Installation run prerequisites around organization/cloud-identity onboarding - capture in prep of readme.md update

[fmichaelobrien]

capturing additions to the doc prior to a patch

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding#readme

Use case: non-GCP domain for identity federation

• new super admin role account (non-workspace) cloud identity
• external to GCP domain that will be used for cloud identity users to validate against - domain must be a subdomain like sub.domain.com - to avoid TXT zone collision with existing records at the root domain
• in IAM run the checklist - as the super admin users - the first step organization creation will auto create here
• https://console.cloud.google.com/cloud-setup/users-groups
• step 2 : group creation - for example "gcp-organization-admins@gcp.packet.global"
• step 3 : admin and billing group role assignments

20220317 update https://cloud.google.com/blog/topics/developers-practitioners/using-google-cloud-service-account-impersonation-your-terraform-code

[obriensystems]

clone/download repo goto

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding

prereq

• verify the organization policy on location constraint is not set - there is some "us" regional assets required during the build https://console.cloud.google.com/iam-admin/orgpolicies/gcp-resourceLocations?organizationId=84
• super admin identity or workspace account
• has billing admin, folder admin, organizational admin

create folder for use instead of org

https://console.cloud.google.com/foldercreate?previousPage=%2Fcloud-resource-manager refresh page https://console.cloud.google.com/cloud-resource-manager get folder id https://console.cloud.google.com/iam-admin/settings?folder=45293448627

gcloud auth list mkdir github cd github https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/archive/refs/heads/main.zip cp ../pbmm-on-gcp-onboarding-main.zip . unzip pbmm-on-gcp-onboarding-main.zip

michael@cloudshell:~/github (landingzone-stg)$ cd pbmm-on-gcp-onboarding-main/environments/bootstrap/ michael@cloudshell:~/github/pbmm-on-gcp-onboarding-main/environments/bootstrap (landingzone-stg)$ chmod +x bootstrap.sh michael@cloudshell:~/github/pbmm-on-gcp-onboarding-main/environments/bootstrap (landingzone-stg)$ cd ../../modules/cloudbuild/cloudbuild_builder/ michael@cloudshell:~/github/pbmm-on-gcp-onboarding-main/modules/cloudbuild/cloudbuild_builder (landingzone-stg)$ chmod +x entrypoint.bash michael@cloudshell:~/github/pbmm-on-gcp-onboarding-main/modules/cloudbuild/cloudbuild_builder (landingzone-stg)$ cd ../../../environments/bootstrap/

create folder

vi bootstrap.auto.tfvars

bootstrap = { userDefinedString = "codev" # REQUIRED EDIT Appended to project name/id additionalUserDefinedString = "sbx" # OPTIONAL EDIT Additional appended string billingAccount = "01..B" # REQUIRED EDIT Billing Account in the format of ######-######-###### parent = "folders/45..7" # REQUIRED EDIT Organization Node in format "organizations/#############" or "folders/#############" terraformDeploymentAccount = "terraform0309" # REQUIRED EDIT Name of the service account to created to deploy the terraform code bootstrapEmail = "user:michael@co..d.org" # REQUIRED EDIT In the form of 'user:user@email.com region = "northamerica-northeast1" # REQUIRED EDIT Region name. northamerica-northeast1 cloud_source_repo_name = "co...zedlz" # REQUIRED EDIT CSR used as a mirror for code tfstate_buckets = { common = { name = "conta...dlzco" # REQUIRED EDIT Must be globally unique name = "con..zedlznp" # REQUIRED EDIT Must be globally unique name = "con..edlzpr" # REQUIRED EDIT Must be globally unique

cloud_build_admins = [ "user:michael@con..ed.org", REQUIRED EDIT user:user@google.com, group:users@google.com,serviceAccount:robot@PROJECT.iam.gserviceaccount.com ] group_build_viewers = [ "user:michael@containerized.org", REQUIRED EDIT user:user@google.com, group:users@google.com,serviceAccount:robot@PROJECT.iam.gserviceaccount.com ]

organization-config.auto.tfvars

organization_config = { org_id = "843157297140" # REQUIRED EDIT Numeric portion only '#############'" default_region = "northamerica-northeast1" # REQUIRED EDIT Cloudbuild Region department_code = "Co" # REQUIRED EDIT Two Characters. Capitol and then lowercase owner = "cod" # REQUIRED EDIT Used in naming standard environment = "P" # REQUIRED EDIT S-Sandbox P-Production Q-Quality D-development location = "northamerica-northeast1" # REQUIRED EDIT Location used for resources. Currently northamerica-northeast1 is available labels = {} # REQUIRED EDIT Object used for resource labels root_node = "folders/45...7" # REQUIRED EDIT Organization Node in format "organizations/#############" or "folders/###" contacts = { "michael@co...d.org" = ["ALL"] # REQUIRED EDIT Essential Contacts for notifications. Must be in the form EMAIL -> [NOTIFICATION_TYPES] } billing_account = "01...3B" # REQUIRED EDIT Format of ######-######-###### }

common/common.auto.tfvars

folders = { parent = "folders/4..7" user_defined_string = "acm" # REQUIRED EDIT. sink_name = "coprodsink1" # REQUIRED EDIT. Must be unique across organization bucket_viewer = "user:michael@co..ed.org" # REQUIRED EDIT.

run

michael@cloudshell:~/github/pbmm-on-gcp-onboarding-main/environments/bootstrap (landingzone-stg)$ ./bootstrap.sh run

Plan: 96 to add, 0 to change, 0 to destroy.

Changes to Outputs:

• csr_name = "containerizedlz"
• organization_config = {
  • billing_account = "01..B"
  • contacts = {}
  • default_region = "northamerica-northeast1"
  • department_code = "Co"
  • environment = "P"
  • labels = {}
  • location = "northamerica-northeast1"
  • org_id = "8..0"
  • owner = "cod"
  • root_node = "folders/45..7" }
• project_id = "cope-cod-codev-sbx"
• service_account_email = (known after apply)
• terraform_deployment_account = (known after apply)
• tfstate_bucket_names = {
  • common = "copeco..edlzco"
  • nonprod = "copeco...edlznp"
  • prod = "copeco..dlzpr" }

1133 4 min to get past module.landing_zone_bootstrap.module.project.google_project.project: Still creating... [30s elapsed] module.landing_zone_bootstrap.module.project.google_project.project: Still creating... [3m0s elapsed] module.landing_zone_bootstrap.module.project.google_project.project: Creation complete after 3m3s [id=projects/cope-cod-codev-sbx] 1137

1140 module.cloudbuild_bootstrap.null_resource.cloudbuild_terraform_builder: Creating... module.cloudbuild_bootstrap.null_resource.cloudbuild_terraform_builder: Provisioning with 'local-exec'... module.cloudbuild_bootstrap.null_resource.cloudbuild_terraform_builder (local-exec): Executing: ["/bin/sh" "-c" " gcloud builds submit ../../modules/cloudbuild/cloudbuild_builder/ \\n --project=cope-cod-codev-sbx \\n --config=../../modules/cloudbuild/cloudbuild_builder/cloudbuild.yaml \\n --gcs-source-staging-dir \\n --substitutions=_TERRAFORM_VERSION=1.0.10,_TERRAFORM_VERSION_SHA256SUM=a221682fcc9cbd7fde22f305ead99b3ad49d8303f152e118edda086a2807716d,_TERRAFORM_VALIDATOR_RELEASE=2021-03-22,_REGION=northamerica-northeast1,_REPOSITORY=codev-tf-runners \\n --async\n"] google_artifact_registry_repository_iam_member.terraform-image-iam: Creation complete after 10s [id=projects/cope-cod-codev-sbx/locations/northamerica-northeast1/repositories/codev-tf-runners/roles/artifactregistry.admin/serviceAccount:terraform0309@cope-cod-codev-sbx.iam.gserviceaccount.com] module.cloudbuild_bootstrap.null_resource.cloudbuild_terraform_builder (local-exec): ERROR: (gcloud.builds.submit) argument --gcs-source-staging-dir: expected one argument module.cloudbuild_bootstrap.null_resource.cloudbuild_terraform_builder (local-exec): Usage: gcloud builds submit [[SOURCE] --no-source] [optional flags] module.cloudbuild_bootstrap.null_resource.cloudbuild_terraform_builder (local-exec): optional flags may be --async | --no-cache | --config | --disk-size | module.cloudbuild_bootstrap.null_resource.cloudbuild_terraform_builder (local-exec): --gcs-log-dir | --gcs-source-staging-dir | --help | module.cloudbuild_bootstrap.null_resource.cloudbuild_terraform_builder (local-exec): --ignore-file | --machine-type | --pack | --region | module.cloudbuild_bootstrap.null_resource.cloudbuild_terraform_builder (local-exec): --no-source | --substitutions | --suppress-logs | module.cloudbuild_bootstrap.null_resource.cloudbuild_terraform_builder (local-exec): --tag | --timeout | --worker-pool

module.cloudbuild_bootstrap.null_resource.cloudbuild_terraform_builder (local-exec): For detailed information on this command and its flags, run: module.cloudbuild_bootstrap.null_resource.cloudbuild_terraform_builder (local-exec): gcloud builds submit --help ╷ │ Warning: Experimental feature "module_variable_optional_attrs" is active │ │ on terraform.tf line 7, in terraform: │ 7: experiments = [module_variable_optional_attrs] │ │ Experimental features are subject to breaking changes in future minor or patch releases, based on feedback. │ │ If you have feedback on the design of this feature, please open a GitHub issue to discuss it. │ │ (and 2 more similar warnings elsewhere) ╵ ╷ │ Error: local-exec provisioner error │ │ with module.cloudbuild_bootstrap.null_resource.cloudbuild_terraform_builder, │ on ../../modules/cloudbuild/main.tf line 121, in resource "null_resource" "cloudbuild_terraform_builder": │ 121: provisioner "local-exec" { │ │ Error running command ' gcloud builds submit ../../modules/cloudbuild/cloudbuild_builder/ \ │ --project=cope-cod-codev-sbx \ │ --config=../../modules/cloudbuild/cloudbuild_builder/cloudbuild.yaml \ │ --gcs-source-staging-dir \ │ --substitutions=_TERRAFORM_VERSION=1.0.10,_TERRAFORM_VERSION_SHA256SUM=a221682fcc9cbd7fde22f305ead99b3ad49d8303f152e118edda086a2807716d,_TERRAFORM_VALIDATOR_RELEASE=2021-03-22,_REGION=northamerica-northeast1,_REPOSITORY=codev-tf-runners \ │ --async │ ': exit status 2. Output: ERROR: (gcloud.builds.submit) argument --gcs-source-staging-dir: expected one argument │ Usage: gcloud builds submit [[SOURCE] --no-source] [optional flags] │ optional flags may be --async | --no-cache | --config | --disk-size | │ --gcs-log-dir | --gcs-source-staging-dir | --help | │ --ignore-file | --machine-type | --pack | --region | │ --no-source | --substitutions | --suppress-logs | │ --tag | --timeout | --worker-pool │ │ For detailed information on this command and its flags, run: │ gcloud builds submit --help

remember to take out flag until the PR is merged

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/pull/11/files remove line 126 of modules/cloudbuild/main.tf --gcs-source-staging-dir \

1144

rerun

Apply complete! Resources: 9 added, 0 changed, 9 destroyed.

Outputs:

csr_name = "containerizedlz" organization_config = { "billing_account" = "01...B" "contacts" = {} "default_region" = "northamerica-northeast1" "department_code" = "Co" "environment" = "P" "labels" = {} "location" = "northamerica-northeast1" "org_id" = "8..0" "owner" = "cod" "root_node" = "folders/4..7" } project_id = "cope-cod-codev-sbx" service_account_email = "terraform0309@cope-cod-codev-sbx.iam.gserviceaccount.com" terraform_deployment_account = "terraform0309@cope-cod-codev-sbx.iam.gserviceaccount.com" tfstate_bucket_names = { "common" = "copeco...edlzco" "nonprod" = "copeco..edlznp" "prod" = "copeco..edlzpr" } INFO - Uploading ./default.tfstate to cop..rizedlzco/environments/bootstrap/default.tfstate cope-cod-codev-sbx Copying file://./default.tfstate [Content-Type=application/octet-stream]... / [1 files][225.9 KiB/225.9 KiB] Operation completed over 1 objects/225.9 KiB. Terraform default.tfstate exists. INFO - Create bootstrap backend INFO - Create common backend INFO - Create bootstrap provider INFO - Create common provider INFO - Create nonprod backend and provider INFO - Create prod backend and provider INFO - Committing code to CSR rm: cannot remove '.git': No such file or directory

check cloud build https://console.cloud.google.com/cloud-build/builds

[obriensystems]

jiras

organization-config.auto.tfvars

root_node = "" # REQUIRED EDIT Organization Node in format "organizations/#############" or "folders/########"

us requirements during the build - clear the org policy https://console.cloud.google.com/iam-admin/orgpolicies/gcp-resourceLocations?organizationId=

failed rm at end of bootstrap.sh script rm: cannot remove '.git': No such file or directory

3) make script reentrant

12

[fmichaelobrien]

reconcile cb readme with root readme https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/tree/main/modules/cloudbuild

Verify Service enablement prior to the CB run

• Google Cloud Resource Manager API: cloudresourcemanager.googleapis.com

• Google Cloud Billing API: cloudbilling.googleapis.com

• Google Cloud IAM API: iam.googleapis.com

• Google Cloud Storage API storage-api.googleapis.com

• Google Cloud Service Usage API: serviceusage.googleapis.com

• Google Cloud Build API: cloudbuild.googleapis.com

• Google Cloud Source Repo API: sourcerepo.googleapis.com

• Google Cloud KMS API: cloudkms.googleapis.com

• roles/billing.user on supplied billing account

• roles/resourcemanager.organizationAdmin on GCP Organization

• roles/resourcemanager.projectCreator on GCP Organization or folder

gcloud services enable \
  cloudbilling.googleapis.com \
  cloudresourcemanager.googleapis.com \
  storage-api.googleapis.com \
  sourcerepo.googleapis.com \
  cloudkms.googleapis.com \
  compute.googleapis.com \
  iam.googleapis.com \
  iamcredentials.googleapis.com \
  monitoring.googleapis.com \
  logging.googleapis.com \
  bigquery.googleapis.com \
  artifactregistry.googleapis.com \
  cloudbuild.googleapis.com \
  container.googleapis.com

[fmichaelobrien]

20220317 - restart and check permissions above

not relevant until I check but I added some service enablement to bootstrap.auto.tfvars

adding

storage-api.googleapis.com

cloudkms.googleapis.com

cloudbuild.googleapis.com

projectServices = [ "cloudbilling.googleapis.com", "serviceusage.googleapis.com", "cloudresourcemanager.googleapis.com", "iam.googleapis.com", "logging.googleapis.com", "accesscontextmanager.googleapis.com", "sourcerepo.googleapis.com", "appengine.googleapis.com", "storage-api.googleapis.com", "cloudkms.googleapis.com", "cloudbuild.googleapis.com"

michael@cloudshell:~$ gcloud config set project landingzone-stg Updated property [core/project]. michael@cloudshell:~ (landingzone-stg)$

checked artifact registry not enabled on landingzone-stg before - enabled after michael@cloudshell:~/github/pbmm-on-gcp-onboarding-main/environments/bootstrap (landingzone-stg)$ gcloud services enable \ cloudbilling.googleapis.com \ cloudresourcemanager.googleapis.com \ storage-api.googleapis.com \ sourcerepo.googleapis.com \ cloudkms.googleapis.com \ compute.googleapis.com \ iam.googleapis.com \ iamcredentials.googleapis.com \ monitoring.googleapis.com \ logging.googleapis.com \ bigquery.googleapis.com \ artifactregistry.googleapis.com \ cloudbuild.googleapis.com \ container.googleapis.com Operation "operations/acat.p2-403373923652-f1144ac7-5e2e-4f9f-afc1-d1a7fc354798" finished successfully.

enablement takes time for some regions Failed to list repositories for the following locations: europe, asia-northeast1, asia-south1. If you recently enabled the Artifact Registry API, the enablement status might not have propagated to these locations. Please try again later.

rerunning to check state on SA

change the cb dockerfile first (even though we have a 777 on it) https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/9#issuecomment-1068465128

COPY entrypoint.bash /builder/entrypoint.bash +RUN chmod +x /builder/entrypoint.bash ENTRYPOINT ["/builder/entrypoint.bash"]

michael@cloudshell:~/github/pbmm-on-gcp-onboarding-main/environments/bootstrap (landingzone-stg)$ ./bootstrap.sh run │ Error: googleapi: Error 403: The caller does not have permission, forbidden │ │ with data.google_service_account_access_token.default, │ on provider.tf line 25, in data "google_service_account_access_token" "default": │ 25: data "google_service_account_access_token" "default" {

modify bootstrap.auto.tfvars with new TF SA name terraformDeploymentAccount = "terraform0317a" # REQUIRED EDIT Name of the service account to created to deploy the terraform code

increase the timeout to 7200s from 1800s in bootstrap.auto.fvars target_service_account = "${TF_SVC_ACCT}" scopes = ["userinfo-email", "cloud-platform"] lifetime = "7200s"

delete provider.tf in bootstrap and common and prod - but not nonprod - replace with the git checkout template

provider "google" {

}

provider "google-beta" {

}

provider "null" {

}

rerun michael@cloudshell:~/github/pbmm-on-gcp-onboarding-main/environments/bootstrap (landingzone-stg)$ ./bootstrap.sh run Apply complete! Resources: 38 added, 1 changed, 36 destroyed. INFO - Uploading ./default.tfstate to copecontainerizedlzco/environments/bootstrap/default.tfstate cope-cod-codev-sbx INFO - Committing code to CSR rm: cannot remove '.git': No such file or directory

[fmichaelobrien]

Thanks Chris for the template - will adapt https://github.com/kubernetes/kubernetes/blob/master/.github/PULL_REQUEST_TEMPLATE.md

[fmichaelobrien]

Add from Saadia the SA token creator role on the lz module https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/commit/7a2cb8eed2a0dd9263a6b041243d45ab89aa3e20

landing-zone-bootstrap/locals.tf "roles/iam.serviceAccountTokenCreator"

use target project and cloud build sa gcloud projects add-iam-policy-binding "project" --member=serviceAccount:proj@cloudbuild.gserviceaccount.com --role=roles/iam.serviceAccountTokenCreator

[fmichaelobrien]

│ Error: googleapi: Error 404: Requested entity was not found., notFound │ │ with data.google_service_account_access_token.default, │ on provider.tf line 25, in data "google_service_account_access_token" "default": │ 25: data "google_service_account_access_token" "default" {

fixed by deleting the provider.tf's as above cycle the bucket name Error: Error when reading or editing Storage Bucket "copecontainerizedlznp": Get "https://storage.googleapis.com/storage/v1/b/copecontainerizedlznp?alt=json&prettyPrint=false": dial tcp [2607:f8b0:400c:c12::80]:443: connect: cannot assign requested address │ │ with module.landing_zone_bootstrap.google_storage_bucket.org_terraform_state["nonprod"], │ on ../../modules/landing-zone-bootstrap/main.tf line 83, in resource "google_storage_bucket" "org_terraform_state": │ 83: resource "google_storage_bucket" "org_terraform_state" {

modified bucket names

rerun Plan: 50 to add, 9 to change, 20 to destroy.

module.cloudbuild_bootstrap.null_resource.cloudbuild_terraform_builder (local-exec): ID: a94f80e0-fae1-4d0c-a844-b50117dcc0c6 module.cloudbuild_bootstrap.null_resource.cloudbuild_terraform_builder (local-exec): CREATE_TIME: 2022-03-17T19:01:25+00:00 module.cloudbuild_bootstrap.null_resource.cloudbuild_terraform_builder (local-exec): DURATION: - module.cloudbuild_bootstrap.null_resource.cloudbuild_terraform_builder (local-exec): SOURCE: gs://cope-cod-codev-sbx_cloudbuild/source/1647543685.116032-ff109bf185f448ba847c6edf89183fa6.tgz module.cloudbuild_bootstrap.null_resource.cloudbuild_terraform_builder (local-exec): IMAGES: - module.cloudbuild_bootstrap.null_resource.cloudbuild_terraform_builder (local-exec): STATUS: QUEUED module.cloudbuild_bootstrap.null_resource.cloudbuild_terraform_builder: Creation complete after 4s [id=8629374506232579809] ╷ │ Warning: Experimental feature "module_variable_optional_attrs" is active │ │ on terraform.tf line 7, in terraform: │ 7: experiments = [module_variable_optional_attrs] │ │ Experimental features are subject to breaking changes in future minor or patch releases, based on feedback. │ │ If you have feedback on the design of this feature, please open a GitHub issue to discuss it. │ │ (and 2 more similar warnings elsewhere) ╵ ╷ │ Error: Failed to save state │ │ Error saving state: Failed to upload state to gs://copecontainerizedlzco/environments/bootstrap/default.tfstate: googleapi: Error 404: The specified bucket does not exist., │ notFound ╵ ╷ │ Error: Failed to persist state to backend │ │ The error shown above has prevented Terraform from writing the updated state to the configured backend. To allow for recovery, the state has been written to the file │ "errored.tfstate" in the current working directory. │ │ Running "terraform apply" again at this point will create a forked state, making it harder to recover. │ │ To retry writing this state, use the following command: │ terraform state push errored.tfstate │ ╵ ╷ │ Error: Error releasing the state lock │ │ Error message: 2 errors occurred: │ storage: object doesn't exist │ storage: object doesn't exist │ │ │ │ Terraform acquires a lock when accessing your state to prevent others │ running Terraform to potentially modify the state at the same time. An │ error occurred while releasing this lock. This could mean that the lock │ did or did not release properly. If the lock didn't release properly, │ Terraform may not be able to run future commands since it'll appear as if │ the lock is held. │ │ In this scenario, please call the "force-unlock" command to unlock the │ state manually. This is a very dangerous operation since if it is done │ erroneously it could result in two people modifying state at the same time. │ Only call this command if you're certain that the unlock above failed and │ that no one else is holding a lock. ╵

rebuild 1st cb job after token fixe landing-zone-bootstrap-push-trigger

note all required on bucket names are not actually required - just need a string as we auto append random chars

add to common tfvars bucket_name = "audit" # REQUIRED EDIT. Must be globally unique, used for the audit bucket - will append

{ # remove line 75 member = "group:group2@test.domain.net" roles = [ "roles/viewer", ] } ]

forgot 84/96/106

[fmichaelobrien]

rerun 2 - make sure we are in a repo - not a zip

[fmichaelobrien]

clone the repo - use an existing folder/project structure https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/14

Welcome to Cloud Shell! Type "help" to get started. Your Cloud Platform project in this session is set to cope-cod-codev-sbx. Use “gcloud config set project [PROJECT_ID]” to change to a different project. cloudshell_open --repo_url "https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding" --page "editor" --tutorial "README.md" --force_new_clone michael@cloudshell:~ (cope-cod-codev-sbx)$ cloudshell_open --repo_url "https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding" --page "editor" --tutorial "README.md" --force_new_clone 2022/03/17 20:43:09 Cloning https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding into /home/michael/cloudshell_open/pbmm-on-gcp-onboarding Cloning into '/home/michael/cloudshell_open/pbmm-on-gcp-onboarding'... remote: Enumerating objects: 797, done. remote: Counting objects: 100% (797/797), done. remote: Compressing objects: 100% (479/479), done. remote: Total 797 (delta 345), reused 712 (delta 285), pack-reused 0 Receiving objects: 100% (797/797), 609.60 KiB | 8.47 MiB/s, done. Resolving deltas: 100% (345/345), done. michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding (cope-cod-codev-sbx)$ git status On branch main Your branch is up to date with 'origin/main'.

michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding (landingzone-sbx)$ gcloud config set project landingzone-stg Updated property [core/project].

michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding (landingzone-stg)$ chmod +x environments/bootstrap/bootstrap.sh michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding (landingzone-stg)$ chmod +x modules/cloudbuild/cloudbuild_builder/entrypoint.bash

modify files

michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding (landingzone-stg)$ git diff diff --git a/environments/bootstrap/bootstrap.auto.tfvars b/environments/bootstrap/bootstrap.auto.tfvars

bootstrap = {

• userDefinedString = "" # REQUIRED EDIT Appended to project name/id
• additionalUserDefinedString = "" # OPTIONAL EDIT Additional appended string
• billingAccount = "" # REQUIRED EDIT Billing Account in the format of ######-######-######
• parent = "" # REQUIRED EDIT Organization Node in format "organizations/#############" or "folders/#############"
• terraformDeploymentAccount = "" # REQUIRED EDIT Name of a service account to be created (alphanumeric before the at sign) used to deploy the terraform code
• bootstrapEmail = "" # REQUIRED EDIT In the form of 'user:user@email.com
• region = "" # REQUIRED EDIT Region name. northamerica-northeast1
• cloud_source_repo_name = "" # REQUIRED EDIT CSR used as a mirror for code
• userDefinedString = "dodev" # REQUIRED EDIT Appended to project name/id
• additionalUserDefinedString = "dbx" # OPTIONAL EDIT Additional appended string
• billingAccount = "01AD...93B" # REQUIRED EDIT Billing Account in the format of ######-######-######
• parent = "folders/452...627" # REQUIRED EDIT Organization Node in format "organizations/#############" or "folders/#############"
• terraformDeploymentAccount = "terraform0317d" # REQUIRED EDIT Name of a service account to be created (alphanumeric before the at sign) used to deploy the terraform code
• bootstrapEmail = "user:michael@co...ed.org" # REQUIRED EDIT In the form of 'user:user@email.com
• region = "northamerica-northeast1" # REQUIRED EDIT Region name. northamerica-northeast1
• cloud_source_repo_name = "containerizedlzd" # REQUIRED EDIT CSR used as a mirror for code

• adding

• storage-api.googleapis.com

• cloudkms.googleapis.com

• cloudbuild.googleapis.com

  projectServices = [ "cloudbilling.googleapis.com", "serviceusage.googleapis.com", @@ -32,21 +36,21 @@ bootstrap = { ] tfstate_buckets = { common = {

• name = "" # REQUIRED EDIT Must be globally unique
• name = "containerizedlzcod" # REQUIRED EDIT Must be globally unique labels = { } storage_class = "STANDARD" force_destroy = true }, nonprod = {
• name = "" # REQUIRED EDIT Must be globally unique
• name = "containerizedlznpd" # REQUIRED EDIT Must be globally unique labels = { } force_destroy = true storage_class = "STANDARD" }, prod = {
• name = "" # REQUIRED EDIT Must be globally unique
• name = "containerizedlzprd" # REQUIRED EDIT Must be globally unique labels = { } force_destroy = true @@ -56,10 +60,10 @@ bootstrap = { }

  Cloud Build

  cloud_build_admins = [

• "user:user@google.com", # REQUIRED EDIT user:user@google.com, group:users@google.com,serviceAccount:robot@PROJECT.iam.gserviceaccount.com
• "user:michael@co....ized.org", # REQUIRED EDIT user:user@google.com, group:users@google.com,serviceAccount:robot@PROJECT.iam.gserviceaccount.com ] group_build_viewers = [
• "user:user@google.com", # REQUIRED EDIT user:user@google.com, group:users@google.com,serviceAccount:robot@PROJECT.iam.gserviceaccount.com

• "user:michael@con...org", # REQUIRED EDIT user:user@google.com, group:users@google.com,serviceAccount:robot@PROJECT.iam.gserviceaccount.com ]

  cloud_build_user_defined_string = ""

  diff --git a/environments/bootstrap/bootstrap.sh b/environments/bootstrap/bootstrap.sh old mode 100644 new mode 100755 diff --git a/environments/bootstrap/organization-config.auto.tfvars b/environments/bootstrap/organization-config.auto.tfvars

  organization_config = {

• org_id = "" # REQUIRED EDIT Numeric portion only '#############'"
• default_region = "" # REQUIRED EDIT Cloudbuild Region
• department_code = "" # REQUIRED EDIT Two Characters. Capitol and then lowercase
• owner = "" # REQUIRED EDIT Used in naming standard
• environment = "" # REQUIRED EDIT S-Sandbox P-Production Q-Quality D-development
• location = "" # REQUIRED EDIT Location used for resources. Currently northamerica-northeast1 is available
• org_id = "8....40" # REQUIRED EDIT Numeric portion only '#############'"
• default_region = "northamerica-northeast1" # REQUIRED EDIT Cloudbuild Region
• department_code = "Do" # REQUIRED EDIT Two Characters. Capitol and then lowercase
• owner = "dod" # REQUIRED EDIT Used in naming standard
• environment = "P" # REQUIRED EDIT S-Sandbox P-Production Q-Quality D-development
• location = "northamerica-northeast1" # REQUIRED EDIT Location used for resources. Currently northamerica-northeast1 is available labels = {} # REQUIRED EDIT Object used for resource labels root_node = "" # REQUIRED EDIT Organization Node in format "organizations/#############" contacts = { "user@email.com" = ["ALL"] # REQUIRED EDIT Essential Contacts for notifications. Must be in the form EMAIL -> [NOTIFICATION_TYPES] }
• billing_account = "" # REQUIRED EDIT Format of ######-######-######
• billing_account = "michael@cont...ed.org" # REQUIRED EDIT Format of ######-######-###### }

diff --git a/environments/common/common.auto.tfvars b/environments/common/common.auto.tfvars index dcda237..1ac427c 100644 --- a/environments/common/common.auto.tfvars +++ b/environments/common/common.auto.tfvars @@ -17,7 +17,7 @@ org_policies = { ] } folders = {

• parent = "organizations/1234567891000"
• parent = "folders/452...627" names = ["Infrastructure", "Sandbox", "Workloads", "Audit and Security", "Automation", "Shared Services"] # Production, NonProduction and Platform are included in the module subfolders_1 = { SharedInfrastructure = "Infrastructure" @@ -45,10 +45,10 @@ access_context_manager = { # REQUIRED OBJECT. VPC Service Controls object. audit = { # REQUIRED OBJECT. Must include an audit object. user_defined_string = "audit" # REQUIRED EDIT. Must be globally unique, used for the audit project additional_user_defined_string = "" # OPTIONAL EDIT. Optionally append a value to the end of the user defined string.
• billing_account = "" # REQUIRED EDIT. Define the audit billing account
• billing_account = "01AD....393B" # REQUIRED EDIT. Define the audit billing account audit_streams = { prod = {
• bucket_name = "" # REQUIRED EDIT. Must be globally unique, used for the audit bucket
• bucket_name = "auditco" # REQUIRED EDIT. Must be globally unique, used for the audit bucket is_locked = false # OPTIONAL EDIT. Required value as it cannot be left null. bucket_force_destroy = true # OPTIONAL EDIT. Required value as it cannot be left null. bucket_storage_class = "STANDARD" # OPTIONAL EDIT. Required value as it cannot be left null. @@ -57,7 +57,7 @@ audit = { # REQUIRED OBJECT. Must include an au description = "Org Sink" # OPTIONAL EDIT. Required value as it cannot be left null. filter = "severity >= WARNING" # OPTIONAL EDIT. Required value as it cannot be left null. retention_period = 1 # OPTIONAL EDIT. Required value as it cannot be left null.
• bucket_viewer = "user:user@google.com" # REQUIRED EDIT.

• bucket_viewer = "user:michael@co...ed.org" # REQUIRED EDIT. } } audit_lables = {} @@ -65,25 +65,25 @@ audit = { # REQUIRED OBJECT. Must include an au

  audit_project_iam = [ #REQUIRED EDIT. At leave one object is required. The member cannot be the same for multiple objects. {

• member = "group:group@test.domain.net"
• member = "user:michael@con...ed.org"

  project = module.project.project_id #(will be added during deployment using local var)

  roles = [ "roles/viewer", "roles/editor", ] },

• {
• member = "group:group2@test.domain.net"
• roles = [
• "roles/viewer",
• ]

• {

• member = "group:group2@test.domain.net"

• roles = [

• "roles/viewer",

• ]

  } ]

  folder_iam = [ {

• member = "group:group@test.domain.net" # REQUIRED EDIT.

• member = "user:michael@co...zed.org" # REQUIRED EDIT.

  folder = module.core-folders.folders_map_1_level["Audit"].id #(will be added during deployment using local var)

  audit_folder_name = "Audit" # REQUIRED EDIT. Name of the Audit folder previously defined. roles = [ @@ -95,8 +95,8 @@ folder_iam = [

  organization_iam = [ {

• member = "group:group@test.domain.net"
• organization = "1234567891000" ###########
• member = "user:michael@co..ed.org"

• organization = "84....40" ########### roles = [ "roles/viewer", ] @@ -104,8 +104,8 @@ organization_iam = [ ]

  guardrails = {

• user_defined_string = "" # REQUIRED EDIT. Must be globally unique. Defines the guardrails projcet
• billing_account = "" # REQUIRED EDIT. Billing Account in the format of ######-######-######
• user_defined_string = "guardrailco3" # REQUIRED EDIT. Must be globally unique. Defines the guardrails projcet
• billing_account = "01A...393B" # REQUIRED EDIT. Billing Account in the format of ######-######-###### org_id_scan_list = [ # OPTIONAL EDIT. Organization Id list for service account to have cloud asset viewer permission ] org_client = false #Set to true if deploying remote client landing zone. Otherwise set to false if deploying for core organization landing zone. diff --git a/modules/cloudbuild/cloudbuild_builder/entrypoint.bash b/modules/cloudbuild/cloudbuild_builder/entrypoint.bash old mode 100644

post 1820 edit forgot common change (see common cloud build job failure)

  sink_name            = ""                 
 sink_name            = "corcommsink1" 

delete older project

Project "CoPe-cod-codev-sbx" is now shut down and scheduled to be deleted after Apr 16, 2022.

rerun

ichael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding/environments/bootstrap (landingzone-stg)$ ./bootstrap.sh run

Plan: 97 to add, 0 to change, 0 to destroy. 17:42 aved the plan to: launchpad.2022-03-17.2103.plan

To perform exactly these actions, run the following command to apply: terraform apply "launchpad.2022-03-17.2103.plan" Please confirm that you have reviewed the plan and wish to apply it. Type 'yes' to proceed yes

INFO - Applying Terraform plan module.landing_zone_bootstrap.module.project.google_project.project: Creating... module.landing_zone_bootstrap.module.project.google_project.project: Still creating... [10s elapsed]

DoPe-dod-dodev-dbx

forgot to update the SA 1800s

1752 - checking jobs

after the cloud build triggers are up - wait for the failure as all jobs have the same priority or now hierarchy rerun the cloud storage build to generate the docker image

then kick in the bootstrap push (pull does not have push)

1758

https://console.cloud.google.com/cloud-build/builds;region=global/792b9d95-6a05-4965-9791-4d9661144431;step=2?project=dope-dod-dodev-dbx

Already have image (with digest): northamerica-northeast1-docker.pkg.dev/dope-dod-dodev-dbx/dodev-tf-runners/terraform

***** TERRAFORM PLAN ** * At environment: environments/common *****

---

╷ │ Error: Invalid expression │ │ on common.auto.tfvars line 80: │ 80: } │ │ Expected the start of an expression, but found an invalid expression token. forgot to comment the bracket michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding/environments/bootstrap (landingzone-stg)$ git status On branch main Changes not staged for commit: (use "git add ..." to update what will be committed) (use "git restore ..." to discard changes in working directory) modified: ../common/common.auto.tfvars

michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding/environments/bootstrap (landingzone-stg)$ git push csr main Enumerating objects: 9, done. Counting objects: 100% (9/9), done. Delta compression using up to 4 threads Compressing objects: 100% (5/5), done. Writing objects: 100% (5/5), 493 bytes | 493.00 KiB/s, done. Total 5 (delta 3), reused 0 (delta 0), pack-reused 0 remote: Resolving deltas: 100% (3/3) To https://source.developers.google.com/p/dope-dod-dodev-dbx/r/containerizedlzd ccb0660..d110e42 main -> main

https://source.cloud.google.com/dope-dod-dodev-dbx/containerizedlzd/+/main:

retry https://console.cloud.google.com/cloud-build/builds;region=global/bc2cb922-b92b-41b9-8aaa-eeac4a19d7c4;step=2?project=dope-dod-dodev-dbx fail rebuild docker image build

rerun bootstra-pull-request-trigger

build ok

then common - first fix typo in common.auto.tfvars missing sink_name = ""

michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding/environments/bootstrap (landingzone-stg)$ git diff diff --git a/environments/common/common.auto.tfvars b/environments/common/common.auto.tfvars index 4de19cf..de339a9 100644 --- a/environments/common/common.auto.tfvars +++ b/environments/common/common.auto.tfvars @@ -53,7 +53,7 @@ audit = { # REQUIRED OBJECT. Must include an au bucket_force_destroy = true # OPTIONAL EDIT. Required value as it cannot be left null. bucket_storage_class = "STANDARD" # OPTIONAL EDIT. Required value as it cannot be left null. labels = {} # OPTIONAL EDIT.

• sink_name = "" # REQUIRED EDIT. Must be unique across organization
• sink_name = "corcommsink1" # REQUIRED EDIT. Must be unique across organization description = "Org Sink" # OPTIONAL EDIT. Required value as it cannot be left null.

michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding/environments/bootstrap (landingzone-stg)$ git add ../common/common.auto.tfvars michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding/environments/bootstrap (landingzone-stg)$ git commit -m "fix common auto tfvars - sink" [main 535a46f] fix common auto tfvars - sink 1 file changed, 1 insertion(+), 1 deletion(-) michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding/environments/bootstrap (landingzone-stg)$ git push csr main

auto trigger cloud build common jobs

1830

failed further in the same we saw during the deploy meet in common-push-trigger - rerunning

Step #3 - "tf apply": │ Error: failed pre-requisites: failed to check permissions on billing account "billingAccounts/michael@containerized.org": googleapi: Error 400: Request contains an invalid argument., badRequest Step #3 - "tf apply": │ Step #3 - "tf apply": │ with module.core-guardrails.module.guardrails_project.google_project.project, Step #3 - "tf apply": │ on ../../modules/project/main.tf line 9, in resource "google_project" "project": Step #3 - "tf apply": │ 9: resource "google_project" "project" {

common-pull-request-trigger is ok

Step #3 - "tf apply": │ Error: failed pre-requisites: failed to check permissions on billing account "billingAccounts/michael@containerized.org": googleapi: Error 400: Request contains an invalid argument., badRequest Step #3 - "tf apply": │ Step #3 - "tf apply": │ with module.core-guardrails.module.guardrails_project.google_project.project, Step #3 - "tf apply": │ on ../../modules/project/main.tf line 9, in resource "google_project" "project": Step #3 - "tf apply": │ 9: resource "google_project" "project" {

forgot root_node in org config and contacts root_node = "" # REQUIRED EDIT Organization Node in format "organizations/#############" folders/452...27

michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding/environments/bootstrap (landingzone-stg)$ git diff
diff --git a/environments/bootstrap/organization-config.auto.tfvars b/environments/bootstrap/organization-config.auto.tfvars
index d49de3a..53f1d23 100644
--- a/environments/bootstrap/organization-config.auto.tfvars
+++ b/environments/bootstrap/organization-config.auto.tfvars
@@ -12,9 +12,9 @@ organization_config = {
   environment     = "P" # REQUIRED EDIT S-Sandbox P-Production Q-Quality D-development
   location        = "northamerica-northeast1" # REQUIRED EDIT Location used for resources. Currently northamerica-northeast1 is available
   labels          = {} # REQUIRED EDIT Object used for resource labels
-  root_node       = "" # REQUIRED EDIT Organization Node in format "organizations/#############"
+  root_node       = "folders/4...27" # REQUIRED EDIT Organization Node in format "organizations/#############"
   contacts = {
-    "user@email.com" = ["ALL"] # REQUIRED EDIT Essential Contacts for notifications. Must be in the form EMAIL -> [NOTIFICATION_TYPES]
+    "michael@con...d.org" = ["ALL"] # REQUIRED EDIT Essential Contacts for notifications. Must be in the form EMAIL -> [NOTIFICATION_TYPES]
   }

michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding/environments/bootstrap (landingzone-stg)$ git add ../bootstrap/organization-config.auto.tfvars
michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding/environments/bootstrap (landingzone-stg)$ git commit -m "fix org root node"
[main 6e12ab1] fix org root node
 1 file changed, 2 insertions(+), 2 deletions(-)
michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding/environments/bootstrap (landingzone-stg)$ git push csr main

bootstrap auto run

ok

queue common-push-trigger still getting a billing issue Step #3 - "tf apply": │ Error: failed pre-requisites: failed to check permissions on billing account "billingAccounts/michael@containerized.org": googleapi: Error 400: Request contains an invalid argument., badRequest Step #3 - "tf apply": │ Step #3 - "tf apply": │ with module.core-guardrails.module.guardrails_project.google_project.project, Step #3 - "tf apply": │ on ../../modules/project/main.tf line 9, in resource "google_project" "project": Step #3 - "tf apply": │ 9: resource "google_project" "project" {

Testing nonprod-pull-request-trigger 1853 1854 Step #2 - "tf plan": ***** TERRAFORM PLAN ** Step #2 - "tf plan": * At environment: environments/nonprod * Step #2 - "tf plan": *****

Step #2 - "tf plan": │ (and 6 more similar warnings elsewhere) Step #2 - "tf plan": ╵ Step #2 - "tf plan": ╷ Step #2 - "tf plan": │ Error: Variables not allowed Step #2 - "tf plan": │ Step #2 - "tf plan": │ on nonp-vpc-svc-ctl.auto.tfvars line 21: Step #2 - "tf plan": │ 21: enable_restriction = bool, Step #2 - "tf plan": │ Step #2 - "tf plan": │ Variables may not be used here. Step #2 - "tf plan": ╵ Step #2 - "tf plan": ╷ Step #2 - "tf plan": │ Error: Variables not allowed Step #2 - "tf plan": │ Step #2 - "tf plan": │ on nonp-vpc-svc-ctl.auto.tfvars line 24: Step #2 - "tf plan": │ 24: dry_run = bool Step #2 - "tf plan": │ Step #2 - "tf plan": │ Variables may not be used here. Step #2 - "tf plan": ╵ Step #2 - "tf plan": ╷ Step #2 - "tf plan": │ Error: Variables not allowed Step #2 - "tf plan": │ Step #2 - "tf plan": │ on nonp-vpc-svc-ctl.auto.tfvars line 25: Step #2 - "tf plan": │ 25: live_run = bool Step #2 - "tf plan": │ Step #2 - "tf plan": │ Variables may not be used here. Step #2 - "tf plan": ╵ Finished Step #2 - "tf plan" ERROR ERROR: build step 2 "northamerica-northeast1-docker.pkg.dev/dope-dod-dodev-dbx/dodev-tf-runners/terraform" failed: step exited with non-zero status: 1

I forgot to edit the tfvars - edit later

The fix from yoppworks for the true/true/false flags was required (pull works, push - working out the firewall RE https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/pull/21/files#diff-1b72faf166129b516a1a01d084d70ec88f510e5bada1570075294713285a769b

michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding/environments/bootstrap$ git diff diff --git a/environments/nonprod/nonp-vpc-svc-ctl.auto.tfvars b/environments/nonprod/nonp-vpc-svc-ctl.auto.tfvars index 1bae0e2..b2b5f1a 100644 --- a/environments/nonprod/nonp-vpc-svc-ctl.auto.tfvars +++ b/environments/nonprod/nonp-vpc-svc-ctl.auto.tfvars @@ -18,11 +18,11 @@ nonprod_vpc_svc_ctl = { resources_dry_run_by_numbers = [""] access_levels_dry_run = [""] vpc_accessible_services = {

• enable_restriction = bool,
• allowed_services = [""],
• enable_restriction = true,
• allowed_services = [ "logging.googleapis.com"], }
• dry_run = bool
• live_run = bool
• dry_run = true
• live_run = false # bool

OK https://console.cloud.google.com/cloud-build/builds;region=global/5dc54c6c-e93d-469b-bb0f-0b6bf784679f?project=dope-dod-dodev-dbx * At environment: environments/nonprod ***

https://console.cloud.google.com/cloud-build/builds;region=global/e08b5a3e-a20a-4863-81f9-d7db0ddec729;step=3?project=dope-dod-dodev-dbx nonprod-push-trigger takes longer than pull-trigger

│ Error: Error creating Firewall: googleapi: Error 400: Invalid value for field 'resource.sourceTags[0]': ''. Must be a match of regex '(?:a-z?)', invalid │ │ with module.firewall.google_compute_firewall.custom["allow-ssh-ingress"], │ on ../../modules/firewall/main.tf line 9, in resource "google_compute_firewall" "custom":

nonprod config up config changes to the csr repo below

[obriensystems]

terraform show output attached

error

in org tfvars - billing account is email billing_account = "mic...erized.org" # REQUIRED EDIT Format of ######-######-######

nonprod config

edit all three auto.tfvars variables in https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/tree/main/environments/nonprod

Before running check pre-PR changes

755's in both scripts

viewer to owner role 2 in common/common.auto.tfvars https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/pull/21/files#diff-cdfb3286ca9a1536d1a76793bb08135732f6fa216a1032f0d96e5a78c4a181e2R118

michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding/environments/bootstrap$ git add organization-config.auto.tfvars michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding/environments/bootstrap$ git add ../nonprod/nonp-network.auto.tfvars michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding/environments/bootstrap$ git commit -m "fix billing account in org tfvars"

michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding/environments/bootstrap$ git push csr main

bootstrap trigger - check permissions

Step #3 - "tf apply": │ Error: Error updating project "DoPe-dod-dodev-dbx": googleapi: Error 403: The caller does not have permission, forbidden Step #3 - "tf apply": │ Step #3 - "tf apply": │ with module.landing_zone_bootstrap.module.project.google_project.project, Step #3 - "tf apply": │ on ../../modules/project/main.tf line 9, in resource "google_project" "project": Step #3 - "tf apply": │ 9: resource "google_project" "project" {

not on common push trigger - as expected until the billing account fix https://console.cloud.google.com/cloud-build/builds;region=global/bc299022-9fef-4d53-98be-867abbd3b716?project=dope-dod-dodev-dbx "tf apply": │ Error: failed pre-requisites: failed to check permissions on billing account "billingAccounts/mic..ed.org": googleapi: Error 400: Request contains an invalid argument., badRequest Step #3 -

however it worked before with the older config Step #3 - "tf apply": Apply complete! Resources: 8 added, 0 changed, 8 destroyed. Step #3 - "tf apply": Step #3 - "tf apply": Outputs: Step #3 - "tf apply": Step #3 - "tf apply": csr_name = "conta..dlzd" Step #3 - "tf apply": organization_config = { Step #3 - "tf apply": "billing_account" = "mich...rized.org" Step #3 - "tf apply": "contacts" = {} Step #3 - "tf apply": "default_region" = "northamerica-northeast1" Step #3 - "tf apply": "department_code" = "Do" Step #3 - "tf apply": "environment" = "P" Step #3 - "tf apply": "labels" = {} Step #3 - "tf apply": "location" = "northamerica-northeast1" Step #3 - "tf apply": "org_id" = "843...0" Step #3 - "tf apply": "owner" = "dod" Step #3 - "tf apply": "root_node" = "" Step #3 - "tf apply": } Step #3 - "tf apply": project_id = "dope-dod-dodev-dbx" Step #3 - "tf apply": service_account_email = "terr..7d@dope-dod-dodev-dbx.iam.gserviceaccount.com" Step #3 - "tf apply": terraform_deployment_account = "terr..7d@dope-dod-dodev-dbx.iam.gserviceaccount.com" Step #3 - "tf apply": tfstate_bucket_names = { Step #3 - "tf apply": "common" = "dopecontainerizedlzcod" Step #3 - "tf apply": "nonprod" = "dopecontainerizedlznpd" Step #3 - "tf apply": "prod" = "dopecontainerizedlzprd" Step #3 - "tf apply": } Finished Step #3 - "tf apply" PUSH Artifacts will be uploaded to gs://dodev-cloudbuild_artifacts using gsutil cp

[obriensystems]

Continuing non-prod/prod based on example branch Note: non-prod needs prod up - to create vpc peering peer_project = "dcde-team-prod-perim" peer_network = "dcdecnr-privperimvpc-vpc"

Step #3 - "tf apply": │ Error: Error adding network peering: googleapi: Error 400: Invalid value for field 'networkPeering.network': 'projects/dcde-team-prod-perim/global/networks/dcdecnr-privperimvpc-vpc'. The project 'dcde-team-prod-perim' was not found., invalid

https://console.cloud.google.com/cloud-build/builds;region=global/7675a46b-1c2b-40ba-bd41-2b378d3301e1?project=dope-cod-codev-dbx

non-prod up peer_project = "" #"dcde-team-prod-perim" peer_network = "" #"dcdecnr-privperimvpc-vpc"

nonprod_vpc_svc_ctl = { 
  regular_service_perimeter = {
    regular_service_perimeter_1 = {
      perimeter_name               = "regular_service_perimeter_nonp_1"
      description                  = "Regular Service Perimeter nonp 1"
 #     restricted_services          = [""]
      resources                    = [] #"dcde-team-nonp-hostproject"] #leave empty if using net host project. no empty strings.
 #     resources_by_numbers         = ["dcde-team-nonp-hostproject"]
      access_level                 = ["dcdevsc_access_level_1_vsc"]
 #     restricted_services_dry_run  = [""]
 #     resources_dry_run            = [""]
 #     resources_dry_run_by_numbers = [""]
 #     access_levels_dry_run        = [""]
 #     vpc_accessible_services = {
 #       enable_restriction = true,
 #       allowed_services   = [ "logging.googleapis.com"],
 #     }
 #     dry_run  = true
      live_run = true #false # bool
    }
  }
  bridge_service_perimeter = { #Remove inner object if not used
    /*bridge_service_perimeter_1 = {
      description          = ""
      perimeter_name       = ""
      resources            = [""]
      resources_by_numbers = [""]
    }*/ 
  }
}

[obriensystems]

20240406: Closing issue during retrofit/rebase of this TEF V1 based/modified repo to TEF V4 standards This issue may participate in the LZ refactor after rebase Query on all issues related to the older V1 version via the tag https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/labels/2024-pre-tef-v4