Setting Up Your GCP Foundations Through Terraform — Chapter 1 — Introduction & First Steps

Joel Goodman
Google Cloud - Community
4 min read · Jun 17, 2022

Introduction:

When I was in college I was introduced to the Marshmallow Challenge. The challenge is to build the tallest free-standing structure in just 18 minutes using no more than 20 sticks of spaghetti, one yard of tape, one yard of string, and one marshmallow. The marshmallow must be on top and cannot be deformed to hold it in place. Usually, only about 50% of the teams succeed in this challenge.

The key finding from the exercise: Prototyping Matters — The reason kids do better than college students is that kids spend more time playing and prototyping. They naturally start with the marshmallow and stick on the sticks. The college students spend a vast amount of time planning, then executing the plan, with almost no time to fix the design once they put the marshmallow on top.

This is very similar to the way we build software today — a company has an idea and they focus on building a working prototype of that idea. From there they continue expanding on that prototype, all the while accumulating technical debt, which ultimately reduces the reliability of the system and slows down development and feature velocity.

The challenge is deciding what to prioritize: delivering features, or making sure the product is built according to industry best practices (IaC, CI/CD, etc.). For companies and product teams that are just starting out this is not really a decision: you need to deliver value as soon as possible, so delivering features will always win.

The goal of this series is to guide you through setting up your company’s GCP foundations using Terraform and CI/CD best practices. In addition, we will build out an open-source example GCP foundations/landing zone that follows GCP best practices and the GCP Architecture Framework.

Hopefully, this will enable you to focus on delivering value to your customers while also reducing your technical debt as much as possible as your product scales.

To set expectations and also hold myself accountable, I’m setting a goal of publishing a new chapter in the series once a week on Wednesday at 12:00 PM CET.

Scenario:

  • The product we want to launch is the GCP Microservices Demo — this is a demo of an online boutique that is designed to run on Kubernetes.

First steps:

There are two main parts to this process. First, create your first super admin account in Cloud Identity; if you have all the required credentials and access, this should take no longer than 30–60 minutes. Second, verify your domain, which according to Google documentation could take several hours; this sets up your organizational node.

Some important things to be aware of in GCP:

  • Cloud Identity has a free tier and a premium tier. For most customers, it is more than enough to start with the free tier and then move to the premium tier when additional users or additional features are required. Be aware that the free tier for Cloud Identity can be expanded from 50 users through a request form, subject to Google’s approval.
  • Super admins and org admins are two different roles.
  • Super admins administer your Cloud Identity environment, including setting up admins, adding and removing users, and adding and removing Cloud Identity services.
  • Org admins manage access permissions within your GCP environment. It is important to understand that this role is not “god mode” on your GCP environment: what it allows is for the admin to create and assign roles to users. For example, an org admin cannot see billing data if they have not provided themselves with the billing admin role.
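The org admin point above can be checked against a real IAM policy. The following is an added example, not code from the original post: it reads two snapshots of an organization IAM policy and reports which org admins hold a billing role, and which of them picked one up between snapshots. The group names, the `example.com` principals and the function names are assumptions made for illustration, and only direct organization-level bindings are inspected.

```python
ORG_ADMIN = "roles/resourcemanager.organizationAdmin"
BILLING_ROLES = ("roles/billing.admin", "roles/billing.viewer")

# Constructed sample policies, in the shape of the "bindings" list printed by
# `gcloud organizations get-iam-policy ORG_ID --format=json`.
BEFORE = {"bindings": [
    {"role": ORG_ADMIN,
     "members": ["group:gcp-org-admins@example.com", "user:alice@example.com"]},
    {"role": "roles/billing.admin",
     "members": ["group:gcp-billing-admins@example.com"]},
]}
AFTER = {"bindings": [
    BEFORE["bindings"][0],
    {"role": "roles/billing.admin",
     "members": ["group:gcp-billing-admins@example.com", "user:alice@example.com"]},
]}


def members_by_role(policy):
    """Map each role in an IAM policy to the set of members bound to it."""
    roles = {}
    for b in policy.get("bindings", []):
        roles.setdefault(b["role"], set()).update(b.get("members", []))
    return roles


def billing_access_of_org_admins(policy):
    """For each org admin, the billing roles bound directly to them (often none)."""
    # Group membership is not resolved here: a user who is inside a billing
    # group is not detected by this direct-binding check.
    roles = members_by_role(policy)
    return {admin: [r for r in BILLING_ROLES if admin in roles.get(r, ())]
            for admin in sorted(roles.get(ORG_ADMIN, ()))}


def new_billing_grants_to_org_admins(before, after):
    """(member, role) pairs present for org admins in `after` but not in `before`."""
    old = billing_access_of_org_admins(before)
    new = billing_access_of_org_admins(after)
    return sorted((a, r) for a, held in new.items() for r in held
                  if r not in old.get(a, []))


if __name__ == "__main__":
    print(billing_access_of_org_admins(BEFORE))
    print(new_billing_grants_to_org_admins(BEFORE, AFTER))
```

Billing roles can also be bound on the billing account itself, so a complete review would run the same comparison over that policy as well.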

Working Checklist:

  • If you don’t already have a domain — buy one — there are many ways to do this through registrars like GoDaddy, Google Domains and others.
  • If your company has a domain already, make sure you have the admin credentials. They are required in order to set up your GCP organization and Cloud Identity environment, which is the identity part of your IAM (identity and access management) controls.
  • Read the Super Administrator Account Best Practices (3–5 minute read)
  • Follow the steps as they are documented in part 1 of the Google Cloud Setup Checklist to set up your GCP organization and first Super Admin user and recovery email address.
  • Pay attention to the Troubleshooting steps at the end of the documentation for chapter 1; quite often a customer will try to verify their domain and receive an error because someone from within the org has already verified the domain.

Coming Next Week:

  • Setting up our first user groups and assigning them roles.
  • Setting up our GitHub environment to allow for collaboration and to set the foundations for our CI/CD pipeline.

Joel Goodman
Google Cloud - Community

Staff Cloud Architect at DoiT International. I love learning, building and sharing knowledge about technology. Cloud Infrastructure, Kubernetes & IoT