This repository contains an example Google Cloud Platform Project Landing Zone OpenTofu module. The Landing Zone module manages the following resources:
- GitHub Actions OIDC configuration & Service account
- Log & metric alerts and alert policies
- Artifact Registry Repository for container images
- Secret Manager secrets (not secret versions)
The LZ module itself uses a few sub-modules to promote reusability.

This configuration is used with OpenTofu, but can easily be adjusted for use with Terraform. No OpenTofu-specific features are used.
Requirements:

Name | Version |
---|---|
terraform | ~> 1.9 |
 | ~> 6.18 |

Providers:

Name | Version |
---|---|
 | ~> 6.18 |

Modules:

Name | Source | Version |
---|---|---|
mod_docker_repository | ./modules/docker-repository/v1.0.0 | n/a |
mod_github_oidc | ./modules/github-oidc/v1.0.0 | n/a |
mod_monitoring | ./modules/monitoring/v1.0.0 | n/a |
mod_secrets | ./modules/secret/v1.0.0 | n/a |

Resources:

Name | Type |
---|---|
google_project_service.this | resource |
google_project.this | data source |

Inputs:
Name | Description | Type | Default | Required |
---|---|---|---|---|
alert_notification_channels | Map of notification channels | map(object({ | {} | no |
app_name | App Name. Resource names are derived from this and environment. | string | n/a | yes |
docker_repository | Artifact Registry Docker repository configuration settings | object({ | n/a | yes |
enable_monitoring | Enable monitoring | bool | true | no |
environment | The environment where the Cloud Run service will be deployed | string | n/a | yes |
github_oidc | GitHub OIDC configuration settings | object({ | n/a | yes |
log_alerts | Map of log alert configurations | map(object({ | {} | no |
metric_alerts | Map of metric alert configurations | map(object({ | {} | no |
project | The GCP project name | string | n/a | yes |
region | The GCP region where resources will be created | string | "europe-north1" | no |
secrets | List of secrets to create. This DOES NOT create secret versions. | set(string) | n/a | yes |
Outputs:

Name | Description |
---|---|
docker_repository | Artifact Registry Docker repository (only shown if repository was created) |
environment | Environment name |
github_oidc_details | GitHub OIDC configuration details (only shown if OIDC was configured) |
monitoring_log_alerts | Monitoring configuration details for log alerts (only shown if alerts were configured) |
monitoring_metric_alerts | Monitoring configuration details for metric alerts (only shown if alerts were configured) |
monitoring_notification_channels | Monitoring notification channels (only shown if channels were configured) |
project_name | Project name |
secret_ids | List of secret IDs created (only shown if secrets were created) |
Initial setup is done on a laptop; further iterations can be run with GitHub Actions after setting those up. Make sure these prerequisites are met before continuing:
- Install OpenTofu. Version 1.9.* is required. Note: no OpenTofu-specific features are used, so you can use Terraform instead. In that case check all version constraints (look for all occurrences of `required_version` across the repository).
- Install the gcloud CLI. Version 509.* is expected.
- Make sure you have the required permissions to:
  - Create projects
  - Link the Cloud Billing account
  - In addition, you are expected to get/have `roles/admin` on the newly created project.
- Log in to Google Cloud on the CLI.
- OpenTofu (and Terraform) will use local Application Default Credentials, so create them with:
  ```shell
  gcloud auth application-default login
  ```
- You are now ready to proceed.
A working example is found in the ./example directory. The following commands are expected to be run in that directory.

This module expects that a clean GCP Project exists with a billing account association, and a Storage bucket for the TF backend. If you need to create a new GCP Project, see Bonus: Create new GCP Project for LZ below.

- Edit the TF configuration in `environment.auto.tfvars` and `providers.tf`.
- Step-by-step:

```shell
# format source code
tofu fmt -recursive
# init
tofu init
# validate
tofu validate
# plan
tofu plan -out=env.tfplan
# apply
tofu apply env.tfplan
```

If you need to completely delete the Landing Zone, run `tofu destroy`.
This LZ module creates the OIDC configuration for GitHub Actions, assuming you will use https://github.com/google-github-actions/setup-gcloud for authentication in your workflow. Actions workflows authenticate to GCP using the project-specific OIDC configuration and Service account, so no long-lived Service account key needs to be stored in GitHub.

Project / environment specific Actions secrets must be created, for example:
- `GCP_SA_EMAIL_DEV`
- `GCP_WORKLOAD_IDENTITY_PROVIDER_DEV`

`DEV` in the above corresponds to the environment you set in `environment.auto.tfvars`, but this is not a "hard mapping", so feel free to use whatever secret names you want.
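As an added example (not part of this module or its repository), a minimal workflow that consumes the two secrets above through google-github-actions/auth and setup-gcloud; the workflow and job names, the `dev` GitHub environment and the branch filter are assumptions.

```yaml
# Added example: authenticate a GitHub Actions job to GCP with the Workload
# Identity Federation provider and Service account created by this LZ.
# Workflow/job names, the "dev" environment and the branch filter are assumptions.
name: deploy-dev

on:
  push:
    branches: [main]

# Least privilege: id-token is needed to mint the OIDC token, nothing else is.
permissions:
  contents: read
  id-token: write

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Scope the *_DEV secrets to a GitHub environment so other jobs cannot read them (assumption).
    environment: dev
    steps:
      - uses: actions/checkout@v4

      # Exchanges the GitHub OIDC token for short-lived GCP credentials.
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER_DEV }}
          service_account: ${{ secrets.GCP_SA_EMAIL_DEV }}

      - uses: google-github-actions/setup-gcloud@v2

      # Confirm the job runs as the intended Service account before doing anything else.
      - run: gcloud auth list
```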
To create a new Project, and some other things:
- Create a new Project
- Associate it with the existing Billing Project (assuming there is only one of them)
- Enable the following Cloud APIs:
  - artifactregistry.googleapis.com
  - clouderrorreporting.googleapis.com
  - cloudresourcemanager.googleapis.com
  - cloudscheduler.googleapis.com
  - dns.googleapis.com
  - iam.googleapis.com
  - iamcredentials.googleapis.com
  - pubsub.googleapis.com
  - run.googleapis.com
  - secretmanager.googleapis.com
- Create a Cloud Storage bucket for the TF state backend

Run:

```shell
./scripts/setup-new-gcp-project.sh [project-name] [GCP-region]
```

Save the printed Storage Bucket name for further use in the Landing Zone configuration.

Note: This was created and used with the zsh shell. Adjust as needed for your shell of choice.
MIT License. Copyright janik6n.