.github/release-please.yml

@@ -0,0 +1,2 @@
+releaseType: terraform-module
+handleGHRelease: true

.kitchen.yml

@@ -90,17 +90,25 @@ suites:
     verifier:
       color: false
       systems:
-        - name: networks
+        - name: inspec-gcp
+          backend: gcp
+          controls:
+            - gcp_networks
+        - name: local
           backend: local
           controls:
-            - networks
+            - gcloud_networks
   - name: projects
     driver:
       root_module_directory: test/fixtures/projects/
     verifier:
       color: false
       systems:
         - name: projects
+          backend: gcp
+          controls:
+            - gcp-projects
+        - name: gcloud
           backend: local
           controls:
-            - projects
+            - gcloud-projects

0-bootstrap/README-Jenkins.md

@@ -113,7 +113,6 @@ You arrived to these instructions because you are using the `jenkins_bootstrap`
     1. Un-comment the `jenkins_bootstrap` module in `./main.tf`
     1. Un-comment the `jenkins_bootstrap` variables in `./variables.tf`
     1. Un-comment the `jenkins_bootstrap` outputs in `./outputs.tf`
-
 1. Rename `terraform.example.tfvars` to `terraform.tfvars` and update the file with values from your environment.
     - One of the value to supply (variable `jenkins_agent_gce_ssh_pub_key`) is the **public SSH key** you generated in the first step.
         - **Note: this is not the secret private key**. The public SSH key can be in your repository code.
@@ -157,101 +156,16 @@ You arrived to these instructions because you are using the `jenkins_bootstrap`
 1. Commit changes with `git add backend.tf` and `git commit -m 'Your message - Terraform Backend configuration using GCS'`
 1. Push my-0-bootstrap branch to your repository YOUR_NEW_REPO-0-bootstrap with `git push`
 
-### III. Create VPN connection
-Here you will configure a VPN Network tunnel to enable connectivity between the `prj-cicd` project and your on-prem environment. Learn more about [how to deploy a VPN tunnel in GCP](https://cloud.google.com/network-connectivity/docs/vpn/how-to).
+### III. Configure VPN connection
+
+Here you will configure a VPN Network tunnel to enable connectivity between the `prj-cicd` project and your on-prem environment. Learn more about [a VPN tunnel in GCP](https://cloud.google.com/network-connectivity/docs/vpn/how-to).
 - Required information:
-  - From previous step (you can run `terraform output` to find these values):
-    - CICD project ID
-    - Default region (see it in the `variables.tf` file or in `terraform.tfvars` if you changed it)
-    - Jenkins Agent VPC name, which was created in the `prj-cicd` project
-  - Usually, from your network administrator:
     - On-prem VPN public IP Address
     - Jenkins Master’s network CIDR (the example code uses "10.1.0.0/24")
     - Jenkins Agent network CIDR (the example code uses "172.16.1.0/24")
     - VPN PSK (pre-shared secret key)
 
-1. Supply the required values for the bash variables below:
-    ```
-    CICD_PROJECT_ID=`(terraform output cicd_project_id)`
-    DEFAULT_REGION="us-central1"
-    JENKINS_AGENT_VPC_NAME="vpc-b-jenkinsagents"
-
-    # New VPN variables
-    ONPREM_VPN_PUBLIC_IP_ADDRESS="x.x.x.x"
-    JENKINS_MASTER_NETWORK_CIDR="10.1.0.0/24"
-    JENKINS_AGENT_NETWORK_CIDR="172.16.1.0/24"
-    VPN_PSK_SECRET="my-secret"
-    CICD_VPN_PUBLIC_IP_NAME="cicd-vpn-external-static-ip"
-    CICD_VPN_NAME="vpn-from-onprem-to-cicd"
-    ```
-
-1. Reserve an `EXTERNAL` IP address for the VPN in the `prj-cicd` project (Your network administrator will need this IP address):
-    ```
-    # Reserve a new external IP for the VPN in the cicd project
-    gcloud compute addresses create $CICD_VPN_PUBLIC_IP_NAME \
-    --project="${CICD_PROJECT_ID}" --region="${DEFAULT_REGION}"
-
-    gcloud compute addresses list  --project="${CICD_PROJECT_ID}" \
-   | grep $CICD_VPN_PUBLIC_IP_NAME
-   ```
-
-1. The above command showed the `EXTERNAL` static IP address that has been reserved for your VPN in the `prj-cicd` project. **You need to do two things with this IP Address:**
-    1. Inform your Network administrator of the IP address so they configure the on-prem side of the VPN tunnel.
-    1. Set the variable below with the IP address you just obtained so you can create the GCP side of the VPN tunnel in the `cicd` project:
-        ```
-        # New VPN variables
-        CICD_VPN_PUBLIC_IP_ADDRESS="x.x.x.x"
-        ```
-
-1. We now have all the necessary information to create the VPN in the `cicd` project.
-    ```
-    # Create the new VPN gateway
-    gcloud compute --project $CICD_PROJECT_ID \
-      target-vpn-gateways create $CICD_VPN_NAME \
-      --region $DEFAULT_REGION \
-      --network $JENKINS_AGENT_VPC_NAME
-
-    # Create the forwarding rules
-    gcloud compute --project $CICD_PROJECT_ID \
-      forwarding-rules create "${CICD_VPN_NAME}-rule-esp" \
-      --region $DEFAULT_REGION \
-      --address $CICD_VPN_PUBLIC_IP_ADDRESS \
-      --ip-protocol "ESP" \
-      --target-vpn-gateway $CICD_VPN_NAME
-
-    gcloud compute --project $CICD_PROJECT_ID \
-      forwarding-rules create "${CICD_VPN_NAME}-rule-udp500" \
-      --region $DEFAULT_REGION \
-      --address $CICD_VPN_PUBLIC_IP_ADDRESS \
-      --ip-protocol "UDP" --ports "500" \
-      --target-vpn-gateway $CICD_VPN_NAME
-
-    gcloud compute --project $CICD_PROJECT_ID \
-      forwarding-rules create "${CICD_VPN_NAME}-rule-udp4500" \
-      --region $DEFAULT_REGION \
-      --address $CICD_VPN_PUBLIC_IP_ADDRESS \
-      --ip-protocol "UDP" --ports "4500" \
-      --target-vpn-gateway $CICD_VPN_NAME
-
-    # Create a Route-Based VPN tunnel
-    gcloud compute --project $CICD_PROJECT_ID \
-      vpn-tunnels create "${CICD_VPN_NAME}-tunnel-1" \
-      --region $DEFAULT_REGION \
-      --peer-address $ONPREM_VPN_PUBLIC_IP_ADDRESS \
-      --shared-secret $VPN_PSK_SECRET  \
-      --ike-version "2" \
-      --local-traffic-selector="0.0.0.0/0" \
-      --remote-traffic-selector="0.0.0.0/0" \
-      --target-vpn-gateway $CICD_VPN_NAME
-
-    # Create the necessary Route
-    gcloud compute --project $CICD_PROJECT_ID \
-      routes create "${CICD_VPN_NAME}-tunnel-1-route-1" \
-      --network $JENKINS_AGENT_VPC_NAME \
-      --next-hop-vpn-tunnel "${CICD_VPN_NAME}-tunnel-1" \
-      --next-hop-vpn-tunnel-region $DEFAULT_REGION \
-      --destination-range $JENKINS_MASTER_NETWORK_CIDR
-    ```
+1. Check in the `prj-cicd` project for the VPN gateway static IP addresses which have been reserved. These addresses are required by the Network Administrator for the configuration of the on-prem side of the VPN tunnels to GCP.
 
   - Assuming your network administrator already configured the on-prem end of the VPN, the CICD end of the VPN might show the message `First Handshake` for around 5 minutes.
   - When the VPN is ready, the status will show `Tunnel is up and running`. At this point, your Jenkins Master (on-prem) and Jenkins Agent (in `prj-cicd` project) must have network connectivity through the VPN.

0-bootstrap/README.md

@@ -12,7 +12,19 @@ The purpose of this step is to bootstrap a GCP organization, creating all the re
 
 Further details of permissions required and resources created, can be found in the bootstrap module [documentation.](https://github.com/terraform-google-modules/terraform-google-bootstrap)
 
-**Note:** when running the examples in this repository, you may receive an error like `Error code 8, message: The project cannot be created because you have exceeded your allotted project quota.` when applying terraform. That means you have reached your [Project creation quota](https://support.google.com/cloud/answer/6330231). In this case you can use this [Request Project Quota Increase](https://support.google.com/code/contact/project_quota_increase) form to request a quota increase. The `terraform_sa_email` created in `0-bootstrap` should also be listed in "Email addresses that will be used to create projects" in that support form. If you face others quota errors, check the [Quota documentation](https://cloud.google.com/docs/quota) for guidence.
+**Note:** when running the examples in this repository, you may receive various errors when applying terraform:
+- `Error code 8, message: The project cannot be created because you have exceeded your allotted project quota.`. That means you have reached your [Project creation quota](https://support.google.com/cloud/answer/6330231). In this case you can use this [Request Project Quota Increase](https://support.google.com/code/contact/project_quota_increase) form to request a quota increase. The `terraform_sa_email` created in `0-bootstrap` should also be listed in "Email addresses that will be used to create projects" in that support form. If you face others quota errors, check the [Quota documentation](https://cloud.google.com/docs/quota) for guidence.
+- `Error: Error when reading or editing Organization Not Found : <organization-id>: googleapi: Error 403: The caller does not have permission, forbidden`.
+    - Check that your user have [Organization Admin](https://cloud.google.com/iam/docs/understanding-roles#resource-manager-roles) predefined role at the Organization level.
+    -  If this is the case, try the following:
+        ```
+        gcloud auth application-default login
+        gcloud auth list # <- confirm that correct account has a star next to it
+        ```
+    - Re-run `terraform` after.
+- `Error: Error setting billing account "XXXXXX-XXXXXX-XXXXXX" for project "projects/some-project": googleapi: Error 400: Precondition check failed., failedPrecondition`. Most likely this is related to billing quota issue.
+    - To confirm this, try `gcloud alpha billing projects link projects/some-project --billing-account XXXXXX-XXXXXX-XXXXXX`.
+    - If output states `Cloud billing quota exceeded`, please request increase via [https://support.google.com/code/contact/billing_quota_increase](https://support.google.com/code/contact/billing_quota_increase).
 
 ## 0-bootstrap usage to deploy Jenkins
 
@@ -41,15 +53,16 @@ Currently, the bucket information is replaced in the state backends as a part of
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| billing\_account | The ID of the billing account to associate projects with. | string | n/a | yes |
-| default\_region | Default region to create resources where applicable. | string | `"us-central1"` | no |
-| group\_billing\_admins | Google Group for GCP Billing Administrators | string | n/a | yes |
-| group\_org\_admins | Google Group for GCP Organization Administrators | string | n/a | yes |
-| org\_id | GCP Organization ID | string | n/a | yes |
-| org\_project\_creators | Additional list of members to have project creator role across the organization. Prefix of group: user: or serviceAccount: is required. | list(string) | `<list>` | no |
-| parent\_folder | Optional - if using a folder for testing. | string | `""` | no |
-| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | bool | `"true"` | no |
+|------|-------------|------|---------|:--------:|
+| billing\_account | The ID of the billing account to associate projects with. | `string` | n/a | yes |
+| default\_region | Default region to create resources where applicable. | `string` | `"us-central1"` | no |
+| group\_billing\_admins | Google Group for GCP Billing Administrators | `string` | n/a | yes |
+| group\_org\_admins | Google Group for GCP Organization Administrators | `string` | n/a | yes |
+| org\_id | GCP Organization ID | `string` | n/a | yes |
+| org\_policy\_admin\_role | Additional Org Policy Admin role for admin group. You can use this for testing purposes. | `bool` | `false` | no |
+| org\_project\_creators | Additional list of members to have project creator role across the organization. Prefix of group: user: or serviceAccount: is required. | `list(string)` | `[]` | no |
+| parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
+| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | `bool` | `true` | no |
 
 ## Outputs
 

0-bootstrap/main.tf

@@ -15,7 +15,7 @@
  */
 
 provider "google" {
-  version = "~> 3.30"
+  version = "~> 3.38"
 }
 
 provider "google-beta" {
@@ -35,6 +35,9 @@ provider "random" {
 *************************************************/
 locals {
   parent = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
+  org_admins_org_iam_permissions = var.org_policy_admin_role == true ? [
+    "roles/orgpolicy.policyAdmin", "roles/resourcemanager.organizationAdmin", "roles/billing.user"
+  ] : ["roles/resourcemanager.organizationAdmin", "roles/billing.user"]
 }
 
 resource "google_folder" "bootstrap" {
@@ -43,18 +46,20 @@ resource "google_folder" "bootstrap" {
 }
 
 module "seed_bootstrap" {
-  source                  = "terraform-google-modules/bootstrap/google"
-  version                 = "~> 1.3"
-  org_id                  = var.org_id
-  folder_id               = google_folder.bootstrap.id
-  billing_account         = var.billing_account
-  group_org_admins        = var.group_org_admins
-  group_billing_admins    = var.group_billing_admins
-  default_region          = var.default_region
-  org_project_creators    = var.org_project_creators
-  sa_enable_impersonation = true
-  parent_folder           = var.parent_folder == "" ? "" : local.parent
-  skip_gcloud_download    = var.skip_gcloud_download
+  source                         = "terraform-google-modules/bootstrap/google"
+  version                        = "~> 1.3"
+  org_id                         = var.org_id
+  folder_id                      = google_folder.bootstrap.id
+  billing_account                = var.billing_account
+  group_org_admins               = var.group_org_admins
+  group_billing_admins           = var.group_billing_admins
+  default_region                 = var.default_region
+  org_project_creators           = var.org_project_creators
+  sa_enable_impersonation        = true
+  parent_folder                  = var.parent_folder == "" ? "" : local.parent
+  skip_gcloud_download           = var.skip_gcloud_download
+  org_admins_org_iam_permissions = local.org_admins_org_iam_permissions
+
   project_labels = {
     environment       = "bootstrap"
     application_name  = "seed-bootstrap"
@@ -149,7 +154,6 @@ module "cloudbuild_bootstrap" {
   }
 
   cloud_source_repos = [
-    "gcp-bootstrap",
     "gcp-org",
     "gcp-environments",
     "gcp-networks",
@@ -181,4 +185,13 @@ module "cloudbuild_bootstrap" {
 #  nat_bgp_asn                             = var.nat_bgp_asn
 #  jenkins_agent_sa_email                  = var.jenkins_agent_sa_email
 #  jenkins_agent_gce_ssh_pub_key           = var.jenkins_agent_gce_ssh_pub_key
+#  vpn_shared_secret                       = var.vpn_shared_secret
+#  on_prem_vpn_public_ip_address           = var.on_prem_vpn_public_ip_address
+#  on_prem_vpn_public_ip_address2          = var.on_prem_vpn_public_ip_address2
+#  router_asn                              = var.router_asn
+#  bgp_peer_asn                            = var.bgp_peer_asn
+#  tunnel0_bgp_peer_address                = var.tunnel0_bgp_peer_address
+#  tunnel0_bgp_session_range               = var.tunnel0_bgp_session_range
+#  tunnel1_bgp_peer_address                = var.tunnel1_bgp_peer_address
+#  tunnel1_bgp_session_range               = var.tunnel1_bgp_session_range
 # }