification channel, and an alerting policy. |
| Bigquery | Creates BigQuery datasets, tables, views, and external tables. |
| Cloud Build | Creates a pull request trigger and a push trigger. In addition, it has a submodule to create a Cloud Build private pool. |
| Cloud IAM | Provides specific permissions on the following cloud resource objects: folder_iam, project_iam, service_account_iam, storage_iam. |
| Cloud Storage | Creates a Google Cloud Storage bucket in a project. |
| Composer | Responsible for creating a Composer environment (v2). |
| Compute Engine | Has two submodules: instance_template creates a compute instance template, and compute_instance creates the compute instance using that instance template. |
| Custom Role | Creates a custom role at either the organization level or the project level, as specified by its parameters. |
| Data Catalog | Has two submodules, tag_template and taxonomy_policy_tags. tag_template creates a Data Catalog tag template, and taxonomy_policy_tags creates policy tags. |
| Dataflow | Meant only for enabling the Dataflow API in the project. Ideally, Dataflow jobs should be created by another pipeline, such as Cloud Build, rather than by Terraform. |
| DNS | Creates DNS private zones in a given project. |
| Folder Factory | The folder factory module does three things: it creates a working folder inside a root folder, and it creates environment folders under the working folder. |
| Groups | Creates Google identity groups. |
| Logging | Used for creating a logging project with logging sinks. More details can be found in the module's own README. |
| NAT | Creates a Cloud NAT resource in a given project. |
| Org Policy | Creates organization policy rules for an organization. |
| Project Factory | Creates every part of a new Google Cloud project: it creates the project, deactivates the default service account, creates a TF state bucket, creates a new TF service account, and adds permissions to the new service account. |
| Pubsub | Creates Pub/Sub topics and subscriptions. |
| Router | A Google Cloud Router module. |
| Service Account | Creates a service account inside a project with the defined permissions and roles. |
| VPC Network | Creates a new VPC network, reserves private IP ranges (if required), and creates VPC peering (if needed). |
