fmichaelobrien commented 8 months ago

20240402 TEF work not in https://github.com/terraform-google-modules/terraform-example-foundation/issues/1133 20240206 #345 superceeds this one Historical Follow previous cloud-setup investigation runs at

TOC alignment July 2023 - all the way to the end including policies https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/251 and from May 2023 https://github.com/CloudLandingZone/google-cloud-enterprise-setup-checklist/issues/1

Artifacts

org (olapp)
branch (https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/tree/351-landing-zone-fortigate-cloud-setup)
wiki https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/wiki/Architecture
repo folder: 2024_fortigate-on-cloud-setup

Requirements: We have a a required for a light landing zone

The enterprise setup is a Google supported LZ The fortigate TF overlay is a Fortinet supported example

1 - use the foundations setup https://github.com/CloudLandingZone/google-cloud-enterprise-setup-checklist Describing https://cloud.google.com/docs/enterprise/setup-checklist 2 - overlay the working unmodified fortigate cluster (reattach peering to the setup above…) https://github.com/fortinet/fortigate-tutorial-gcp/tree/main/terraform

Architecture

Base Landing Zone

Merged with Fortigate LB sandwich cluster - re-peer with above

This superseeds #345 20240206 #345 superceeds this one

obriensystems commented 8 months ago

Start foundation setup on a relatively new org - one where no terraform or kcc config controller lz has been deployed yet

Output Artifacts

manual console procedures + terraform scripts from cloud-setup + terraform from Fortinet (adjusted)
Try to get a gcloud script done for the manual procedures

Prepare Before

billing_project_quota increase from the default 5 - if you prepay $50 and ask for paid services only - quota is usually granted within 3 min by the bot.

1 - Create an Organization

Cloud Setup | Overview

hit the Google Cloud icon on the top left of http://console.cloud.google.com
https://console.cloud.google.com/welcome/new

hit "Set Up Foundation"

https://console.cloud.google.com/cloud-setup

start 1125

2 - Configure Users and Groups

IAM state before

super-admin has
Folder Admin
Organization Administrator

domain has
Billing Account Creator
Project Creator

check errors

Check groups https://admin.google.com/ac/groups https://console.cloud.google.com/iam-admin/groups?organizationId=630259462753&supportedpurview=project

Output: 8 of 10 IAM groups

missing gcp-logging-viewers@obrienlabs.app gcp-billing-admins@obrienlabs.app

3 - Assign Administrative access

Triage gcp-logging-viewers@obrienlabs.app gcp-billing-admins@obrienlabs.app

BAA or BAU must be applied to SA in IAM (not just the billing page) or the following 2 groups will fail to create
before

add Billing Admin and Project Billing Manager

to

retry

ignore warning - buganizer sent Still getting a warning - checking groups

create admin users

skip - just add yourself

Add admin users to group

i am already in the groups - continuing

Grant administrative access already ok - I have Organization Administrator by default

missing groups - even though they exist

Groups exist (see left and right) - but are not getting picked up in the wizard in the middle screen

Fix: looks like IAM roles were not added to the groups - hence at least one role is required for them to show up in IAM

except that we have not done that step yet of adding roles attempting to add a role will work

I cannot discard though and continue

Discard IAM policies for missing groups
If you continue, access recommendations for the following missing groups will be discarded:

gcp-organization-admins@obrienlabs.app
gcp-vpc-network-admins@obrienlabs.app
gcp-logging-admins@obrienlabs.app
gcp-security-admins@obrienlabs.app
gcp-devops@obrienlabs.app
By discarding these IAM policies, you need to manually configure similar access we recommended for comparable groups in order to complete your foundation setup.

4 - setup billing

done