Create Config Controller

Org Admin Duration: 20 min | Persona: Org Admin

In this section, you will create your Config Controller instance. You will also add the least privilege Google Cloud roles to its associated service account. This Config Controller instance will allow throughout this workshop to deploy any infrastructure via Kubernetes manifests.

Define variables:

WORK_DIR=~/
source ${WORK_DIR}acm-workshop-variables.sh
echo "export CONFIG_CONTROLLER_NAME=configcontroller" >> ${WORK_DIR}acm-workshop-variables.sh
echo "export CONFIG_CONTROLLER_LOCATION=northamerica-northeast1" >> ${WORK_DIR}acm-workshop-variables.sh
echo "export CONFIG_CONTROLLER_NETWORK=default" >> ${WORK_DIR}acm-workshop-variables.sh
source ${WORK_DIR}acm-workshop-variables.sh
Info

We are creating the Config Controller instance in northamerica-northeast1 because that’s the greenest Google Cloud region (Low CO2) in the regions supported by Config Controller: europe-north1, europe-west1, europe-west3, australia-southeast1, australia-southeast2, us-east1, us-central1, northamerica-northeast1, northamerica-northeast2, asia-northeast1 and asia-northeast2.

Create the Config Controller instance

Enable the required Google Cloud APIs:

gcloud services enable \
    compute.googleapis.com \
    krmapihosting.googleapis.com \
    cloudresourcemanager.googleapis.com

If you don’t have a default network in your project, create one by running the following command:

gcloud compute networks create $CONFIG_CONTROLLER_NETWORK \
    --subnet-mode=auto

If you get an error telling you that the default network already exists, you can ignore it.

Create the Config Controller instance:

gcloud alpha anthos config controller create $CONFIG_CONTROLLER_NAME \
    --location $CONFIG_CONTROLLER_LOCATION \
    --network $CONFIG_CONTROLLER_NETWORK \
    --full-management

Tip

As a security best practice you could provision your Config Controller instance with the --man-block $(curl -4 ifconfig.co)/32 parameter. We are not doing this in this workshop to avoid any issues with Cloud Shell which is allocating a new IP address as soon as the session expired.

Note

The Config Controller instance provisioning could take around 15-20 min.

Check that the Config Controller instance was successfully created:

gcloud anthos config controller list \
    --location $CONFIG_CONTROLLER_LOCATION
gcloud anthos config controller describe $CONFIG_CONTROLLER_NAME \
    --location $CONFIG_CONTROLLER_LOCATION

Get the Config Controller instance credentials

gcloud anthos config controller get-credentials $CONFIG_CONTROLLER_NAME \
    --location $CONFIG_CONTROLLER_LOCATION

Set Config Controller’s service account roles

Get the actual the Config Controller’s service account:

CONFIG_CONTROLLER_SA="$(kubectl get ConfigConnectorContext \
    -n config-control \
    -o jsonpath='{.items[0].spec.googleServiceAccount}')"

Set the resourcemanager.projectCreator role either at the Folder level or the Organization level:

Create this resource at a Folder level:

gcloud resource-manager folders add-iam-policy-binding ${FOLDER_OR_ORG_ID} \
    --member="serviceAccount:${CONFIG_CONTROLLER_SA}" \
    --role='roles/resourcemanager.projectCreator'

Alternatively, you could also create this resource at the Organization level:

gcloud organizations add-iam-policy-binding ${FOLDER_OR_ORG_ID} \
    --member="serviceAccount:${CONFIG_CONTROLLER_SA}" \
    --role='roles/resourcemanager.projectCreator'

Set the serviceusage.serviceUsageAdmin and iam.serviceAccountAdmin roles:

gcloud projects add-iam-policy-binding ${HOST_PROJECT_ID} \
    --member="serviceAccount:${CONFIG_CONTROLLER_SA}" \
    --role='roles/serviceusage.serviceUsageAdmin'
gcloud projects add-iam-policy-binding ${HOST_PROJECT_ID} \
    --member="serviceAccount:${CONFIG_CONTROLLER_SA}" \
    --role='roles/iam.serviceAccountAdmin'

Finally, you need to assign the billing.user role too. Later in this workshop, it will be needed to attach a Project to a Billing Account. If you don’t have the proper role you may have an error by running the command below. In this case you need to ask your Billing Account or Organization admins in order to run this command for you.

gcloud beta billing accounts add-iam-policy-binding ${BILLING_ACCOUNT_ID} \
    --member="serviceAccount:${CONFIG_CONTROLLER_SA}" \
    --role='roles/billing.user'
Note

In some specific scenario, you may not be able to accomplish this step. You could skip it for now, another way to assign the Billing Account to a Project will be provided later in this workshop, when you will need it.

Check deployments

List the Google Cloud resources created:

gcloud anthos config controller list \
    --project $HOST_PROJECT_ID
gcloud beta billing accounts get-iam-policy ${BILLING_ACCOUNT_ID} \
    --filter="bindings.members:${CONFIG_CONTROLLER_SA}" \
    --flatten="bindings[].members" \
    --format="table(bindings.role)"
gcloud projects get-iam-policy $HOST_PROJECT_ID \
    --filter="bindings.members:${CONFIG_CONTROLLER_SA}" \
    --flatten="bindings[].members" \
    --format="table(bindings.role)"
gcloud resource-manager folders get-iam-policy $FOLDER_OR_ORG_ID \
    --filter="bindings.members:${CONFIG_CONTROLLER_SA}" \
    --flatten="bindings[].members" \
    --format="table(bindings.role)"
gcloud organizations get-iam-policy $FOLDER_OR_ORG_ID \
    --filter="bindings.members:${CONFIG_CONTROLLER_SA}" \
    --flatten="bindings[].members" \
    --format="table(bindings.role)"