
Overview

common-setup contains the infrastructure as code (IaC) that provisions the platform's automation workflows. The common-setup folder is hydrated into its own repository when the bootstrap.sh script runs.

Workflows such as automatic access provisioning for applications are created through this repo. For example, when an application is created, the service account that deploys it to GKE needs access to the cluster in order to do so; the automation workflows defined here grant that access. Because this workflow is shared across the whole Software Delivery Platform, the repo is called common-setup.

Table of Contents

Architecture

[Diagram: common setup architecture]

The diagram above depicts the architecture used for the automation workflows.

Automation Workflow pipeline

The common-setup repo is connected to a Cloud Build trigger in the multi-tenant admin project that listens for pushes to this repo. When a push happens, the trigger is invoked and runs Terraform against the files in the repo.

Automation Workflows

When the Cloud Build trigger in the multi-tenant admin project that is connected to the common-setup repo runs, it creates three Cloud Functions. All three follow the same pattern: the Application Factory writes an object naming a service account to a trigger bucket, the object-arrival event invokes the function, and the function grants that service account one role.

  1. add-secret-permission
    1. This Cloud Function grants application service accounts read access to secrets stored in Secret Manager.
    2. It is triggered when an object arrives in the GCS bucket add-secret-permission-trg.
    3. While creating a new application, the Application Factory writes the service account that needs this access to the GCS bucket add-secret-permission-trg as an object. This invokes the Cloud Function, which grants the service account the required access.
  2. add-billing-permission
    1. This Cloud Function grants application service accounts the billing user role, so that the new projects they create can be linked to the billing account.
    2. It is triggered when an object arrives in the GCS bucket add-billing-permission-trg.
    3. While creating a new application, the Application Factory writes the service account that needs this access to the GCS bucket add-billing-permission-trg as an object. This invokes the Cloud Function, which grants the service account the required access.
  3. add-project-permission
    1. This Cloud Function grants application service accounts the project creator role, so that they can create new projects.
    2. It is triggered when an object arrives in the GCS bucket add-project-permission-trg.
    3. While creating a new application, the Application Factory writes the service account that needs this access to the GCS bucket add-project-permission-trg as an object. This invokes the Cloud Function, which grants the service account the required access.

Each trigger bucket is therefore the control point for its grant: any principal that can write an object to the bucket causes the corresponding role to be extended, so write access to these three buckets should be limited to the identity the Application Factory runs as.
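The following is an added example, not code from the common-setup repo, that shows the shape of the object-to-grant logic the three functions above share. It assumes the object name carries the service-account email, maps the three README buckets to the standard IAM roles that match their descriptions, and replaces the real Secret Manager / Cloud Billing / Resource Manager IAM clients with an in-memory stand-in so it runs offline. The checks a practitioner would want are the ones the README's flow implies: the object must parse as a Google-managed service-account email, the account must belong to an allowlisted tenant project, and the policy update must be idempotent.

```python
"""Added example (not the common-setup repo's code): one handler for all three
trigger buckets, with input validation and an idempotent IAM policy update.
Bucket names and role purposes come from the README; the object format and
the resource the role is bound on are assumptions for illustration."""
import re
from copy import deepcopy

# README buckets mapped to the standard roles matching their descriptions.
BUCKET_ROLES = {
    "add-secret-permission-trg": "roles/secretmanager.secretAccessor",
    "add-billing-permission-trg": "roles/billing.user",
    "add-project-permission-trg": "roles/resourcemanager.projectCreator",
}

# Google-managed service-account email: 6-30 char account id and project id,
# lowercase letters/digits/hyphens, starting with a letter, not ending in '-'.
SA_EMAIL = re.compile(
    r"^(?P<account>[a-z][a-z0-9-]{4,28}[a-z0-9])@"
    r"(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$"
)


class FakeIamClient:
    """Stand-in for the real IAM policy clients: one policy per resource."""

    def __init__(self):
        self.policies = {}

    def get_iam_policy(self, resource):
        # Return a copy so callers cannot mutate stored state accidentally.
        return deepcopy(self.policies.get(resource, {"bindings": [], "etag": "v0"}))

    def set_iam_policy(self, resource, policy):
        self.policies[resource] = deepcopy(policy)
        return policy


def parse_sa_email(object_name, allowed_projects):
    """Accept only a well-formed SA email from an allowlisted tenant project."""
    match = SA_EMAIL.match(object_name.strip())
    if not match:
        raise ValueError(f"object name is not a service-account email: {object_name!r}")
    if match.group("project") not in allowed_projects:
        raise PermissionError(f"project {match.group('project')!r} is not a tenant project")
    return match.group(0)


def add_member(policy, role, member):
    """Add member to the unconditional binding for role; return (policy, changed)."""
    for binding in policy["bindings"]:
        if binding["role"] == role and "condition" not in binding:
            if member in binding["members"]:
                return policy, False          # already granted: nothing to write
            binding["members"].append(member)
            return policy, True
    policy["bindings"].append({"role": role, "members": [member]})
    return policy, True


def handle_finalize(event, resource, client, allowed_projects):
    """Entry point for a google.storage.object.finalize event.

    event: dict with the 'bucket' and 'name' fields the GCS event carries.
    resource: the IAM resource the role is bound on (an assumption here).
    """
    role = BUCKET_ROLES.get(event["bucket"])
    if role is None:
        raise ValueError(f"bucket {event['bucket']!r} is not a known trigger bucket")
    member = "serviceAccount:" + parse_sa_email(event["name"], allowed_projects)
    # Read-modify-write: the real clients reject a stale etag, so re-read on conflict.
    policy = client.get_iam_policy(resource)
    policy, changed = add_member(policy, role, member)
    if changed:
        client.set_iam_policy(resource, policy)
    return {"role": role, "member": member, "changed": changed}


if __name__ == "__main__":
    # Constructed sample event, as the Application Factory would produce it.
    sample = {"bucket": "add-secret-permission-trg",
              "name": "deploy-sa@tenant-app-1234.iam.gserviceaccount.com"}
    fake = FakeIamClient()
    print(handle_finalize(sample, "projects/app-factory-secrets", fake, {"tenant-app-1234"}))
```

The allowlist check is the part that matters most operationally: without it, anyone able to write to a trigger bucket could name an arbitrary service account and have the function grant it the role, which is exactly the control point the flow above hands to the buckets.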

Usage

Copyright 2022 Google. This software is shared as sample code and not intended for production use and provided as-is, without warranty or representation for any use or purpose. Your use of it is discretionary and subject to your agreement with Google.