开源软件名称（OpenSource Name）：

开源软件地址(OpenSource Url)：

开源编程语言(OpenSource Language)：

开源软件介绍(OpenSource Introduction)：

terraform-google-bootstrap

The purpose of this module is to help bootstrap a GCP organization, creating all the required GCP resources & permissions to start using the Cloud Foundation Toolkit (CFT). For users who want to use Cloud Build & Cloud Source Repos for foundations code, there is also a submodule to help bootstrap all the required resources to do this.

Usage

Basic usage of this module is as follows:

module "bootstrap" {
  source  = "terraform-google-modules/bootstrap/google"
  version = "~> 2.1"

  org_id               = "<ORGANIZATION_ID>"
  billing_account      = "<BILLING_ACCOUNT_ID>"
  group_org_admins     = "[email protected]"
  group_billing_admins = "[email protected]"
  default_region       = "australia-southeast1"
}

Functional examples are included in the examples directory.

Features

The Organization Bootstrap module will take the following actions:

1. Create a new GCP seed project using project_prefix. Use project_id if you need to use custom project ID.
2. Enable APIs in the seed project using activate_apis
3. Create a new service account for terraform in seed project
4. Create GCS bucket for Terraform state and grant access to service account
5. Grant IAM permissions required for CFT modules & Organization setup
   1. Overwrite organization wide project creator and billing account creator roles
   2. Grant Organization permissions to service account using sa_org_iam_permissions
   3. Grant access to billing account for service account
   4. Grant Organization permissions to group_org_admins using org_admins_org_iam_permissions
   5. Grant billing permissions to group_billing_admins
   6. (optional) Permissions required for service account impersonation using sa_enable_impersonation

For the cloudbuild submodule, see the README cloudbuild.

Inputs

[
  "serviceusage.googleapis.com",
  "servicenetworking.googleapis.com",
  "compute.googleapis.com",
  "logging.googleapis.com",
  "bigquery.googleapis.com",
  "cloudresourcemanager.googleapis.com",
  "cloudbilling.googleapis.com",
  "iam.googleapis.com",
  "admin.googleapis.com",
  "appengine.googleapis.com",
  "storage-api.googleapis.com",
  "monitoring.googleapis.com"
]

[
  "roles/billing.user",
  "roles/resourcemanager.organizationAdmin"
]

[
  "roles/billing.user",
  "roles/compute.networkAdmin",
  "roles/compute.xpnAdmin",
  "roles/iam.securityAdmin",
  "roles/iam.serviceAccountAdmin",
  "roles/logging.configWriter",
  "roles/orgpolicy.policyAdmin",
  "roles/resourcemanager.folderAdmin",
  "roles/resourcemanager.organizationViewer"
]

Outputs

Requirements

Software

• gcloud sdk >= 206.0.0
• Terraform >= 0.13.0
• [terraform-provider-google] plugin 3.50.x

Permissions

• roles/resourcemanager.organizationAdmin on GCP Organization
• roles/orgpolicy.policyAdmin on GCP Organization
• roles/billing.admin on supplied billing account
• Account running terraform should be a member of group provided in group_org_admins variable, otherwise they will loose roles/resourcemanager.projectCreator access. Additional members can be added by using the org_project_creators variable.

Credentials

For users interested in using service account impersonation which this module helps enable with sa_enable_impersonation, please see this blog post which explains how it works.

APIs

A project with the following APIs enabled must be used to host the resources of this module:

• Google Cloud Resource Manager API: cloudresourcemanager.googleapis.com
• Google Cloud Billing API: cloudbilling.googleapis.com
• Google Cloud IAM API: iam.googleapis.com
• Google Cloud Storage API storage-api.googleapis.com
• Google Cloud Service Usage API: serviceusage.googleapis.com

This API can be enabled in the default project created during establishing an organization.

Contributing

Refer to the contribution guidelines for information on contributing to this module.