Update setup docs, adding azure setup doc instructions (#98)
Commit 2da31a5 (parent 57fdcab). Showing 4 changed files with 65 additions and 18 deletions.
@@ -0,0 +1,34 @@ | ||
# Preparing Azure for Github Foundations | ||
|
||
This document will walk you through what is required of your Azure (Az) setup to run the Github Foundations bootstrap layer. | ||
|
||
## Setup | ||
|
||
**1. Install Azure CLI tool** | ||
* Install the Azure CLI tool according to your operating system's instructions ([https://learn.microsoft.com/en-us/cli/azure/install-azure-cli](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli)) | ||
|
||
**2. Setup an Azure Key Vault (optional)** | ||
* Create an Azure Key Vault to store secrets that will be required by the Github Foundations organization layer to authenticate with Github. If you wish to bring your own secret manager you can skip this step. | ||
* **Note: If you do bring a different solution to the toolkit ensure that it's secrets can either be accessed via Terraform or added to the environment of the github action runner so it can be read by Terraform** | ||
|
||
**3. Authenticate with required permissions** | ||
* At minimum your account will need the following roles scoped to the subscription or resource group that the Azure resources should be created in: | ||
* `Reader` | ||
* `Storage Account Contributor` | ||
* `Storage Blob Data Contributor` | ||
* `Managed Identity Contributor` | ||
* `Role Based Access Control Administrator` | ||
* Additionally you will need the following roles if: | ||
* You want Github Foundations to create a new Resource Group for it's Azure resources: | ||
* `Contributor` or `Owner` scoped to the subscription the resource group will be created in. | ||
* **Note The previously listed roles should be scoped to the subscription since the resource group won't exist yet** | ||
* If you are using an Azure Key Vault to store secrets needed to authenticate with Github: | ||
* `Key Vault Reader` scoped to the resource group that the Azure Key Vault exists under. | ||
* `Role Based Access Control Administrator` scoped to the Azure Key Vault you want to use. | ||
* Once you have confirmed your account has the required permissions authenticate using the Azure CLI: `az login` | ||
|
||
**Resources:** | ||
|
||
* Azure CLI: [https://learn.microsoft.com/en-us/cli/azure/install-azure-cli](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) | ||
* Azure Role-Based Access Control Built-in Roles: [https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles) | ||
* Azure CLI Role Assignment: [https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-cli](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-cli) |
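Review bot: the `Role Based Access Control Administrator` role in the "at minimum" list of step 3 lets the account grant any role at that scope, yet the hunk never says which role assignments the bootstrap actually creates (presumably for the managed identity that the `Managed Identity Contributor` line implies), so a reader cannot judge whether resource-group scope is enough; state what gets assigned and to whom, and recommend resource-group scope over subscription scope whenever the group already exists, reserving the subscription-scoped `Contributor`/`Owner` path for the create-a-new-group case the note already describes. The same role is then listed again under the Key Vault bullet, scoped to the vault; explain that this second assignment is only needed when the broader one was granted at a scope that does not contain the vault, otherwise it reads as a duplicate. Minor wording in the hunk: "it's secrets" and "it's Azure resources" should be "its", "Setup an Azure Key Vault" should be "Set up", "**Note The previously listed roles" is missing its colon, and "Github" should be "GitHub". Since every role above is scoped to a particular subscription, the `az login` step could also mention selecting that subscription afterwards, e.g. `az account set --subscription <subscription-id>`.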
@@ -0,0 +1,25 @@ | ||
# Preparing Google Cloud Platform for Github Foundations | ||
|
||
This document will walk you through what is required of your Google Cloud Platform (GCP) setup to run the Github Foundations bootstrap layer. | ||
|
||
## Setup | ||
|
||
**1. Install Gcloud CLI tool** | ||
* Install the Google Cloud Platform tool according to your operating system's instructions ([https://cloud.google.com/sdk/docs/install](https://cloud.google.com/sdk/docs/install)) | ||
|
||
**2. Authenticate with required permissions** | ||
* Login to the GCP CLI with the command `gcloud auth application-default login` under a service account with the following roles for your organization: | ||
* `roles/iam.workloadIdentityPoolAdmin` | ||
* `roles/iam.serviceAccountAdmin` | ||
* `roles/resourcemanager.projectMover` | ||
* `roles/resourcemanager.projectDeleter` | ||
* `roles/resourcemanager.folderEditor` | ||
* `roles/storage.admin` | ||
* `roles/storage.objectAdmin` | ||
|
||
**Note:** This setup will grant extensive permissions within your GCP project and organization. Please ensure you understand the implications of assigning these roles and permissions before proceeding. | ||
|
||
**Resources:** | ||
|
||
* GCP CLI: [https://cloud.google.com/sdk/docs/install](https://cloud.google.com/sdk/docs/install) | ||
* GCP IAM Roles: [https://cloud.google.com/iam/docs/understanding-roles](https://cloud.google.com/iam/docs/understanding-roles) |
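Review bot: step 2 tells the reader to run `gcloud auth application-default login` "under a service account", but that command performs a browser-based login for a user account; if a service account is really intended, the doc should say how its credentials are obtained (key file or impersonation) and, if a human operator is intended, the sentence should say "user account" instead. In the role list, `roles/storage.admin` already grants full control of buckets and objects, so `roles/storage.objectAdmin` on the next line adds nothing and should be dropped to keep the grant minimal, which also strengthens the "extensive permissions" note below. The list also names project mover and deleter roles but no project creator; either the bootstrap does not create projects (worth stating) or a role is missing. Wording: "Login to the GCP CLI" should be "Log in to", and the tool is spelled `gcloud`, not "Gcloud".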