terraform-google-modules/terraform-example-foundation terraform-google-modules/terraform-example-foundation

  • Stars
    star
    1,211
  • Rank 38,689 (Top 0.8 %)
  • Language HCL
  • License
    Apache License 2.0
  • Created almost 5 years ago
  • Updated 2 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
terraform-google-modules/terraform-example-foundation
github

terraform-google-modules

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Shows how the CFT modules can be composed to build a secure cloud foundation

terraform-example-foundation

This example repository shows how the CFT Terraform modules can build a secure Google Cloud foundation, following the Google Cloud security foundations guide. The supplied structure and code is intended to form a starting point for building your own foundation with pragmatic defaults that you can customize to meet your own requirements. Currently, the step 0 is manually executed. From step 1 onwards, the Terraform code is deployed by using either Google Cloud Build (default) or Jenkins. Cloud Build has been chosen by default to allow you to quickly get started without having to deploy a CI/CD tool, although it is worth noting the code can easily be executed by your preferred tool.

Overview

This repo contains several distinct Terraform projects, each within their own directory that must be applied separately, but in sequence. Each of these Terraform projects are to be layered on top of each other, and run in the following order.

0. bootstrap

This stage executes the CFT Bootstrap module which bootstraps an existing Google Cloud organization, creating all the required Google Cloud resources and permissions to start using the Cloud Foundation Toolkit (CFT). For CI/CD Pipelines, you can use either Cloud Build (by default) or Jenkins. If you want to use Jenkins instead of Cloud Build, see README-Jenkins on how to use the Jenkins sub-module.

The bootstrap step includes:

  • The prj-b-seed project that contains the following:
    • Terraform state bucket
    • Custom service accounts used by Terraform to create new resources in Google Cloud
  • The prj-b-cicd project that contains the following:
    • A CI/CD Pipeline implemented with either Cloud Build or Jenkins
    • If using Cloud Build, the following items:
      • Cloud Source Repository
      • Artifact Registry
    • If using Jenkins, the following items:
      • A Compute Engine instance configured as a Jenkins Agent
      • Custom service account to run Compute Engine instances for Jenkins Agents
      • VPN connection with on-prem (or wherever your Jenkins Controller is located)

It is a best practice to separate concerns by having two projects here: one for the Terraform state and one for the CI/CD tool.

  • The prj-b-seed project stores Terraform state and has the service accounts that can create or modify infrastructure.
  • The prj-b-cicd project holds the CI/CD tool (either Cloud Build or Jenkins) that coordinates the infrastructure deployment.

To further separate the concerns at the IAM level as well, a distinct service account is created for each stage. The Terraform custom service accounts are granted the IAM permissions required to build the foundation. If using Cloud Build as the CI/CD tool, these service accounts are used directly in the pipeline to execute the pipeline steps (plan or apply). In this configuration, the baseline permissions of the CI/CD tool are unchanged.

If using Jenkins as the CI/CD tool, the service account of the Jenkins Agent ([email protected]) is granted impersonation access so it can generate tokens over the Terraform custom Service Accounts. In this configuration, the baseline permissions of the CI/CD tool are limited.

After executing this step, you will have the following structure:

example-organization/
└── fldr-bootstrap
    β”œβ”€β”€ prj-b-cicd
    └── prj-b-seed

When this step uses the Cloud Build submodule, it sets up the cicd project (prj-b-cicd) with Cloud Build and Cloud Source Repositories for each of the stages below. Triggers are configured to run a terraform plan for any non-environment branch and terraform apply when changes are merged to an environment branch (development, non-production or production). Usage instructions are available in the 0-bootstrap README.

1. org

The purpose of this stage is to set up the common folder used to house projects that contain shared resources such as DNS Hub, Interconnect, Security Command Center notification, org level secrets, network hub and org level logging. This will create the following folder and project structure:

example-organization
└── fldr-common
    β”œβ”€β”€ prj-c-logging
    β”œβ”€β”€ prj-c-base-net-hub
    β”œβ”€β”€ prj-c-billing-logs
    β”œβ”€β”€ prj-c-dns-hub
    β”œβ”€β”€ prj-c-interconnect
    β”œβ”€β”€ prj-c-restricted-net-hub
    β”œβ”€β”€ prj-c-scc
    └── prj-c-secrets

Logs

Among the eight projects created under the common folder, two projects (prj-c-logging, prj-c-billing-logs) are used for logging. The first one is for organization-wide audit logs, and the second one is for billing logs. In both cases, the logs are collected into BigQuery datasets which you can then use for general querying, dashboarding, and reporting. Logs are also exported to Pub/Sub, a Cloud Storage bucket, and a log bucket.

Notes:

  • Log export to Cloud Storage bucket has optional object versioning support via log_export_storage_versioning.
  • The various audit log types being captured in BigQuery are retained for 30 days.
  • For billing data, a BigQuery dataset is created with permissions attached, however you will need to configure a billing export manually, as there is no easy way to automate this at the moment.

DNS hub

Another project created under the common folder. This project will host the DNS hub for the organization.

Interconnect

Another project created under the common folder. This project will host the Dedicated Interconnect Interconnect connection for the organization. In case of Partner Interconnect, this project is unused and the VLAN attachments will be placed directly into the corresponding hub projects.

Security Command Center notification

Another project created under the common folder. This project will host the Security Command Center notification resources at the organization level. This project will contain a Pub/Sub topic, a Pub/Sub subscription, and a Security Command Center notification configured to send all new findings to the created topic. You can adjust the filter when deploying this step.

Secrets

Another project created under the common folder. This project is allocated for Secret Manager for secrets shared by the organization.

Usage instructions are available for the org step in the README.

2. environments

The purpose of this stage is to set up the environments folders used for projects that contain monitoring, secrets, and networking projects. This will create the following folder and project structure:

example-organization
└── fldr-development
    β”œβ”€β”€ prj-d-monitoring
    β”œβ”€β”€ prj-d-secrets
    β”œβ”€β”€ prj-d-shared-base
    └── prj-d-shared-restricted
└── fldr-non-production
    β”œβ”€β”€ prj-n-monitoring
    β”œβ”€β”€ prj-n-secrets
    β”œβ”€β”€ prj-n-shared-base
    └── prj-n-shared-restricted
└── fldr-production
    β”œβ”€β”€ prj-p-monitoring
    β”œβ”€β”€ prj-p-secrets
    β”œβ”€β”€ prj-p-shared-base
    └── prj-p-shared-restricted

Monitoring

Under the environment folder, a project is created per environment (development, non-production, and production), which is intended to be used as a Cloud Monitoring workspace for all projects in that environment. Please note that creating the workspace and linking projects can currently only be completed through the Cloud Console. If you have strong IAM requirements for these monitoring workspaces, it is worth considering creating these at a more granular level, such as per business unit or per application.

Networking

Under the environment folder, two projects, one for base and another for restricted network, are created per environment (development, non-production, and production) which is intended to be used as a Shared VPC host project for all projects in that environment. This stage only creates the projects and enables the correct APIs, the following networks stages, 3-networks-dual-svpc and 3-networks-hub-and-spoke, create the actual Shared VPC networks.

Secrets

Under the environment folder, a project is created per environment (development, non-production, and production), which is intended to be used by Secret Manager for secrets shared by the environment.

Usage instructions are available for the environments step in the README.

3. networks-dual-svpc

This step focuses on creating a Shared VPC per environment (development, non-production, and production) in a standard configuration with a reasonable security baseline. Currently, this includes:

  • (Optional) Example subnets for development, non-production, and production inclusive of secondary ranges for those that want to use Google Kubernetes Engine.
  • Hierarchical firewall policy created to allow remote access to VMs through IAP, without needing public IPs.
  • Hierarchical firewall policy created to allow for load balancing health checks.
  • Hierarchical firewall policy created to allow Windows KMS activation.
  • Private service networking configured to enable workload dependant resources like Cloud SQL.
  • Base Shared VPC with private.googleapis.com configured for base access to googleapis.com and gcr.io. Route added for VIP so no internet access is required to access APIs.
  • Restricted Shared VPC with restricted.googleapis.com configured for restricted access to googleapis.com and gcr.io. Route added for VIP so no internet access is required to access APIs.
  • Default routes to internet removed, with tag based route egress-internet required on VMs in order to reach the internet.
  • (Optional) Cloud NAT configured for all subnets with logging and static outbound IPs.
  • Default Cloud DNS policy applied, with DNS logging and inbound query forwarding turned on.

Usage instructions are available for the networks step in the README.

3. networks-hub-and-spoke

This step configures the same network resources that the step 3-networks-dual-svpc does, but this time it makes use of the architecture based on the hub-and-spoke reference network model.

Usage instructions are available for the networks step in the README.

4. projects

This step is focused on creating service projects with a standard configuration that are attached to the Shared VPC created in the previous step and application infrastructure pipelines. Running this code as-is should generate a structure as shown below:

example-organization/
└── fldr-development
    β”œβ”€β”€ prj-bu1-d-env-secrets
    β”œβ”€β”€ prj-bu1-d-sample-floating
    β”œβ”€β”€ prj-bu1-d-sample-base
    β”œβ”€β”€ prj-bu1-d-sample-restrict
    β”œβ”€β”€ prj-bu1-d-sample-peering
    β”œβ”€β”€ prj-bu2-d-env-secrets
    β”œβ”€β”€ prj-bu2-d-sample-floating
    β”œβ”€β”€ prj-bu2-d-sample-base
    β”œβ”€β”€ prj-bu2-d-sample-restrict
    └── prj-bu2-d-sample-peering
└── fldr-non-production
    β”œβ”€β”€ prj-bu1-n-env-secrets
    β”œβ”€β”€ prj-bu1-n-sample-floating
    β”œβ”€β”€ prj-bu1-n-sample-base
    β”œβ”€β”€ prj-bu1-n-sample-restrict
    β”œβ”€β”€ prj-bu1-n-sample-peering
    β”œβ”€β”€ prj-bu2-n-env-secrets
    β”œβ”€β”€ prj-bu2-n-sample-floating
    β”œβ”€β”€ prj-bu2-n-sample-base
    β”œβ”€β”€ prj-bu2-n-sample-restrict
    └── prj-bu2-n-sample-peering
└── fldr-production
    β”œβ”€β”€ prj-bu1-p-env-secrets
    β”œβ”€β”€ prj-bu1-p-sample-floating
    β”œβ”€β”€ prj-bu1-p-sample-base
    β”œβ”€β”€ prj-bu1-p-sample-restrict
    β”œβ”€β”€ prj-bu1-p-sample-peering
    β”œβ”€β”€ prj-bu2-p-env-secrets
    β”œβ”€β”€ prj-bu2-p-sample-floating
    β”œβ”€β”€ prj-bu2-p-sample-base
    β”œβ”€β”€ prj-bu2-p-sample-restrict
    └── prj-bu2-p-sample-peering
└── fldr-common
    β”œβ”€β”€ prj-bu1-c-infra-pipeline
    └── prj-bu2-c-infra-pipeline

The code in this step includes two options for creating projects. The first is the standard projects module which creates a project per environment, and the second creates a standalone project for one environment. If relevant for your use case, there are also two optional submodules which can be used to create a subnet per project, and a dedicated private DNS zone per project.

Usage instructions are available for the projects step in the README.

5. app-infra

The purpose of this step is to deploy a simple Compute Engine instance in one of the business unit projects using the infra pipeline set up in 4-projects.

Usage instructions are available for the app-infra step in the README.

Final view

After all steps above have been executed, your Google Cloud organization should represent the structure shown below, with projects being the lowest nodes in the tree.

example-organization
└── fldr-common
    β”œβ”€β”€ prj-c-logging
    β”œβ”€β”€ prj-c-base-net-hub
    β”œβ”€β”€ prj-c-billing-logs
    β”œβ”€β”€ prj-c-dns-hub
    β”œβ”€β”€ prj-c-interconnect
    β”œβ”€β”€ prj-c-restricted-net-hub
    β”œβ”€β”€ prj-c-scc
    β”œβ”€β”€ prj-c-secrets
    β”œβ”€β”€ prj-bu1-c-infra-pipeline
    └── prj-bu2-c-infra-pipeline
└── fldr-development
    β”œβ”€β”€ prj-bu1-d-env-secrets
    β”œβ”€β”€ prj-bu1-d-sample-floating
    β”œβ”€β”€ prj-bu1-d-sample-base
    β”œβ”€β”€ prj-bu1-d-sample-restrict
    β”œβ”€β”€ prj-bu1-d-sample-peering
    β”œβ”€β”€ prj-bu2-d-env-secrets
    β”œβ”€β”€ prj-bu2-d-sample-floating
    β”œβ”€β”€ prj-bu2-d-sample-base
    β”œβ”€β”€ prj-bu2-d-sample-restrict
    β”œβ”€β”€ prj-bu2-d-sample-peering
    β”œβ”€β”€ prj-d-monitoring
    β”œβ”€β”€ prj-d-secrets
    β”œβ”€β”€ prj-d-shared-base
    └── prj-d-shared-restricted
└── fldr-non-production
    β”œβ”€β”€ prj-bu1-n-env-secrets
    β”œβ”€β”€ prj-bu1-n-sample-floating
    β”œβ”€β”€ prj-bu1-n-sample-base
    β”œβ”€β”€ prj-bu1-n-sample-restrict
    β”œβ”€β”€ prj-bu1-n-sample-peering
    β”œβ”€β”€ prj-bu2-n-env-secrets
    β”œβ”€β”€ prj-bu2-n-sample-floating
    β”œβ”€β”€ prj-bu2-n-sample-base
    β”œβ”€β”€ prj-bu2-n-sample-restrict
    β”œβ”€β”€ prj-bu2-n-sample-peering
    β”œβ”€β”€ prj-n-monitoring
    β”œβ”€β”€ prj-n-secrets
    β”œβ”€β”€ prj-n-shared-base
    └── prj-n-shared-restricted
└── fldr-production
    β”œβ”€β”€ prj-bu1-p-env-secrets
    β”œβ”€β”€ prj-bu1-p-sample-floating
    β”œβ”€β”€ prj-bu1-p-sample-base
    β”œβ”€β”€ prj-bu1-p-sample-restrict
    β”œβ”€β”€ prj-bu1-p-sample-peering
    β”œβ”€β”€ prj-bu2-p-env-secrets
    β”œβ”€β”€ prj-bu2-p-sample-floating
    β”œβ”€β”€ prj-bu2-p-sample-base
    β”œβ”€β”€ prj-bu2-p-sample-restrict
    β”œβ”€β”€ prj-bu2-p-sample-peering
    β”œβ”€β”€ prj-p-monitoring
    β”œβ”€β”€ prj-p-secrets
    β”œβ”€β”€ prj-p-shared-base
    └── prj-p-shared-restricted
└── fldr-bootstrap
    β”œβ”€β”€ prj-b-cicd
    └── prj-b-seed

Branching strategy

There are three main named branches: development, non-production, and production that reflect the corresponding environments. These branches should be protected. When the CI/CD Pipeline (Jenkins or Cloud Build) runs on a particular named branch (say for instance development), only the corresponding environment (development) is applied. An exception is the shared environment, which is only applied when triggered on the production branch. This is because any changes in the shared environment may affect resources in other environments and can have adverse effects if not validated correctly.

Development happens on feature and bug fix branches (which can be named feature/new-foo, bugfix/fix-bar, etc.) and when complete, a pull request (PR) or merge request (MR) can be opened targeting the development branch. This will trigger the CI/CD Pipeline to perform a plan and validate against all environments (development, non-production, shared, and production). After the code review is complete and changes are validated, this branch can be merged into development. This will trigger a CI/CD Pipeline that applies the latest changes in the development branch on the development environment.

After validated in development, changes can be promoted to non-production by opening a PR or MR targeting the non-production branch and merging them. Similarly, changes can be promoted from non-production to production.

Terraform-validator

This repo uses the terraform-tools component of the gcloud CLI to validate the Terraform plans against a library of Google Cloud policies.

The Scorecard bundle was used to create the policy-library folder with one extra constraint added.

See the policy-library documentation if you need to add more constraints from the samples folder in your configuration based in your type of workload.

Step 1-org has instructions on the creation of the shared repository to host these policies.

Optional Variables

Some variables used to deploy the steps have default values, check those before deployment to ensure they match your requirements. For more information, there are tables of inputs and outputs for the Terraform modules, each with a detailed description of their variables. Look for variables marked as not required in the section Inputs of these READMEs:

Errata summary

Refer to the errata summary for an overview of the delta between the example foundation repository and the Google Cloud security foundations guide.

Contributing

Refer to the contribution guidelines for information on contributing to this module.

More Repositories

1

terraform-google-kubernetes-engine

Configures opinionated GKE clusters
HCL
1,131
star
2

terraform-google-project-factory

Creates an opinionated Google Cloud project by using Shared VPC, IAM, and Google Cloud APIs
HCL
826
star
3

terraform-google-network

Sets up a new VPC network on Google Cloud
HCL
411
star
4

terraform-google-lb-http

Creates a global HTTP load balancer for Compute Engine by using forwarding rules
HCL
315
star
5

terraform-docs-samples

Terraform samples intended for inclusion in cloud.google.com
HCL
290
star
6

terraform-google-sql-db

Creates a Cloud SQL database instance
HCL
263
star
7

terraform-google-vm

Provisions VMs in Google Cloud
HCL
220
star
8

terraform-google-bootstrap

Bootstraps Terraform usage and related CI/CD in a new Google Cloud organization
HCL
210
star
9

terraform-google-vault

Deploys Vault on Compute Engine
HCL
192
star
10

terraform-google-bigquery

Creates opinionated BigQuery datasets and tables
HCL
190
star
11

terraform-google-iam

Manages multiple IAM roles for resources on Google Cloud
HCL
189
star
12

terraform-google-github-actions-runners

Creates self-hosted GitHub Actions Runners on Google Cloud
HCL
181
star
13

terraform-google-cloud-storage

Creates one or more Cloud Storage buckets and assigns basic permissions on them to arbitrary users
HCL
168
star
14

terraform-google-container-vm

Deploys containers on Compute Engine instances
HCL
155
star
15

terraform-google-gcloud

Executes Google Cloud CLI commands within Terraform
HCL
138
star
16

terraform-google-bastion-host

Generates a bastion host VM compatible with OS Login and IAP Tunneling that can be used to access internal VMs
HCL
126
star
17

terraform-google-service-accounts

Creates one or more service accounts and grants them basic roles
HCL
115
star
18

docs-examples

Open in Cloud Shell Examples for the Google provider docs
HCL
110
star
19

cloud-foundation-training

HCL
96
star
20

terraform-google-lb

Creates a regional TCP proxy load balancer for Compute Engine by using target pools and forwarding rules
HCL
92
star
21

terraform-google-gke-gitlab

Installs GitLab on Kubernetes Engine
HCL
90
star
22

terraform-google-vpn

Sets up a Cloud VPN gateway
HCL
88
star
23

terraform-google-log-export

Creates log exports at the project, folder, or organization level
HCL
88
star
24

terraform-google-pubsub

Creates Pub/Sub topic and subscriptions associated with the topic
HCL
85
star
25

terraform-google-lb-internal

Creates an internal load balancer for Compute Engine by using forwarding rules
HCL
81
star
26

terraform-google-org-policy

Manages Google Cloud organization policies
HCL
80
star
27

terraform-google-cloud-nat

Creates and configures Cloud NAT
HCL
80
star
28

terraform-google-startup-scripts

Provides a library of useful startup scripts to embed in VMs
Shell
73
star
29

terraform-google-k8s-gce

Modular Kubernetes Cluster for GCE using Terraform
HCL
71
star
30

terraform-google-scheduled-function

Sets up a scheduled job to trigger events and run functions
Go
71
star
31

terraform-google-slo

Creates SLOs on Google Cloud from custom Stackdriver metrics capability to export SLOs to Google Cloud services and other systems
HCL
63
star
32

terraform-google-address

Manages Google Cloud IP addresses
Shell
60
star
33

terraform-google-vpc-service-controls

Handles opinionated VPC Service Controls and Access Context Manager configuration and deployments
HCL
60
star
34

terraform-google-cloud-dns

Creates and manages Cloud DNS public or private zones and their records
HCL
57
star
35

terraform-google-event-function

Responds to logging events with a Cloud Function
HCL
52
star
36

terraform-google-composer

Manages Cloud Composer v1 and v2 along with option to manage networking
HCL
52
star
37

terraform-google-module-template

Provides a template for creating a Cloud Foundation Toolkit Terraform module
HCL
52
star
38

terraform-google-cloud-router

Manages a Cloud Router on Google Cloud
HCL
48
star
39

terraform-google-folders

Creates several Google Cloud folders under the same parent
HCL
47
star
40

terraform-google-cloud-operations

Manages Cloud Logging and Cloud Monitoring
HCL
47
star
41

terraform-google-kms

Allows managing a keyring, zero or more keys in the keyring, and IAM role bindings on individual keys
HCL
44
star
42

terraform-google-memorystore

Creates a fully functional Google Memorystore (redis) instance
HCL
43
star
43

terraform-google-group

Manages Google Groups
HCL
40
star
44

terraform-google-dataflow

Handles opinionated Dataflow job configuration and deployments
HCL
34
star
45

terraform-google-jenkins

Creates a Compute Engine instance running Jenkins
HCL
31
star
46

terraform-google-sap

Deploys SAP products
HCL
31
star
47

terraform-google-cloud-datastore

Manages Datastore
HCL
22
star
48

terraform-google-gsuite-export

Creates a Compute Engine VM instance and sets up a cronjob to export GSuite Admin SDK data to Cloud Logging on a schedule
HCL
18
star
49

terraform-google-utils

Gets the short names for a given Google Cloud region
HCL
14
star
50

terraform-google-data-fusion

Manages Cloud Data Fusion
HCL
14
star
51

terraform-google-endpoints-dns

This module creates a DNS record on the .cloud.goog domain using Cloud Endpoints.
HCL
11
star
52

terraform-google-healthcare

Handles opinionated Google Cloud Healthcare datasets and stores
HCL
11
star
53

terraform-google-migrate

Terraform module to help with migrating VMs to GCP.
HCL
10
star
54

terraform-example-shared-services

Example of using CFT to build a Shared Services architecture on GCP
HCL
6
star
55

terraform-google-datalab

Creates DataLab instances with support for GPU instances
HCL
6
star
56

terraform-google-secret

This Terraform module makes it easier to manage to manage secrets for your Google Cloud environment, such as api keys, tokens, etc.
Python
6
star
57

terraform-google-redis

HCL
5
star
58

terraform-google-airflow

HCL
4
star
59

terraform-google-api-police

HCL
3
star
60

.allstar

1
star
61

terraform-google-mariadb

HCL
1
star