The purpose of this module is to help bootstrap a GCP organization, creating all the required GCP resources & permissions to start using the Cloud Foundation Toolkit (CFT). For users who want to use Cloud Build & Cloud Source Repos for foundations code, there is also a submodule to help bootstrap all the required resources to do this.
Basic usage of this module is as follows:
module "bootstrap" {
source = "terraform-google-modules/bootstrap/google"
version = "~> 1.0"
org_id = "<ORGANIZATION_ID>"
billing_account = "<BILLING_ACCOUNT_ID>"
group_org_admins = "gcp-organization-admins@example.com"
group_billing_admins = "gcp-billing-admins@example.com"
default_region = "australia-southeast1"
}
Functional examples are included in the examples directory.
The Organization Bootstrap module will take the following actions:
- Create a new GCP seed project using
project_prefix
. - Enable APIs in the seed project using
activate_apis
- Create a new service account for terraform in seed project
- Create GCS bucket for Terraform state and grant access to service account
- Grant IAM permissions required for CFT modules & Organization setup
- Overwrite organization wide project creator and billing account creator roles
- Grant Organization permissions to service account using
sa_org_iam_permissions
- Grant access to billing account for service account
- Grant Organization permissions to
group_org_admins
usingorg_admins_org_iam_permissions
- Grant billing permissions to
group_billing_admins
- (optional) Permissions required for service account impersonation using
sa_enable_impersonation
For the cloudbuild submodule, see the README cloudbuild.
Name | Description | Type | Default | Required |
---|---|---|---|---|
activate_apis | List of APIs to enable in the seed project. | list(string) | <list> |
no |
billing_account | The ID of the billing account to associate projects with. | string | n/a | yes |
default_region | Default region to create resources where applicable. | string | "us-central1" |
no |
folder_id | The ID of a folder to host this project | string | "" |
no |
grant_billing_user | Grant roles/billing.user role to CFT service account | bool | "true" |
no |
group_billing_admins | Google Group for GCP Billing Administrators | string | n/a | yes |
group_org_admins | Google Group for GCP Organization Administrators | string | n/a | yes |
org_admins_org_iam_permissions | List of permissions granted to the group supplied in group_org_admins variable across the GCP organization. | list(string) | <list> |
no |
org_id | GCP Organization ID | string | n/a | yes |
org_project_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | list(string) | <list> |
no |
project_labels | Labels to apply to the project. | map(string) | <map> |
no |
project_prefix | Name prefix to use for projects created. | string | "cft" |
no |
sa_enable_impersonation | Allow org_admins group to impersonate service account & enable APIs required. | bool | "false" |
no |
sa_org_iam_permissions | List of permissions granted to Terraform service account across the GCP organization. | list(string) | <list> |
no |
storage_bucket_labels | Labels to apply to the storage bucket. | map(string) | <map> |
no |
Name | Description |
---|---|
gcs_bucket_tfstate | Bucket used for storing terraform state for foundations pipelines in seed project. |
seed_project_id | Project where service accounts and core APIs will be enabled. |
terraform_sa_email | Email for privileged service account for Terraform. |
terraform_sa_name | Fully qualified name for privileged service account for Terraform. |
- gcloud sdk >= 206.0.0
- Terraform >= 0.12.6
- [terraform-provider-google] plugin 2.1.x
- [terraform-provider-google-beta] plugin 2.1.x
roles/resourcemanager.organizationAdmin
on GCP Organizationroles/billing.admin
on supplied billing account- Account running terraform should be a member of group provided in
group_org_admins
variable, otherwise they will looseroles/resourcemanager.projectCreator
access. Additional members can be added by using theorg_project_creators
variable.
For users interested in using service account impersonation which this module helps enable with sa_enable_impersonation
, please see this blog post which explains how it works.
A project with the following APIs enabled must be used to host the resources of this module:
- Google Cloud Resource Manager API:
cloudresourcemanager.googleapis.com
- Google Cloud Billing API:
cloudbilling.googleapis.com
- Google Cloud IAM API:
iam.googleapis.com
- Google Cloud Storage API
storage-api.googleapis.com
- Google Cloud Service Usage API:
serviceusage.googleapis.com
This API can be enabled in the default project created during establishing an organization.
Refer to the contribution guidelines for information on contributing to this module.