Demo: Automated minimal landing zone with a (hub-env and core-landing-zone) KPT based deployment on a clean GCP organization - walkthrough

[obriensystems]

OCI/GitOps version at #766

Minimal Landing Zone from a clean GCP organization using a single script - use for development or CI/CD

FinOps: PAYG + GKE + GCE costs will be $80/day above the normal $10/day for the GKE cluster alone.

This jira will document standing up a subset of the full landing zone consisting of the following 2 packages in a clean org
References

• Example 258 fortigate perimeter package deploy procedure/verify for core lz unmanaged client #446
• Perimeter project for landing-zone-v2 #258
• repo diff #446 - Draft: gh446-hub to main diff only for #611 clean org hub-env/fortigate cluster deploy - script moved to #766 - no merge #612

See ongoing documentation in
https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/DevOps#landing-zone-user-procedures

• see https://cloud.google.com/architecture/managing-cloud-infrastructure-using-kpt#delete_the_resources
• see https://cloud.google.com/config-connector/docs/how-to/managing-deleting-resources
• see https://cloud.google.com/anthos-config-management/docs/tutorials/manage-resources-config-controller#delete_the_individual_resources

Clean Organization

• see onboarding at https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/Onboarding

Clean super admin

The super admin account will have the organization administrator role and be able to create projects through the project creator role on the organization (all users inherit this and we will lock it down later)

Launch shell.cloud.google.com

navigate to https://shell.cloud.google.com

By default the user is an Organization Administrator
We will add required roles to get the point of creating a bootstrap project and then let the landing zone setup script take over adding roles required for LZ bootstrap.

For those customers on direct billing - activate your credits

5 billing projects required

Prepare for increasing billing quota above 5 projects by paying early $50 and asking for a billing quota increase 2 days later - for how use shared billing to go past 5. For the purposes of the core-landing-zone and hub-env you need 1 bootstrap project, 1 config controller project, a logging and dns project and a hub project. Therefore disable billing on "My first project" to have all 5 for now.

follow instructions to increase your billing account quota to above 10 (I asked for 10 in addition to the default 5) using our instructions below

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/Onboarding#billing-quota
fill out
https://support.google.com/code/contact/billing_quota_increase

Usually you are approved within 60 seconds

licence key config
https://github.com/fortinetsolutions/terraform-modules/blob/master/GCP/modules/fortigate_byol/main.tf#L33

[obriensystems]

Create bootstrap project

Optionally create a folder to hold the landing zone or the script will do this for you
Create a bootstrap project and clone the landing zone repo
https://console.cloud.google.com/cloud-resource-manager

Use a unique project name/id - here I add kcc- and add my email + domain first letters in sequence

kcc-dcno

Navigate to the cloud shell and switch to your project

https://shell.cloud.google.com/?pli=1&show=ide%2Cterminal

Welcome to Cloud Shell! Type "help" to get started.
To set your Cloud Platform project in this session use “gcloud config set project [PROJECT_ID]”
dev@cloudshell:~$ history
    1  history
dev@cloudshell:~$ ls
README-cloudshell.txt
dev@cloudshell:~$ gcloud config set project kcc-dcno
Updated property [core/project].
dev@cloudshell:~ (kcc-dcno)$ 

[obriensystems]

Note: config-control namespace override

• Currently retesting in Add single Fortigate VM partner-ready minimal extract for dev - separate from production level hub-env/fortigate package and without need for core-landing-zone #654 and Demo: Automated minimal landing zone with a (hub-env and core-landing-zone) KPT based deployment on a clean GCP organization - walkthrough #611
  https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/project/hub-env/fortigate/service-account.yaml#L37
  needs
  https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/pull/612/files#diff-0453fd24870bbd1f648b0d14dcbd3877e4eceafba5cf535c1b962ac63969a94fR22
  on top of existing
  Update to Fortinet Hub ENV Package #609
  for
  hub-env: reference networking-sa service account in config controller project from hub-env setters.yaml #607

project/hub-env/fortigate/service-account.yaml:37

kind: IAMPolicyMember
metadata:
  name: fortigatesdn-sa-fortigatesdnviewer-role-permissions
  namespace: config-control # kpt-set: ${management-namespace}
 

via
project/hub-env/setters.yaml:22
  # keep config-control as the default
  management-namespace: config-control 

Clone landing zone repo and add IAM permissions for additional roles like quota administrator required later

Add additional IAM super admin roles

[obriensystems]

20231206 oi org core-landing-zone 0.7.0 deployment in
#654 (comment)