Edit

Integration

meshcloud can automatically provision GCP Projects as Tenants for meshProjects and configure them according to your organiziations policies using Landing Zones.

Integration Overview

To enable integration with GCP, operators need to deploy and configure the meshStack GCP Replicator. Operators can configure one or multiple PlatformInstances of PlatformType.GCP. This makes Azure available to meshProjects like any other cloud platform in meshStack.

Google Cloud Platform relies on Google Cloud Identity (GCI) for authentication and authorization. meshStack can seamlessly integrate with GCI and various hybrid identity setups. For organizations that do not already use google identity services, meshStack supports fully federated meshStack provisioned identities. Organizations already using Google Cloud Directory Sync or G-Suite can use meshStack with an externally provisioned identities configuration.

meshcloud helps organizations implement Google Cloud Platform in line with Governance best-practices by integrating with the GCP Organization Resource Hierarchy and Organization Policy Service using Landing Zones

In order to plan and execute a successful integration of GCP using meshcloud, organizations need to consider the following parts described in the sections below.

As part of an integration project meshcloud typically delivers a configuration tailored to your organization's specific requirements using infrastructure as code (IaC) tools. The descriptions below serve as a general reference.

Cloud Identity Setup

meshStack does not require Cloud Identity Premium nor G-Suite. Cloud Identity "Free" is sufficient for automated GCP IAM management through meshStack.

meshStack-provisioned Identities

When using meshStack-provisioned identites operators need to setup SSO beftween the Cloud Identity directory and meshIdB. This can be achieved by following the official instructions.

Organization Setup

Operators need to setup a GCP Organization to be used by meshStack. Please review the official GCP documentation on creating and managing organizations.

meshfed-service IAM Role

meshStack needs a well-defined set of permissions for it's automation. meshStack is designed so that it does not require access to workload. We highly recommend that permissions are configured according to the principle of least privilege.

Operators need to define a Custom Role called meshfed-service at the Organization Level with the following permissions

resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.create
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.move
resourcemanager.projects.setIamPolicy
resourcemanager.projects.update
resourcemanager.projects.createBillingAssignment
resourcemanager.projects.deleteBillingAssignment
billing.resourceAssociations.create
serviceusage.services.enable
serviceusage.services.get
deploymentmanager.deployments.delete
deploymentmanager.deployments.create
deploymentmanager.deployments.update
deploymentmanager.deployments.get

Root Project Configuration

For some resources we need a “root” project for meshStack in GCP. This project is reserved for use by meshstack and operators. For this guide, we’ll call the root project meshstack-root.

Enable APIs

Enable the following APIs on the meshstack-root project from the API Library

• Admin SDK
• Cloud Resource Manager API
• Cloud Billing API

meshfed-service ServiceAccount

Create a meshfed-service ServiceAccount on the Organization

• Enable the ServiceAccount for “G Suite Domain-wide Delegation” and notate the generated Client Id
• Generate and Download a ServiceAccount Key

The ServiceAccount doesn’t need any roles on itself, it will be merely used to impersonate a technical user set up on the Cloud Identity directory using the Admin Console for your Organization. This is required because Google does not support automation of Cloud Identity operations using ServiceAccounts.

The ServiceAccount will be identified by an email address like

meshfed-service@meshstack-root.iam.gserviceaccount.com

Cloud Identity Configuration

meshfed-service User

meshStack needs to impersonate a technical user to perform delegated operations using the Admin SDK. Depending on your organization's setup of Google Cloud Identity, provisioning a technical user in the cloud directory may require one of the following two alternatives.

1. Provisioning the user as a "cloud only" Account in the Google Admin Console.
2. Provisioning the user in an on-premises directory synced with the cloud directory

In any case, you will have to log in with the user once to accept Google's Terms of Service. If you provision the user as a "cloud only" account but have federation enabled on your cloud directory, temporarily making the technical user a "Super Admin" disables SSO and enables cloud only login.

We recommend calling this user meshfed-service. You may also want to consider provisioning it on a domain reserved for technical user accounts. The user will be identified by an email like:

meshfed-service@dev.meshcloud.io

You can reset the password of this user after completing the setup instructions. This helps ensure that only the meshfed-service Service Account is able to impersonate the technical user account.

Assign Admin Roles

Add the User to the following admin roles

• User Management Admin
• Groups Admin

Accept Google ToS

The technical user needs to accept Google’s ToS after signing in as meshfed-service@dev.meshcloud.io.

Open a private browser session and

• sign in to the admin console. Accept any ToS presented.
• sign in to the Google Cloud Console. Accept the GCP ToS.

Add to the meshfed-service GCP role

Add the meshfed-service@dev.meshcloud.io user to the meshfed-service role setup earlier on the organization level in GCP.

Enable Automated OAuth Consent

Enable Automated Consent in the G Admin Console

• Go to Manage OAuth Clients
• Add a new Authorized client with these details

  • Client Name = Client Id of meshfed-service Service Account from Google Cloud Console (displayed under “Domain-wide Delegation” on the Service Account Details Page )

  • Scopes:

    https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/cloud-platform, https://www.googleapis.com/auth/admin.directory.group
    

Platform Instance Config

This section describes the configuration of a GCP Platform Instance in the meshStack configuration model.

Organization

Configure the domain, service account and service user as they were setup above.

To retrieve the value of your Google Customer Id you can use the gcloud tool or look it up from Google Admin console.

{   customerId =
      "Cxxxx123"
    domain =
      "dev.meshcloud.io"
  , serviceUser =
      "meshfed-service@dev.meshcloud.io"
  , serviceAccount =
      { accountId =
          "meshfed-service@meshstack-root.iam.gserviceaccount.com"
      , privateKey =
          { name = "GCP_PRIVATE_KEY" }
      }
}

Billing Account

In order to maintain symmetry to other public cloud platforms, meshStack consolidates billing of all GCP projects managed under the same GCP Platform Instance to a single Google Cloud Billing Account. The billing account id is thus configured on the platform level.

{   billingAccountId =
      {- The id of your Billing Account as it's displayed in Google Cloud Console -}
      "123456-1234ABCD-1234FF"
}

To use multiple billing accounts consider configuring multiple GCP meshPlatforms in meshStack.

GCP Role Mapping

The project roles are mapped to user roles in GCP. This mapping is fully customizable and can use custom as well as built-in roles.

In order to configure the mapping use the roleMappings key in the platform config.

{ roleMappings =
    [ { mapKey = "admin", mapValue = "roles/editor" } {- Uses a built-in GCP role -}
    , { mapKey =
          "user"
      , mapValue =
          "organizations/632614034120/roles/meshstack.project_developer" {- Uses a custom role defined on the organization -}
      }
    ]
}

Project Id Pattern

Operators can configure the pattern used to dervice GCP Project Ids when meshStack creates a new GCP Project.

The arguments available here are:

1. argument: meshCustomer identifier
2. argument: meshProject identifier
3. argument: a random alphanumeric string suitable as a suffix

The resulting string must not exceed a total length of 30 characters. Only alphanumeric + hyphen are allowed. We recommend that configuration include at least 3 characters of the random parameter to reduce the chance of naming collisions. The example below shows a reference configuration:

{ projectIdPattern =
    {-
      15 (up to) chars customer identifier
      1 separator
      10 (up to) chars project id, this is usually short e.g. "prod", "dev" "staging"
      1 separator
      3 chars random id, alphanumeric, case insensitive  = 26+10 characters -> 36^3 = ~46.5k possibilities
      =
      30 chars total
    -}
      "%.15s-%.10s-%.3s"
}