Claudia and Michael triage

fixes (will get past permissions issues running terraform)

reentrant bootstrap script has switched to seed project from boostrap - return back to bootstrap
reentrant bootstrap.sh script fails to find terraform services account - as filter does not target seed project missing --project
roles not set properly on super admin (terraform impersonation) account - need service account token creator , folder admin
add verify on super admin account - resourcemanager.folderAdmin, roles/resourcemanager.organizationAdmin, am.serviceAccountTokenCreator
add automation deriving billing and organization ids - gcloud projects get-ancestors and gcloud alpha billing projects describe
multiple roles on terraform service account need separate cli commands - one command only applies the last role
roles missing from terraform service account - pubsub.admin, iam.serviceAccountAdmin
API service enablements missing from seed project - cloudresourcemanager, identitytoolkit, pubsub, cloudbilling.googleapis.com, iam
sed source targets are hardcoded to the HOME directory - converted to relative paths
Terraform service account missing impersonation sections in provider.tf
northamerica-northeast has 2 regions now

New org will require at least one project created (under "no organization") in order for organization to show up in billing under the org. admin groups can be team or public visibility

If not running from home folder (in cloudshell_open) - rename and change the HOME var in the bootstrap.sh script

Instead of relying on "owner" on account being impersonated

add following role to impersonating account (at the org level)
service account token creator = iam.serviceAccountTokenCreator
add following roles to SA tfadmin account (in addition)

roles/pubsub.admin and roles/iam.serviceAccountAdmin ![Uploading Screen Shot 2022-03-25 at 4.59.02 PM.png…]()

gcloud organizations add-iam-policy-binding ${org_id}  --member=serviceAccount:${act} --role=roles/billing.admin
gcloud organizations add-iam-policy-binding ${org_id}  --member=serviceAccount:${act} --role=roles/accesscontextmanager.policyAdmin
gcloud organizations add-iam-policy-binding ${org_id}  --member=serviceAccount:${act} --role=roles/billing.user
gcloud organizations add-iam-policy-binding ${org_id}  --member=serviceAccount:${act} --role=roles/compute.networkAdmin
gcloud organizations add-iam-policy-binding ${org_id}  --member=serviceAccount:${act} --role=roles/compute.xpnAdmin
gcloud organizations add-iam-policy-binding ${org_id}  --member=serviceAccount:${act} --role=roles/iam.organizationRoleAdmin
gcloud organizations add-iam-policy-binding ${org_id}  --member=serviceAccount:${act} --role=roles/resourcemanager.folderAdmin
gcloud organizations add-iam-policy-binding ${org_id}  --member=serviceAccount:${act} --role=roles/resourcemanager.organizationAdmin
gcloud organizations add-iam-policy-binding ${org_id}  --member=serviceAccount:${act} --role=roles/resourcemanager.projectCreator
gcloud organizations add-iam-policy-binding ${org_id}  --member=serviceAccount:${act} --role=roles/resourcemanager.projectDeleter
#gcloud organizations add-iam-policy-binding ${org_id}  --member=serviceAccount:${act} --role=roles/resourcemanager.projectIamAdmin
gcloud organizations add-iam-policy-binding ${org_id}  --member=serviceAccount:${act} --role=roles/resourcemanager.projectMover
gcloud organizations add-iam-policy-binding ${org_id}  --member=serviceAccount:${act} --role=roles/orgpolicy.policyAdmin
gcloud organizations add-iam-policy-binding ${org_id}  --member=serviceAccount:${act} --role=roles/logging.configWriter
gcloud organizations add-iam-policy-binding ${org_id}  --member=serviceAccount:${act} --role=roles/resourcemanager.projectIamAdmin
gcloud organizations add-iam-policy-binding ${org_id}  --member=serviceAccount:${act} --role=roles/serviceusage.serviceUsageAdmin 
gcloud organizations add-iam-policy-binding ${org_id}  --member=serviceAccount:${act} --role=roles/bigquery.dataEditor 
gcloud organizations add-iam-policy-binding ${org_id}  --member=serviceAccount:${act} --role=roles/storage.admin
# 20220322
# only on the super admin account (the one being impersonated)
#gcloud organizations add-iam-policy-binding ${org_id}  --member=serviceAccount:${act} --role=roles/iam.serviceAccountTokenCreator
gcloud organizations add-iam-policy-binding ${org_id}  --member=serviceAccount:${act} --role=roles/iam.serviceAccountAdmin
gcloud organizations add-iam-policy-binding ${org_id}  --member=serviceAccount:${act} --role=roles/pubsub.admin

Enable APIs on both guardrails and seed projects see https://console.cloud.google.com/apis/dashboard?referrer=search&project=accelerator-pg-dev

cloud resource manager
identity and access management
https://console.cloud.google.com/apis/library/iam.googleapis.com?project=accelerator-pg-dev
pubsub via gcloud services enable pubsub.googleapis.com cloudresourcemanager.googleapis.com identitytoolkit.googleapis.com

check services

admin_super@cloudshell:~ (pg-vpc-host-prod)$ gcloud services list --enabled --project accelerator-pg-dev | grep manager
NAME: cloudresourcemanager.googleapis.com
admin_super@cloudshell:~ (pg-vpc-host-prod)$ gcloud services list --enabled --project accelerator-pg-dev | grep identity
NAME: identitytoolkit.googleapis.com
admin_super@cloudshell:~ (pg-vpc-host-prod)$ gcloud services list --enabled --project accelerator-pg-dev | grep pub
NAME: pubsub.googleapis.com

When roles are added - rerun terraform init

Which project to use for load (seed or gr) - seed

replace provider.tf

/*provider "google" {
  alias   = "gcp-provider"
  region  = var.default_region
}*/
provider "google" {
  alias = "impersonate"
  scopes = [
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/userinfo.email",
  ]
}
provider "google-beta" {
  alias = "impersonate"
  scopes = [
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/userinfo.email",
  ]
}
provider "google" {
  access_token = data.google_service_account_access_token.default.access_token
}
provider "google-beta" {
  access_token = data.google_service_account_access_token.default.access_token
}
provider "null" {
}
data "google_service_account_access_token" "default" {
  provider               = google.impersonate
  target_service_account = "tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com"
  scopes                 = ["userinfo-email", "cloud-platform"]
  lifetime               = "3600s"
}

Testing 20220326

test positive/negative role tests admin_super@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-pg-dev)$ ./bootstrap.sh -d dev -p accelerator-pg-dev checking roles of current account: ad...bal ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account all roles set OK on super admin account: ad...al - proceeding admin_super@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-pg-dev)$ ./bootstrap.sh -d dev -p accelerator-pg-dev checking roles of current account: adm...bal roles/iam.serviceAccountTokenCreator role missing ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account missing roles listed above on the super admin account: ad..bal admin_super@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-pg-dev)$ ./bootstrap.sh -d dev -p accelerator-pg-dev checking roles of current account: ad...bal ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account roles/resourcemanager.folderAdmin role missing ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account missing roles listed above on the super admin account: ad...bal admin_super@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-pg-dev)$ ./bootstrap.sh -d dev -p accelerator-pg-dev checking roles of current account: admi...bal ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account roles/resourcemanager.organizationAdmin role missing missing roles listed above on the super admin account: ad...bal admin_super@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-pg-dev)$

run

admin_super@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-pg-dev)$ ./bootstrap.sh -d pgdev -p accelerator-pg-dev seed project id: pgdev-seed-project boostrap project id: accelerator-pg-dev org id: 9...6 billing id: 0...B checking roles of current account: adm...bal ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account all roles set OK on super admin account: ad..er@g..al - proceeding pgdev-seed-project project already exists and will be reused to provision resources billingAccountName: billingAccounts/01...B billingEnabled: true name: projects/pgdev-seed-project/billingInfo projectId: pgdev-seed-project TF SA Already exists as: tfadmin-pgdev@pgdev-seed-project.iam.gserviceaccount.com

gs://pgdev-seed-project-guardrails Creating gs://pgdev-seed-project-guardrails/... Replace backend.tf bucketname Your active configuration is: [cloudshell-10722] Updated property [core/project]. Status: 0 GCP seed project created project id: pgdev-seed-project \n Terraform Service account to be used for creating GCP landing zone = tfadmin-pgdev@pgdev-seed-project.iam.gserviceaccount.com \n Terraform Backend Storage Bucket: gs://pgdev-seed-project-guardrails

add 3 admin accounts

billing_data, ssc_broker, ssc_broker

verify/edit tfvar

run terraform

admin_super@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (pgdev-seed-project)$ terraform init
Initializing modules...
Downloading registry.terraform.io/terraform-google-modules/project-factory/google 10.3.2 for administration...
- administration in .terraform/modules/administration
- administration.budget in .terraform/modules/administration/modules/budget
- administration.gsuite_group in .terraform/modules/administration/modules/gsuite_group
- administration.project-factory in .terraform/modules/administration/modules/core_project_factory
- administration.project-factory.project_services in .terraform/modules/administration/modules/project_services
- administration.quotas in .terraform/modules/administration/modules/quota_manager
- administration.shared_vpc_access in .terraform/modules/administration/modules/shared_vpc_access
Downloading registry.terraform.io/terraform-google-modules/log-export/google 7.3.0 for bigquery_destination...
- bigquery_destination in .terraform/modules/bigquery_destination/modules/bigquery
Downloading registry.terraform.io/terraform-google-modules/log-export/google 7.3.0 for log_export_to_biqquery...
- log_export_to_biqquery in .terraform/modules/log_export_to_biqquery
Downloading registry.terraform.io/terraform-google-modules/log-export/google 7.3.0 for log_export_to_pubsub...
- log_export_to_pubsub in .terraform/modules/log_export_to_pubsub
Downloading registry.terraform.io/terraform-google-modules/log-export/google 7.3.0 for log_export_to_storage...
- log_export_to_storage in .terraform/modules/log_export_to_storage
Downloading registry.terraform.io/terraform-google-modules/org-policy/google 3.0.2 for org-policy...
- org-policy in .terraform/modules/org-policy
Downloading registry.terraform.io/terraform-google-modules/log-export/google 7.3.0 for pubsub_destination...
- pubsub_destination in .terraform/modules/pubsub_destination/modules/pubsub
Downloading registry.terraform.io/terraform-google-modules/log-export/google 7.3.0 for storage_destination...
- storage_destination in .terraform/modules/storage_destination/modules/storage
Initializing the backend...
Successfully configured the backend "gcs"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/google versions matching ">= 2.5.0, >= 3.43.0, >= 3.50.0, >= 3.53.0, < 4.0.0, < 5.0.0"...
- Finding hashicorp/random versions matching "~> 2.2"...
- Finding hashicorp/google-beta versions matching ">= 3.1.0, >= 3.43.0, >= 3.50.0, < 4.0.0"...
- Finding hashicorp/null versions matching "~> 2.1"...
- Installing hashicorp/random v2.3.1...
- Installed hashicorp/random v2.3.1 (signed by HashiCorp)
- Installing hashicorp/google-beta v3.90.1...
- Installed hashicorp/google-beta v3.90.1 (signed by HashiCorp)
- Installing hashicorp/null v2.1.2...
- Installed hashicorp/null v2.1.2 (signed by HashiCorp)
- Installing hashicorp/google v3.90.1...
- Installed hashicorp/google v3.90.1 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.
Terraform has been successfully initialized!

admin_super@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (pgdev-seed-project)$ terraform apply -var-file variables.tfvar

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # google_bigquery_dataset.billing_dataset will be created
  + resource "google_bigquery_dataset" "billing_dataset" {
      + creation_time              = (known after apply)
      + dataset_id                 = "billing_data"
      + delete_contents_on_destroy = false
      + etag                       = (known after apply)
      + friendly_name              = "GCP Billing Data"
      + id                         = (known after apply)
      + last_modified_time         = (known after apply)
      + location                   = "northamerica-northeast1"
      + project                    = (known after apply)
      + self_link                  = (known after apply)

      + access {
          + domain         = (known after apply)
          + group_by_email = (known after apply)
          + role           = (known after apply)
          + special_group  = (known after apply)
          + user_by_email  = (known after apply)

          + view {
              + dataset_id = (known after apply)
              + project_id = (known after apply)
              + table_id   = (known after apply)
            }
        }
    }

  # google_organization_iam_audit_config.org_config[0] will be created
  + resource "google_organization_iam_audit_config" "org_config" {
      + etag    = (known after apply)
      + id      = (known after apply)
      + org_id  = "931661755206"
      + service = "allServices"

      + audit_log_config {
          + exempted_members = []
          + log_type         = "ADMIN_READ"
        }
      + audit_log_config {
          + exempted_members = []
          + log_type         = "DATA_READ"
        }
      + audit_log_config {
          + exempted_members = []
          + log_type         = "DATA_WRITE"
        }
    }

  # google_organization_iam_member.asset_inventory_viewer will be created
  + resource "google_organization_iam_member" "asset_inventory_viewer" {
      + etag   = (known after apply)
      + id     = (known after apply)
      + member = "group:ssc_broker@gcp.packet.global"
      + org_id = "931661755206"
      + role   = "roles/cloudasset.viewer"
    }

  # google_organization_iam_member.billing_viewer will be created
  + resource "google_organization_iam_member" "billing_viewer" {
      + etag   = (known after apply)
      + id     = (known after apply)
      + member = "group:billing_data@gcp.packet.global"
      + org_id = "931661755206"
      + role   = "roles/billing.viewer"
    }

  # google_organization_iam_member.ssc-billing will be created
  + resource "google_organization_iam_member" "ssc-billing" {
      + etag   = (known after apply)
      + id     = (known after apply)
      + member = "group:ssc_broker@gcp.packet.global"
      + org_id = "931661755206"
      + role   = "roles/billing.viewer"
    }

  # google_project_iam_member.audit_log_bq_data_viewer will be created
  + resource "google_project_iam_member" "audit_log_bq_data_viewer" {
      + etag    = (known after apply)
      + id      = (known after apply)
      + member  = "group:audit_data@gcp.packet.global"
      + project = (known after apply)
      + role    = "roles/bigquery.dataViewer"
    }

  # google_project_iam_member.audit_log_bq_user will be created
  + resource "google_project_iam_member" "audit_log_bq_user" {
      + etag    = (known after apply)
      + id      = (known after apply)
      + member  = "group:audit_data@gcp.packet.global"
      + project = (known after apply)
      + role    = "roles/bigquery.user"
    }

  # google_project_iam_member.billing_bq_user will be created
  + resource "google_project_iam_member" "billing_bq_user" {
      + etag    = (known after apply)
      + id      = (known after apply)
      + member  = "group:billing_data@gcp.packet.global"
      + project = (known after apply)
      + role    = "roles/bigquery.user"
    }

  # google_project_iam_member.billing_bq_viewer will be created
  + resource "google_project_iam_member" "billing_bq_viewer" {
      + etag    = (known after apply)
      + id      = (known after apply)
      + member  = "group:billing_data@gcp.packet.global"
      + project = (known after apply)
      + role    = "roles/bigquery.dataViewer"
    }

  # google_storage_bucket.guardrails-bucket will be created
  + resource "google_storage_bucket" "guardrails-bucket" {
      + bucket_policy_only          = (known after apply)
      + force_destroy               = true
      + id                          = (known after apply)
      + location                    = "NORTHAMERICA-NORTHEAST1"
      + name                        = "pgdev-guardrails-assets"
      + project                     = (known after apply)
      + self_link                   = (known after apply)
      + storage_class               = "STANDARD"
      + uniform_bucket_level_access = true
      + url                         = (known after apply)
    }

  # random_string.suffix will be created
  + resource "random_string" "suffix" {
      + id          = (known after apply)
      + length      = 4
      + lower       = true
      + min_lower   = 0
      + min_numeric = 0
      + min_special = 0
      + min_upper   = 0
      + number      = true
      + result      = (known after apply)
      + special     = false
      + upper       = false
    }

  # module.bigquery_destination.google_bigquery_dataset.dataset will be created
  + resource "google_bigquery_dataset" "dataset" {
      + creation_time               = (known after apply)
      + dataset_id                  = "audit_logs"
      + default_table_expiration_ms = 2592000000
      + delete_contents_on_destroy  = true
      + description                 = "Log export dataset"
      + etag                        = (known after apply)
      + id                          = (known after apply)
      + last_modified_time          = (known after apply)
      + location                    = "northamerica-northeast1"
      + project                     = (known after apply)
      + self_link                   = (known after apply)

      + access {
          + domain         = (known after apply)
          + group_by_email = (known after apply)
          + role           = (known after apply)
          + special_group  = (known after apply)
          + user_by_email  = (known after apply)

          + view {
              + dataset_id = (known after apply)
              + project_id = (known after apply)
              + table_id   = (known after apply)
            }
        }
    }

  # module.bigquery_destination.google_project_iam_member.bigquery_sink_member will be created
  + resource "google_project_iam_member" "bigquery_sink_member" {
      + etag    = (known after apply)
      + id      = (known after apply)
      + member  = (known after apply)
      + project = (known after apply)
      + role    = "roles/bigquery.dataEditor"
    }

  # module.bigquery_destination.google_project_service.enable_destination_api will be created
  + resource "google_project_service" "enable_destination_api" {
      + disable_on_destroy = false
      + id                 = (known after apply)
      + project            = (known after apply)
      + service            = "bigquery.googleapis.com"
    }

  # module.log_export_to_biqquery.google_logging_organization_sink.sink[0] will be created
  + resource "google_logging_organization_sink" "sink" {
      + destination      = (known after apply)
      + filter           = <<-EOT
                logName: /logs/cloudaudit.googleapis.com%2Factivity OR
                logName: /logs/cloudaudit.googleapis.com%2Fsystem_event OR
                logName: /logs/cloudaudit.googleapis.com%2Fdata_access OR
                logName: /logs/compute.googleapis.com%2Fvpc_flows OR
                logName: /logs/compute.googleapis.com%2Ffirewall OR
                logName: /logs/cloudaudit.googleapis.com%2Faccess_transparency
        EOT
      + id               = (known after apply)
      + include_children = true
      + name             = "log_sink-bq"
      + org_id           = "931661755206"
      + writer_identity  = (known after apply)

      + bigquery_options {
          + use_partitioned_tables = (known after apply)
        }
    }

  # module.log_export_to_pubsub.google_logging_organization_sink.sink[0] will be created
  + resource "google_logging_organization_sink" "sink" {
      + destination      = (known after apply)
      + filter           = <<-EOT
                logName: /logs/cloudaudit.googleapis.com%2Factivity OR
                logName: /logs/cloudaudit.googleapis.com%2Fsystem_event OR
                logName: /logs/cloudaudit.googleapis.com%2Fdata_access OR
                logName: /logs/compute.googleapis.com%2Fvpc_flows OR
                logName: /logs/compute.googleapis.com%2Ffirewall OR
                logName: /logs/cloudaudit.googleapis.com%2Faccess_transparency
        EOT
      + id               = (known after apply)
      + include_children = true
      + name             = "sk-c-logging-pub"
      + org_id           = "931661755206"
      + writer_identity  = (known after apply)

      + bigquery_options {
          + use_partitioned_tables = (known after apply)
        }
    }

  # module.log_export_to_storage.google_logging_organization_sink.sink[0] will be created
  + resource "google_logging_organization_sink" "sink" {
      + destination      = (known after apply)
      + id               = (known after apply)
      + include_children = true
      + name             = "org_log_sink"
      + org_id           = "931661755206"
      + writer_identity  = (known after apply)

      + bigquery_options {
          + use_partitioned_tables = (known after apply)
        }
    }

  # module.org-policy.google_organization_policy.org_policy_list_allow_values[0] will be created
  + resource "google_organization_policy" "org_policy_list_allow_values" {
      + constraint  = "constraints/gcp.resourceLocations"
      + etag        = (known after apply)
      + id          = (known after apply)
      + org_id      = "931661755206"
      + update_time = (known after apply)
      + version     = (known after apply)

      + list_policy {
          + suggested_value = (known after apply)

          + allow {
              + all    = false
              + values = [
                  + "northamerica-northeast1",
                  + "northamerica-northeast2",
                ]
            }
        }
    }

  # module.pubsub_destination.google_project_service.enable_destination_api will be created
  + resource "google_project_service" "enable_destination_api" {
      + disable_on_destroy = false
      + id                 = (known after apply)
      + project            = (known after apply)
      + service            = "pubsub.googleapis.com"
    }

  # module.pubsub_destination.google_pubsub_subscription.pubsub_subscription[0] will be created
  + resource "google_pubsub_subscription" "pubsub_subscription" {
      + ack_deadline_seconds       = (known after apply)
      + id                         = (known after apply)
      + message_retention_duration = "604800s"
      + name                       = (known after apply)
      + path                       = (known after apply)
      + project                    = (known after apply)
      + topic                      = (known after apply)

      + expiration_policy {
          + ttl = (known after apply)
        }
    }

  # module.pubsub_destination.google_pubsub_subscription_iam_member.pubsub_subscriber_role[0] will be created
  + resource "google_pubsub_subscription_iam_member" "pubsub_subscriber_role" {
      + etag         = (known after apply)
      + id           = (known after apply)
      + member       = (known after apply)
      + project      = (known after apply)
      + role         = "roles/pubsub.subscriber"
      + subscription = (known after apply)
    }

  # module.pubsub_destination.google_pubsub_topic.topic will be created
  + resource "google_pubsub_topic" "topic" {
      + id      = (known after apply)
      + name    = (known after apply)
      + project = (known after apply)

      + message_storage_policy {
          + allowed_persistence_regions = (known after apply)
        }

      + schema_settings {
          + encoding = (known after apply)
          + schema   = (known after apply)
        }
    }

  # module.pubsub_destination.google_pubsub_topic_iam_member.pubsub_sink_member will be created
  + resource "google_pubsub_topic_iam_member" "pubsub_sink_member" {
      + etag    = (known after apply)
      + id      = (known after apply)
      + member  = (known after apply)
      + project = (known after apply)
      + role    = "roles/pubsub.publisher"
      + topic   = (known after apply)
    }

  # module.pubsub_destination.google_pubsub_topic_iam_member.pubsub_viewer_role[0] will be created
  + resource "google_pubsub_topic_iam_member" "pubsub_viewer_role" {
      + etag    = (known after apply)
      + id      = (known after apply)
      + member  = (known after apply)
      + project = (known after apply)
      + role    = "roles/pubsub.viewer"
      + topic   = (known after apply)
    }

  # module.pubsub_destination.google_service_account.pubsub_subscriber[0] will be created
  + resource "google_service_account" "pubsub_subscriber" {
      + account_id   = (known after apply)
      + disabled     = false
      + display_name = (known after apply)
      + email        = (known after apply)
      + id           = (known after apply)
      + name         = (known after apply)
      + project      = (known after apply)
      + unique_id    = (known after apply)
    }

  # module.storage_destination.google_project_service.enable_destination_api will be created
  + resource "google_project_service" "enable_destination_api" {
      + disable_on_destroy = false
      + id                 = (known after apply)
      + project            = (known after apply)
      + service            = "storage-component.googleapis.com"
    }

  # module.storage_destination.google_storage_bucket.bucket will be created
  + resource "google_storage_bucket" "bucket" {
      + bucket_policy_only          = (known after apply)
      + force_destroy               = true
      + id                          = (known after apply)
      + location                    = "NORTHAMERICA-NORTHEAST1"
      + name                        = (known after apply)
      + project                     = (known after apply)
      + self_link                   = (known after apply)
      + storage_class               = "STANDARD"
      + uniform_bucket_level_access = true
      + url                         = (known after apply)

      + versioning {
          + enabled = true
        }
    }

  # module.storage_destination.google_storage_bucket_iam_member.storage_sink_member will be created
  + resource "google_storage_bucket_iam_member" "storage_sink_member" {
      + bucket = (known after apply)
      + etag   = (known after apply)
      + id     = (known after apply)
      + member = (known after apply)
      + role   = "roles/storage.objectCreator"
    }

  # module.administration.module.budget.data.google_project.project[0] will be read during apply
  # (config refers to values not yet known)
 <= data "google_project" "project"  {
      + auto_create_network = (known after apply)
      + billing_account     = (known after apply)
      + folder_id           = (known after apply)
      + id                  = (known after apply)
      + labels              = (known after apply)
      + name                = (known after apply)
      + number              = (known after apply)
      + org_id              = (known after apply)
      + project_id          = (known after apply)
      + skip_delete         = (known after apply)
    }

  # module.administration.module.project-factory.google_project.main will be created
  + resource "google_project" "main" {
      + auto_create_network = false
      + billing_account     = "013514-6D07D1-C8D9DB"
      + folder_id           = (known after apply)
      + id                  = (known after apply)
      + labels              = {
          + "application_name"  = "org-logging"
          + "billing_code"      = "1234"
          + "business_code"     = "abcd"
          + "env_code"          = "p"
          + "environment"       = "production"
          + "primary_contact"   = "example1"
          + "secondary_contact" = "example2"
        }
      + name                = "guardrails"
      + number              = (known after apply)
      + org_id              = "931661755206"
      + project_id          = (known after apply)
      + skip_delete         = (known after apply)
    }

  # module.administration.module.project-factory.google_project_default_service_accounts.default_service_accounts[0] will be created
  + resource "google_project_default_service_accounts" "default_service_accounts" {
      + action           = "DEPRIVILEGE"
      + id               = (known after apply)
      + project          = (known after apply)
      + restore_policy   = "REVERT_AND_IGNORE_FAILURE"
      + service_accounts = (known after apply)
    }

  # module.administration.module.project-factory.google_service_account.default_service_account[0] will be created
  + resource "google_service_account" "default_service_account" {
      + account_id   = "project-service-account"
      + disabled     = false
      + display_name = "guardrails Project Service Account"
      + email        = (known after apply)
      + id           = (known after apply)
      + name         = (known after apply)
      + project      = (known after apply)
      + unique_id    = (known after apply)
    }

  # module.administration.module.project-factory.random_id.random_project_id_suffix will be created
  + resource "random_id" "random_project_id_suffix" {
      + b64         = (known after apply)
      + b64_std     = (known after apply)
      + b64_url     = (known after apply)
      + byte_length = 2
      + dec         = (known after apply)
      + hex         = (known after apply)
      + id          = (known after apply)
    }

  # module.administration.module.project-factory.module.project_services.google_project_service.project_services["bigquery.googleapis.com"] will be created
  + resource "google_project_service" "project_services" {
      + disable_dependent_services = true
      + disable_on_destroy         = true
      + id                         = (known after apply)
      + project                    = (known after apply)
      + service                    = "bigquery.googleapis.com"
    }

  # module.administration.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"] will be created
  + resource "google_project_service" "project_services" {
      + disable_dependent_services = true
      + disable_on_destroy         = true
      + id                         = (known after apply)
      + project                    = (known after apply)
      + service                    = "billingbudgets.googleapis.com"
    }

  # module.administration.module.project-factory.module.project_services.google_project_service.project_services["cloudasset.googleapis.com"] will be created
  + resource "google_project_service" "project_services" {
      + disable_dependent_services = true
      + disable_on_destroy         = true
      + id                         = (known after apply)
      + project                    = (known after apply)
      + service                    = "cloudasset.googleapis.com"
    }

  # module.administration.module.project-factory.module.project_services.google_project_service.project_services["iamcredentials.googleapis.com"] will be created
  + resource "google_project_service" "project_services" {
      + disable_dependent_services = true
      + disable_on_destroy         = true
      + id                         = (known after apply)
      + project                    = (known after apply)
      + service                    = "iamcredentials.googleapis.com"
    }

  # module.administration.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"] will be created
  + resource "google_project_service" "project_services" {
      + disable_dependent_services = true
      + disable_on_destroy         = true
      + id                         = (known after apply)
      + project                    = (known after apply)
      + service                    = "logging.googleapis.com"

Plan: 37 to add, 0 to change, 0 to destroy.

odule.administration.module.project-factory.random_id.random_project_id_suffix: Creation complete after 0s [id=-NE]
random_string.suffix: Creating...
random_string.suffix: Creation complete after 0s [id=j5c1]
google_organization_iam_member.billing_viewer: Creating...
module.administration.module.project-factory.google_project.main: Creating...
google_organization_iam_member.asset_inventory_viewer: Creating...
google_organization_iam_member.ssc-billing: Creating...

module.org-policy.google_organization_policy.org_policy_list_allow_values[0]: Creating...
google_organization_iam_audit_config.org_config[0]: Creating...
module.org-policy.google_organization_policy.org_policy_list_allow_values[0]: Creation complete after 0s [id=931661755206/constraints/gcp.resourceLocations]
google_organization_iam_member.ssc-billing: Creation complete after 8s [id=931661755206/roles/billing.viewer/group:ssc_broker@gcp.packet.global]
google_organization_iam_member.billing_viewer: Still creating... [10s elapsed]
google_organization_iam_member.asset_inventory_viewer: Still creating... [10s elapsed]

odule.org-policy.google_organization_policy.org_policy_list_allow_values[0]: Modifications complete after 1s [id=931661755206/constraints/gcp.resourceLocations]
module.administration.module.project-factory.google_project.main: Still creating... [10s elapsed]
module.administration.module.project-factory.google_project.main: Still creating... [20s elapsed]
module.administration.module.project-factory.google_project.main: Still creating... [30s elapsed]
module.administration.module.project-factory.google_project.main: Still creating... [40s elapsed]
module.administration.module.project-factory.google_project.main: Still creating... [50s elapsed]
module.administration.module.project-factory.google_project.main: Still creating... [1m0s elapsed]
module.administration.module.project-factory.google_project.main: Still creating... [1m10s elapsed]
module.administration.module.project-factory.google_project.main: Still creating... [1m20s elapsed]
module.administration.module.project-factory.google_project.main: Still creating... [1m30s elapsed]
module.administration.module.project-factory.google_project.main: Still creating... [1m40s elapsed]
module.administration.module.project-factory.google_project.main: Still creating... [1m50s elapsed]

on guardrails
     "metadata": {
│       "consumer": "projects/217784992238",
│       "service": "iam.googleapis.com"
│     },
│     "reason": "SERVICE_DISABLED"

admin_super@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (pgdev-seed-project)$ gcloud services list --enabled --project pgdev-seed-project
NAME: bigquery.googleapis.com
TITLE: BigQuery API

NAME: bigquerymigration.googleapis.com
TITLE: BigQuery Migration API

NAME: bigquerystorage.googleapis.com
TITLE: BigQuery Storage API

NAME: cloudapis.googleapis.com
TITLE: Google Cloud APIs

NAME: cloudbilling.googleapis.com
TITLE: Cloud Billing API

NAME: clouddebugger.googleapis.com
TITLE: Cloud Debugger API

NAME: cloudresourcemanager.googleapis.com
TITLE: Cloud Resource Manager API

NAME: cloudtrace.googleapis.com
TITLE: Cloud Trace API

NAME: datastore.googleapis.com
TITLE: Cloud Datastore API

NAME: iam.googleapis.com
TITLE: Identity and Access Management (IAM) API

NAME: iamcredentials.googleapis.com
TITLE: IAM Service Account Credentials API

NAME: identitytoolkit.googleapis.com
TITLE: Identity Toolkit API

NAME: logging.googleapis.com
TITLE: Cloud Logging API

NAME: monitoring.googleapis.com
TITLE: Cloud Monitoring API

NAME: pubsub.googleapis.com
TITLE: Cloud Pub/Sub API

NAME: servicemanagement.googleapis.com
TITLE: Service Management API

NAME: serviceusage.googleapis.com
TITLE: Service Usage API

NAME: sql-component.googleapis.com
TITLE: Cloud SQL

NAME: storage-api.googleapis.com
TITLE: Google Cloud Storage JSON API

NAME: storage-component.googleapis.com
TITLE: Cloud Storage

NAME: storage.googleapis.com
TITLE: Cloud Storage API

admin_super@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (pgdev-seed-project)$ gcloud services list --enabled --project guardrails-f8d1
NAME: bigquery.googleapis.com
TITLE: BigQuery API

NAME: bigquerymigration.googleapis.com
TITLE: BigQuery Migration API

NAME: bigquerystorage.googleapis.com
TITLE: BigQuery Storage API

NAME: billingbudgets.googleapis.com
TITLE: Cloud Billing Budget API

NAME: cloudasset.googleapis.com
TITLE: Cloud Asset API

NAME: compute.googleapis.com
TITLE: Compute Engine API

NAME: iamcredentials.googleapis.com
TITLE: IAM Service Account Credentials API

NAME: logging.googleapis.com
TITLE: Cloud Logging API

NAME: oslogin.googleapis.com
TITLE: Cloud OS Login API

NAME: pubsub.googleapis.com
TITLE: Cloud Pub/Sub API

NAME: storage-component.googleapis.com
TITLE: Cloud Storage

admin_super@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (pgdev-seed-project)$ gcloud services enable iam.googleapis.com  --project guardrails-f8d1
Operation "operations/acat.p2-135106978367-96dd5aae-4dc9-4cad-bee6-a91c724ddf2f" finished successfully.

rerun


Terraform will perform the following actions:

  # module.org-policy.google_organization_policy.org_policy_list_allow_values[0] will be updated in-place
  ~ resource "google_organization_policy" "org_policy_list_allow_values" {
        id          = "931661755206/constraints/gcp.resourceLocations"
        # (5 unchanged attributes hidden)

      ~ list_policy {
            # (1 unchanged attribute hidden)

          ~ allow {
              ~ values = [
                  - "in:northamerica-northeast1-locations",
                  - "in:northamerica-northeast2-locations",
                  + "northamerica-northeast1",
                  + "northamerica-northeast2",
                ]
                # (1 unchanged attribute hidden)
            }
        }
    }

  # module.pubsub_destination.google_pubsub_subscription_iam_member.pubsub_subscriber_role[0] will be created
  + resource "google_pubsub_subscription_iam_member" "pubsub_subscriber_role" {
      + etag         = (known after apply)
      + id           = (known after apply)
      + member       = (known after apply)
      + project      = "guardrails-f8d1"
      + role         = "roles/pubsub.subscriber"
      + subscription = "projects/guardrails-f8d1/subscriptions/tp-org-logs-j5c1-subscription"
    }

  # module.pubsub_destination.google_pubsub_topic_iam_member.pubsub_viewer_role[0] will be created
  + resource "google_pubsub_topic_iam_member" "pubsub_viewer_role" {
      + etag    = (known after apply)
      + id      = (known after apply)
      + member  = (known after apply)
      + project = "guardrails-f8d1"
      + role    = "roles/pubsub.viewer"
      + topic   = "tp-org-logs-j5c1"
    }

  # module.pubsub_destination.google_service_account.pubsub_subscriber[0] will be created
  + resource "google_service_account" "pubsub_subscriber" {
      + account_id   = "tp-org-logs-j5c1-subscriber"
      + disabled     = false
      + display_name = "tp-org-logs-j5c1 Topic Subscriber"
      + email        = (known after apply)
      + id           = (known after apply)
      + name         = (known after apply)
      + project      = "guardrails-f8d1"
      + unique_id    = (known after apply)
    }

  # module.administration.module.project-factory.google_service_account.default_service_account[0] will be created
  + resource "google_service_account" "default_service_account" {
      + account_id   = "project-service-account"
      + disabled     = false
      + display_name = "guardrails Project Service Account"
      + email        = (known after apply)
      + id           = (known after apply)
      + name         = (known after apply)
      + project      = "guardrails-f8d1"
      + unique_id    = (known after apply)
    }

Plan: 4 to add, 1 to change, 0 to destroy.
module.administration.module.project-factory.google_service_account.default_service_account[0]: Creation complete after 1s [id=projects/guardrails-f8d1/serviceAccounts/project-service-account@guardrails-f8d1.iam.gserviceaccount.com]
module.pubsub_destination.google_pubsub_topic_iam_member.pubsub_viewer_role[0]: Creating...
module.pubsub_destination.google_pubsub_subscription_iam_member.pubsub_subscriber_role[0]: Creating...
module.pubsub_destination.google_pubsub_topic_iam_member.pubsub_viewer_role[0]: Creation complete after 4s [id=projects/guardrails-f8d1/topics/tp-org-logs-j5c1/roles/pubsub.viewer/serviceAccount:tp-org-logs-j5c1-subscriber@guardrails-f8d1.iam.gserviceaccount.com]
module.pubsub_destination.google_pubsub_subscription_iam_member.pubsub_subscriber_role[0]: Creation complete after 4s [id=projects/guardrails-f8d1/subscriptions/tp-org-logs-j5c1-subscription/roles/pubsub.subscriber/serviceAccount:tp-org-logs-j5c1-subscriber@guardrails-f8d1.iam.gserviceaccount.com]

Apply complete! Resources: 4 added, 1 changed, 0 destroyed.

rerun 20220606 nuage-cloud.info

admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d ssc -p accelerator-nc-info
seed project id: ssc-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
orgpolicy.policyAdmin
roles/orgpolicy.policyAdmin role missing

admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d ssc -p accelerator-nc-info
seed project id: ssc-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
orgpolicy.policyAdmin
ROLE: roles/orgpolicy.policyAdmin role set OK on super admin account
resourcemanager.projectCreator
roles/resourcemanager.projectCreator role missing

admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d ssc -p accelerator-nc-info
seed project id: ssc-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
orgpolicy.policyAdmin
ROLE: roles/orgpolicy.policyAdmin role set OK on super admin account
resourcemanager.projectCreator
ROLE: roles/resourcemanager.projectCreator role set OK on super admin account
billing.projectManager
roles/billing.projectManager role missing

ERROR: (gcloud.projects.create) Project creation failed. The project ID you specified is already in use by another project. Please try an alternative ID.

admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d sscncinfo -p accelerator-nc-infoseed project id: sscncinfo-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
orgpolicy.policyAdmin
ROLE: roles/orgpolicy.policyAdmin role set OK on super admin account
resourcemanager.projectCreator
ROLE: roles/resourcemanager.projectCreator role set OK on super admin account
billing.projectManager
ROLE: roles/billing.projectManager role set OK on super admin account
all roles set OK on super admin account:  admin-root@nuage-cloud.info - proceeding
enabling pubsub.googleapis.com identitytoolkit cloudresourcemanager iam cloudbilling on accelerator-nc-info project
Operation "operations/acat.p2-22751541827-4306a61b-7ded-4f53-9f84-90ec99f0308e" finished successfully.

version: 1
Updated IAM policy for organization [93413315325].
bindings:
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/accesscontextmanager.policyAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/bigquery.dataEditor
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/billing.admin
- members:
  - domain:nuage-cloud.info
  role: roles/billing.creator
- members:
  - user:admin-root@nuage-cloud.info
  role: roles/billing.projectManager
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/billing.user
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/compute.networkAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/compute.xpnAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/iam.organizationRoleAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/iam.serviceAccountAdmin
- members:
  - user:admin-root@nuage-cloud.info
  role: roles/iam.serviceAccountTokenCreator
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/logging.configWriter
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/orgpolicy.policyAdmin
- members:
  - user:admin-root@nuage-cloud.info
  role: roles/owner
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/pubsub.admin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/resourcemanager.folderAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/resourcemanager.organizationAdmin
- members:
  - domain:nuage-cloud.info
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/resourcemanager.projectCreator
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/resourcemanager.projectDeleter
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/resourcemanager.projectIamAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/resourcemanager.projectMover
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/serviceusage.serviceUsageAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/storage.admin
etag: BwXg0nKAunQ=
version: 1
gs://sscncinfo-seed-project-guardrails
Creating gs://sscncinfo-seed-project-guardrails/...
Replace backend.tf bucketname
Your active configuration is: [cloudshell-29815]
Updated property [core/project].
wrote TF SA to provider.tf and variables.tfvar along with the bucket, billing account and org id - verify them
enabling pubsub identitytoolkit cloudresourcemanager iam cloudbilling on sscncinfo-seed-project project
Operation "operations/acf.p2-812518854148-daa12580-0728-4c5c-b618-9cbd23a91b02" finished successfully.
NAME: cloudresourcemanager.googleapis.com
NAME: identitytoolkit.googleapis.com
NAME: pubsub.googleapis.com
NAME: cloudbilling.googleapis.com
NAME: iam.googleapis.com
if you get an iam permission on the guardrails-aaaa project - run gcloud services enable iam.googleapis.com --project guardrails-nnnn
Status: 0
GCP seed project created project id: sscncinfo-seed-project \n
 Terraform Service account to be used for creating GCP landing zone =  tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com \n
 Terraform Backend Storage Bucket: gs://sscncinfo-seed-project-guardrails

3 groups

audit_data_users="audit_data_users@nuage-cloud.info"
ssc_broker_users="ssc_broker_users@nuage-cloud.info"
org_id="93413315325"
terraform_service_account="tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com"
billing_account="01522C-BEE0DC-529989"
billing_data_users="billing_data_users@nuage-cloud.info"
audit_logs_table_delete_contents_on_destroy=true
log_export_storage_force_destroy=true
allowed_regions=["northamerica-northeast1", "northamerica-northeast2"]
bucket_name="sscncinfo-guardrails-assets"

remember to edit the service account in providers

locals { terraform_service_account = "tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com" }

admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (sscncinfo-seed-project)$ cd ..
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails (sscncinfo-seed-project)$ cd ..
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform (sscncinfo-seed-project)$ ls
guardrails
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform (sscncinfo-seed-project)$ gcloud config set project accelerator-nc-info
Updated property [core/project].
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform (accelerator-nc-info)$ cd guardrails/1-guardrails/
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (accelerator-nc-info)$ terraform init

stay in the seed project

Initializing the backend...
╷
│ Error: Failed to get existing workspaces: querying Cloud Storage failed: storage: bucket doesn't exist

admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (accelerator-nc-info)$ gcloud config set project sscncinfo-seed-project
Updated property [core/project].
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (sscncinfo-seed-project)$ terraform init

forgot to edit the service account

locals { terraform_service_account = "" }
locals { terraform_service_account = "tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com" }

issue with bucket was a misname in the past was not fixed

    bucket = "ssc-seed-project-guardrails"

    should be

    bucket = "sscncinfo-seed-project-guardrails"

    admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (sscncinfo-seed-project)$ terraform init
Initializing modules...

Initializing the backend...

Successfully configured the backend "gcs"! Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...
- Finding hashicorp/google versions matching ">= 2.5.0, >= 3.43.0, >= 3.50.0, >= 3.53.0, < 4.0.0, < 5.0.0"...
- Finding hashicorp/random versions matching "~> 2.2"...
- Finding hashicorp/google-beta versions matching ">= 3.1.0, >= 3.43.0, >= 3.50.0, < 4.0.0"...
- Finding hashicorp/null versions matching "~> 2.1"...
- Installing hashicorp/google v3.90.1...
- Installed hashicorp/google v3.90.1 (signed by HashiCorp)
- Installing hashicorp/random v2.3.1...
- Installed hashicorp/random v2.3.1 (signed by HashiCorp)
- Installing hashicorp/google-beta v3.90.1...
- Installed hashicorp/google-beta v3.90.1 (signed by HashiCorp)
- Installing hashicorp/null v2.1.2...
- Installed hashicorp/null v2.1.2 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (sscncinfo-seed-project)$ terraform apply -var-file variables.tfvar

Plan: 37 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value:

  2256

google_organization_iam_audit_config.org_config[0]: Creating...
module.org-policy.google_organization_policy.org_policy_list_allow_values[0]: Creating...
google_organization_iam_member.ssc-billing: Creating...
module.org-policy.google_organization_policy.org_policy_list_allow_values[0]: Creation complete after 1s [id=93413315325/constraints/gcp.resourceLocations]
google_organization_iam_member.asset_inventory_viewer: Creation complete after 5s [id=93413315325/roles/cloudasset.viewer/group:ssc_broker_users@nuage-cloud.info]
google_organization_iam_member.billing_viewer: Still creating... [10s elapsed]
google_organization_iam_audit_config.org_config[0]: Still creating... [10s elapsed]
module.administration.module.project-factory.google_project.main: Still creating... [10s elapsed]
google_organization_iam_member.ssc-billing: Still creating... [10s elapsed]
google_organization_iam_member.billing_viewer: Creation complete after 17s [id=93413315325/roles/billing.viewer/group:billing_data_users@nuage-cloud.info]
google_organization_iam_audit_config.org_config[0]: Creation complete after 17s [id=93413315325/audit_config/allServices]
google_organization_iam_member.ssc-billing: Creation complete after 18s [id=93413315325/roles/billing.viewer/group:ssc_broker_users@nuage-cloud.info]
module.administration.module.project-factory.google_project.main: Still creating... [20s elapsed]
module.administration.module.project-factory.google_project.main: Still creating... [30s elapsed]

module.administration.module.project-factory.google_project.main: Still creating... [2m0s elapsed]

odule.administration.module.project-factory.google_project.main: Still creating... [3m10s elapsed]
module.administration.module.project-factory.google_project.main: Creation complete after 3m13s [id=projects/guardrails-eaba]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["bigquery.googleapis.com"]: Creating...
module.administration.module.project-factory.google_service_account.default_service_account[0]: Creating...

module.administration.module.project-factory.google_service_account.default_service_account[0]: Creating...
module.administration.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Creating...
module.administration.module.project-factory.module.project_services.google_project_service.project_services["iamcredentials.googleapis.com"]: Creating...
module.administration.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Creating...
module.administration.module.project-factory.module.project_services.google_project_service.project_services["cloudasset.googleapis.com"]: Creating...
module.administration.module.project-factory.google_service_account.default_service_account[0]: Creation complete after 1s [id=projects/guardrails-eaba/serviceAccounts/project-service-account@guardrails-eaba.iam.gserviceaccount.com]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["bigquery.googleapis.com"]: Still creating... [10s elapsed]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Still creating... [10s elapsed]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["iamcredentials.googleapis.com"]: Still creating... [10s elapsed]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["cloudasset.googleapis.com"]: Still creating... [10s elapsed]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Still creating... [10s elapsed]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["bigquery.googleapis.com"]: Creation complete after 17s [id=guardrails-eaba/bigquery.googleapis.com]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Still creating... [20s elapsed]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["iamcredentials.googleapis.com"]: Still creating... [20s elapsed]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Still creating... [20s elapsed]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["cloudasset.googleapis.com"]: Still creating... [20s elapsed]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["iamcredentials.googleapis.com"]: Creation complete after 20s [id=guardrails-eaba/iamcredentials.googleapis.com]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["cloudasset.googleapis.com"]: Creation complete after 20s [id=guardrails-eaba/cloudasset.googleapis.com]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Creation complete after 20s [id=guardrails-eaba/billingbudgets.googleapis.com]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Creation complete after 20s [id=guardrails-eaba/logging.googleapis.com]
module.administration.module.budget.data.google_project.project[0]: Reading...
module.bigquery_destination.google_project_service.enable_destination_api: Creating...
module.storage_destination.google_project_service.enable_destination_api: Creating...
google_project_iam_member.audit_log_bq_data_viewer: Creating...
module.administration.module.project-factory.google_project_default_service_accounts.default_service_accounts[0]: Creating...
google_project_iam_member.audit_log_bq_user: Creating...
google_project_iam_member.billing_bq_viewer: Creating...
google_project_iam_member.billing_bq_user: Creating...
google_storage_bucket.guardrails-bucket: Creating...
google_bigquery_dataset.billing_dataset: Creating...
module.administration.module.budget.data.google_project.project[0]: Read complete after 0s [id=projects/guardrails-eaba]
module.pubsub_destination.google_project_service.enable_destination_api: Creating...
google_storage_bucket.guardrails-bucket: Creation complete after 0s [id=sscncinfo-guardrails-assets]
google_bigquery_dataset.billing_dataset: Creation complete after 0s [id=projects/guardrails-eaba/datasets/billing_data]
module.administration.module.project-factory.google_project_default_service_accounts.default_service_accounts[0]: Creation complete after 0s [id=projects/guardrails-eaba]
module.bigquery_destination.google_project_service.enable_destination_api: Creation complete after 3s [id=guardrails-eaba/bigquery.googleapis.com]
module.bigquery_destination.google_bigquery_dataset.dataset: Creating...
module.bigquery_destination.google_bigquery_dataset.dataset: Creation complete after 1s [id=projects/guardrails-eaba/datasets/audit_logs]
module.log_export_to_biqquery.google_logging_organization_sink.sink[0]: Creating...
module.log_export_to_biqquery.google_logging_organization_sink.sink[0]: Creation complete after 0s [id=organizations/93413315325/sinks/log_sink-bq]
module.bigquery_destination.google_project_iam_member.bigquery_sink_member: Creating...
module.storage_destination.google_project_service.enable_destination_api: Still creating... [10s elapsed]
google_project_iam_member.billing_bq_viewer: Still creating... [10s elapsed]
google_project_iam_member.billing_bq_user: Still creating... [10s elapsed]
module.pubsub_destination.google_project_service.enable_destination_api: Still creating... [10s elapsed]
module.bigquery_destination.google_project_iam_member.bigquery_sink_member: Still creating... [10s elapsed]
google_project_iam_member.billing_bq_viewer: Creation complete after 18s [id=guardrails-eaba/roles/bigquery.dataViewer/group:billing_data_users@nuage-cloud.info]
google_project_iam_member.billing_bq_user: Creation complete after 18s [id=guardrails-eaba/roles/bigquery.user/group:billing_data_users@nuage-cloud.info]
module.bigquery_destination.google_project_iam_member.bigquery_sink_member: Creation complete after 14s [id=guardrails-eaba/roles/bigquery.dataEditor/serviceAccount:o93413315325-184367@gcp-sa-logging.iam.gserviceaccount.com]
module.storage_destination.google_project_service.enable_destination_api: Still creating... [20s elapsed]
module.pubsub_destination.google_project_service.enable_destination_api: Still creating... [20s elapsed]
module.storage_destination.google_project_service.enable_destination_api: Creation complete after 20s [id=guardrails-eaba/storage-component.googleapis.com]
module.pubsub_destination.google_project_service.enable_destination_api: Creation complete after 20s [id=guardrails-eaba/pubsub.googleapis.com]
module.pubsub_destination.google_pubsub_topic.topic: Creating...
module.storage_destination.google_storage_bucket.bucket: Creating...
module.storage_destination.google_storage_bucket.bucket: Creation complete after 1s [id=bkt-guardrails-eaba-org-logs-5ufo]
module.log_export_to_storage.google_logging_organization_sink.sink[0]: Creating...
module.log_export_to_storage.google_logging_organization_sink.sink[0]: Creation complete after 1s [id=organizations/93413315325/sinks/org_log_sink]
module.storage_destination.google_storage_bucket_iam_member.storage_sink_member: Creating...
module.pubsub_destination.google_pubsub_topic.topic: Creation complete after 2s [id=projects/guardrails-eaba/topics/tp-org-logs-5ufo]
module.pubsub_destination.google_service_account.pubsub_subscriber[0]: Creating...
module.log_export_to_pubsub.google_logging_organization_sink.sink[0]: Creating...
module.pubsub_destination.google_pubsub_subscription.pubsub_subscription[0]: Creating...
module.pubsub_destination.google_service_account.pubsub_subscriber[0]: Creation complete after 1s [id=projects/guardrails-eaba/serviceAccounts/tp-org-logs-5ufo-subscriber@guardrails-eaba.iam.gserviceaccount.com]
module.pubsub_destination.google_pubsub_topic_iam_member.pubsub_viewer_role[0]: Creating...
module.log_export_to_pubsub.google_logging_organization_sink.sink[0]: Creation complete after 1s [id=organizations/93413315325/sinks/sk-c-logging-pub]
module.pubsub_destination.google_pubsub_topic_iam_member.pubsub_sink_member: Creating...
module.pubsub_destination.google_pubsub_subscription.pubsub_subscription[0]: Creation complete after 2s [id=projects/guardrails-eaba/subscriptions/tp-org-logs-5ufo-subscription]
module.pubsub_destination.google_pubsub_subscription_iam_member.pubsub_subscriber_role[0]: Creating...
module.storage_destination.google_storage_bucket_iam_member.storage_sink_member: Creation complete after 4s [id=b/bkt-guardrails-eaba-org-logs-5ufo/roles/storage.objectCreator/serviceAccount:o93413315325-175817@gcp-sa-logging.iam.gserviceaccount.com]
module.pubsub_destination.google_pubsub_topic_iam_member.pubsub_viewer_role[0]: Creation complete after 4s [id=projects/guardrails-eaba/topics/tp-org-logs-5ufo/roles/pubsub.viewer/serviceAccount:tp-org-logs-5ufo-subscriber@guardrails-eaba.iam.gserviceaccount.com]
module.pubsub_destination.google_pubsub_subscription_iam_member.pubsub_subscriber_role[0]: Creation complete after 5s [id=projects/guardrails-eaba/subscriptions/tp-org-logs-5ufo-subscription/roles/pubsub.subscriber/serviceAccount:tp-org-logs-5ufo-subscriber@guardrails-eaba.iam.gserviceaccount.com]
module.pubsub_destination.google_pubsub_topic_iam_member.pubsub_sink_member: Creation complete after 8s [id=projects/guardrails-eaba/topics/tp-org-logs-5ufo/roles/pubsub.publisher/serviceAccount:o93413315325-076548@gcp-sa-logging.iam.gserviceaccount.com]
╷
│ Error: Request `Create IAM Members roles/bigquery.user group:audit_data_users@nuage-cloud.info for project "guardrails-eaba"` returned error: Batch request and retried single request "Create IAM Members roles/bigquery.user group:audit_data_users@nuage-cloud.info for project \"guardrails-eaba\"" both failed. Final error: Error applying IAM policy for project "guardrails-eaba": Error setting IAM policy for project "guardrails-eaba": googleapi: Error 400: Group audit_data_users@nuage-cloud.info does not exist., badRequest
│
│   with google_project_iam_member.audit_log_bq_user,
│   on iam.tf line 37, in resource "google_project_iam_member" "audit_log_bq_user":
│   37: resource "google_project_iam_member" "audit_log_bq_user" {
│
╵
╷
│ Error: Request `Create IAM Members roles/bigquery.dataViewer group:audit_data_users@nuage-cloud.info for project "guardrails-eaba"` returned error: Batch request and retried single request "Create IAM Members roles/bigquery.dataViewer group:audit_data_users@nuage-cloud.info for project \"guardrails-eaba\"" both failed. Final error: Error applying IAM policy for project "guardrails-eaba": Error setting IAM policy for project "guardrails-eaba": googleapi: Error 400: Group audit_data_users@nuage-cloud.info does not exist., badRequest
│
│   with google_project_iam_member.audit_log_bq_data_viewer,
│   on iam.tf line 43, in resource "google_project_iam_member" "audit_log_bq_data_viewer":
│   43: resource "google_project_iam_member" "audit_log_bq_data_viewer" {
│
╵
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (sscncinfo-seed-project)$

should be audit-data-brokers@nuage-cloud.info

audit_data_users="audit_data_brokers@nuage-cloud.info"

admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (sscncinfo-seed-project)$ terraform apply -var-file variables.tfvar

Plan: 2 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value:

create users not brokers key

audit_data_users="audit_data_users@nuage-cloud.info"

admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (sscncinfo-seed-project)$ terraform apply -var-file variables.tfvar

Plan: 2 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

google_project_iam_member.audit_log_bq_data_viewer: Creating...
google_project_iam_member.audit_log_bq_user: Creating...
module.org-policy.google_organization_policy.org_policy_list_allow_values[0]: Modifying... [id=93413315325/constraints/gcp.resourceLocations]
module.org-policy.google_organization_policy.org_policy_list_allow_values[0]: Modifications complete after 1s [id=93413315325/constraints/gcp.resourceLocations]
google_project_iam_member.audit_log_bq_user: Creation complete after 8s [id=guardrails-eaba/roles/bigquery.user/group:audit_data_users@nuage-cloud.info]
google_project_iam_member.audit_log_bq_data_viewer: Creation complete after 8s [id=guardrails-eaba/roles/bigquery.dataViewer/group:audit_data_users@nuage-cloud.info]

Apply complete! Resources: 2 added, 1 changed, 0 destroyed.
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (sscncinfo-seed-project)$

validator

https://github.com/canada-ca/cloud-guardrails-gcp/blob/main/guardrails-validation/README.md

admin_root@cloudshell:~$ gcloud config set project accelerator-nc-info
Updated property [core/project].
admin_root@cloudshell:~ (accelerator-nc-info)$ cd
.cache/          cloudshell_open/ .config/         .docker/         .gsutil/         .npm/            .terraform.d/    .theia/
admin_root@cloudshell:~ (accelerator-nc-info)$ cd cloudshell_open/
admin_root@cloudshell:~/cloudshell_open (accelerator-nc-info)$ ls
accelerators_accelerateurs-gcp
admin_root@cloudshell:~/cloudshell_open (accelerator-nc-info)$ cd accelerators_accelerateurs-gcp/
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp (accelerator-nc-info)$ gcloud services enable cloudasset.googleapis.com
Operation "operations/acat.p2-22751541827-9232fb11-294b-4628-a2c2-35b2661fa8a0" finished successfully.
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp (accelerator-nc-info)$ export MY_BUCKET_NAME=sccninfo-guardrails-validator
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp (accelerator-nc-info)$ gsutil mb gs://$MY_BUCKET_NAME
Creating gs://sccninfo-guardrails-validator/...
PreconditionException: 412 'us' violates constraint 'constraints/gcp.resourceLocations'
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp (accelerator-nc-info)$

gcloud asset export --output-path=gs://$MY_BUCKET_NAME/resource_inventory.json --content-type=resource --project=guardrails-eaba

not the gr project - we have a NA constraint
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp (accelerator-nc-info)$ gcloud config set project guardrails-eaba
Updated property [core/project].
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp (guardrails-eaba)$ gcloud services enable cloudasset.googleapis.com
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp (guardrails-eaba)$ export MY_BUCKET_NAME=sccninfo-guardrails-validator-gr
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp (guardrails-eaba)$ gsutil mb gs://$MY_BUCKET_NAME
Creating gs://sccninfo-guardrails-validator-gr/...
PreconditionException: 412 'us' violates constraint 'constraints/gcp.resourceLocations'

or
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp (sscncinfo-seed-project)$ gsutil mb gs://$MY_BUCKET_NAME
Creating gs://sccninfo-guardrails-validator-seed/...
PreconditionException: 412 'us' violates constraint 'constraints/gcp.resourceLocations'

step back - clone first - then determine which of the 3 projects https://github.com/canada-ca/cloud-guardrails-gcp

canada-ca / accelerators_accelerateurs-gcp

Remaining config changes to fully deploy #24