Open fmichaelobrien opened 2 years ago
In your GCP account browser navigate to https://github.com/fmichaelobrien/accelerators_accelerateurs-gcp
test results Archive.zip
Roles for super admin: project billing manager, folder admin, organization admin, organization policy admin, project creator, service account token creator
michaelobrien@mbp7 accelerators_accelerateurs-gcp % gcloud organizations get-iam-policy 8....0 --filter="bindings.members:mi...g" --flatten="bindings[].members" --format="table(bindings.role)"
roles/billing.projectManager
roles/iam.serviceAccountTokenCreator
roles/orgpolicy.policyAdmin
roles/resourcemanager.folderAdmin
roles/resourcemanager.organizationAdmin
roles/resourcemanager.projectCreator
reverified with 1 deleted role
iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
orgpolicy.policyAdmin
ROLE: roles/orgpolicy.policyAdmin role set OK on super admin account
resourcemanager.projectCreator
roles/resourcemanager.projectCreator role missing
PR rebase flow
1277 [2022-03-31 20:51:42 -0400] git clone https://github.com/fmichaelobrien/accelerators_accelerateurs-gcp.git
1278 [2022-03-31 20:52:00 -0400] git checkout -b canada-ca-main main
1279 [2022-03-31 20:52:03 -0400] cd accelerators_accelerateurs-gcp/
1280 [2022-03-31 20:52:04 -0400] git checkout -b canada-ca-main main
1281 [2022-03-31 20:52:12 -0400] git pull git://github.com/canada-ca/accelerators_accelerateurs-gcp.git main
1282 [2022-03-31 20:53:08 -0400] git config --global pull.rebase false
1283 [2022-03-31 20:53:11 -0400] git pull git://github.com/canada-ca/accelerators_accelerateurs-gcp.git main
1287 [2022-03-31 20:57:07 -0400] git add deployment-templates/
1289 [2022-03-31 20:57:57 -0400] git commit -m "merge remote"
1290 [2022-03-31 20:58:07 -0400] git push origin main
1292 [2022-03-31 20:59:09 -0400] git checkout main
1294 [2022-03-31 20:59:28 -0400] git merge --no-ff canada-ca-main
1296 [2022-03-31 21:00:15 -0400] git push origin main
rerun simulation
michael@cloudshell:~$ gcloud config set project accelerator-dev-cn
Updated property [core/project].
michael@cloudshell:~ (accelerator-dev-cn)$
rerun 20220606 nuage-cloud.info
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d ssc -p accelerator-nc-info
seed project id: ssc-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
orgpolicy.policyAdmin
roles/orgpolicy.policyAdmin role missing
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d ssc -p accelerator-nc-info
seed project id: ssc-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
orgpolicy.policyAdmin
ROLE: roles/orgpolicy.policyAdmin role set OK on super admin account
resourcemanager.projectCreator
roles/resourcemanager.projectCreator role missing
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d ssc -p accelerator-nc-info
seed project id: ssc-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
orgpolicy.policyAdmin
ROLE: roles/orgpolicy.policyAdmin role set OK on super admin account
resourcemanager.projectCreator
ROLE: roles/resourcemanager.projectCreator role set OK on super admin account
billing.projectManager
roles/billing.projectManager role missing
ERROR: (gcloud.projects.create) Project creation failed. The project ID you specified is already in use by another project. Please try an alternative ID.
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d sscncinfo -p accelerator-nc-info
seed project id: sscncinfo-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
orgpolicy.policyAdmin
ROLE: roles/orgpolicy.policyAdmin role set OK on super admin account
resourcemanager.projectCreator
ROLE: roles/resourcemanager.projectCreator role set OK on super admin account
billing.projectManager
ROLE: roles/billing.projectManager role set OK on super admin account
all roles set OK on super admin account: admin-root@nuage-cloud.info - proceeding
enabling pubsub.googleapis.com identitytoolkit cloudresourcemanager iam cloudbilling on accelerator-nc-info project
Operation "operations/acat.p2-22751541827-4306a61b-7ded-4f53-9f84-90ec99f0308e" finished successfully.
version: 1
Updated IAM policy for organization [93413315325].
bindings:
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/accesscontextmanager.policyAdmin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/bigquery.dataEditor
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
- user:admin-root@nuage-cloud.info
role: roles/billing.admin
- members:
- domain:nuage-cloud.info
role: roles/billing.creator
- members:
- user:admin-root@nuage-cloud.info
role: roles/billing.projectManager
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/billing.user
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/compute.networkAdmin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/compute.xpnAdmin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/iam.organizationRoleAdmin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/iam.serviceAccountAdmin
- members:
- user:admin-root@nuage-cloud.info
role: roles/iam.serviceAccountTokenCreator
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/logging.configWriter
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
- user:admin-root@nuage-cloud.info
role: roles/orgpolicy.policyAdmin
- members:
- user:admin-root@nuage-cloud.info
role: roles/owner
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/pubsub.admin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
- user:admin-root@nuage-cloud.info
role: roles/resourcemanager.folderAdmin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
- user:admin-root@nuage-cloud.info
role: roles/resourcemanager.organizationAdmin
- members:
- domain:nuage-cloud.info
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
- user:admin-root@nuage-cloud.info
role: roles/resourcemanager.projectCreator
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/resourcemanager.projectDeleter
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/resourcemanager.projectIamAdmin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/resourcemanager.projectMover
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/serviceusage.serviceUsageAdmin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/storage.admin
etag: BwXg0nKAunQ=
version: 1
gs://sscncinfo-seed-project-guardrails
Creating gs://sscncinfo-seed-project-guardrails/...
Replace backend.tf bucketname
Your active configuration is: [cloudshell-29815]
Updated property [core/project].
wrote TF SA to provider.tf and variables.tfvar along with the bucket, billing account and org id - verify them
enabling pubsub identitytoolkit cloudresourcemanager iam cloudbilling on sscncinfo-seed-project project
Operation "operations/acf.p2-812518854148-daa12580-0728-4c5c-b618-9cbd23a91b02" finished successfully.
NAME: cloudresourcemanager.googleapis.com
NAME: identitytoolkit.googleapis.com
NAME: pubsub.googleapis.com
NAME: cloudbilling.googleapis.com
NAME: iam.googleapis.com
if you get an iam permission on the guardrails-aaaa project - run gcloud services enable iam.googleapis.com --project guardrails-nnnn
Status: 0
GCP seed project created project id: sscncinfo-seed-project \n
Terraform Service account to be used for creating GCP landing zone = tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com \n
Terraform Backend Storage Bucket: gs://sscncinfo-seed-project-guardrails
3 groups
audit_data_users="audit_data_users@nuage-cloud.info"
ssc_broker_users="ssc_broker_users@nuage-cloud.info"
org_id="93413315325"
terraform_service_account="tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com"
billing_account="01522C-BEE0DC-529989"
billing_data_users="billing_data_users@nuage-cloud.info"
audit_logs_table_delete_contents_on_destroy=true
log_export_storage_force_destroy=true
allowed_regions=["northamerica-northeast1", "northamerica-northeast2"]
bucket_name="sscncinfo-guardrails-assets"
remember to edit the service account in providers
locals { terraform_service_account = "tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com" }
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (sscncinfo-seed-project)$ cd ..
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails (sscncinfo-seed-project)$ cd ..
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform (sscncinfo-seed-project)$ ls
guardrails
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform (sscncinfo-seed-project)$ gcloud config set project accelerator-nc-info
Updated property [core/project].
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform (accelerator-nc-info)$ cd guardrails/1-guardrails/
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (accelerator-nc-info)$ terraform init
stay in the seed project
Initializing the backend...
╷
│ Error: Failed to get existing workspaces: querying Cloud Storage failed: storage: bucket doesn't exist
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (accelerator-nc-info)$ gcloud config set project sscncinfo-seed-project
Updated property [core/project].
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (sscncinfo-seed-project)$ terraform init
forgot to edit the service account
locals { terraform_service_account = "" }
locals { terraform_service_account = "tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com" }
issue with bucket was a misname from the past that was not fixed
bucket = "ssc-seed-project-guardrails"
should be
bucket = "sscncinfo-seed-project-guardrails"
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (sscncinfo-seed-project)$ terraform init
Initializing modules...
Initializing the backend...
Successfully configured the backend "gcs"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/google versions matching ">= 2.5.0, >= 3.43.0, >= 3.50.0, >= 3.53.0, < 4.0.0, < 5.0.0"...
- Finding hashicorp/random versions matching "~> 2.2"...
- Finding hashicorp/google-beta versions matching ">= 3.1.0, >= 3.43.0, >= 3.50.0, < 4.0.0"...
- Finding hashicorp/null versions matching "~> 2.1"...
- Installing hashicorp/google v3.90.1...
- Installed hashicorp/google v3.90.1 (signed by HashiCorp)
- Installing hashicorp/random v2.3.1...
- Installed hashicorp/random v2.3.1 (signed by HashiCorp)
- Installing hashicorp/google-beta v3.90.1...
- Installed hashicorp/google-beta v3.90.1 (signed by HashiCorp)
- Installing hashicorp/null v2.1.2...
- Installed hashicorp/null v2.1.2 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (sscncinfo-seed-project)$ terraform apply -var-file variables.tfvar
Plan: 37 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value:
2256
google_organization_iam_audit_config.org_config[0]: Creating...
module.org-policy.google_organization_policy.org_policy_list_allow_values[0]: Creating...
google_organization_iam_member.ssc-billing: Creating...
module.org-policy.google_organization_policy.org_policy_list_allow_values[0]: Creation complete after 1s [id=93413315325/constraints/gcp.resourceLocations]
google_organization_iam_member.asset_inventory_viewer: Creation complete after 5s [id=93413315325/roles/cloudasset.viewer/group:ssc_broker_users@nuage-cloud.info]
google_organization_iam_member.billing_viewer: Still creating... [10s elapsed]
google_organization_iam_audit_config.org_config[0]: Still creating... [10s elapsed]
module.administration.module.project-factory.google_project.main: Still creating... [10s elapsed]
google_organization_iam_member.ssc-billing: Still creating... [10s elapsed]
google_organization_iam_member.billing_viewer: Creation complete after 17s [id=93413315325/roles/billing.viewer/group:billing_data_users@nuage-cloud.info]
google_organization_iam_audit_config.org_config[0]: Creation complete after 17s [id=93413315325/audit_config/allServices]
google_organization_iam_member.ssc-billing: Creation complete after 18s [id=93413315325/roles/billing.viewer/group:ssc_broker_users@nuage-cloud.info]
module.administration.module.project-factory.google_project.main: Still creating... [20s elapsed]
module.administration.module.project-factory.google_project.main: Still creating... [30s elapsed]
module.administration.module.project-factory.google_project.main: Still creating... [2m0s elapsed]
module.administration.module.project-factory.google_project.main: Still creating... [3m10s elapsed]
module.administration.module.project-factory.google_project.main: Creation complete after 3m13s [id=projects/guardrails-eaba]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["bigquery.googleapis.com"]: Creating...
module.administration.module.project-factory.google_service_account.default_service_account[0]: Creating...
module.administration.module.project-factory.google_service_account.default_service_account[0]: Creating...
module.administration.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Creating...
module.administration.module.project-factory.module.project_services.google_project_service.project_services["iamcredentials.googleapis.com"]: Creating...
module.administration.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Creating...
module.administration.module.project-factory.module.project_services.google_project_service.project_services["cloudasset.googleapis.com"]: Creating...
module.administration.module.project-factory.google_service_account.default_service_account[0]: Creation complete after 1s [id=projects/guardrails-eaba/serviceAccounts/project-service-account@guardrails-eaba.iam.gserviceaccount.com]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["bigquery.googleapis.com"]: Still creating... [10s elapsed]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Still creating... [10s elapsed]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["iamcredentials.googleapis.com"]: Still creating... [10s elapsed]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["cloudasset.googleapis.com"]: Still creating... [10s elapsed]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Still creating... [10s elapsed]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["bigquery.googleapis.com"]: Creation complete after 17s [id=guardrails-eaba/bigquery.googleapis.com]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Still creating... [20s elapsed]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["iamcredentials.googleapis.com"]: Still creating... [20s elapsed]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Still creating... [20s elapsed]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["cloudasset.googleapis.com"]: Still creating... [20s elapsed]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["iamcredentials.googleapis.com"]: Creation complete after 20s [id=guardrails-eaba/iamcredentials.googleapis.com]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["cloudasset.googleapis.com"]: Creation complete after 20s [id=guardrails-eaba/cloudasset.googleapis.com]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Creation complete after 20s [id=guardrails-eaba/billingbudgets.googleapis.com]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Creation complete after 20s [id=guardrails-eaba/logging.googleapis.com]
module.administration.module.budget.data.google_project.project[0]: Reading...
module.bigquery_destination.google_project_service.enable_destination_api: Creating...
module.storage_destination.google_project_service.enable_destination_api: Creating...
google_project_iam_member.audit_log_bq_data_viewer: Creating...
module.administration.module.project-factory.google_project_default_service_accounts.default_service_accounts[0]: Creating...
google_project_iam_member.audit_log_bq_user: Creating...
google_project_iam_member.billing_bq_viewer: Creating...
google_project_iam_member.billing_bq_user: Creating...
google_storage_bucket.guardrails-bucket: Creating...
google_bigquery_dataset.billing_dataset: Creating...
module.administration.module.budget.data.google_project.project[0]: Read complete after 0s [id=projects/guardrails-eaba]
module.pubsub_destination.google_project_service.enable_destination_api: Creating...
google_storage_bucket.guardrails-bucket: Creation complete after 0s [id=sscncinfo-guardrails-assets]
google_bigquery_dataset.billing_dataset: Creation complete after 0s [id=projects/guardrails-eaba/datasets/billing_data]
module.administration.module.project-factory.google_project_default_service_accounts.default_service_accounts[0]: Creation complete after 0s [id=projects/guardrails-eaba]
module.bigquery_destination.google_project_service.enable_destination_api: Creation complete after 3s [id=guardrails-eaba/bigquery.googleapis.com]
module.bigquery_destination.google_bigquery_dataset.dataset: Creating...
module.bigquery_destination.google_bigquery_dataset.dataset: Creation complete after 1s [id=projects/guardrails-eaba/datasets/audit_logs]
module.log_export_to_biqquery.google_logging_organization_sink.sink[0]: Creating...
module.log_export_to_biqquery.google_logging_organization_sink.sink[0]: Creation complete after 0s [id=organizations/93413315325/sinks/log_sink-bq]
module.bigquery_destination.google_project_iam_member.bigquery_sink_member: Creating...
module.storage_destination.google_project_service.enable_destination_api: Still creating... [10s elapsed]
google_project_iam_member.billing_bq_viewer: Still creating... [10s elapsed]
google_project_iam_member.billing_bq_user: Still creating... [10s elapsed]
module.pubsub_destination.google_project_service.enable_destination_api: Still creating... [10s elapsed]
module.bigquery_destination.google_project_iam_member.bigquery_sink_member: Still creating... [10s elapsed]
google_project_iam_member.billing_bq_viewer: Creation complete after 18s [id=guardrails-eaba/roles/bigquery.dataViewer/group:billing_data_users@nuage-cloud.info]
google_project_iam_member.billing_bq_user: Creation complete after 18s [id=guardrails-eaba/roles/bigquery.user/group:billing_data_users@nuage-cloud.info]
module.bigquery_destination.google_project_iam_member.bigquery_sink_member: Creation complete after 14s [id=guardrails-eaba/roles/bigquery.dataEditor/serviceAccount:o93413315325-184367@gcp-sa-logging.iam.gserviceaccount.com]
module.storage_destination.google_project_service.enable_destination_api: Still creating... [20s elapsed]
module.pubsub_destination.google_project_service.enable_destination_api: Still creating... [20s elapsed]
module.storage_destination.google_project_service.enable_destination_api: Creation complete after 20s [id=guardrails-eaba/storage-component.googleapis.com]
module.pubsub_destination.google_project_service.enable_destination_api: Creation complete after 20s [id=guardrails-eaba/pubsub.googleapis.com]
module.pubsub_destination.google_pubsub_topic.topic: Creating...
module.storage_destination.google_storage_bucket.bucket: Creating...
module.storage_destination.google_storage_bucket.bucket: Creation complete after 1s [id=bkt-guardrails-eaba-org-logs-5ufo]
module.log_export_to_storage.google_logging_organization_sink.sink[0]: Creating...
module.log_export_to_storage.google_logging_organization_sink.sink[0]: Creation complete after 1s [id=organizations/93413315325/sinks/org_log_sink]
module.storage_destination.google_storage_bucket_iam_member.storage_sink_member: Creating...
module.pubsub_destination.google_pubsub_topic.topic: Creation complete after 2s [id=projects/guardrails-eaba/topics/tp-org-logs-5ufo]
module.pubsub_destination.google_service_account.pubsub_subscriber[0]: Creating...
module.log_export_to_pubsub.google_logging_organization_sink.sink[0]: Creating...
module.pubsub_destination.google_pubsub_subscription.pubsub_subscription[0]: Creating...
module.pubsub_destination.google_service_account.pubsub_subscriber[0]: Creation complete after 1s [id=projects/guardrails-eaba/serviceAccounts/tp-org-logs-5ufo-subscriber@guardrails-eaba.iam.gserviceaccount.com]
module.pubsub_destination.google_pubsub_topic_iam_member.pubsub_viewer_role[0]: Creating...
module.log_export_to_pubsub.google_logging_organization_sink.sink[0]: Creation complete after 1s [id=organizations/93413315325/sinks/sk-c-logging-pub]
module.pubsub_destination.google_pubsub_topic_iam_member.pubsub_sink_member: Creating...
module.pubsub_destination.google_pubsub_subscription.pubsub_subscription[0]: Creation complete after 2s [id=projects/guardrails-eaba/subscriptions/tp-org-logs-5ufo-subscription]
module.pubsub_destination.google_pubsub_subscription_iam_member.pubsub_subscriber_role[0]: Creating...
module.storage_destination.google_storage_bucket_iam_member.storage_sink_member: Creation complete after 4s [id=b/bkt-guardrails-eaba-org-logs-5ufo/roles/storage.objectCreator/serviceAccount:o93413315325-175817@gcp-sa-logging.iam.gserviceaccount.com]
module.pubsub_destination.google_pubsub_topic_iam_member.pubsub_viewer_role[0]: Creation complete after 4s [id=projects/guardrails-eaba/topics/tp-org-logs-5ufo/roles/pubsub.viewer/serviceAccount:tp-org-logs-5ufo-subscriber@guardrails-eaba.iam.gserviceaccount.com]
module.pubsub_destination.google_pubsub_subscription_iam_member.pubsub_subscriber_role[0]: Creation complete after 5s [id=projects/guardrails-eaba/subscriptions/tp-org-logs-5ufo-subscription/roles/pubsub.subscriber/serviceAccount:tp-org-logs-5ufo-subscriber@guardrails-eaba.iam.gserviceaccount.com]
module.pubsub_destination.google_pubsub_topic_iam_member.pubsub_sink_member: Creation complete after 8s [id=projects/guardrails-eaba/topics/tp-org-logs-5ufo/roles/pubsub.publisher/serviceAccount:o93413315325-076548@gcp-sa-logging.iam.gserviceaccount.com]
╷
│ Error: Request `Create IAM Members roles/bigquery.user group:audit_data_users@nuage-cloud.info for project "guardrails-eaba"` returned error: Batch request and retried single request "Create IAM Members roles/bigquery.user group:audit_data_users@nuage-cloud.info for project \"guardrails-eaba\"" both failed. Final error: Error applying IAM policy for project "guardrails-eaba": Error setting IAM policy for project "guardrails-eaba": googleapi: Error 400: Group audit_data_users@nuage-cloud.info does not exist., badRequest
│
│ with google_project_iam_member.audit_log_bq_user,
│ on iam.tf line 37, in resource "google_project_iam_member" "audit_log_bq_user":
│ 37: resource "google_project_iam_member" "audit_log_bq_user" {
│
╵
╷
│ Error: Request `Create IAM Members roles/bigquery.dataViewer group:audit_data_users@nuage-cloud.info for project "guardrails-eaba"` returned error: Batch request and retried single request "Create IAM Members roles/bigquery.dataViewer group:audit_data_users@nuage-cloud.info for project \"guardrails-eaba\"" both failed. Final error: Error applying IAM policy for project "guardrails-eaba": Error setting IAM policy for project "guardrails-eaba": googleapi: Error 400: Group audit_data_users@nuage-cloud.info does not exist., badRequest
│
│ with google_project_iam_member.audit_log_bq_data_viewer,
│ on iam.tf line 43, in resource "google_project_iam_member" "audit_log_bq_data_viewer":
│ 43: resource "google_project_iam_member" "audit_log_bq_data_viewer" {
│
╵
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (sscncinfo-seed-project)$
should be audit-data-brokers@nuage-cloud.info
audit_data_users="audit_data_brokers@nuage-cloud.info"
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (sscncinfo-seed-project)$ terraform apply -var-file variables.tfvar
Plan: 2 to add, 1 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value:
create users not brokers key
audit_data_users="audit_data_users@nuage-cloud.info"
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (sscncinfo-seed-project)$ terraform apply -var-file variables.tfvar
Plan: 2 to add, 1 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
google_project_iam_member.audit_log_bq_data_viewer: Creating...
google_project_iam_member.audit_log_bq_user: Creating...
module.org-policy.google_organization_policy.org_policy_list_allow_values[0]: Modifying... [id=93413315325/constraints/gcp.resourceLocations]
module.org-policy.google_organization_policy.org_policy_list_allow_values[0]: Modifications complete after 1s [id=93413315325/constraints/gcp.resourceLocations]
google_project_iam_member.audit_log_bq_user: Creation complete after 8s [id=guardrails-eaba/roles/bigquery.user/group:audit_data_users@nuage-cloud.info]
google_project_iam_member.audit_log_bq_data_viewer: Creation complete after 8s [id=guardrails-eaba/roles/bigquery.dataViewer/group:audit_data_users@nuage-cloud.info]
Apply complete! Resources: 2 added, 1 changed, 0 destroyed.
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (sscncinfo-seed-project)$
https://github.com/canada-ca/cloud-guardrails-gcp/blob/main/guardrails-validation/README.md
admin_root@cloudshell:~$ gcloud config set project accelerator-nc-info
Updated property [core/project].
admin_root@cloudshell:~ (accelerator-nc-info)$ cd
.cache/ cloudshell_open/ .config/ .docker/ .gsutil/ .npm/ .terraform.d/ .theia/
admin_root@cloudshell:~ (accelerator-nc-info)$ cd cloudshell_open/
admin_root@cloudshell:~/cloudshell_open (accelerator-nc-info)$ ls
accelerators_accelerateurs-gcp
admin_root@cloudshell:~/cloudshell_open (accelerator-nc-info)$ cd accelerators_accelerateurs-gcp/
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp (accelerator-nc-info)$ gcloud services enable cloudasset.googleapis.com
Operation "operations/acat.p2-22751541827-9232fb11-294b-4628-a2c2-35b2661fa8a0" finished successfully.
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp (accelerator-nc-info)$ export MY_BUCKET_NAME=sccninfo-guardrails-validator
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp (accelerator-nc-info)$ gsutil mb gs://$MY_BUCKET_NAME
Creating gs://sccninfo-guardrails-validator/...
PreconditionException: 412 'us' violates constraint 'constraints/gcp.resourceLocations'
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp (accelerator-nc-info)$
gcloud asset export --output-path=gs://$MY_BUCKET_NAME/resource_inventory.json --content-type=resource --project=guardrails-eaba
not the guardrails (gr) project - we have a NA resource-location constraint (constraints/gcp.resourceLocations, set by the apply above), which is why the default 'us' bucket location is rejected
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp (accelerator-nc-info)$ gcloud config set project guardrails-eaba
Updated property [core/project].
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp (guardrails-eaba)$ gcloud services enable cloudasset.googleapis.com
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp (guardrails-eaba)$ export MY_BUCKET_NAME=sccninfo-guardrails-validator-gr
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp (guardrails-eaba)$ gsutil mb gs://$MY_BUCKET_NAME
Creating gs://sccninfo-guardrails-validator-gr/...
PreconditionException: 412 'us' violates constraint 'constraints/gcp.resourceLocations'
or
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp (sscncinfo-seed-project)$ gsutil mb gs://$MY_BUCKET_NAME
Creating gs://sccninfo-guardrails-validator-seed/...
PreconditionException: 412 'us' violates constraint 'constraints/gcp.resourceLocations'
Step back: clone https://github.com/canada-ca/cloud-guardrails-gcp first, then determine which of the 3 projects (bootstrap, seed or guardrails) to run the validation from.
The TF account in the billing account (as Claudia has suggested) has "Billing Account Administrator", matching what was set in IAM.
admin_root@cloudshell:~$ history
1 cloudshell_open --repo_url "https://github.com/fmichaelobrien/accelerators_accelerateurs-gcp" --page "editor" --tutorial "README.md" --force_new_clone
2 ls
3 cd cd deployment-templates/Terraform/guardrails/0-bootstrap/
4 ls
5 cd deployment-templates/Terraform/guardrails/0-bootstrap/
6 ld
7 ls
8 ls -la
9 chmod 755 bootstrap.sh
10 gcloud config set project accelerator-nc-info
11 ./bootstrap.sh -d ssc -p accelerator-nc-info
12 ./bootstrap.sh -d sscncinfo -p accelerator-nc-info
13 cd ..
14 ls
15 gcloud config set project accelerator-nc-info
16 cd guardrails/1-guardrails/
17 terraform init
18 gcloud config set project sscncinfo-seed-project
19 terraform init
20 terraform apply -var-file variables.tfvar
21 gcloud config set project accelerator-nc-info
22 cd cloudshell_open/
23 ls
24 cd accelerators_accelerateurs-gcp/
25 gcloud services enable cloudasset.googleapis.com
26 export MY_BUCKET_NAME=sccninfo-guardrails-validator
27 gsutil mb gs://$MY_BUCKET_NAME
28 gcloud asset export --output-path=gs://$MY_BUCKET_NAME/resource_inventory.json --content-type=resource --project=guardrails-eaba
29 gcloud config set project guardrails-eaba
30 gcloud services enable cloudasset.googleapis.com
31 export MY_BUCKET_NAME=sccninfo-guardrails-validator-gr
32 gsutil mb gs://$MY_BUCKET_NAME
33 gcloud config set project sscncinfo-seed-project
34 gcloud services enable cloudasset.googleapis.com
35 gcloud config set project sscncinfo-seed-project-seed
36 gcloud config set project sscncinfo-seed-project
37 gcloud services enable cloudasset.googleapis.com
38 export MY_BUCKET_NAME=sccninfo-guardrails-validator-seed
39 gsutil mb gs://$MY_BUCKET_NAME
40 history
Claudia and Michael triage
fixes (will get past permissions issues running terraform)
A new org will require at least one project created (under "No organization") in order for the organization to show up in billing under the org. Admin groups can have team or public visibility.
If not running from home folder (in cloudshell_open) - rename and change the HOME var in the bootstrap.sh script
Instead of relying on the "owner" role of the account being impersonated,
add the following role to the impersonating account (at the org level):
Service Account Token Creator = roles/iam.serviceAccountTokenCreator
Add the following roles to the tfadmin service account (in addition):
roles/pubsub.admin and roles/iam.serviceAccountAdmin
Enable APIs on both guardrails and seed projects see https://console.cloud.google.com/apis/dashboard?referrer=search&project=accelerator-pg-dev
check services
When roles are added - rerun terraform init
Which project to use for load (seed or gr) - seed
replace provider.tf
Testing 20220326
test positive/negative role tests
admin_super@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-pg-dev)$ ./bootstrap.sh -d dev -p accelerator-pg-dev
checking roles of current account: ad...bal
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
all roles set OK on super admin account: ad...al - proceeding
admin_super@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-pg-dev)$ ./bootstrap.sh -d dev -p accelerator-pg-dev
checking roles of current account: adm...bal
roles/iam.serviceAccountTokenCreator role missing
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
missing roles listed above on the super admin account: ad..bal
admin_super@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-pg-dev)$ ./bootstrap.sh -d dev -p accelerator-pg-dev
checking roles of current account: ad...bal
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin role missing
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
missing roles listed above on the super admin account: ad...bal
admin_super@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-pg-dev)$ ./bootstrap.sh -d dev -p accelerator-pg-dev
checking roles of current account: admi...bal
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin role missing
missing roles listed above on the super admin account: ad...bal
admin_super@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-pg-dev)$
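The positive/negative role checks above, as an added example that is not the accelerator repo's own bootstrap.sh: a small POSIX sh check that takes the `gcloud organizations get-iam-policy ... --format="table(bindings.role)"` output and reports which required org-level roles the account is missing, so the run stops before terraform is attempted. The policy outputs it parses are constructed, and ORG_ID/ACCOUNT in the comment are placeholders.

```shell
#!/bin/sh
# Added example, not the accelerator repo's bootstrap.sh: report which of the
# org-level roles the bootstrap requires are missing for an account, given the
# output of (ORG_ID and ACCOUNT are placeholders):
#   gcloud organizations get-iam-policy ORG_ID \
#     --filter="bindings.members:ACCOUNT" --flatten="bindings[].members" \
#     --format="table(bindings.role)"
# Roles the bootstrap checks in the runs above; extend the list as needed.
REQUIRED_ROLES="roles/iam.serviceAccountTokenCreator roles/resourcemanager.folderAdmin roles/resourcemanager.organizationAdmin"

# has_role POLICY_OUTPUT ROLE: exact whole-line, fixed-string match so that
# roles/x.admin never matches roles/x.adminViewer and '.' is not a wildcard.
has_role() {
  printf '%s\n' "$1" | grep -qxF "$2"
}

# missing_roles POLICY_OUTPUT: print each required role absent from the policy, one per line.
missing_roles() {
  for role in $REQUIRED_ROLES; do
    has_role "$1" "$role" || echo "$role"
  done
}

# check_roles POLICY_OUTPUT: print a status line per role in bootstrap.sh's wording;
# return 1 if any required role is missing so a caller can stop before terraform runs.
check_roles() {
  status=0
  for role in $REQUIRED_ROLES; do
    if has_role "$1" "$role"; then
      echo "ROLE: $role role set OK on super admin account"
    else
      echo "$role role missing"
      status=1
    fi
  done
  return $status
}

# Constructed sample outputs (the "ROLE" header line is what the table format prints).
FULL_POLICY="ROLE
roles/billing.projectManager
roles/iam.serviceAccountTokenCreator
roles/resourcemanager.folderAdmin
roles/resourcemanager.organizationAdmin"
PARTIAL_POLICY="ROLE
roles/iam.serviceAccountTokenCreator
roles/resourcemanager.organizationAdmin"

check_roles "$PARTIAL_POLICY" || echo "missing roles listed above - not proceeding"
```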
run
admin_super@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-pg-dev)$ ./bootstrap.sh -d pgdev -p accelerator-pg-dev
seed project id: pgdev-seed-project
boostrap project id: accelerator-pg-dev
org id: 9...6
billing id: 0...B
checking roles of current account: adm...bal
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
all roles set OK on super admin account: ad..er@g..al - proceeding
pgdev-seed-project project already exists and will be reused to provision resources
billingAccountName: billingAccounts/01...B
billingEnabled: true
name: projects/pgdev-seed-project/billingInfo
projectId: pgdev-seed-project
TF SA Already exists as: tfadmin-pgdev@pgdev-seed-project.iam.gserviceaccount.com
gs://pgdev-seed-project-guardrails
Creating gs://pgdev-seed-project-guardrails/...
Replace backend.tf bucketname
Your active configuration is: [cloudshell-10722]
Updated property [core/project].
Status: 0
GCP seed project created project id: pgdev-seed-project \n Terraform Service account to be used for creating GCP landing zone = tfadmin-pgdev@pgdev-seed-project.iam.gserviceaccount.com \n Terraform Backend Storage Bucket: gs://pgdev-seed-project-guardrails
add 3 admin accounts
billing_data, ssc_broker, ssc_broker
verify/edit tfvar
run terraform
rerun