terraform-google-modules/terraform-google-bootstrap
Latest commit e56d2e5 · Jul 7, 2020
terraform-google-bootstrap

The purpose of this module is to help bootstrap a GCP organization, creating all the required GCP resources & permissions to start using the Cloud Foundation Toolkit (CFT). For users who want to use Cloud Build & Cloud Source Repos for foundations code, there is also a submodule to help bootstrap all the required resources to do this.

Usage

Basic usage of this module is as follows:

module "bootstrap" {
  source  = "terraform-google-modules/bootstrap/google"
  version = "~> 1.2"

  org_id               = "<ORGANIZATION_ID>"
  billing_account      = "<BILLING_ACCOUNT_ID>"
  group_org_admins     = "[email protected]"
  group_billing_admins = "[email protected]"
  default_region       = "australia-southeast1"
}

Functional examples are included in the examples directory.

Features

The Organization Bootstrap module will take the following actions:

  1. Create a new GCP seed project using project_prefix.
  2. Enable APIs in the seed project using activate_apis.
  3. Create a new service account for Terraform in the seed project.
  4. Create a GCS bucket for Terraform state and grant access to the service account.
  5. Grant the IAM permissions required for CFT modules and organization setup:
    1. Overwrite the organization-wide project creator and billing account creator roles.
    2. Grant organization permissions to the service account using sa_org_iam_permissions.
    3. Grant the service account access to the billing account.
    4. Grant organization permissions to group_org_admins using org_admins_org_iam_permissions.
    5. Grant billing permissions to group_billing_admins.
    6. (optional) Grant the permissions required for service account impersonation using sa_enable_impersonation.

For the cloudbuild submodule, see the cloudbuild README.

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| activate_apis | List of APIs to enable in the seed project. | list(string) | <list> | no |
| billing_account | The ID of the billing account to associate projects with. | string | n/a | yes |
| default_region | Default region to create resources where applicable. | string | "us-central1" | no |
| folder_id | The ID of a folder to host this project. | string | "" | no |
| grant_billing_user | Grant the roles/billing.user role to the CFT service account. | bool | "true" | no |
| group_billing_admins | Google Group for GCP Billing Administrators. | string | n/a | yes |
| group_org_admins | Google Group for GCP Organization Administrators. | string | n/a | yes |
| org_admins_org_iam_permissions | List of permissions granted to the group supplied in the group_org_admins variable across the GCP organization. | list(string) | <list> | no |
| org_id | GCP Organization ID. | string | n/a | yes |
| org_project_creators | Additional list of members to have the project creator role across the organization. The prefix group:, user: or serviceAccount: is required. | list(string) | <list> | no |
| parent_folder | GCP parent folder ID in the form folders/{id}. | string | "" | no |
| project_labels | Labels to apply to the project. | map(string) | <map> | no |
| project_prefix | Name prefix to use for projects created. | string | "cft" | no |
| sa_enable_impersonation | Allow the org_admins group to impersonate the service account and enable the APIs required. | bool | "false" | no |
| sa_org_iam_permissions | List of permissions granted to the Terraform service account across the GCP organization. | list(string) | <list> | no |
| skip_gcloud_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module). | bool | "true" | no |
| storage_bucket_labels | Labels to apply to the storage bucket. | map(string) | <map> | no |

Outputs

| Name | Description |
|---|---|
| gcs_bucket_tfstate | Bucket used for storing Terraform state for foundations pipelines in the seed project. |
| seed_project_id | Project where service accounts and core APIs will be enabled. |
| terraform_sa_email | Email for the privileged service account for Terraform. |
| terraform_sa_name | Fully qualified name for the privileged service account for Terraform. |

Requirements

Software

  • gcloud sdk >= 206.0.0
  • Terraform >= 0.12.6
  • terraform-provider-google plugin 2.1.x
  • terraform-provider-google-beta plugin 2.1.x

Permissions

  • roles/resourcemanager.organizationAdmin on GCP Organization
  • roles/billing.admin on supplied billing account
  • The account running Terraform should be a member of the group provided in the group_org_admins variable; otherwise it will lose roles/resourcemanager.projectCreator access when the module overwrites that organization-wide binding. Additional members can be added by using the org_project_creators variable.
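Because the module replaces the organization-wide project creator binding rather than appending to it, it is worth previewing who will drop out of that role before applying. The script below is an added example, not part of the terraform-google-bootstrap module: it parses the JSON that `gcloud organizations get-iam-policy <ORG_ID> --format=json` returns (the bindings/role/members layout is the real IAM policy format), models the overwrite as "group_org_admins plus org_project_creators" (an assumption drawn from the Features and Permissions sections; the module's own member set may include its service account), and lists every current member the new binding would not carry over. The policy document embedded in it is constructed.

```python
"""Preview which principals would lose roles/resourcemanager.projectCreator
when the bootstrap module overwrites the organization-wide binding."""
import json

PROJECT_CREATOR = "roles/resourcemanager.projectCreator"

# Constructed sample, standing in for real `gcloud organizations get-iam-policy` output.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:gcp-organization-admins@example.com"]},
        {"role": PROJECT_CREATOR,
         "members": ["user:alice@example.com",
                     "user:bob@example.com",
                     "group:gcp-organization-admins@example.com",
                     "serviceAccount:legacy-ci@old-proj.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
})


def members_with_role(policy_json, role):
    """Return the set of members bound to `role` in an IAM policy document."""
    policy = json.loads(policy_json)
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            members.update(binding.get("members", []))
    return members


def project_creator_losers(policy_json, group_org_admins, org_project_creators=()):
    """Members holding projectCreator today that the overwritten binding omits.

    Assumption (not the module's code): the new binding is the org admins group
    plus any org_project_creators entries, which must already carry their
    group:/user:/serviceAccount: prefix as the Inputs table requires.
    """
    current = members_with_role(policy_json, PROJECT_CREATOR)
    desired = {f"group:{group_org_admins}", *org_project_creators}
    return sorted(current - desired)


if __name__ == "__main__":
    for member in project_creator_losers(SAMPLE_POLICY,
                                         "gcp-organization-admins@example.com",
                                         ["user:bob@example.com"]):
        print("will lose projectCreator:", member)
```

Run it against the real export before `terraform apply`; any principal it prints that still needs to create projects belongs either in group_org_admins or in org_project_creators.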

Credentials

For users interested in using service account impersonation which this module helps enable with sa_enable_impersonation, please see this blog post which explains how it works.

APIs

A project with the following APIs enabled must be used to host the resources of this module:

  • Google Cloud Resource Manager API: cloudresourcemanager.googleapis.com
  • Google Cloud Billing API: cloudbilling.googleapis.com
  • Google Cloud IAM API: iam.googleapis.com
  • Google Cloud Storage API: storage-api.googleapis.com
  • Google Cloud Service Usage API: serviceusage.googleapis.com

These APIs can be enabled in the default project created when the organization is established.

Contributing

Refer to the contribution guidelines for information on contributing to this module.