GoogleCloudPlatform / terraform-example-foundation-app

https://registry.terraform.io/modules/GoogleCloudPlatform/terraform-example-foundation-app/google
Apache License 2.0

Deploy Bank of Anthos on example-foundations

[!WARNING]
This blueprint is now deprecated. Please refer to the enterprise application blueprint for an updated implementation of GKE as an internal developer platform.

Overview

This module contains additional Terraform configurations that extend and modify the framework defined by terraform-example-foundation. These additional configurations can be used to securely deploy the Bank of Anthos example application. This is not a complete configuration: it is expected to be used in conjunction with terraform-example-foundation. Within this supplemental configuration, hub-and-spoke mode is enabled by default. If you wish to use this configuration without modifications, ensure that hub-and-spoke mode was enabled in step 1-org of terraform-example-foundation, or go back and enable it so that the necessary hub-and-spoke infrastructure is built. After steps 0-bootstrap, 1-org and 2-environments from terraform-example-foundation are configured completely, this module can be used to supplement the remaining steps. Each step lives in its own directory that must be applied separately, and in the following order, to correctly deploy the application:

Order of Execution

0-bootstrap Bootstraps a Google Cloud organization, creating all the required resources and permissions to start using the Cloud Foundation Toolkit (CFT). This step also configures a CI/CD pipeline for foundations code in subsequent stages.
1-org Sets up top level shared folders, monitoring and networking projects, and organization-level logging, and sets baseline security settings through organizational policy.
2-environments Sets up development, non-production, and production environments within the Google Cloud organization that you've created.
3-networks-extension Sets up the base shared VPCs with the BOA subnets and firewall rules; you need only run the bash script to complete this step.
3-networks Sets up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC Service Controls, on-premises Dedicated Interconnect, and baseline firewall rules for each environment. Also sets up the global DNS hub.
4-projects Sets up a folder structure, projects, and an application infrastructure pipeline for applications, which are connected as service projects to the shared VPC created in the previous stage.
5-infrastructure Sets up the resources needed to deploy Bank of Anthos: GKE clusters, Cloud SQL instances, logging buckets, a bastion host, KMS, an artifact repository, Binary Authorization, etc.
6-anthos Sets up ACM, ASM and the other prerequisites for the Bank of Anthos application.
7-app-build-deploy Builds and deploys the Bank of Anthos application.

3. networks-extension

This step, a network extension, adds on top of the 3-networks layer that is part of terraform-example-foundation/3-networks. It creates a shared VPC per environment (development, non-production and production) configured with subnets, secondary ranges and additional firewall rules, and ships a network_prepare.sh script that automatically populates or replaces configurations in terraform-example-foundation/3-networks with those of the Bank of Anthos example. Currently, this configuration includes:

A Bash script (network_prepare.sh) that automatically prepares the 3-networks layer by merging 3-networks-extension into the 3-networks directory of terraform-example-foundation

4. projects

This step focuses on creating service projects, including an application CI/CD pipeline project and an infrastructure pipeline project that are necessary for the Bank of Anthos configuration to work. Currently, this includes:

Once all steps above have been executed your GCP organization should represent the structure shown below, with projects being the lowest nodes in the tree.

example-organization/
└── fldr-bootstrap
    ├── prj-cloudbuild
    └── prj-seed
└── fldr-common
    ├── prj-bu1-c-app-cicd
    ├── prj-bu1-c-infra-pipeline
    ├── prj-c-billing-logs
    ├── prj-c-dns-hub
    ├── prj-c-interconnect
    ├── prj-c-logging
    ├── prj-c-scc
    └── prj-c-secrets
└── fldr-development
    ├── prj-bu1-d-boa-anthoshub
    ├── prj-bu1-d-boa-gke
    ├── prj-bu1-d-boa-ops
    ├── prj-bu1-d-boa-sec
    ├── prj-bu1-d-boa-sql
    ├── prj-d-monitoring
    ├── prj-d-secrets
    ├── prj-d-shared-base
    └── prj-d-shared-restricted
└── fldr-non-production
    ├── prj-bu1-n-boa-anthoshub
    ├── prj-bu1-n-boa-gke
    ├── prj-bu1-n-boa-ops
    ├── prj-bu1-n-boa-sec
    ├── prj-bu1-n-boa-sql
    ├── prj-n-monitoring
    ├── prj-n-secrets
    ├── prj-n-shared-base
    └── prj-n-shared-restricted
└── fldr-production
    ├── prj-bu1-p-boa-anthoshub
    ├── prj-bu1-p-boa-gke
    ├── prj-bu1-p-boa-ops
    ├── prj-bu1-p-boa-sec
    ├── prj-bu1-p-boa-sql
    ├── prj-p-monitoring
    ├── prj-p-secrets
    ├── prj-p-shared-base
    └── prj-p-shared-restricted

5. infrastructure

The purpose of this step is to deploy the infrastructure for the Bank of Anthos example application using the infrastructure pipeline set up in 4-projects. A Source Repository is also provided, to which the code to be deployed is pushed. All infrastructure components are created in the base network built during step 3-networks-extension. Currently, this includes:

6. anthos-install

The purpose of this step is to install the Anthos components required for the Bank of Anthos example application - Anthos Config Management and Anthos Service Mesh. This step in the process is currently manual. Anthos Config Management can help you create a common configuration across all your infrastructure, including custom policies, and apply it both on-premises and across clouds. Anthos Service Mesh lets you easily manage the security and telemetry of complex environments. Currently, this includes:

7. app-build-deploy

The purpose of this step is to use an opinionated repository to demonstrate Cloud Build based builds of Bank of Anthos with secure CI/CD principles applied. The example simulates a company building and deploying the Bank of Anthos example application to a multi-tier Kubernetes cluster using asynchronous GitOps. Currently, this includes:

  1. Source Code

    • Unit tests are run for all source code
    • Static code analysis is performed on all source code
    • Secrets scanner looks for secrets embedded in source code
    • Code coverage numbers are collected and used to decide whether the build proceeds
  2. Artifact Verification

    • Container structure tests to verify that the container built in the previous step conforms to organizational standards
    • Container analysis to verify that the container does not contain known Common Vulnerabilities and Exposures (CVEs)
  3. Security Attestation

    • Creates an attestation for the verified artifact
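A policy gate that ties the Artifact Verification and Security Attestation steps above together, as an added example that is not code from this repository or from the Bank of Anthos project. The gcloud subcommands and flags are real; the coverage floor, the severity ceiling, the attestor name and the project and Cloud KMS key names are assumptions (overridable through the environment), and the severity lines fed to the gate when it is exercised stand-alone are constructed.

```shell
#!/usr/bin/env bash
# Added example: a fail-closed gate between "Artifact Verification" and
# "Security Attestation". Not code from terraform-example-foundation-app.
# Assumptions: the coverage floor, the severity ceiling, and the attestor,
# project and KMS key names (all overridable through the environment).
set -eu

MIN_COVERAGE="${MIN_COVERAGE:-80}"      # assumed floor, in percent
MAX_SEVERITY="${MAX_SEVERITY:-MEDIUM}"  # assumed ceiling: HIGH and CRITICAL block

# Map a Container Analysis effectiveSeverity value to a comparable rank.
severity_rank() {
  case "$1" in
    CRITICAL) echo 5 ;;
    HIGH)     echo 4 ;;
    MEDIUM)   echo 3 ;;
    LOW)      echo 2 ;;
    MINIMAL)  echo 1 ;;
    *)        echo 0 ;;   # SEVERITY_UNSPECIFIED or anything unexpected
  esac
}

# coverage_gate PERCENT MIN: succeeds when PERCENT (integer or decimal) >= MIN.
coverage_gate() {
  [ "${1%.*}" -ge "$2" ]
}

# vuln_gate MAX: reads one effectiveSeverity per line on stdin (the shape of
#   gcloud artifacts docker images list-vulnerabilities SCAN \
#     --format='value(vulnerability.effectiveSeverity)')
# and fails if any finding outranks MAX. An empty list passes: no findings.
vuln_gate() {
  local max_rank worst=0 sev rank
  max_rank=$(severity_rank "$1")
  while IFS= read -r sev; do
    [ -n "$sev" ] || continue
    rank=$(severity_rank "$sev")
    [ "$rank" -le "$worst" ] || worst=$rank
  done
  [ "$worst" -le "$max_rank" ]
}

# attest IMAGE@DIGEST: sign and create the Binary Authorization attestation
# with a Cloud KMS key. The flag names are gcloud's; the values are assumptions.
attest() {
  gcloud container binauthz attestations sign-and-create \
    --artifact-url="$1" \
    --attestor="${ATTESTOR:-boa-build-attestor}" \
    --attestor-project="${ATTESTOR_PROJECT:-prj-bu1-c-app-cicd}" \
    --keyversion-project="${KMS_PROJECT:-prj-bu1-c-app-cicd}" \
    --keyversion-location="${KMS_LOCATION:-us-central1}" \
    --keyversion-keyring="${KMS_KEYRING:-attestor-keys}" \
    --keyversion-key="${KMS_KEY:-attestor-key}" \
    --keyversion="${KMS_KEY_VERSION:-1}"
}

# run IMAGE@DIGEST COVERAGE_PERCENT: the whole gate, as a Cloud Build step
# would call it after the image is pushed. Requires gcloud credentials.
run() {
  local image="$1" coverage="$2" scan sevs
  case "$image" in
    *@sha256:*) ;;
    *) echo "refusing to attest a tag; pass an image digest" >&2; return 1 ;;
  esac
  coverage_gate "$coverage" "$MIN_COVERAGE" \
    || { echo "coverage ${coverage}% is below ${MIN_COVERAGE}%" >&2; return 1; }
  # Capture scanner output in variables rather than piping gcloud straight into
  # vuln_gate: with set -e a failed scan then aborts the build instead of
  # silently handing the gate an empty finding list (fail closed, not open).
  scan=$(gcloud artifacts docker images scan "$image" --remote \
           --format='value(response.scan)')
  sevs=$(gcloud artifacts docker images list-vulnerabilities "$scan" \
           --format='value(vulnerability.effectiveSeverity)')
  printf '%s\n' "$sevs" | vuln_gate "$MAX_SEVERITY" \
    || { echo "$image has findings above $MAX_SEVERITY; not attesting" >&2; return 1; }
  attest "$image"
}

# Dispatch only when invoked with arguments, so the functions can be sourced.
if [ "$#" -ge 2 ]; then
  run "$@"
fi
```

Invoked as `./gate.sh IMAGE@sha256:... COVERAGE_PERCENT` from a Cloud Build step that runs after the push, it attests only the exact digest that was scanned; attesting a mutable tag would let a later push inherit the attestation. Capturing each gcloud result in a variable before feeding the gate is what makes a scanner outage fail the build rather than pass it.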

This is not an officially supported Google product