kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2fb8decab3ecb235ca0a8b2a28480cfd0999e716
hunfabric/data-solutions/data-platform-foundations/01-environment
History
Julio Castillo cb7c65135e Update CI processes (#296) 
- Upgrade to latest terraform version (1.0.4)
- Remove tflint from linting pipeline (was not doing anything)
- Add terraform fmt check to linting pipeline
- Pass all code through terraform fmt
2021-08-12 17:30:53 +02:00
..
diagram.png
Folders rename
2021-06-15 16:12:20 +03:00
main.tf
add vpc-sc support
2021-07-08 16:51:57 +02:00
outputs.tf
fix variables
2021-06-28 10:57:11 +02:00
README.md
Add details on VPC-SC and CMEK in README files
2021-07-09 10:52:52 +02:00
variables.tf
Update CI processes (#296)
2021-08-12 17:30:53 +02:00
versions.tf
Folders rename
2021-06-15 16:12:20 +03:00

README.md

Data Platform Foundations - Environment (Step 1)

This is the first step needed to deploy Data Platform Foundations, which creates projects and service accounts. Please refer to the top-level Data Platform README for prerequisites.

The projects that will be created are:

  • Common services
  • Landing
  • Orchestration & Transformation
  • DWH
  • Datamart

A main service account named projects-editor-sa will be created under the common services project, and it will be granted editor permissions on all the projects in scope.

This is a high level diagram of the created resources:

Environment - Phase 1

Running the example

To create the infrastructure:

  • specify your variables in a terraform.tvars
billing_account = "1234-1234-1234"
parent          = "folders/12345678"
  • make sure you have the right authentication setup (application default credentials, or a service account key)
  • The output of this stage contains the values for the resources stage
  • run terraform init and terraform apply

Once done testing, you can clean up resources by running terraform destroy.

CMEK configuration

You can configure GCP resources to use existing CMEK keys configuring the 'service_encryption_key_ids' variable. You need to specify a 'global' and a 'multiregional' key.

VPC-SC configuration

You can assign projects to an existing VPC-SC standard perimeter configuring the 'service_perimeter_standard' variable. You can retrieve the list of existing perimeters from the GCP console or using the following command:

''' gcloud access-context-manager perimeters list --format="json" | grep name '''

The script use 'google_access_context_manager_service_perimeter_resource' terraform resource. If this resource is used alongside the 'vpc-sc' module, remember to uncomment the lifecycle block in the 'vpc-sc' module so they don't fight over which resources should be in the perimeter.

Variables

name description type required default
billing_account_id Billing account id. string
root_node Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. string
prefix Prefix used to generate project id and name. string null
project_names Override this variable if you need non-standard names. object({...}) ...
service_account_names Override this variable if you need non-standard names. object({...}) ...
service_encryption_key_ids Cloud KMS encryption key in {LOCATION => [KEY_URL]} format. Keys belong to existing project. object({...}) ...
service_perimeter_standard VPC Service control standard perimeter name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'. All projects will be added to the perimeter in enforced mode. string null

Outputs

name description sensitive
project_ids Project ids for created projects.
service_account Main service account.
service_encryption_key_ids Cloud KMS encryption keys in {LOCATION => [KEY_URL]} format.