Skip to content

Commit

Permalink
feat: Implement landing-zone-lite and fix some issues in the existing…
Browse files Browse the repository at this point in the history 
… LZ blueprints (#93)

* Implement landing-zone-lite and fix some issues in the existing LZ blueprint that cause deployment failures

1. landing-zone-lite blueprint contains only hierarchy and projects; no logging, networking or policies

2. Add necessary service enablements needed to make certain GCP APIs work (serviceusage + resourcemanager)

3. Add an projectIAMAdmin policy to the organization for projects-sa so that it can update and manage IAM policies on the corresponding projects that are created

* Change services to use ProjectServiceSet. Update some Kptfile metadata + function versions
  • Loading branch information
@coding-daddo
coding-daddo authored Dec 16, 2021
1 parent f0d690a commit bdd20a5
Show file tree
Hide file tree
Showing 12 changed files with 491 additions and 7 deletions.
20 changes: 20 additions & 0 deletions catalog/landing-zone-lite/Kptfile
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
apiVersion: kpt.dev/v1
kind: Kptfile
metadata:
name: landing-zone-lite
annotations:
blueprints.cloud.google.com/title: Landing Zone Lite blueprint
info:
description: |
Foundational landing zone blueprint for GCP for creating only a resource
hierarchy and projects.

This blueprint configures organization level IAM permissions.

For a full tutorial, see
[Deploy a landing zone blueprint](https://cloud.google.com/anthos-config-management/docs/tutorials/landing-zone).
pipeline:
mutators:
- image: gcr.io/kpt-fn/apply-setters:v0.2
configPath: setters.yaml
- image: gcr.io/kpt-fn/enable-gcp-services:v0.1
101 changes: 101 additions & 0 deletions catalog/landing-zone-lite/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,101 @@
# Landing Zone blueprint

Foundational landing zone blueprint for GCP.

This blueprint configures organization level IAM permissions.

For a full tutorial, see
[Deploy a landing zone blueprint](https://cloud.google.com/anthos-config-management/docs/tutorials/landing-zone).

## Setters

```
Setter Usages
billing-account-id 0
group-billing-admins 1
group-org-admins 1
management-namespace 15
management-project-id 26
org-id 2
```

## Sub-packages

This package has no sub-packages.

## Resources

```
File APIVersion Kind Name Namespace
iam.yaml iam.cnrm.cloud.google.com/v1beta1 IAMPartialPolicy billing-admins-iam config-control
iam.yaml iam.cnrm.cloud.google.com/v1beta1 IAMPartialPolicy org-admins-iam config-control
namespaces/hierarchy.yaml core.cnrm.cloud.google.com/v1beta1 ConfigConnectorContext configconnectorcontext.core.cnrm.cloud.google.com hierarchy
namespaces/hierarchy.yaml iam.cnrm.cloud.google.com/v1beta1 IAMPartialPolicy hierarchy-sa-folderadmin-permissions config-control
namespaces/hierarchy.yaml iam.cnrm.cloud.google.com/v1beta1 IAMPartialPolicy hierarchy-sa-workload-identity-binding config-control
namespaces/hierarchy.yaml iam.cnrm.cloud.google.com/v1beta1 IAMServiceAccount hierarchy-sa config-control
namespaces/hierarchy.yaml rbac.authorization.k8s.io/v1 RoleBinding allow-resource-reference-from-hierarchy hierarchy
namespaces/hierarchy.yaml v1 Namespace hierarchy
namespaces/projects.yaml core.cnrm.cloud.google.com/v1beta1 ConfigConnectorContext configconnectorcontext.core.cnrm.cloud.google.com projects
namespaces/projects.yaml iam.cnrm.cloud.google.com/v1beta1 IAMPartialPolicy projects-sa-billinguser-permissions config-control
namespaces/projects.yaml iam.cnrm.cloud.google.com/v1beta1 IAMPartialPolicy projects-sa-projectiamadmin-permissions config-control
namespaces/projects.yaml iam.cnrm.cloud.google.com/v1beta1 IAMPartialPolicy projects-sa-projectcreator-permissions config-control
namespaces/projects.yaml iam.cnrm.cloud.google.com/v1beta1 IAMPartialPolicy projects-sa-projectdeleter-permissions config-control
namespaces/projects.yaml iam.cnrm.cloud.google.com/v1beta1 IAMPartialPolicy projects-sa-projectmover-permissions config-control
namespaces/projects.yaml iam.cnrm.cloud.google.com/v1beta1 IAMPartialPolicy projects-sa-serviceusageadmin-permissions config-control
namespaces/projects.yaml iam.cnrm.cloud.google.com/v1beta1 IAMPartialPolicy projects-sa-workload-identity-binding config-control
namespaces/projects.yaml iam.cnrm.cloud.google.com/v1beta1 IAMServiceAccount projects-sa config-control
namespaces/projects.yaml v1 Namespace projects
services.yaml serviceusage.cnrm.cloud.google.com/v1beta1 Service management-project-id-cloudbilling config-control
services.yaml serviceusage.cnrm.cloud.google.com/v1beta1 Service management-project-id-resourcemanager config-control
services.yaml serviceusage.cnrm.cloud.google.com/v1beta1 Service management-project-id-serviceusage config-control
```

## Resource References

- [ConfigConnectorContext](https://cloud.google.com/config-connector/docs/how-to/advanced-install#addon-configuring)
- ConstraintTemplate
- [IAMPartialPolicy](https://cloud.google.com/config-connector/docs/reference/resource-docs/iam/iampartialpolicy)
- [IAMServiceAccount](https://cloud.google.com/config-connector/docs/reference/resource-docs/iam/iamserviceaccount)
- [Namespace](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#namespace-v1-core)
- [ResourceManagerPolicy](https://cloud.google.com/config-connector/docs/reference/resource-docs/resourcemanager/resourcemanagerpolicy)
- [RoleBinding](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#rolebinding-v1-rbac-authorization-k8s-io)
- [Service](https://cloud.google.com/config-connector/docs/reference/resource-docs/serviceusage/service)

## Usage

1. Clone the package:
```
kpt pkg get https://github.com/GoogleCloudPlatform/blueprints.git/catalog/landing-zone-lite@${VERSION}
```
Replace `${VERSION}` with the desired repo branch or tag
(for example, `main`).
1. Move into the local package:
```
cd "./landing-zone-lite/"
```
1. Edit the function config file(s):
- setters.yaml
1. Execute the function pipeline
```
kpt fn render
```
1. Initialize the resource inventory
```
kpt live init --namespace ${NAMESPACE}"
```
Replace `${NAMESPACE}` with the namespace in which to manage
the inventory ResourceGroup (for example, `config-control`).
1. Apply the package resources to your cluster
```
kpt live apply
```
1. Wait for the resources to be ready
```
kpt live status --output table --poll-until current
```
42 changes: 42 additions & 0 deletions catalog/landing-zone-lite/iam.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
name: org-admins-iam
namespace: config-control # kpt-set: ${management-namespace}
annotations:
cnrm.cloud.google.com/blueprint: cnrm/landing-zone-lite/v0.4.0
spec:
resourceRef:
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Organization
external: "123456789012" # kpt-set: ${org-id}
role: roles/resourcemanager.organizationAdmin
member: group:[email protected] # kpt-set: group:${group-org-admins}
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
name: billing-admins-iam
namespace: config-control # kpt-set: ${management-namespace}
annotations:
cnrm.cloud.google.com/blueprint: cnrm/landing-zone-lite/v0.4.0
spec:
resourceRef:
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Organization
external: "123456789012" # kpt-set: ${org-id}
role: roles/billing.admin
member: group:[email protected] # kpt-set: group:${group-billing-admins}
88 changes: 88 additions & 0 deletions catalog/landing-zone-lite/namespaces/hierarchy.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
name: hierarchy-sa
namespace: config-control # kpt-set: ${management-namespace}
annotations:
cnrm.cloud.google.com/blueprint: cnrm/landing-zone-lite/v0.4.0
cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id}
spec:
displayName: hierarchy-sa
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
name: hierarchy-sa-folderadmin-permissions
namespace: config-control # kpt-set: ${management-namespace}
annotations:
cnrm.cloud.google.com/blueprint: cnrm/landing-zone-lite/v0.4.0
cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id}
spec:
resourceRef:
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Organization
external: "123456789012" # kpt-set: ${org-id}
role: roles/resourcemanager.folderAdmin
member: "serviceAccount:[email protected]" # kpt-set: serviceAccount:hierarchy-sa@${management-project-id}.iam.gserviceaccount.com
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
name: hierarchy-sa-workload-identity-binding
namespace: config-control # kpt-set: ${management-namespace}
annotations:
cnrm.cloud.google.com/blueprint: cnrm/landing-zone-lite/v0.4.0
cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id}
spec:
resourceRef:
name: hierarchy-sa
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
bindings:
- role: roles/iam.workloadIdentityUser
members:
- member: serviceAccount:management-project-id.svc.id.goog[cnrm-system/cnrm-controller-manager-hierarchy] # kpt-set: serviceAccount:${management-project-id}.svc.id.goog[cnrm-system/cnrm-controller-manager-hierarchy]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: allow-resource-reference-from-hierarchy
namespace: hierarchy
roleRef:
name: cnrm-viewer
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- name: cnrm-controller-manager-projects
namespace: cnrm-system
kind: ServiceAccount
---
apiVersion: v1
kind: Namespace
metadata:
name: hierarchy
annotations:
cnrm.cloud.google.com/organization-id: "123456789012" # kpt-set: ${org-id}
---
apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnectorContext
metadata:
name: configconnectorcontext.core.cnrm.cloud.google.com
namespace: hierarchy
annotations:
cnrm.cloud.google.com/blueprint: cnrm/landing-zone-lite/v0.4.0
spec:
googleServiceAccount: [email protected] # kpt-set: hierarchy-sa@${management-project-id}.iam.gserviceaccount.com
Loading

0 comments on commit bdd20a5

Please sign in to comment.