Setup a new project for a client organization¶
This documentation is out of date. We ended up deciding that we could not programmatically create projects. This section will be removed, see this issue for details.
Each client organization of 2i2c gets their own GCP Project. This allows us to:
Maintain billing easily, since projects are the easiest unit of billing.
Give members of client organizations (such as IT teams) full access to the cloud project, without granting access to other client organizations’ resources
Allow client organizations to take over running of the infrastructure themselves, with minimal disruption.
Client organizations can give us access to a billing account, or just to a project. This document describes what 2i2c engineers should do once client organizations give us access.
See Add a new Kubernetes cluster fore more detailed guidance.
Client organization provides billing account¶
Our pilot docs has information on how client organizations can provision a billing account and give us access.
projects.tfvars, adding an entry to
fully_managed_projects. The key should be the name of the project we want to create, and the value should be the billing account ID. Add a comment referencing more information about the client organization, ideally pointing to a GitHub issue.
Make a commit, and create a pull request in the org-ops repository.
terraform plan -var-file project.tfvarsto give you a detailed plan on what exactly terraform will do. Paste this in the PR description, and ask someone else for review.
Someone else should review the plan, and merge the PR. There should be co-ordination on when this is merged, so immediately after either the PR creator or merger can run
terraform apply -var-file projects.tfvarsafter merging. They should make sure the diff isn’t that different, and comment on the PR once it’s done.
Validate that the project has been created, and you have access to it with your user account.
Without billing account access¶
Sometimes, we won’t have access to the billing account - the project would be pre-created for us by the client organization. Our pilot docs have information on how client organizations can give us access
If these projects can not be moved into the 2i2c.org GCP organization, we can not automatically add 2i2c engineers as owners on the project. They will need to be added manually via the GCP Console web interface. They will get an invite in their mail, which they must manually accept.
Find current list of 2i2c engineers who should have access to this GCP project, maintained in
project_ownersin the org-ops, repository.
Use the GCP console to invite all these users to the project, giving them
Basic -> Ownerpermissions. Make sure you are doing this in the correct GCP project!
Ping all those 2i2c engineers to make sure they accept the invite.
In the future, we should support:
Moving projects into 2i2c.org GCP organization when possible.
Decommission access to GCP projects when 2i2c engineers leave.
Make sure new 2i2c engineers are added to all projects we have access to.