{"id":21262860,"url":"https://github.com/stackql/stackql-gcp-foundations","last_synced_at":"2025-07-11T04:31:17.940Z","repository":{"id":46988349,"uuid":"501046061","full_name":"stackql/stackql-gcp-foundations","owner":"stackql","description":"GCP foundations using StackQL","archived":false,"fork":false,"pushed_at":"2022-07-22T05:33:46.000Z","size":16458,"stargazers_count":6,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-07-30T20:38:18.568Z","etag":null,"topics":["gcp","gcp-foundations","scaffolding","stackql","terraform"],"latest_commit_sha":null,"homepage":null,"language":"Jsonnet","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stackql.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-06-08T00:28:04.000Z","updated_at":"2023-02-24T04:16:48.000Z","dependencies_parsed_at":"2022-09-08T16:52:09.235Z","dependency_job_id":null,"html_url":"https://github.com/stackql/stackql-gcp-foundations","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackql%2Fstackql-gcp-foundations","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackql%2Fstackql-gcp-foundations/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackql%2Fstackql-gcp-foundations/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackql%2Fstackql-gcp-foundations/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stackql","download_url":"https://codeload.github.com/stackql/
stackql-gcp-foundations/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225674897,"owners_count":17506272,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gcp","gcp-foundations","scaffolding","stackql","terraform"],"created_at":"2024-11-21T04:59:33.133Z","updated_at":"2024-11-21T04:59:33.944Z","avatar_url":"https://github.com/stackql.png","language":"Jsonnet","readme":"# GCP Org Bootstrapping and Foundations using StackQL\n\nThis project uses [StackQL](https://github.com/stackql/stackql) and [Jsonnet](https://jsonnet.org/) to deploy root level resources, including:\n\n- Root level projects for `audit`, `terraform`, and `sharedsvc`\n- Folders for environments, `Prod` and `Non Prod`\n- APIs enabled for root level projects\n- Backend buckets for each environment\n- Service accounts for Terraform\n- IAM bindings for TF service accounts and privileged users\n- Shared VPC\n- Org and Folder level aggregated log sinks\n- Org policy constraints\n\nOnce deployed, you can use Terraform and the service accounts created here to manage resource deployments into projects in the `Prod` and `Non Prod` environments.  \n\nService account, privileged user and group role bindings can be managed using StackQL, see the [IAM Guide](iam.md).\n\n## Prerequisites\n1. Must be run by an authenticated member with the following role bindings (these are highly privileged, organization level roles, so use a dedicated bootstrap identity and reduce the bindings once the foundations are deployed):\n- `roles/resourcemanager.projectCreator`\n- `roles/resourcemanager.organizationAdmin`\n- `roles/billing.admin`\n- `roles/resourcemanager.folderAdmin`\n- `roles/storage.admin`\n\n2. 
[StackQL](https://stackql.io/downloads) downloaded \n\n3. `google` provider installed\n\n```bash\nregistry pull google v1.0.3;\n```\n\nThe steps involved are detailed below:  \n\n## 1. Create Folders\n\nCreates root level folders (representing each environment - in this example we have `prod`, `nonprod` and `datalabs` environments).  \n\nTo perform a dry run (render the templated queries to a file without executing them), use the `--dryrun` flag as shown here:\n\n```bash\nstackql exec -i ./1-create-folders/query.iql \\\n--iqldata ./data/vars.jsonnet \\\n--outfile 1-create-folders-TEMPLATED.iql \\\n--dryrun --output text --hideheaders\n```\nInspect `1-create-folders-TEMPLATED.iql` before deploying.  To deploy, run:\n\n```bash\nstackql exec -i ./1-create-folders/query.iql \\\n--iqldata ./data/vars.jsonnet \\\n--auth '{ \"google\": { \"type\": \"interactive\" }}'\n```\nor  \n\n```bash\nstackql exec -i ./1-create-folders-TEMPLATED.iql \\\n--auth '{ \"google\": { \"type\": \"interactive\" }}'\n```\n\nor  \n\nrun the commands output by the dry run in the StackQL shell (`stackql shell --auth '{ \"google\": { \"type\": \"interactive\" }}'`)  \n\nFor brevity, the dry run and templated file variants are omitted from the subsequent steps; they work the same way for every step.  \n\n\u003e NOTE: You can also authenticate using a service account, see [Google Authentication](https://registry.stackql.io/providers/google/#authentication)\n\n## 2. 
Root Level Projects\n\nCreates root level projects (directly under the org if this is your root node) and enables the required APIs in each respective project.  The root level projects include:  \n\n| Project     | Description |\n| ----------- | ----------- |  \n| `terraform` | contains the environment (folder) scoped service accounts used for Terraform deployment pipelines post-foundations; also contains backend buckets for each environment to hold Terraform state or modules |\n| `audit`     | contains all of the log sinks and associated resources |\n| `sharedsvc` | host project for the Shared VPC |     \n\n```bash\nstackql exec -i ./2-create-root-level-projects/query.iql \\\n--iqldata ./data/vars.jsonnet \\\n--auth '{ \"google\": { \"type\": \"interactive\" }}'\n```\n\n## 3. Create Terraform Project Resources\n\nCreates Terraform service accounts for each environment (used for Terraform deployment pipelines for resources in projects within each folder).  Also creates backend buckets for each environment (to be used for Terraform state files and modules).  Terraform state can contain sensitive values, so keep these buckets private (no public access) with object versioning enabled.    \n\n```bash\nstackql exec -i ./3-create-terraform-project-resources/query.iql \\\n--iqldata ./data/vars.jsonnet \\\n--auth '{ \"google\": { \"type\": \"interactive\" }}'\n```\n\n## 4. Create Org and Folder Level Aggregated Log Sinks\n\nCreates resources in the audit project, which include organization and folder level aggregated log sinks.  \n\n\u003e This script can also be used to set up push subscriptions to off platform logging services like SumoLogic\n\n```bash\nstackql exec -i ./4-create-org-and-folder-level-aggregated-log-sinks/query.iql \\\n--iqldata ./data/vars.jsonnet \\\n--auth '{ \"google\": { \"type\": \"interactive\" }}'\n```\n\n## 5. Create Shared VPC\n\nEnables the `sharedsvc` project as a shared VPC network host project (`enableXpnHost`).  
\n\nCreates shared VPC network resources including a custom VPC network, subnets and external IPs (as defined in `data/networking.json`); also creates the Cloud Router and Cloud NAT gateway configuration.  \n\n```bash\nstackql exec -i ./5-create-shared-vpc/query.iql \\\n--iqldata ./data/vars.jsonnet \\\n--auth '{ \"google\": { \"type\": \"interactive\" }}'\n```\n\nTo perform a dry run of this step and inspect the templated queries before deploying:\n\n```bash\nstackql exec -i ./5-create-shared-vpc/query.iql \\\n--iqldata ./data/vars.jsonnet \\\n--outfile 5-create-shared-vpc-TEMPLATED.iql \\\n--dryrun --output text --hideheaders\n```\n\n## 6. Create or Update Org Policy Constraints\n\n\u003e Coming soon\n\n## 7. Create or Update IAM Policy Bindings at the Org, Folder and Resource Levels\n\n\u003e Coming soon","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackql%2Fstackql-gcp-foundations","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstackql%2Fstackql-gcp-foundations","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackql%2Fstackql-gcp-foundations/lists"}
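The README's dry run, inspect, deploy flow puts the rendered `*-TEMPLATED.iql` file at the centre of each step: that file is the literal set of statements (projects, IAM bindings, log sinks, network) that will run against the organization. The wrapper below is an added example, not code from the stackql-gcp-foundations repository, and adds a review gate around that flow: the digest of the copy a reviewer inspected is recorded, and deployment is refused if the file on disk no longer matches it. It assumes `stackql` is on PATH, that `sha256sum` or `shasum` is available, that the step directories and `./data/vars.jsonnet` are laid out as in the README, and it introduces its own `<file>.sha256` approval-record convention, which the project does not define. The `stackql` flags used are only the ones shown in the README.

```shell
#!/bin/sh
# Added example: a review gate around the dry run -> inspect -> deploy flow
# described in the README above. Not code from the stackql-gcp-foundations
# repository.
#
# Idea: the *-TEMPLATED.iql file produced by `--dryrun --outfile` is the exact
# set of statements that will run against the organization. Record a SHA-256
# of the copy a reviewer read, and only deploy a file whose digest still
# matches that record.
#
# Assumptions not stated on the page: `stackql` is on PATH, `sha256sum` or
# `shasum` is available, step directories and ./data/vars.jsonnet are laid out
# as in the README, and the approval record lives next to the templated file
# as <file>.sha256 (a convention chosen here, not the project's).
set -eu

AUTH='{ "google": { "type": "interactive" }}'   # swap for a service-account block in CI
VARS=./data/vars.jsonnet

# SHA-256 hex digest of a file (digest only, no filename).
digest_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Render one step (e.g. 1-create-folders) to <step>-TEMPLATED.iql without
# touching GCP, then print the output path. Flags are the README's own.
render_step() {
  step=$1
  stackql exec -i "./${step}/query.iql" \
    --iqldata "$VARS" \
    --outfile "${step}-TEMPLATED.iql" \
    --dryrun --output text --hideheaders
  printf '%s-TEMPLATED.iql\n' "$step"
}

# Record the digest of a templated file after a human has inspected it.
approve_file() {
  digest_of "$1" > "$1.sha256"
}

# Succeed only if the file has an approval record and still matches it
# (fails when the file was never reviewed, or was regenerated/edited since).
check_approved() {
  [ -f "$1.sha256" ] || return 1
  [ "$(digest_of "$1")" = "$(cat "$1.sha256")" ]
}

# Deploy an approved templated file using the README's second deploy form
# (`stackql exec -i <step>-TEMPLATED.iql --auth ...`); refuse on drift.
deploy_file() {
  if ! check_approved "$1"; then
    echo "refusing to deploy $1: no approval record, or content changed since review" >&2
    return 1
  fi
  stackql exec -i "$1" --auth "$AUTH"
}

# Typical sequence for step 1 (left commented so this file can be sourced):
#   f=$(render_step 1-create-folders)
#   less "$f"            # reviewer reads every statement and IAM binding
#   approve_file "$f"
#   deploy_file "$f"
```

Re-running the dry run after a change to `vars.jsonnet` regenerates the templated file, changes its digest, and makes `deploy_file` refuse until the new content has been reviewed and approved again; the same gate works unchanged for every numbered step.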