This project uses StackQL and Jsonnet to deploy root level resources, including:
- Root level projects for `audit`, `terraform`, and `sharedsvc`
- Folders for environments, `Prod` and `Non Prod`
- APIs enabled for root level projects
- Backend buckets for each environment
- Service accounts for Terraform
- IAM bindings for TF service accounts and privileged users
- Shared VPC
- Org and Folder level aggregated log sinks
- Org policy constraints
Once deployed you can use Terraform and the service accounts created to manage resource deployments into projects in the `Prod` and `Non Prod` environments.

Service account and privileged user and group role bindings can be managed using StackQL, see the IAM Guide.
- Must be run by an authenticated member with the following role bindings:
  - `roles/resourcemanager.projectCreator`
  - `roles/resourcemanager.organizationAdmin`
  - `roles/billing.admin`
  - `roles/resourcemanager.folderAdmin`
  - `roles/storage.admin`
- StackQL downloaded
- `google` provider installed (`registry pull google v1.0.3;`)
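Before running the steps, a small pre-flight check for the role bindings listed above, added here as an example and not part of this project: it takes an IAM policy in the shape `gcloud organizations get-iam-policy ORG_ID --format=json` returns (a constructed sample is embedded) and reports which of the required roles the deploying principal does not hold directly and unconditionally. The policy shape and the sample principals are assumptions.

```python
import json
from typing import Dict, List

# Roles the prerequisites list above says the deploying principal needs.
REQUIRED_ROLES = [
    "roles/resourcemanager.projectCreator",
    "roles/resourcemanager.organizationAdmin",
    "roles/billing.admin",
    "roles/resourcemanager.folderAdmin",
    "roles/storage.admin",
]

def roles_bound_to(policy: Dict, member: str) -> List[str]:
    """Roles granted directly to `member` by unconditional bindings.

    Conditional bindings are skipped (a role that only applies under an IAM
    condition cannot be relied on for a one-off foundations run) and group
    membership is not expanded, so a role held only via a group is reported
    as missing and must be confirmed separately.
    """
    return [
        b["role"]
        for b in policy.get("bindings", [])
        if not b.get("condition") and member in b.get("members", [])
    ]

def missing_roles(policy: Dict, member: str) -> List[str]:
    """Required roles `member` does not hold directly and unconditionally."""
    granted = set(roles_bound_to(policy, member))
    return [r for r in REQUIRED_ROLES if r not in granted]

# Constructed sample in the shape of `gcloud organizations get-iam-policy
# ORG_ID --format=json`; principals and the condition are placeholders.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/resourcemanager.projectCreator",
     "members": ["user:deployer@example.com", "group:platform-admins@example.com"]},
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:deployer@example.com"]},
    {"role": "roles/billing.admin",
     "members": ["user:deployer@example.com"]},
    {"role": "roles/resourcemanager.folderAdmin",
     "members": ["group:platform-admins@example.com"]},
    {"role": "roles/storage.admin",
     "members": ["user:deployer@example.com"],
     "condition": {"title": "expired", "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}}
  ]
}""")
```

`missing_roles(SAMPLE_POLICY, "user:deployer@example.com")` flags `folderAdmin` (held only via the group) and `storage.admin` (only under a condition); feed it the real policy output to check a principal before step 1.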
The steps involved are detailed below:
Creates root level folders (representing each environment - in this example we have `prod`, `nonprod` and `datalabs` environments).

To perform a dry run, use the `--dryrun` flag as shown here:

```bash
stackql exec -i ./1-create-folders/query.iql \
--iqldata ./data/vars.jsonnet \
--outfile 1-create-folders-TEMPLATED.iql \
--dryrun --output text --hideheaders
```

Inspect `1-create-folders-TEMPLATED.iql`. To deploy, run:

```bash
stackql exec -i ./1-create-folders/query.iql \
--iqldata ./data/vars.jsonnet \
--auth '{ "google": { "type": "interactive" }}'
```

or

```bash
stackql exec -i ./1-create-folders-TEMPLATED.iql \
--auth '{ "google": { "type": "interactive" }}'
```

or run the commands output from the dry run in the StackQL shell (`stackql shell --auth '{ "google": { "type": "interactive" }}'`).

For brevity we will omit these options from the subsequent steps.

NOTE: You can also authenticate using a service account, see Google Authentication.
Creates root level projects (directly under the org if this is your root node) and enables the required APIs in each respective project. The root level projects include:

| Project | Description |
|---|---|
| `terraform` | contains the environment (folder) scoped service accounts used for Terraform deployment pipelines post-foundations; also contains backend buckets for each environment to hold Terraform state or modules |
| `audit` | contains all of the log sinks and associated resources |
| `sharedsvc` | host project for the Shared VPC |

```bash
stackql exec -i ./2-create-root-level-projects/query.iql \
--iqldata ./data/vars.jsonnet \
--auth '{ "google": { "type": "interactive" }}'
```
Creates Terraform service accounts for each environment (used for Terraform deployment pipelines for resources in projects within each folder). Also creates backend buckets for each environment (to be used for Terraform state files and modules).

```bash
stackql exec -i ./3-create-terraform-project-resources/query.iql \
--iqldata ./data/vars.jsonnet \
--auth '{ "google": { "type": "interactive" }}'
```
Creates resources in the `audit` project, which include organization and folder level aggregated log sinks.
This script can also be used to set up push subscriptions to off-platform logging services like SumoLogic.

```bash
stackql exec -i ./4-create-org-and-folder-level-aggregated-log-sinks/query.iql \
--iqldata ./data/vars.jsonnet \
--auth '{ "google": { "type": "interactive" }}'
```
Enables the `sharedsvc` project as a shared VPC network host project (`enableXpnHost`).
Creates shared VPC network resources including custom VPC network, subnets and external IPs (as defined in `data/networking.json`), also creates router and NAT gateway config.

```bash
stackql exec -i ./5-create-shared-vpc/query.iql \
--iqldata ./data/vars.jsonnet \
--auth '{ "google": { "type": "interactive" }}'
```

To perform a dry run of this step:

```bash
./stackql exec -i ./5-create-shared-vpc/query.iql \
--iqldata ./data/vars.jsonnet \
--outfile 5-create-shared-vpc-TEMPLATED.iql \
--dryrun --output text --hideheaders
```
Coming soon