terraform-google-modules / terraform-example-foundation

Shows how the CFT modules can be composed to build a secure cloud foundation
https://cloud.google.com/architecture/security-foundations
Apache License 2.0

Out-of-order dependencies issues with `A-VALID-PROJECT-ID` in bootstrap #935

Open eeaton opened 1 year ago

eeaton commented 1 year ago

TL;DR

https://github.com/terraform-google-modules/terraform-example-foundation/blob/44d51df886e165098ebbd13a02ac1b26ac9c2b6e/0-bootstrap/README.md

Written deployment instructions in the bootstrap stage recommend use of A-VALID-PROJECT-ID as a billing and quota project for the terraform validator. This is poor usability and an out-of-order dependency, because the blueprint is intended for new environments that don't have existing projects, and does not have any prior instructions to manually create A-VALID-PROJECT-ID.

Expected behavior

If I follow the deployment instructions in a new environment, there should not be assumptions or dependencies about pre-existing resources in my environment. Where those dependencies are necessary, they should be enumerated as mandatory steps in the Prerequisites section.

Specifically, commands for terraform validator with A-VALID-PROJECT-ID should reference project IDs that have already been created somewhere in the instructions.

Observed behavior

Following the flow as a greenfield customer, no projects have been created yet. I have to manually create a project and associate billing in a way that is not addressed in the deployment instructions.

Terraform Configuration

n/a

Terraform Version

n/a

Additional information

No response

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.

fmichaelobrien commented 1 year ago

Hi, some triage to help out with initial project creation. I will update the docs shortly. Yes, it helps if you have a bootstrap project to use when initially running the onboarding. All GCP organizations come with at least 1 project. Usually you delete this example project, increase project quota above 15 and billing/project quota above 5, then create a boot project like boot-"first letters of your org domain", for example lz-boot-clz for an org under cloud.landing.zone.

A bootstrap project (before usage of this terraform landing zone) is useful to derive the billing and organization IDs as well.

create project example

export CC_PROJECT_ID=bootstrap-plz
root_@cloudshell:~/lz-tef-plz/CloudLandingZone/terraform-example-foundation/0-bootstrap (lz-tef-plz)$  gcloud projects create $CC_PROJECT_ID --name="${CC_PROJECT_ID}" --set-as-default
Create in progress for [https://cloudresourcemanager.googleapis.com/v1/projects/bootstrap-plz].
Waiting for [operations/cp.5122135151997130492] to finish...done.
Enabling service [cloudapis.googleapis.com] on project [bootstrap-plz]...
Operation "operations/acat.p2-208036100419-ba66496b-4a17-45fe-806c-c7f154c9bca2" finished successfully.
Updated property [core/project] to [bootstrap-plz].
root_@cloudshell:~/lz-tef-plz/CloudLandingZone/terraform-example-foundation/0-bootstrap (bootstrap-plz)$ export BILLING_ID=$(gcloud alpha billing projects describe $CC_PROJECT_ID '--format=value(billingAccountName)' | sed 's/.*\///')
root_@cloudshell:~/lz-tef-plz/CloudLandingZone/terraform-example-foundation/0-bootstrap (bootstrap-plz)$ echo $BILLING_ID
- notice billing is not set - even though we are either a "Billing Account Administrator" or "Billing Account User" - we get the billing ID from another project with billing set - or we set the BILLING_ID variable manually
root_@cloudshell:~/lz-tef-plz/CloudLandingZone/terraform-example-foundation/0-bootstrap (bootstrap-plz)$ export BILLING_ID=$(gcloud alpha billing projects describe lz-tef-plz '--format=value(billingAccountName)' | sed 's/.*\///')
root_@cloudshell:~/lz-tef-plz/CloudLandingZone/terraform-example-foundation/0-bootstrap (bootstrap-plz)$ echo $BILLING_ID
01906F-.....-859F42
root_@cloudshell:~/lz-tef-plz/CloudLandingZone/terraform-example-foundation/0-bootstrap (bootstrap-plz)$ export ORGANIZATION_ID=$(gcloud projects get-ancestors $CC_PROJECT_ID --format='get(id)' | tail -1)
root_@cloudshell:~/lz-tef-plz/CloudLandingZone/terraform-example-foundation/0-bootstrap (bootstrap-plz)$ echo $ORGANIZATION_ID
93...09
root_@cloudshell:~/lz-tef-plz/CloudLandingZone/terraform-example-foundation/0-bootstrap (bootstrap-plz)$ gcloud beta billing projects link ${CC_PROJECT_ID} --billing-account ${BILLING_ID}
billingAccountName: billingAccounts/01906F-...-859F42
billingEnabled: true
name: projects/bootstrap-plz/billingInfo
projectId: bootstrap-plz

- now recheck the billing id on the new project and we are good to use it
root_@cloudshell:~/lz-tef-plz/CloudLandingZone/terraform-example-foundation/0-bootstrap (bootstrap-plz)$ export BILLING_ID=$(gcloud alpha billing projects describe $CC_PROJECT_ID '--format=value(billingAccountName)' | sed 's/.*\///')
root_@cloudshell:~/lz-tef-plz/CloudLandingZone/terraform-example-foundation/0-bootstrap (bootstrap-plz)$ echo $BILLING_ID
01906F-...-859F42

an evolving day0 example is in #940
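A pre-flight check for the prerequisite this issue is about, added here as an example (it is not part of the README or of the session above): it confirms that the project you intend to pass as A-VALID-PROJECT-ID exists, has billing linked, and sits under an organization, and prints the same BILLING_ID and ORGANIZATION_ID values the session derives by hand. It assumes the GA `gcloud billing` command group rather than the alpha/beta variants used above; project names and IDs in the comments are placeholders.

```shell
#!/bin/sh
# Pre-flight check for 0-bootstrap (added example, not project code).
# Verifies that the project you intend to pass to the Terraform validator as
# A-VALID-PROJECT-ID exists, has billing linked, and sits under an
# organization, then prints the IDs the README asks for. Assumes the GA
# `gcloud billing` command group (the thread above uses alpha/beta).

# Strip the "billingAccounts/" prefix from billingAccountName.
# A project with no billing account yields "" (the failure mode seen above).
billing_id_from_name() {
  printf '%s\n' "${1#billingAccounts/}"
}

# Read `gcloud billing projects describe` YAML on stdin; succeed only when
# billing is enabled (an empty billingAccountName alone is not enough).
billing_enabled() {
  grep -q '^billingEnabled: *true'
}

# Read `gcloud projects get-ancestors --format='value(type,id)'` on stdin and
# print the organization ID. Filtering on type is safer than `tail -1`, which
# returns the project itself when it is not under an organization.
org_id_from_ancestors() {
  awk '$1 == "organization" { print $2 }'
}

# Run the real checks for one project ID; returns 1 with a reason on failure.
preflight() {
  project="$1"
  info=$(gcloud billing projects describe "$project" 2>/dev/null) || {
    echo "ERROR: project '$project' not found or not readable" >&2; return 1; }
  printf '%s\n' "$info" | billing_enabled || {
    echo "ERROR: no billing account linked to '$project'; link one first" >&2; return 1; }
  billing_name=$(printf '%s\n' "$info" | sed -n 's/^billingAccountName: *//p')
  org=$(gcloud projects get-ancestors "$project" --format='value(type,id)' |
    org_id_from_ancestors)
  [ -n "$org" ] || {
    echo "ERROR: '$project' is not under an organization" >&2; return 1; }
  echo "QUOTA_PROJECT=$project"
  echo "BILLING_ID=$(billing_id_from_name "$billing_name")"
  echo "ORGANIZATION_ID=$org"
}

# Usage: sh preflight.sh bootstrap-plz   (no argument: only define functions)
if [ -n "${1:-}" ]; then preflight "$1"; fi
```

Run it against the project you plan to reference in the validator commands before starting 0-bootstrap; the three printed lines can be exported directly as the shell variables the README uses.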