
Code

https://github.com/cloud-quickstart/gcp-landing-zone

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding

Corporate

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/dev/solutions/landing-zone/architecture.md

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/tree/main/docs

Prerequisites

For Cloud Interconnect (https://cloud.google.com/network-connectivity/docs/interconnect), make sure to open the on-prem firewall to 35.199.192.0/19, the range used by Cloud DNS for managed zones (https://cloud.google.com/dns/docs/zones).

Setup GCP Account for Landing Zone Deployment

Following https://cloud.google.com/anthos-config-management/docs/tutorials/landing-zone

Repo https://github.com/GoogleCloudPlatform/blueprints/search?q=anthos

Organization Policies at 

https://cloud.google.com/anthos-config-management/docs/tutorials/landing-zone#manage_organization_policies


Using workspace account containerized.org


Log in as the admin user for your organization in a separate Chrome window and navigate to the "Manage resources" pane.

Create GCP folder and project


Navigate to and select the project dropdown.

CLI

GCP Cloud Shell

Start your Cloud Shell instance via the browser top left bar.

As of this writing (20220119), Cloud Shell has the following versions:

michael@cloudshell:~ (landingzone-stg)$ gcloud --version
Google Cloud SDK 368.0.0
alpha 2022.01.07
app-engine-go 1.9.72
app-engine-java 1.9.93
app-engine-python 1.9.98
app-engine-python-extras 1.9.96
beta 2022.01.07
bigtable
bq 2.0.72
cbt 0.10.2
cloud-build-local 0.5.2
cloud-datastore-emulator 2.1.0
core 2022.01.07
datalab 20190610
gsutil 5.6
kind 0.7.0
kpt 1.0.0-beta.9
local-extract 1.3.2
minikube 1.24.0
pubsub-emulator 0.6.0
skaffold 1.35.1
michael@cloudshell:~ (landingzone-stg)$ terraform --version
Terraform v1.1.3
on linux_amd64


Verify cloud billing is enabled for the project 

https://cloud.google.com/billing/docs/how-to/modify-project#confirm_billing_is_enabled_on_a_project

Verify billing for a project either via the console or the shell. Use the alpha billing CLI at https://cloud.google.com/sdk/gcloud/reference/alpha/billing/projects/describe

michael@cloudshell:~ (landingzone-stg)$ gcloud alpha billing projects describe landingzone-stg | grep billingEnabled
billingEnabled: true

gcloud Local CLI

You may have an existing gcloud configuration or need a new one; run gcloud init to start.


gcloud init
Settings from your current configuration [default] are:
core:
  account: f...com
  disable_usage_reporting: 'False'
  project: biometric-...

Pick configuration to use:
 [1] Re-initialize this configuration [default] with new settings 
 [2] Create a new configuration
Please enter your numeric choice:  2

Enter configuration name. Names start with a lower case letter and contain only lower case letters a-z, digits 0-9, and hyphens '-':  c...g   
Your current configuration has been set to: [co...g]
Choose the account you would like to use to perform operations for this configuration:
 [1] f...m
 [2] Log in with a new account
Please enter your numeric choice:  2

Your browser has been opened to visit:

    https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32.....6

You are logged in as: [m...g].
Pick cloud project to use: 
 [1] biometric-dev
 [2] biometric-prd
 [3] biometric-sbx
 [4] landingzone-stg
 [5] Create a new project
Please enter numeric choice or text value (must exactly match list item):  4
Your current project has been set to: [landingzone-stg].
Do you want to configure a default Compute Region and Zone? (Y/n)?  y
Which Google Compute Engine zone would you like to use as project default?
If you do not specify a zone via a command line flag while working with Compute Engine resources, the default is assumed.
 [7] us-central1-c
 [50] asia-northeast3-a
Did not print [39] options.
Too many options [89]. Enter "list" at prompt to print choices fully.
Please enter numeric choice or text value (must exactly match list item):  us-central1-a
Your project default Compute Engine zone has been set to [us-central1-a].
You can change it by running [gcloud config set compute/zone NAME].
Your project default Compute Engine region has been set to [us-central1].
You can change it by running [gcloud config set compute/region NAME].
Your Google Cloud SDK is configured and ready to use!
* Commands that require authentication will use m...g by default
* Commands will reference project `landingzone-stg` by default
* Compute Engine commands will use region `us-central1` by default
* Compute Engine commands will use zone `us-central1-a` by default

gcloud projects list
PROJECT_ID       NAME             PROJECT_NUMBER
biometric-dev    biometric        40..1
biometric-prd    biometric-prd    2..4
biometric-sbx    biometric-sbx    8..0
landingzone-stg  LandingZone-stg  4..2


https://cloud.google.com/sdk/auth_success

Add nomos, kubectl and kpt

biometric:wse_github michaelobrien$ sudo gcloud components install pkg
Password:
Your current Cloud SDK version is: 369.0.0
Installing components from version: 369.0.0
┌─────────────────────────────────────────────────────────────────────────┐
│                   These components will be installed.                   │
├───────────────────────┬──────────────────────────┬──────────────────────┤
│          Name         │         Version          │         Size         │
├───────────────────────┼──────────────────────────┼──────────────────────┤
│ Appctl                │                   0.1.12 │             18.5 MiB │
│ Kustomize             │                    4.4.0 │              7.6 MiB │
│ Nomos CLI             │              1.10.0-rc.8 │             23.6 MiB │
│ kpt                   │             1.0.0-beta.9 │             12.2 MiB │
└───────────────────────┴──────────────────────────┴──────────────────────┘
For the latest full release notes, please visit:
  https://cloud.google.com/sdk/release_notes

biometric:wse_github michaelobrien$ kubectl version
Client Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.4", GitCommit:"b695d79d4f967c403a96986f1750a35eb75e75f1", GitTreeState:"clean", BuildDate:"2021-11-17T15:48:33Z", GoVersion:"go1.16.10", Compiler:"gc", Platform:"darwin/amd64"}
biometric:wse_github michaelobrien$ kpt version
1.0.0-beta.9


Prepare the environment

https://cloud.google.com/anthos-config-management/docs/tutorials/landing-zone#preparing_the_environment


Install gcloud Alpha Commands first

biometric:wse_github michaelobrien$ sudo gcloud alpha billing projects describe $PROJECT_ID
Password:
You do not currently have this command group installed.  Using it 
requires the installation of components: [alpha]
Your current Cloud SDK version is: 369.0.0
Installing components from version: 369.0.0
┌──────────────────────────────────────────────┐
│     These components will be installed.      │
├───────────────────────┬────────────┬─────────┤
│          Name         │  Version   │   Size  │
├───────────────────────┼────────────┼─────────┤
│ gcloud Alpha Commands │ 2022.01.14 │ < 1 MiB │
└───────────────────────┴────────────┴─────────┘
For the latest full release notes, please visit:
  https://cloud.google.com/sdk/release_notes
Do you want to continue (Y/n)?  

Restarting command:
  $ gcloud alpha billing projects describe landingzone-stg


For some reason (TBD), billing was flagged as false here, even though it was true above:
API [cloudbilling.googleapis.com] not enabled on project [4033...2]. Would you like to enable and retry (this will take a few minutes)? (y/N)?  y

Enabling service [cloudbilling.googleapis.com] on project [4033...2]...
Operation "operations/acf.p2-403373923652-306c9a12-d0d3-46df-8ec1-63bcbbe7a100" finished successfully.
billingAccountName: billingAccounts/01..3B
billingEnabled: true
name: projects/landingzone-stg/billingInfo
projectId: landingzone-stg


export PROJECT_ID=landingzone-stg
export CONFIG_CONTROLLER_NAME=config-controller-1
export BILLING_ACCOUNT=$(gcloud alpha billing projects describe $PROJECT_ID \
  '--format=value(billingAccountName)' | sed 's/.*\///')
export ORG_ID=$(gcloud projects get-ancestors ${PROJECT_ID} --format='get(id)' | tail -1)
gcloud config set project ${PROJECT_ID}
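As an added example (not code from the page or from Google's tutorial), a preflight check for the values the exports above depend on: billing enabled and the billing account extracted, the organization ID resolved, and the APIs the Config Controller step needs already enabled. Each function takes captured gcloud output as text so it can be tested offline; the SAMPLE_* outputs are constructed, modelled on the redacted transcript, and in real use you would feed in "$(gcloud alpha billing projects describe "$PROJECT_ID")" and the other commands' output instead.

```shell
# Billing account ID from `gcloud alpha billing projects describe` output.
# Same stripping as the sed pipeline above, but only when billing is enabled.
billing_account_from() {
  printf '%s\n' "$1" | grep -q '^billingEnabled: true$' || return 1
  printf '%s\n' "$1" | sed -n 's/^billingAccountName: billingAccounts\///p'
}

# Organization ID: last line of `gcloud projects get-ancestors --format=get(id)`
# output. Fails if that line is not a numeric ID.
org_id_from() {
  _last=$(printf '%s\n' "$1" | sed '/^$/d' | tail -1)
  case "$_last" in
    ''|*[!0-9]*) return 1 ;;
  esac
  printf '%s\n' "$_last"
}

# Given `gcloud services list --enabled --format=value(config.name)` output
# and a list of required APIs, print each missing one; non-zero if any missing.
missing_services() {
  _enabled=$1
  shift
  _rc=0
  for _svc in "$@"; do
    printf '%s\n' "$_enabled" | grep -qx "$_svc" || { printf '%s\n' "$_svc"; _rc=1; }
  done
  return $_rc
}

# Constructed sample outputs (IDs are placeholders, not real values).
SAMPLE_BILLING='billingAccountName: billingAccounts/01AB23-CD45EF-678901
billingEnabled: true
name: projects/landingzone-stg/billingInfo
projectId: landingzone-stg'
SAMPLE_ANCESTORS='landingzone-stg
123456789012'
SAMPLE_SERVICES='cloudbilling.googleapis.com
krmapihosting.googleapis.com
container.googleapis.com'

# Run all three checks against the samples; exports the same variable names
# the page uses so the rest of the procedure can follow.
preflight() {
  BILLING_ACCOUNT=$(billing_account_from "$SAMPLE_BILLING") || { echo "billing not enabled"; return 1; }
  ORG_ID=$(org_id_from "$SAMPLE_ANCESTORS") || { echo "could not resolve org id"; return 1; }
  missing_services "$SAMPLE_SERVICES" cloudbilling.googleapis.com \
    krmapihosting.googleapis.com container.googleapis.com || return 1
  export BILLING_ACCOUNT ORG_ID
}
```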

Setup Config Controller

https://cloud.google.com/anthos-config-management/docs/tutorials/landing-zone#setting_up

biometric:wse_github michaelobrien$  gcloud services enable krmapihosting.googleapis.com container.googleapis.com
Operation "operations/acf.p2-403373923652-41504998-20c7-4d4e-8407-e4ba3376d3a8" finished successfully.

biometric:wse_github michaelobrien$ gcloud anthos config controller create ${CONFIG_CONTROLLER_NAME} \
>   --location=us-central1
Create request issued for: [config-controller-1]
Waiting for operation [projects/landingzone-stg/locations/us-central1/operations/operation-1642620510039-5d5f464006ea9-1f52e35c-26d7e77a] to complete...⠼ 

This took about 15 minutes (14:28 to 14:47).

Waiting for operation [projects/landingzone-stg/locations/us-central1/operations/operation-1642620510039-5d5f464006ea9-1f52e35c-26d7e77a] to complete...done.                                                      
Created instance [config-controller-1].
Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-config-controller-1.

biometric:wse_github michaelobrien$ kubectl version
Client Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.4", GitCommit:"b695d79d4f967c403a96986f1750a35eb75e75f1", GitTreeState:"clean", BuildDate:"2021-11-17T15:48:33Z", GoVersion:"go1.16.10", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.5-gke.1302", GitCommit:"639f3a74abf258418493e9b75f2f98a08da29733", GitTreeState:"clean", BuildDate:"2021-10-21T21:35:48Z", GoVersion:"go1.16.7b7", Compiler:"gc", Platform:"linux/amd64"}
biometric:wse_github michaelobrien$ kubectl get pods --all-namespaces
NAMESPACE                         NAME                                                             READY   STATUS    RESTARTS   AGE
cnrm-system                       cnrm-controller-manager-c7k6ilsgkgt5j1ikibtg-0                   2/2     Running   0          8m2s
cnrm-system                       cnrm-deletiondefender-0                                          1/1     Running   0          7m44s
cnrm-system                       cnrm-resource-stats-recorder-6dfc78996c-cx8rc                    2/2     Running   0          7m45s
cnrm-system                       cnrm-webhook-manager-778cdd84cb-26h9d                            1/1     Running   0          7m25s
cnrm-system                       cnrm-webhook-manager-778cdd84cb-clnpz                            1/1     Running   0          7m45s
config-management-system          config-management-operator-7d5f54c74c-tjc7t                      1/1     Running   0          8m19s
configconnector-operator-system   configconnector-operator-0                                       1/1     Running   0          8m11s
gatekeeper-system                 gatekeeper-audit-6f46754545-bgpkb                                1/1     Running   0          6m40s
gatekeeper-system                 gatekeeper-controller-manager-7f778d8b94-pdvv5                   1/1     Running   0          6m40s
krmapihosting-monitoring          krmapihosting-metrics-agent-2c2l9                                1/1     Running   0          8m16s
krmapihosting-monitoring          krmapihosting-metrics-agent-7flgl                                1/1     Running   0          8m16s
krmapihosting-monitoring          krmapihosting-metrics-agent-gc454                                1/1     Running   0          8m16s
krmapihosting-system              bootstrap-544688568b-zlmp9                                       1/1     Running   2          8m34s
kube-system                       event-exporter-gke-5479fd58c8-kl9jm                              2/2     Running   0          14m
kube-system                       fluentbit-gke-44tpv                                              2/2     Running   0          9m5s
kube-system                       fluentbit-gke-4x5n5                                              2/2     Running   0          9m6s
kube-system                       fluentbit-gke-t6qz5                                              2/2     Running   0          9m13s
kube-system                       gke-metadata-server-4wq2m                                        1/1     Running   0          9m13s
kube-system                       gke-metadata-server-6n9wg                                        1/1     Running   0          9m4s
kube-system                       gke-metadata-server-fvtjr                                        1/1     Running   0          9m5s
kube-system                       gke-metrics-agent-hcqdz                                          1/1     Running   0          9m5s
kube-system                       gke-metrics-agent-v4kxf                                          1/1     Running   0          9m13s
kube-system                       gke-metrics-agent-zmfj2                                          1/1     Running   0          9m6s
kube-system                       kube-dns-697dc8fc8b-cxvsb                                        4/4     Running   0          14m
kube-system                       kube-dns-697dc8fc8b-m8m8m                                        4/4     Running   0          14m
kube-system                       kube-dns-autoscaler-844c9d9448-v7z9s                             1/1     Running   0          14m
kube-system                       kube-proxy-gke-krmapihost-confi-krmapihost-confi-2e7c156a-r3ct   1/1     Running   0          9m12s
kube-system                       kube-proxy-gke-krmapihost-confi-krmapihost-confi-b263dd6a-m0ks   1/1     Running   0          9m5s
kube-system                       kube-proxy-gke-krmapihost-confi-krmapihost-confi-b34ca582-nqwq   1/1     Running   0          9m5s
kube-system                       l7-default-backend-865b4c8f8b-n5qpl                              1/1     Running   0          14m
kube-system                       metrics-server-v0.4.4-857776bc9c-k28zq                           2/2     Running   0          8m39s
kube-system                       netd-hpxw7                                                       1/1     Running   0          9m4s
kube-system                       netd-tzfmn                                                       1/1     Running   0          9m13s
kube-system                       netd-x4c4r                                                       1/1     Running   0          9m5s
kube-system                       pdcsi-node-gbnxn                                                 2/2     Running   0          9m6s
kube-system                       pdcsi-node-nhpxs                                                 2/2     Running   0          9m5s
kube-system                       pdcsi-node-r8wfl                                                 2/2     Running   0          9m13s
resource-group-system             resource-group-controller-manager-5449bc55f4-w88rn               2/2     Running   0          6m40s
biometric:wse_github michaelobrien$ kubectl get nodes
NAME                                                  STATUS   ROLES    AGE     VERSION
gke-krmapihost-confi-krmapihost-confi-2e7c156a-r3ct   Ready    <none>   9m30s   v1.21.5-gke.1302
gke-krmapihost-confi-krmapihost-confi-b263dd6a-m0ks   Ready    <none>   9m22s   v1.21.5-gke.1302
gke-krmapihost-confi-krmapihost-confi-b34ca582-nqwq   Ready    <none>   9m23s   v1.21.5-gke.1302

I see the cluster and VMs even though I have not enabled the 30-day trial. Investigating, and also "Enable" Anthos to be able to receive a separate 30-day $800 US credit.

https://cloud.google.com/anthos-config-management/docs/overview?_ga=2.34170721.-156343137.1641500237

Pausing the Anthos cluster

Cost without the 30-day trial is $70 / 3 days = $23 CAD/day, or a minimum of about $700/month.

biometric:wse_github michaelobrien$ kubectl get nodes
NAME                                                  STATUS   ROLES    AGE    VERSION
gke-krmapihost-confi-krmapihost-confi-2e7c156a-r3ct   Ready    <none>   6d3h   v1.21.5-gke.1302
gke-krmapihost-confi-krmapihost-confi-b263dd6a-m0ks   Ready    <none>   6d3h   v1.21.5-gke.1302
gke-krmapihost-confi-krmapihost-confi-b34ca582-nqwq   Ready    <none>   6d3h   v1.21.5-gke.1302

biometric:wse_github michaelobrien$ gcloud anthos config controller list
NAME                                                                            LOCATION     STATE
projects/landingzone-stg/locations/us-central1/krmApiHosts/config-controller-1  us-central1  RUNNING
biometric:wse_github michaelobrien$ gcloud anthos config controller
ERROR: (gcloud.anthos.config.controller) Command name argument expected.

Available commands for gcloud anthos config controller:

      create                  Create Anthos Config Controller instances.
      delete                  Delete Anthos Config Controller instances.
      describe                Describe Anthos Config Controller instances.
      get-credentials         Fetch credentials for a running Anthos Config
                              Controller.
      list                    List Anthos Config Controller instances.
biometric:wse_github michaelobrien$ gcloud anthos config controller delete config-controller-1 --location=us-central1
You are about to delete instance [config-controller-1]

Do you want to continue (Y/n)?  y

Delete request issued for: [config-controller-1]
Waiting for operation [projects/landingzone-stg/locations/us-central1/operations/operation-1643151730836-5d670133a8272-66185ae0-de0c320e] to complete...⠼


Guardrails

Region Restriction

Use the local endpoints


Links

https://github.com/GoogleCloudPlatform/gcp-fedramp-quickstart

https://d1.awsstatic.com/events/reinvent/2019/AWS_Control_Tower_versus_AWS_Landing_Zone_GPSTEC203.pdf



1 Comment

  1. Notes:

    projects that disable automatic role grants for default service accounts