fmichaelobrien commented 8 months ago

Purpose: Run a clean org install and minimal lz running the enterprise checklist from below and do a subset coverage analysis with this current full LZ V2

see previous run 10 month ago https://github.com/CloudLandingZone/google-cloud-enterprise-setup-checklist/blob/main/onboarding.md

Questions

TF delete
TF adjust
upstream source for bug/fix tracking pulls and/or PRs
full LZ delete including non-TF console orchestrated artifacts (click-ops in console - as well as solicited user (admin) actions (adding users to groups for example)
fully automated (no click ops) parameterized json/sh input of per/org params for multi-org setups
option for full gcloud install - for everything including groups - where the client does not need IaaC, drift or change tracking

obriensystems commented 8 months ago

Get a new domain and org first

optionally use an existing empty org

start checklist

obriensystems commented 8 months ago

Start the checklist by navigating to IAM | Identity & Organization

step 2 - test non-admin account blocked

Your current account, dev@nuage-cloud.org, doesn’t have the permissions to perform this task. Log into the Cloud Console using either your Workspace or Cloud Identity super administrator account. You can also copy a link to this Users and Groups task and request that your super administrator complete this step.

step 2 - with super admin account (adm*r)

Overview In this task, you create managed user accounts in Google Cloud Identity or Workspace to allow your organization administrators and users to interact with your Google Cloud resources. You also create administrative user groups to manage access to your organization resources and projects. Learn more

In this task you will use Google Admin console to add users and Google Cloud console to create groups and continue with the rest of the checklist. Who performs this task? An identity administrator responsible for managing access to individuals or groups in your organization.

What you do in this task? Create user accounts in Cloud Identity or Workspace for the first cohort of users who will help set up your Google Cloud foundations following this checklist Create a set of recommended administrative groups to administer and govern the core functions of your cloud organization Add administrative users who will participate in the checklist tasks to the groups Why we recommend this task? Creating user accounts and groups is a prerequisite for assigning Cloud Identity and Access Management (IAM) roles. Cloud IAM enables you to adopt the security principle of least privilege to govern user access to your cloud resources. Google Groups are a convenient way to apply IAM to a collection of users. You can grant and change access controls for a whole group at once instead of one at a time for individual users. You will assign IAM roles to the administrative groups in Task 3: Administrative access.

Start Users and Groups

In this step, you create the user groups that will be administering core functions of your organization. The groups created in this task are essential to granting role-based IAM permissions in a later task.

Once created, a group cannot be modified from this page. Replacing a group will create a new one but the original group will not be deleted.

Instructions:

Review the recommended administrative groups listed in the table below. As a best practice, we recommend separation of the administrators' duties, however your organization needs may vary and not require all groups.
Use the Create buttons in the table to create and customize groups one at a time. If you choose to create all groups in a single bulk action, use the Create all groups button.

Google Cloud administrative groups

In this step, you create the user groups that will be administering core functions of your organization. The groups created in this task are essential to granting role-based IAM permissions in a later task.

Once created, a group cannot be modified from this page. Replacing a group will create a new one but the original group will not be deleted.

Instructions:

Review the recommended administrative groups listed in the table below. As a best practice, we recommend separation of the administrators' duties, however your organization needs may vary and not require all groups.
Use the Create buttons in the table to create and customize groups one at a time. If you choose to create all groups in a single bulk action, use the Create all groups button.

Google Cloud administrative groups

Group

Description

gcp-organization-admins

Organization administrators have access to administer all resources belonging to the organization

gcp-billing-admins

Billing administrators are responsible for setting up billing accounts and monitoring their usage

gcp-network-admins

Network administrators are responsible for creating networks, subnets, firewall rules, and network devices such as cloud routers, Cloud VPN instances, and load balancers

gcp-logging-admins

Logging administrators have access to all features of Logging

gcp-logging-viewers

Logging viewers have read-only access to a specific subset of logs ingested into Logging

gcp-monitoring-admins

Monitoring administrators have access to use and configure all features of Cloud Monitoring

gcp-security-admins

Security administrators are responsible for establishing and managing security policies for the entire organization, including access management and organization constraint policies

gcp-developers

Developers are responsible for designing, coding, and testing applications

gcp-devops

DevOps practitioners create or manage end-to-end pipelines that support continuous integration and delivery, monitoring, and system provisioning

obriensystems commented 8 months ago

Create all groups

Create admin users in the admin console

For the purpose of this onboarding checklist, we recommend that you initially add users who will participate in the checklist tasks, such as administrators (organization, network, billing, etc) and decision makers involved with your cloud setup practices. You can continue the rest of the checklist without adding all of your cloud users. At a later time, once you've set up your foundation using this checklist, we recommend adding all users. Follow these instructions to learn about federating and provisioning users into Google Cloud.

Google Admin console is a central place for admins to manage user identities and accounts across Google services, such as Workspace, Google Cloud, Maps, etc.

Instructions: You will need to sign into the Google Admin console with the Super Administrator account that you created in Task 1: Organization. Once you have added your admin users, return to this tab and click Continue to complete the users and groups setup.

obriensystems commented 8 months ago

Manual procedure

not required in my case - as single admin already in

obriensystems commented 8 months ago

2: Add your administrative users to groups

no action required

There appears to be only one member in some of these groups. Do you wish to proceed anyway?

In this step, you add members to the admin groups you created earlier.

The group creator will always be added as a group member at creation time. We recommend that you have more than one member per group.

Instructions:

Add members to your groups by clicking Add members in the table below.
Repeat this for each group listed.

You can also manage group members from the Groups page in the Cloud Console.

In this step, you add members to the admin groups you created earlier.

The group creator will always be added as a group member at creation time. We recommend that you have more than one member per group.

Instructions:

Add members to your groups by clicking Add members in the table below.
Repeat this for each group listed.

You can also manage group members from the Groups page in the Cloud Console.

Group	Members
gcp-organization-admins@nuage-cloud.org	1
gcp-billing-admins@nuage-cloud.org	1
gcp-network-admins@nuage-cloud.org	1
gcp-logging-admins@nuage-cloud.org	1
gcp-logging-viewers@nuage-cloud.org	1
gcp-monitoring-admins@nuage-cloud.org	1
gcp-security-admins@nuage-cloud.org	1
gcp-developers@nuage-cloud.org	1
gcp-devops@nuage-cloud.org	1	In this step, you add members to the admin groups you created earlier. The group creator will always be added as a group member at creation time. We recommend that you have more than one member per group. Instructions: Add members to your groups by clicking Add members in the table below. Repeat this for each group listed. You can also manage group members from the [Groups](https://console.cloud.google.com/iam-admin/groups?organizationId=471924274947) page in the Cloud Console. Group Members [gcp-organization-admins@nuage-cloud.org](https://console.cloud.google.com/iam-admin/groups/01y810tw3y6l2m4?organizationId=471924274947) 1 [gcp-billing-admins@nuage-cloud.org](https://console.cloud.google.com/iam-admin/groups/00pkwqa123a3ubx?organizationId=471924274947) 1 [gcp-network-admins@nuage-cloud.org](https://console.cloud.google.com/iam-admin/groups/01mrcu093ft2l2w?organizationId=471924274947) 1 [gcp-logging-admins@nuage-cloud.org](https://console.cloud.google.com/iam-admin/groups/03hv69ve2ixz78v?organizationId=471924274947) 1 [gcp-logging-viewers@nuage-cloud.org](https://console.cloud.google.com/iam-admin/groups/01302m921p3mtkm?organizationId=471924274947) 1 [gcp-monitoring-admins@nuage-cloud.org](https://console.cloud.google.com/iam-admin/groups/00gjdgxs1seyz17?organizationId=471924274947) 1 [gcp-security-admins@nuage-cloud.org](https://console.cloud.google.com/iam-admin/groups/03q5sasy0onlj9c?organizationId=471924274947) 1 [gcp-developers@nuage-cloud.org](https://console.cloud.google.com/iam-admin/groups/01t3h5sf46jva3h?organizationId=471924274947) 1 [gcp-devops@nuage-cloud.org](https://console.cloud.google.com/iam-admin/groups/02fk6b3p35k9f06?organizationId=471924274947) 1 obriensystems commented 8 months ago 3 - grant administrative access In this task you'll set access at the organizational level. In Task 5: Hierarchy & Access, you'll set it at the folder and project level. The following roles are recommended and based on the principle of least privilege. Note: This step won't remove existing access if your organization has already given access to others. Review IAM policies at the organizational level To accept the IAM policies in the following table, click Save and grant access below. You can also customize the policies for any of the groups. Group (Principal) \| IAM roles \| -- \| -- \| -- gcp-organization-admins@nuage-cloud.org \| Organization Administrator Folder Admin Project Creator Billing Account User Organization Role Administrator Organization Policy Administrator Security Center Admin Support Account Administrator EDIT \| gcp-billing-admins@nuage-cloud.org \| Billing Account Administrator Billing Account Creator Organization Viewer EDIT \| gcp-network-admins@nuage-cloud.org \| Compute Network Admin Compute Shared VPC Admin Compute Security Admin Folder Viewer EDIT \| gcp-logging-admins@nuage-cloud.org \| Logging Admin EDIT \| gcp-monitoring-admins@nuage-cloud.org \| Monitoring Admin EDIT \| gcp-security-admins@nuage-cloud.org \| Organization Policy Administrator Security Reviewer Organization Role Viewer Security Center Admin Folder IAM Admin Private Logs Viewer Logs Configuration Writer Kubernetes Engine Viewer Compute Viewer EDIT \| gcp-devops@nuage-cloud.org \| Folder Viewer EDIT \| In this task you'll set access at the organizational level. In Task 5: Hierarchy & Access, you'll set it at the folder and project level. The following roles are recommended and based on the principle of least privilege. Note: This step won't remove [existing access ](https://console.cloud.google.com/iam-admin/iam?organizationId=471924274947)if your organization has already given access to others. Review IAM policies at the organizational level To accept the IAM policies in the following table, click Save and grant access below. You can also customize the policies for any of the groups. Group (Principal) IAM roles gcp-organization-admins@nuage-cloud.org Organization Administrator Folder Admin Project Creator Billing Account User Organization Role Administrator Organization Policy Administrator Security Center Admin Support Account Administrator gcp-billing-admins@nuage-cloud.org Billing Account Administrator Billing Account Creator Organization Viewer gcp-network-admins@nuage-cloud.org Compute Network Admin Compute Shared VPC Admin Compute Security Admin Folder Viewer gcp-logging-admins@nuage-cloud.org Logging Admin gcp-monitoring-admins@nuage-cloud.org Monitoring Admin gcp-security-admins@nuage-cloud.org Organization Policy Administrator Security Reviewer Organization Role Viewer Security Center Admin Folder IAM Admin Private Logs Viewer Logs Configuration Writer Kubernetes Engine Viewer Compute Viewer gcp-devops@nuage-cloud.org Folder Viewer obriensystems commented 8 months ago 4 Billing however billing is already enabled with extra quota granted previously - in anticipation of more than 5 projects gui issue obriensystems commented 8 months ago 5 - Hierarchy & access What to expect in these next few steps Use our best-practice defaults or choose to customize The next three steps take you through Resource Hierarchy, IAM, Networking, and Centralized Logging setup. You can accept our defaults or choose to customize further to meet your needs. Processing requirements Google Cloud will create a project and enable the Cloud Storage API and Cloud Infrastructure Manager API . Google Cloud will also assign the following roles to the Organization Admin group. You can always remove them after deployment. Cloud Storage Admin on the project Cloud Infrastructure Manager Admin on the project Project Billing Manager at the project level Service Account Admin at the project level Service Usage Admin on the project Groups Admin of the Google Workspace Learn more about the roles assigned to the Organization Admin group. © Githubissues. Githubissues is a development platform for aggregating issues.