The Secure Cloud Architecture (SCA) is a location- and cloud-agnostic, flexible, and repeatable conceptual deployment pattern that can adapt to all customers' challenges in the cloud.
Customers should be using a project factory to ensure birthright accounts are created consistently in sandbox, dev, test, and production environments - these customers will need to know the service accounts needed along with their roles. For customers that are not using a project factory, sample Terraform to set up the foundational resources should be provided - something like https://github.com/memes/f5-bootstrap-gcp-project but focused only on SCA needs.
As an SCA deployer, I need to understand the foundational resources that are expected to be in place before these SCA components can be effectively used. I must also understand the compromises that may be inherent if I do not use the recommended configurations.
Required
[ ] APIs to be enabled on target project
[ ] Terraform service account with set of required roles in target project and impersonation enabled
[ ] BIG-IP service account with correct roles, assuming BIG-IP is to be deployed
[ ] NGINX service account with correct roles, if NGINX is to be deployed
Recommended
[ ] Dedicated GCS bucket for SCA Terraform state, with object admin rights granted to Terraform service account above
[ ] User group allowed to impersonate Terraform service account
Optional
[ ] BYOL licenses for BIG-IP
[ ] NGINX customer certificate and key
[ ] Cloud Build enabled and with ability to impersonate Terraform service account
[ ] Terraform Cloud service account with ability to impersonate fully-privileged service account
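
A sketch of the impersonation and state-bucket items from the Required and Recommended lists, added here as an example and not taken from the SCA project or the linked repository. The variable names, the `sca-terraform` account id, the bucket location and the API list are assumptions; the project-level roles the Terraform service account needs are not stated on this page and are left out.

```hcl
# Added example: names and values below are assumptions, not SCA project code.
variable "project_id" { type = string }
variable "state_bucket_name" { type = string }
variable "tf_impersonators_group" {
  type        = string
  description = "Google group allowed to impersonate the Terraform service account"
}

# iamcredentials.googleapis.com backs short-lived token generation (impersonation).
# The full set of APIs SCA needs is not listed on this page; extend as required.
resource "google_project_service" "apis" {
  for_each           = toset(["iam.googleapis.com", "iamcredentials.googleapis.com", "storage.googleapis.com"])
  project            = var.project_id
  service            = each.value
  disable_on_destroy = false
}

resource "google_service_account" "terraform" {
  project      = var.project_id
  account_id   = "sca-terraform" # hypothetical name
  display_name = "SCA Terraform deployer"
  depends_on   = [google_project_service.apis]
}

# Group members mint short-lived tokens for the account; no exported keys exist.
resource "google_service_account_iam_member" "impersonators" {
  service_account_id = google_service_account.terraform.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "group:${var.tf_impersonators_group}"
}

resource "google_storage_bucket" "state" {
  project                     = var.project_id
  name                        = var.state_bucket_name
  location                    = "US" # assumption
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"
  versioning { enabled = true }
}

# Object admin on the state bucket only, not project-wide.
resource "google_storage_bucket_iam_member" "state_admin" {
  bucket = google_storage_bucket.state.name
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:${google_service_account.terraform.email}"
}
```

Binding `roles/iam.serviceAccountTokenCreator` on the service account itself, rather than at project level, limits the group to impersonating this one account.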