canada-ca / accelerators_accelerateurs-gcp

[GCP] Tools and templates to accelerate GC service delivery. Outils et modèles pour accélérer la prestation de services du GC.
MIT License

Redeployment example 20220228 #20

Open obriensystems opened 2 years ago

obriensystems commented 2 years ago

example redeployment from scratch - new account

20220228 - ongoing doc - pre PR

prerequisites

new account
organization onboarding

add roles to super admin user:

- Folder Admin
- Organization Policy Admin
- Project Billing Manager
- Project Creator
- optional: Security Center Admin and Support Account Administrator

```shell
git clone https://github.com/canada-ca/accelerators_accelerateurs-gcp
cd ac<tab>
gcloud auth list
gcloud organizations list
export ORG_ID=$(gcloud projects get-ancestors accelerator-dev-cn --format='get(id)' | tail -1)
gcloud organizations add-iam-policy-binding ${ORG_ID} --member="user:<email>" --role="roles/resourcemanager.organizationAdmin"
```

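Once the bindings above are in place, the onboarding user's org-level roles can drift or be over-granted by later steps. The script below is an added example (not code from the accelerator repo or this issue): it reads the JSON that `gcloud organizations get-iam-policy ORG_ID --format=json` prints and reports which of the roles listed above the user is missing, which optional ones are present, any extra roles, and any basic roles (owner/editor) bound at org scope. It goes slightly beyond the comment by also listing who holds `roles/billing.admin`. The role IDs are the predefined GCP roles for the role titles named above; the policy document is constructed sample data.

```python
"""Audit an organization-level IAM policy against the onboarding role set.

Added example, not part of the accelerator repo. Input is the JSON printed by
`gcloud organizations get-iam-policy ORG_ID --format=json` (path as argv[1],
member to audit as argv[2]); with no arguments it runs on the constructed
sample policy below.
"""
import json
import sys

# Predefined role IDs for the roles the onboarding step grants.
REQUIRED_ROLES = {
    "roles/resourcemanager.organizationAdmin",  # Organization Administrator
    "roles/resourcemanager.folderAdmin",        # Folder Admin
    "roles/orgpolicy.policyAdmin",              # Organization Policy Admin
    "roles/billing.projectManager",             # Project Billing Manager
    "roles/resourcemanager.projectCreator",     # Project Creator
}
OPTIONAL_ROLES = {
    "roles/securitycenter.admin",  # Security Center Admin
    "roles/cloudsupport.admin",    # Support Account Administrator
}
# Basic roles are far broader than the set above; at org scope they deserve review.
BROAD_ROLES = {"roles/owner", "roles/editor"}
PURCHASE_ROLE = "roles/billing.admin"  # can purchase Marketplace products

# Constructed sample policy (not a real organization): the admin is missing
# Project Billing Manager, a contractor holds owner, a group holds billing.admin.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:admin@example.com"]},
    {"role": "roles/resourcemanager.folderAdmin",
     "members": ["user:admin@example.com"]},
    {"role": "roles/orgpolicy.policyAdmin",
     "members": ["user:admin@example.com"]},
    {"role": "roles/resourcemanager.projectCreator",
     "members": ["user:admin@example.com",
                 "serviceAccount:tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com"]},
    {"role": "roles/owner",
     "members": ["user:contractor@example.com"]},
    {"role": "roles/billing.admin",
     "members": ["group:gcp-billing-admins@example.com"]}
  ],
  "etag": "BwXyZ0constructed",
  "version": 1
}
"""


def load_policy(text):
    """Parse gcloud JSON output; an org with no bindings yields an empty list."""
    policy = json.loads(text)
    policy.setdefault("bindings", [])
    return policy


def roles_by_member(policy):
    """Invert bindings into {member: {role, ...}}.

    Conditional bindings (those carrying a "condition" key) are counted as
    held here; a stricter audit would list them separately.
    """
    held = {}
    for binding in policy["bindings"]:
        for member in binding.get("members", []):
            held.setdefault(member, set()).add(binding["role"])
    return held


def audit_member(policy, member):
    """Compare one member's org-level roles with the onboarding role set."""
    held = roles_by_member(policy).get(member, set())
    return {
        "missing_required": sorted(REQUIRED_ROLES - held),
        "optional_present": sorted(OPTIONAL_ROLES & held),
        "unexpected": sorted(held - REQUIRED_ROLES - OPTIONAL_ROLES),
    }


def broad_grants(policy):
    """(member, role) pairs for basic roles bound directly at org scope."""
    return sorted(
        (member, binding["role"])
        for binding in policy["bindings"]
        if binding["role"] in BROAD_ROLES
        for member in binding.get("members", [])
    )


def purchasers(policy):
    """Members that hold roles/billing.admin, i.e. can purchase products."""
    return sorted(
        member
        for binding in policy["bindings"]
        if binding["role"] == PURCHASE_ROLE
        for member in binding.get("members", [])
    )


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_POLICY_JSON
    member = argv[2] if len(argv) > 2 else "user:admin@example.com"
    policy = load_policy(text)
    report = audit_member(policy, member)
    print(f"audit for {member}:")
    for key, roles in report.items():
        print(f"  {key}: {', '.join(roles) or '-'}")
    print("basic roles at org scope:", broad_grants(policy) or "-")
    print("members able to purchase (roles/billing.admin):", purchasers(policy) or "-")
    # Non-zero exit when a required role is missing or a basic role is bound,
    # so the check can gate a redeployment pipeline step.
    return 1 if report["missing_required"] or broad_grants(policy) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_org_iam.py policy.json user:<email>` after `gcloud organizations get-iam-policy ${ORG_ID} --format=json > policy.json`; on the sample data it reports the missing Project Billing Manager role and the owner binding and exits 1.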
fmichaelobrien commented 2 years ago

```hcl
# Providers used only to obtain a short-lived token for the Terraform admin
# service account (service account impersonation, no downloaded key).
provider "google" {
  alias  = "impersonate"
  scopes = [
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/userinfo.email",
  ]
}

provider "google-beta" {
  alias  = "impersonate"
  scopes = [
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/userinfo.email",
  ]
}

# Default providers authenticate with the impersonated access token.
provider "google" {
  access_token = data.google_service_account_access_token.default.access_token
}

provider "google-beta" {
  access_token = data.google_service_account_access_token.default.access_token
}

provider "null" {
}

# One-hour token for the seed-project Terraform admin service account.
data "google_service_account_access_token" "default" {
  provider               = google.impersonate
  target_service_account = "tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com"
  scopes                 = ["userinfo-email", "cloud-platform"]
  lifetime               = "3600s"
}
```

fmichaelobrien commented 2 years ago

provider.tf.zip

obriensystems commented 2 years ago

new jira see https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/69

see CM‑2, CM‑3, CM‑4, CM‑5, CM‑8, SA‑22 https://github.com/canada-ca/cloud-guardrails/blob/master/EN/12_Cloud-Marketplace-Config.md

https://github.com/canada-ca/cloud-guardrails/blob/master/EN/00_Applicable-Scope.md

see Service Catalog https://cloud.google.com/service-catalog

permissions at the project level: `cloudprivatecatalogproducer.settings.get`, `cloudprivatecatalogproducer.settings.update`, or IAM policy for purchasing products https://cloud.google.com/marketplace/docs/access-control

purchase via https://cloud.google.com/iam/docs/understanding-roles#billing-roles roles/billing.admin which is in the billing admin group

For usage - add the project viewer https://cloud.google.com/iam/docs/understanding-roles#basic

Issue is though that we seem to need marketplace for certain essential native GCP services like CSR

for example - creating a new repo - contains /marketplace in the url

https://console.cloud.google.com/marketplace/product/google-cloud-platform/cloud-source-repositories?q=search&referrer=search&project=magellan-01

gets us to the source.cloud page

https://source.cloud.google.com/

we need to verify that turning off marketplace will not affect GCP operation