terraform-google-modules/terraform-google-bootstrap terraform-google-modules/terraform-google-bootstrap

  • Stars
    star
    210
  • Rank 187,585 (Top 4 %)
  • Language HCL
  • License
    Apache License 2.0
  • Created about 5 years ago
  • Updated 2 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
terraform-google-modules/terraform-google-bootstrap
github

terraform-google-modules

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Bootstraps Terraform usage and related CI/CD in a new Google Cloud organization

terraform-google-bootstrap

The purpose of this module is to help bootstrap a GCP organization, creating all the required GCP resources & permissions to start using the Cloud Foundation Toolkit (CFT). For users who want to use Cloud Build & Cloud Source Repos for foundations code, there is also a submodule to help bootstrap all the required resources to do this.

Usage

Basic usage of this module is as follows:

module "bootstrap" {
  source  = "terraform-google-modules/bootstrap/google"
  version = "~> 6.4"

  org_id               = "<ORGANIZATION_ID>"
  billing_account      = "<BILLING_ACCOUNT_ID>"
  group_org_admins     = "[email protected]"
  group_billing_admins = "[email protected]"
  default_region       = "australia-southeast1"
}

Functional examples are included in the examples directory.

Features

The Organization Bootstrap module will take the following actions:

  1. Create a new GCP seed project using project_prefix. Use project_id if you need to use custom project ID.
  2. Enable APIs in the seed project using activate_apis
  3. Create a new service account for terraform in seed project
  4. Create GCS bucket for Terraform state and grant access to service account
  5. Grant IAM permissions required for CFT modules & Organization setup
    1. Overwrite organization wide project creator and billing account creator roles
    2. Grant Organization permissions to service account using sa_org_iam_permissions
    3. Grant access to billing account for service account
    4. Grant Organization permissions to group_org_admins using org_admins_org_iam_permissions
    5. Grant billing permissions to group_billing_admins
    6. (optional) Permissions required for service account impersonation using sa_enable_impersonation

For the cloudbuild submodule, see the README cloudbuild.

Inputs

Name Description Type Default Required
activate_apis List of APIs to enable in the seed project. list(string) 
[
  "serviceusage.googleapis.com",
  "servicenetworking.googleapis.com",
  "compute.googleapis.com",
  "logging.googleapis.com",
  "bigquery.googleapis.com",
  "cloudresourcemanager.googleapis.com",
  "cloudbilling.googleapis.com",
  "iam.googleapis.com",
  "admin.googleapis.com",
  "appengine.googleapis.com",
  "storage-api.googleapis.com",
  "monitoring.googleapis.com"
]
 no
billing_account The ID of the billing account to associate projects with. string n/a yes
create_terraform_sa If the Terraform service account should be created. bool true no
default_region Default region to create resources where applicable. string "us-central1" no
encrypt_gcs_bucket_tfstate Encrypt bucket used for storing terraform state files in seed project. bool false no
folder_id The ID of a folder to host this project string "" no
force_destroy If supplied, the state bucket will be deleted even while containing objects. bool false no
grant_billing_user Grant roles/billing.user role to CFT service account bool true no
group_billing_admins Google Group for GCP Billing Administrators string n/a yes
group_org_admins Google Group for GCP Organization Administrators string n/a yes
key_protection_level The protection level to use when creating a version based on this template. Default value: "SOFTWARE" Possible values: ["SOFTWARE", "HSM"] string "SOFTWARE" no
key_rotation_period The rotation period of the key. string null no
kms_prevent_destroy Set the prevent_destroy lifecycle attribute on keys. bool true no
org_admins_org_iam_permissions List of permissions granted to the group supplied in group_org_admins variable across the GCP organization. list(string) 
[
  "roles/billing.user",
  "roles/resourcemanager.organizationAdmin"
]
 no
org_id GCP Organization ID string n/a yes
org_project_creators Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. list(string) [] no
parent_folder GCP parent folder ID in the form folders/{id} string "" no
project_id Custom project ID to use for project created. If not supplied, the default id is {project_prefix}-seed-{random suffix}. string "" no
project_labels Labels to apply to the project. map(string) {} no
project_prefix Name prefix to use for projects created. string "cft" no
random_suffix Appends a 4 character random suffix to project ID and GCS bucket name. bool true no
sa_enable_impersonation Allow org_admins group to impersonate service account & enable APIs required. bool false no
sa_org_iam_permissions List of permissions granted to Terraform service account across the GCP organization. list(string) 
[
  "roles/billing.user",
  "roles/compute.networkAdmin",
  "roles/compute.xpnAdmin",
  "roles/iam.securityAdmin",
  "roles/iam.serviceAccountAdmin",
  "roles/logging.configWriter",
  "roles/orgpolicy.policyAdmin",
  "roles/resourcemanager.folderAdmin",
  "roles/resourcemanager.organizationViewer"
]
 no
state_bucket_name Custom state bucket name. If not supplied, the default name is {project_prefix}-tfstate-{random suffix}. string "" no
storage_bucket_labels Labels to apply to the storage bucket. map(string) {} no
tf_service_account_id ID of service account for terraform in seed project string "org-terraform" no
tf_service_account_name Display name of service account for terraform in seed project string "CFT Organization Terraform Account" no

Outputs

Name Description
gcs_bucket_tfstate Bucket used for storing terraform state for foundations pipelines in seed project.
seed_project_id Project where service accounts and core APIs will be enabled.
terraform_sa_email Email for privileged service account for Terraform.
terraform_sa_name Fully qualified name for privileged service account for Terraform.

Requirements

Software

Permissions

  • roles/resourcemanager.organizationAdmin on GCP Organization
  • roles/orgpolicy.policyAdmin on GCP Organization
  • roles/billing.admin on supplied billing account
  • Account running terraform should be a member of group provided in group_org_admins variable, otherwise they will loose roles/resourcemanager.projectCreator access. Additional members can be added by using the org_project_creators variable.

Credentials

For users interested in using service account impersonation which this module helps enable with sa_enable_impersonation, please see this blog post which explains how it works.

APIs

A project with the following APIs enabled must be used to host the resources of this module:

  • Google Cloud Resource Manager API: cloudresourcemanager.googleapis.com
  • Google Cloud Billing API: cloudbilling.googleapis.com
  • Google Cloud IAM API: iam.googleapis.com
  • Google Cloud Storage API storage-api.googleapis.com
  • Google Cloud Service Usage API: serviceusage.googleapis.com

This API can be enabled in the default project created during establishing an organization.

Contributing

Refer to the contribution guidelines for information on contributing to this module.

More Repositories

1

terraform-example-foundation

Shows how the CFT modules can be composed to build a secure cloud foundation
HCL
1,211
star
2

terraform-google-kubernetes-engine

Configures opinionated GKE clusters
HCL
1,131
star
3

terraform-google-project-factory

Creates an opinionated Google Cloud project by using Shared VPC, IAM, and Google Cloud APIs
HCL
826
star
4

terraform-google-network

Sets up a new VPC network on Google Cloud
HCL
411
star
5

terraform-google-lb-http

Creates a global HTTP load balancer for Compute Engine by using forwarding rules
HCL
315
star
6

terraform-docs-samples

Terraform samples intended for inclusion in cloud.google.com
HCL
290
star
7

terraform-google-sql-db

Creates a Cloud SQL database instance
HCL
263
star
8

terraform-google-vm

Provisions VMs in Google Cloud
HCL
220
star
9

terraform-google-vault

Deploys Vault on Compute Engine
HCL
192
star
10

terraform-google-bigquery

Creates opinionated BigQuery datasets and tables
HCL
190
star
11

terraform-google-iam

Manages multiple IAM roles for resources on Google Cloud
HCL
189
star
12

terraform-google-github-actions-runners

Creates self-hosted GitHub Actions Runners on Google Cloud
HCL
181
star
13

terraform-google-cloud-storage

Creates one or more Cloud Storage buckets and assigns basic permissions on them to arbitrary users
HCL
168
star
14

terraform-google-container-vm

Deploys containers on Compute Engine instances
HCL
155
star
15

terraform-google-gcloud

Executes Google Cloud CLI commands within Terraform
HCL
138
star
16

terraform-google-bastion-host

Generates a bastion host VM compatible with OS Login and IAP Tunneling that can be used to access internal VMs
HCL
126
star
17

terraform-google-service-accounts

Creates one or more service accounts and grants them basic roles
HCL
115
star
18

docs-examples

Open in Cloud Shell Examples for the Google provider docs
HCL
110
star
19

cloud-foundation-training

HCL
96
star
20

terraform-google-lb

Creates a regional TCP proxy load balancer for Compute Engine by using target pools and forwarding rules
HCL
92
star
21

terraform-google-gke-gitlab

Installs GitLab on Kubernetes Engine
HCL
90
star
22

terraform-google-vpn

Sets up a Cloud VPN gateway
HCL
88
star
23

terraform-google-log-export

Creates log exports at the project, folder, or organization level
HCL
88
star
24

terraform-google-pubsub

Creates Pub/Sub topic and subscriptions associated with the topic
HCL
85
star
25

terraform-google-lb-internal

Creates an internal load balancer for Compute Engine by using forwarding rules
HCL
81
star
26

terraform-google-org-policy

Manages Google Cloud organization policies
HCL
80
star
27

terraform-google-cloud-nat

Creates and configures Cloud NAT
HCL
80
star
28

terraform-google-startup-scripts

Provides a library of useful startup scripts to embed in VMs
Shell
73
star
29

terraform-google-k8s-gce

Modular Kubernetes Cluster for GCE using Terraform
HCL
71
star
30

terraform-google-scheduled-function

Sets up a scheduled job to trigger events and run functions
Go
71
star
31

terraform-google-slo

Creates SLOs on Google Cloud from custom Stackdriver metrics capability to export SLOs to Google Cloud services and other systems
HCL
63
star
32

terraform-google-address

Manages Google Cloud IP addresses
Shell
60
star
33

terraform-google-vpc-service-controls

Handles opinionated VPC Service Controls and Access Context Manager configuration and deployments
HCL
60
star
34

terraform-google-cloud-dns

Creates and manages Cloud DNS public or private zones and their records
HCL
57
star
35

terraform-google-event-function

Responds to logging events with a Cloud Function
HCL
52
star
36

terraform-google-composer

Manages Cloud Composer v1 and v2 along with option to manage networking
HCL
52
star
37

terraform-google-module-template

Provides a template for creating a Cloud Foundation Toolkit Terraform module
HCL
52
star
38

terraform-google-cloud-router

Manages a Cloud Router on Google Cloud
HCL
48
star
39

terraform-google-folders

Creates several Google Cloud folders under the same parent
HCL
47
star
40

terraform-google-cloud-operations

Manages Cloud Logging and Cloud Monitoring
HCL
47
star
41

terraform-google-kms

Allows managing a keyring, zero or more keys in the keyring, and IAM role bindings on individual keys
HCL
44
star
42

terraform-google-memorystore

Creates a fully functional Google Memorystore (redis) instance
HCL
43
star
43

terraform-google-group

Manages Google Groups
HCL
40
star
44

terraform-google-dataflow

Handles opinionated Dataflow job configuration and deployments
HCL
34
star
45

terraform-google-jenkins

Creates a Compute Engine instance running Jenkins
HCL
31
star
46

terraform-google-sap

Deploys SAP products
HCL
31
star
47

terraform-google-cloud-datastore

Manages Datastore
HCL
22
star
48

terraform-google-gsuite-export

Creates a Compute Engine VM instance and sets up a cronjob to export GSuite Admin SDK data to Cloud Logging on a schedule
HCL
18
star
49

terraform-google-utils

Gets the short names for a given Google Cloud region
HCL
14
star
50

terraform-google-data-fusion

Manages Cloud Data Fusion
HCL
14
star
51

terraform-google-endpoints-dns

This module creates a DNS record on the .cloud.goog domain using Cloud Endpoints.
HCL
11
star
52

terraform-google-healthcare

Handles opinionated Google Cloud Healthcare datasets and stores
HCL
11
star
53

terraform-google-migrate

Terraform module to help with migrating VMs to GCP.
HCL
10
star
54

terraform-example-shared-services

Example of using CFT to build a Shared Services architecture on GCP
HCL
6
star
55

terraform-google-datalab

Creates DataLab instances with support for GPU instances
HCL
6
star
56

terraform-google-secret

This Terraform module makes it easier to manage to manage secrets for your Google Cloud environment, such as api keys, tokens, etc.
Python
6
star
57

terraform-google-redis

HCL
5
star
58

terraform-google-airflow

HCL
4
star
59

terraform-google-api-police

HCL
3
star
60

.allstar

1
star
61

terraform-google-mariadb

HCL
1
star