Hi, and welcome to Tranquility Base - the open source multi-cloud infrastructure-as-code Landing Zone together with a self-service portal for automating the provisioning of a set of DevOps-ready reference architectures.
The current version is feature complete for this release, but we are aware there will be bugs to fix and patches to make. In particular, there are security improvements to be made, and we are working to identify them and update the codebase to address them.
If you want to help us with this, or contribute to Tranquility Base in general, please contact us at [[email protected]]
The following instructions assume the following prerequisites are met:
- a project exists to host a service account and the GCE images which will be used to deploy Tranquility Base;
- an organization exists as well as a folder under it. Tranquility Base's folder structure and projects will be created under this organization or folder;
- a billing account has been previously set up and can be used for all projects created by Tranquility Base;
- `terraform` ~0.12 is installed;
- `packer` ~1.4 is installed.
- Set up environment variables to help through the deployment process:
```shell
BILLING_ACCOUNT=<billing_account_id>
FOLDER_ID=<folder_id>
PROJECT_ID=<project_id>
```
- Create a service account which will be used during the initial deployment process:
```shell
gcloud --project ${PROJECT_ID} iam service-accounts create tb-bootstrap-builder
gcloud --project ${PROJECT_ID} iam service-accounts keys create tb-bootstrap-builder.json --iam-account tb-bootstrap-builder@${PROJECT_ID}.iam.gserviceaccount.com
```
- Give the new service account the ability to link projects to the billing account:
```shell
gcloud beta billing accounts get-iam-policy ${BILLING_ACCOUNT} > billing.yaml
```
- Edit `billing.yaml` and add the following entry to the existing bindings (replace `PROJECT_ID` below before saving; `set-iam-policy` replaces the whole policy, so keep the existing bindings and the `etag` line intact):
```yaml
- members:
  - serviceAccount:tb-bootstrap-builder@PROJECT_ID.iam.gserviceaccount.com
  role: roles/billing.admin
```
- Deploy the new IAM binding:
```shell
gcloud beta billing accounts set-iam-policy ${BILLING_ACCOUNT} billing.yaml
```
- Give the service account the ability to share VPCs among projects:
```shell
gcloud resource-manager folders add-iam-policy-binding ${FOLDER_ID} --member=serviceAccount:tb-bootstrap-builder@${PROJECT_ID}.iam.gserviceaccount.com --role=roles/compute.xpnAdmin
```
- Give the service account the ability to create new folders and manage their IAM policies:
```shell
gcloud resource-manager folders add-iam-policy-binding ${FOLDER_ID} --member=serviceAccount:tb-bootstrap-builder@${PROJECT_ID}.iam.gserviceaccount.com --role=roles/resourcemanager.folderAdmin
```
- Give the service account the ability to create new projects under the new folder structure:
```shell
gcloud resource-manager folders add-iam-policy-binding ${FOLDER_ID} --member=serviceAccount:tb-bootstrap-builder@${PROJECT_ID}.iam.gserviceaccount.com --role=roles/resourcemanager.projectCreator
```
- Give the service account the ability to create and use GCE disk images:
```shell
gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=serviceAccount:tb-bootstrap-builder@${PROJECT_ID}.iam.gserviceaccount.com --role=roles/compute.instanceAdmin.v1
```
- Enable the APIs the deployment needs on the project:
```shell
gcloud --project ${PROJECT_ID} services enable compute.googleapis.com
gcloud --project ${PROJECT_ID} services enable cloudresourcemanager.googleapis.com
gcloud --project ${PROJECT_ID} services enable cloudbilling.googleapis.com
gcloud --project ${PROJECT_ID} services enable iam.googleapis.com
gcloud --project ${PROJECT_ID} services enable serviceusage.googleapis.com
gcloud --project ${PROJECT_ID} services enable storage-api.googleapis.com
```
- Authenticate `gcloud` with the new service account:
```shell
gcloud auth activate-service-account tb-bootstrap-builder@${PROJECT_ID}.iam.gserviceaccount.com --key-file=tb-bootstrap-builder.json
```
- Set up the environment for Terraform:
```shell
export GOOGLE_CREDENTIALS="$(pwd)/tb-bootstrap-builder.json"
```
- Clone the repository:
```shell
git clone git@github.com:tranquilitybase-io/tb-gcp.git
cd tb-gcp
```
NOTE: If the cloning operation fails, make sure you have an SSH key added to your GitHub profile, or just use the https URL [https://github.com/tranquilitybase-io/tb-gcp.git] instead.
- Use packer to create a GCE image for the terraform-server:
```shell
cd tb-gcp-deploy/pack/
packer build -var "project_id=${PROJECT_ID}" packer.json
cd ../../
cd tb-gcp-tr/bootstrap/
```
- Edit your setup's specific variables in `input.tfvars`:
```shell
vim input.tfvars
```
- Run terraform to deploy Tranquility Base's bootstrap:
```shell
terraform init
terraform apply -var-file=input.tfvars
```
Note: Tranquility Base's bootstrap deployment (phase 1) is followed automatically by a landingZone deployment (phase 2), which is run from the `terraform-server` hosted under a `bootstrap-` project under the folder ID stated in `input.tfvars`.
- The landingZone deployment's progress can be followed by inspecting the `terraform-server`'s Stackdriver logs.
Note: All resources are deployed under the folder ID stated in the `input.tfvars` file.
Note: Tranquility Base deploys under a two tier folder hierarchy under the folder ID stated in the `input.tfvars` file.
- After the bootstrap deployment, you may want to disable the `tb-bootstrap-builder` service account;
- An initial password for the `itop` user, used to access the Cloud SQL instance on the `shared-operations-` project, is displayed in the `terraform-server` logs and should be reset as soon as possible;
- vault: the root token should be surfaced from the vault terraform module to the root terraform module and changed as soon as possible.