- Complete the setup of Google Cloud Identity and the organization.
- Log in to GCP from the CLI with `gcloud auth application-default login` before running Terraform.
- The user running Terraform from a local machine needs the following roles:
  - Organization Administrator
  - Organization Policy Administrator
  - Billing Account Administrator
  - Folder Creator
- Manually enable the Identity Platform API in the GCP console at https://console.cloud.google.com/customer-identity
- Run the post-foundation setup script:

  ```shell
  PROJECT_ID=neutrino-develop-g1-f1f1f [email protected] [email protected] APP_ORG_LABEL="Neutrino" ./foundation-post.sh
  ```

- The OAuth client ID and secret printed by the post-foundation script are required in the "Infra" project; take a note of them.
The Neutrino Terraform module uses GCP service account impersonation to deploy resources. Running it in Terraform Cloud requires setting up Google Workload Identity Federation and integrating it with Terraform Cloud's OIDC tokens. The typical process is:
- Configure Google Workload Identity Federation with the required pool and provider.
- Grant the Terraform Cloud service account access to the pool.
- Configure Terraform Cloud to use the OIDC provider.
Follow the instructions at the following link for the detailed process: https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/gcp-configuration
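The three steps above as one Terraform configuration. This is an added example, not code from this repository; the pool, provider and service account names and the `tfc_*` variables are assumptions to replace with your own values.

```hcl
# Added example (not part of this module): Workload Identity Federation for
# Terraform Cloud dynamic credentials. Names and tfc_* variables are assumed.
variable "project_id" { type = string }
variable "tfc_organization_name" { type = string }
variable "tfc_project_name" { type = string }
variable "tfc_workspace_name" { type = string }

# 1. The pool and an OIDC provider that trusts Terraform Cloud's issuer.
resource "google_iam_workload_identity_pool" "tfc_pool" {
  project                   = var.project_id
  workload_identity_pool_id = "terraform-cloud"
}

resource "google_iam_workload_identity_pool_provider" "tfc_provider" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.tfc_pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "terraform-cloud-oidc"
  attribute_mapping = {
    "google.subject"                     = "assertion.sub"
    "attribute.terraform_workspace_name" = "assertion.terraform_workspace_name"
  }
  # Only tokens minted for this exact organization/project/workspace may be
  # exchanged. The trailing ":" stops "prod" from also matching "prod2".
  attribute_condition = "assertion.sub.startsWith(\"organization:${var.tfc_organization_name}:project:${var.tfc_project_name}:workspace:${var.tfc_workspace_name}:\")"
  oidc {
    issuer_uri = "https://app.terraform.io"
  }
}

# 2. The service account Terraform Cloud impersonates, and the binding that
#    lets pool identities act as it. The principalSet is narrowed to the one
#    workspace instead of granting the whole pool (".../*").
resource "google_service_account" "tfc" {
  project    = var.project_id
  account_id = "terraform-cloud"
}

resource "google_service_account_iam_member" "tfc_wif_user" {
  service_account_id = google_service_account.tfc.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.tfc_pool.name}/attribute.terraform_workspace_name/${var.tfc_workspace_name}"
}

# 3. Set these as environment variables on the Terraform Cloud workspace:
#    TFC_GCP_PROVIDER_AUTH=true
#    TFC_GCP_RUN_SERVICE_ACCOUNT_EMAIL = google_service_account.tfc.email
#    TFC_GCP_WORKLOAD_PROVIDER_NAME    = the output below
output "tfc_workload_provider_name" {
  value = google_iam_workload_identity_pool_provider.tfc_provider.name
}
```

The service account still needs the organization, billing and folder roles listed in the prerequisites; this binding only lets Terraform Cloud obtain its credentials.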
| Name | Version |
|---|---|
| | 4.69.1 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| billing_account | The ID of the billing account to associate projects with | string | n/a | yes |
| enable_common_stack | Whether to enable the common application stack | bool | `true` | no |
| enable_default_stack | Whether to enable the default application stack | bool | `false` | no |
| iam_billing_principal | The principal to grant billing access to | string | n/a | yes |
| iam_organization_principal | The principal to grant organization access to | string | n/a | yes |
| org_domain | The domain of the organization | string | n/a | yes |
| org_id | The organization id for the associated resources | string | n/a | yes |
| stack_label | The label of the default stack | string | `""` | no |
| stack_name | The name of the default stack | string | `""` | no |
| Name | Description |
|---|---|
| common-network | The common network module resource. |
| common-project | The common project module resource. |
| common_folder | The Common folder resource. |
| foundation-stack-folder | The foundation stack folder module resource. |
| foundation-stack-project-develop | The foundation stack project for the development environment module resource. |
| foundation-stack-project-production | The foundation stack project for the production environment module resource. |
| foundation-stack-project-staging | The foundation stack project for the staging environment module resource. |
| org_domain | The organization domain. |
| org_id | The organization ID. |
```
Error: Error when reading or editing Resource "folder \"folders/$folder_id\"" with IAM Member: Role "roles/resourcemanager.projectCreator" Member "group:[email protected]": Error retrieving IAM policy for folder "folders/$folder_id": Post "https://cloudresourcemanager.googleapis.com/v2/folders/$folder_id:getIamPolicy?alt=json&prettyPrint=false": oauth2: cannot fetch token: 400 Bad Request
Response: {
"error": "invalid_grant",
"error_description": "reauth related error (invalid_rapt)",
"error_subtype": "invalid_rapt"
}
```
This error can occur because the application default credential has been overwritten by the service account credential. To fix it, reset the application default credential by running:

```shell
gcloud auth application-default login
```
A Module is a canonical, reusable, best-practices definition for how to run a single piece of infrastructure, such as a database or server cluster. Each Module is written using a combination of Terraform and scripts (mostly bash) and includes automated tests, documentation, and examples. It is maintained both by the open source community and by companies that provide commercial support.
Instead of figuring out the details of how to run a piece of infrastructure from scratch, you can reuse existing code that has been proven in production. And instead of maintaining all that infrastructure code yourself, you can leverage the work of the Module community to pick up infrastructure improvements through a version number bump.
This Module and its Submodules are maintained by Nematix. If you are looking for help or commercial support, send an email to [email protected].
Nematix can help with:
- Setup, customization, and support for this Module.
- Modules and submodules for other types of infrastructure, such as VPCs, Docker clusters, databases, and continuous integration.
- Consulting & Training on AWS, Terraform, and DevOps.
This Module follows the principles of Semantic Versioning. During initial development, the major version will be 0 (e.g., 0.x.y), which indicates the code does not yet have a stable API. Once we hit 1.0.0, we will make every effort to maintain a backwards compatible API and use the MAJOR, MINOR, and PATCH versions on each release to indicate any incompatibilities.
Please see LICENSE for how the code in this repo is licensed.