BYO GCP Folder
What does BYO GCP Folder mean?
BYO (Bring Your Own) GCP (Google Cloud Platform) Folder is a Runway feature that allows you to deploy your Runway workloads to your own GCP folder. By default, Runway will deploy to gitlab-runway-<environment>
and these projects live in the GitLab.com organization, however you can also configure Runway to deploy to your own GCP folder, which may live in a different organization.
Process
-
Ensure the role
roles/billing.user
is granted to the provisioner SA on the billing accountYou need to ensure the provisioner SA (
[email protected]
) has the roleroles/billing.user
for thebilling_account
that you will define ininventory.yml
. -
Create GCP folder where Runway will create projects
You need to create the folder(s) where you would like Runway to create projects. In Terraform, it would look like this:
-
Grant necessary roles to the provisioner at the GCP folder level
For the folder(s) you created in the previous step, ensure the roles
roles/resourcemanager.projectCreator
androles/billing.projectManager
have been granted to the provisioner ([email protected]
).In Terraform, it would look like this:
-
Ensure Cloud Run services can allow unauthenticated requests
For each Runway service, we define an IAM policy that allows
allUsers
access to theroles/run.invoker
role. Terraform will fail to apply this policy if you have DRS (Domain Restricted Sharing) enabled with an error similar to:There are a few ways to fix this, but the way we recommend is to conditionally enforce DRS as follows:
- Add a tag binding to the Runway GCP folder (example)
- Update your DRS organizational policy such that it will exclude resources with specified tags from DRS (part of the MR above)
- Bind
roles/resourcemanager.tagAdmin
to the SA applying Terraform. This allows it to create new tags (example). - Bind
roles/resourcemanager.tagUser
to the SA applying Terraform. This allows it to bind tags (example).
See this blog post for more info on this approach.
-
Configure
gcp_project_groups
in provisioner’sinventory.yml
You are now ready to configure the provisioner. Find the
gcp_project_groups
key in theinventory.yml
file and add the following:Go ahead and merge this change and wait for it to be provisioned. Ensure you get a clean pipeline run with no errors.
If the
exporter_sa_email
field is empty ininventory.yml
, the default exporter SA (runway-exporter-k8s@gitlab-{production/staging-1}.iam.gserviceaccount.com
) will be granted theroles/monitoring.viewer
role for the GCP project. Next, update runway-exporter to include the new GCP project id in the list of--google.project-id
for runway-exporter to scrape stackdriver metrics.Alternatively, you may provide your own
exporter_sa_email
if you want to scrape metrics using a different set of runway-exporters. -
Create your Runway workload
You should now be able to add your workload to the
inventory.yml
. It is very similar to how you would add any other workload with the addition ofgcp_project_group
:
Limitations
-
We have VPC peering set-up between
gitlab-production
andgitlab-runway-production
(and similarly for staging), which allows Rails to reach internal-only facing Runway workloads. By deploying to your own GCP folder, if you need to access your workloads via an internal-only load balancer, you will need to configure VPC peering yourself. Runway does support creating VPC + subnetworks for internal load balancers. See the schema for more info. -
Deleting an entry from
gcp_project_groups
, applying it and attempting to add it again (with the same name) will not work. This is because once you apply the MR to delete the GCP project group, it will destroy all its resources including its IAM workload identity pool. These pools can be undeleted for up to 30 days before they are permanently deleted. Until then, you cannot reuse the name, so you cannot simply recreate the same GCP project group. You can either pick a newname
OR you can manually undelete the workload identity pool and import the resources (example).