In GCP, a Landing Zone is defined via the folder the project will be assigned to. Policies can be applied to these folders.
The Landing Zone can be configured in the Administration section. If a project is selected to have a GCP location, a Landing Zone must be selected by the user. By choosing a Landing Zone, platform-specific configuration can be set (in this case for GCP). The options for GCP are:
Resource Manager Folder Id
Folders, and the application of organization constraints on the projects contained in them through the Organization Policy Service, can be set up outside of meshcloud by an Operator.
Template Config URL
You can define a URL pointing to a template configuration for the Deployment Manager. These templates will be fetched and deployed during the execution process. They can be used to set up projects with certain presets of resources.
In contrast to the official GCP documentation, you must leave out the imports in your config file. It should have the following format:
```yaml
resources:
  - name: enable_api
    type: gs://likvid-gdm-templates/single_vm2/enable_api.jinja
  - name: vm_template
    type: gs://likvid-gdm-templates/single_vm2/vm_template.py
    properties:
      zone: europe-west1-b
```
The maximum file size is currently 1MB; please contact us if you need support for bigger template configurations.
The replicator needs to assign the project's service accounts read access to the bucket so the templates can be fetched. It is therefore necessary to give the meshfed service account the following permissions on the storage bucket:
- storage.buckets.setIamPolicy
- storage.buckets.getIamPolicy
- storage.objects.get
- storage.objects.list
- storage.buckets.list
- storage.buckets.get
We suggest creating a custom role containing these permissions. The replicator then assigns read access for the projects' service accounts, which have the form of
The name of the template deployment is template-<CUSTOMER_IDENTIFIER>-<PROJECT_IDENTIFIER>, cut to a maximum length of 63 chars.
If the URL is changed or the underlying template is updated, the projects automatically receive the updated template. Please make sure beforehand that the templates can be deployed without errors.
Please note that you probably want to enable all the necessary APIs on the GCP project in order to allow deployment of this template. Templates can enable APIs via the virtual template type deploymentmanager.v2.virtual.enableService. For more information see the official Deployment Manager docs.
Available Google Deployment Manager Properties
The properties of the provided configuration file are expanded with properties from meshcloud, and these can be used inside the template itself. The following properties are provided:
| Property | Description |
|---|---|
| tagCostCenter | ID of the CostCenter defined for this meshProject. |
| projectIdentifier | The project identifier |
| projectId | The ID of the GCP project associated with this meshProject |
| tagCostCenter | Example for a metadata tag named |
As the example tagCostCenter in the above table indicates, any payment settings, project tags or customer tags are also provided to the template.
The following modifications are applied to metadata tag keys by meshStack before making them available as properties:
- Parameters are prefixed with
- First letter of metadata tag key is capitalized
In the example, a metadata tag named costCenter would be provided as a property with name
See metadata tags for more information.
If you are planning on converting any of the template properties into GCP labels, please be aware of the limits and requirements that GCP has described in their docs.
Key takeaways here:
- A resource can have a maximum of 64 labels
- Keys and values can only contain lowercase letters, numeric characters, underscores and hyphens.
- Label keys must start with a lowercase letter
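As an added example that is not meshcloud's own template code, and that serves both the property table above and the label limits just listed: a Python Deployment Manager template in the style of the vm_template.py referenced in the config, which enables the Compute API through the virtual type mentioned earlier and converts the meshStack-provided tag properties into GCP labels that satisfy the stated limits. The resource definitions are assumptions, reduced to what the example demonstrates; the zone property comes from the config file.

```python
import re

# GCP label limits from the official docs: 63 chars per key and value, 64 labels per resource.
MAX_LABEL_LEN = 63
MAX_LABELS = 64


def to_label_key(raw):
    """Turn a meshStack property name such as 'tagCostCenter' into a valid GCP
    label key: lowercase, only [a-z0-9_-], starting with a lowercase letter."""
    key = re.sub(r'(?<!^)(?=[A-Z])', '_', raw).lower()   # tagCostCenter -> tag_cost_center
    key = re.sub(r'[^a-z0-9_-]', '_', key)
    key = key.lstrip('0123456789_-')                     # must start with a letter
    return key[:MAX_LABEL_LEN] or 'unnamed'

def to_label_value(raw):
    """Values share the character set and 63-char limit, but may be empty."""
    return re.sub(r'[^a-z0-9_-]', '-', str(raw).lower())[:MAX_LABEL_LEN]

def labels_from_properties(properties):
    """Build a label map from the 'tag...' properties meshStack injects
    (metadata, project and customer tags), never exceeding 64 labels."""
    labels = {}
    for name, value in sorted(properties.items()):
        if name.startswith('tag') and len(labels) < MAX_LABELS:
            labels[to_label_key(name)] = to_label_value(value)
    return labels

def GenerateConfig(context):
    """Deployment Manager entry point. context.properties is the merge of the
    config file's properties (e.g. zone) and the ones meshStack adds
    (projectId, projectIdentifier, tag...)."""
    props = context.properties
    return {'resources': [
        {   # enable the Compute API first, via the virtual type named in the docs above
            'name': 'enable-compute',
            'type': 'deploymentmanager.v2.virtual.enableService',
            'properties': {'consumerId': 'project:' + props['projectId'],
                           'serviceName': 'compute.googleapis.com'},
        },
        {   # hypothetical VM; a real instance also needs machineType, disks, networkInterfaces
            'name': 'vm-' + props['projectIdentifier'],
            'type': 'compute.v1.instance',
            'properties': {'zone': props['zone'],
                           'labels': labels_from_properties(props)},
            'metadata': {'dependsOn': ['enable-compute']},
        },
    ]}
```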
meshRole to Platform Role Mapping
The meshProject roles must be mapped to GCP-specific roles. You can control this mapping with a Landing Zone setting by adding role mappings and supplying a GCP Role. You can use both custom roles, which look like organizations/123123123123/roles/meshstack.project_developer, and predefined GCP roles like
You can specify multiple GCP roles for each meshRole. All defined GCP roles are added to the user group of the assigned users.
Cloud Function URL
If you specify a Cloud Function URL, this function is invoked during a project replication. This can happen several times, so your function invocation must be idempotent. The function receives variables via HTTP headers, similar to the Azure Function.
Please make sure the GCP service user of the replicator is allowed to access this function.
Please review the meshStack Landing Zone Http Header interface for metadata meshStack makes available to Azure Functions.
In addition to the headers referenced above, meshStack provides the following GCP-specific HTTP headers:
|HTTP Header Name||Description|
|x-mesh-project-id||The ID of the GCP project associated with this meshProject|
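An added example, not part of the meshStack docs, of a Python HTTP Cloud Function (GCP hands it a Flask-style request) that reads the x-mesh-project-id header, validates it against GCP's project ID format, and stays idempotent across the repeated invocations described above. The in-memory store and the onboarding step are placeholders for whatever the function actually does.

```python
import re

# GCP project IDs: 6-30 chars, lowercase letters, digits and hyphens, starting with a letter.
PROJECT_ID_RE = re.compile(r'^[a-z][a-z0-9-]{4,28}[a-z0-9]$')

# Constructed stand-in for a durable store (a real function would use Firestore or similar).
_SEEN_PROJECTS = {}


def handle_replication(headers, store=_SEEN_PROJECTS):
    """Core logic, separated from the HTTP layer so it can be tested.
    Returns (http_status, body). Calling it twice for the same project id
    leaves the same end state, which is what repeated replication requires."""
    project_id = headers.get('x-mesh-project-id', '').strip()
    if not PROJECT_ID_RE.match(project_id):
        return 400, {'error': 'missing or malformed x-mesh-project-id header'}
    if project_id in store:
        # Already onboarded: report success without repeating side effects.
        return 200, {'projectId': project_id, 'created': False}
    # Hypothetical onboarding step, written as an "ensure" operation.
    store[project_id] = {'onboarded': True}
    return 200, {'projectId': project_id, 'created': True}


def on_project_replicated(request):
    """HTTP Cloud Function entry point; request.headers is case-insensitive."""
    status, body = handle_replication(request.headers)
    return body, status
```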