Commit 1d02a2a0 authored by Vlad Stoianovici's avatar Vlad Stoianovici

Update handbook issue template links for CorpSec tracker migration

parent 2241bf0d
+27 −27
@@ -56,7 +56,7 @@ Any team member can use the self service instructions below to provision an AWS
1. Visit [https://gitlabsandbox.cloud](https://gitlabsandbox.cloud) and sign in with your Okta account.
1. Navigate to **Cloud Infrastructure** in the top navigation.
1. Click the purple **Create Individual Account** button.
1. Choose the *cloud provider* and *cloud organization unit* from the dropdown menu. **If no options are present in the dropdown list for the organization unit, your department has not been created in our database yet due to a department name change or addition in the HRIS. Please ask in `#sandbox-cloud-questions` to have it added.**
1. Choose the *cloud provider* and *cloud organization unit* from the dropdown list. **If no options are present in the dropdown list for the organization unit, your department has not been created in our database yet due to a department name change or addition in the HRIS. Please ask in `#sandbox-cloud-questions` to have it added.**
1. Click the green **Create Account** button.
1. Your account will take 2-5 minutes for the AWS API to finish the provisioning process while the AWS services are activated for your account.
1. Please refresh your browser window every ~60 seconds until you see that your user account has changed from `Provisioning` to `Active`.
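Review bot: this hunk only swaps "dropdown menu" for "dropdown list" in the step at line 4 of the hunk, which is unrelated to the commit message ("Update handbook issue template links for CorpSec tracker migration"); either split the wording cleanups into their own commit or extend the message so a reviewer scanning history knows this commit also touches self-service provisioning text. The bold note about the missing organization unit and `#sandbox-cloud-questions` is unchanged, so no behaviour of the procedure is affected.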
@@ -86,10 +86,10 @@ Any team member can request a new AWS account or GCP project for a specific proj

Self-service creation and IAM management is not available yet for end users in HackyStack. In the meantime, we use access request style issue templates as our boring solution for security compliance reasons and the HackyStack administrators provision accounts and users using the Admin CLI.

- [Issue Template](https://gitlab.com/gitlab-com/gl-security/corp/issue-tracker/-/issues/new?issuable_template=aws_services_account_create): New AWS Group Workload (Multi-user) Account Request
- [Issue Template](https://gitlab.com/gitlab-com/gl-security/corp/issue-tracker/-/issues/new?issuable_template=aws_services_account_iam_update): Add/Remove IAM Users from AWS Group Workload Account
- [Issue Template](https://gitlab.com/gitlab-com/gl-security/corp/issue-tracker/-/issues/new?issuable_template=gcp_services_project_create): New GCP Group (Multi-user) Project Request ([Provisioner Runbook](https://gitlab.com/gitlab-com/gl-security/corp/infra/runbooks/-/blob/main/gitlab-sandbox-cloud/add-group-project-for-gcp.md))
- [Issue Template](https://gitlab.com/gitlab-com/gl-security/corp/issue-tracker/-/issues/new?issuable_template=gcp_services_project_iam_update): Add/Remove IAM Users from GCP Group Project
- [Issue Template](https://gitlab.com/gitlab-com/gl-security/corp/issue-tracker/-/issues/new?issuable_template=aws_account_create): New AWS Group Workload (Multi-user) Account Request
- [Issue Template](https://gitlab.com/gitlab-com/gl-security/corp/issue-tracker/-/issues/new?issuable_template=aws_account_iam_update): Add/Remove IAM Users from AWS Group Workload Account
- [Issue Template](https://gitlab.com/gitlab-com/gl-security/corp/issue-tracker/-/issues/new?issuable_template=gcp_project_create): New GCP Group (Multi-user) Project Request ([Provisioner Runbook](https://gitlab.com/gitlab-com/gl-security/corp/infra/runbooks/-/blob/main/gitlab-sandbox-cloud/add-group-project-for-gcp.md))
- [Issue Template](https://gitlab.com/gitlab-com/gl-security/corp/issue-tracker/-/issues/new?issuable_template=gcp_project_iam_update): Add/Remove IAM Users from GCP Group Project

#### Production Environments

@@ -119,7 +119,7 @@ Self-hosted application infrastructure is determined on a case-by-case basis and
1. You will see the `AWS Console URL`, `Username`, and `Password` that you can use to sign in to your AWS account. The 12 digit number at the beginning of the URL is your AWS Account ID/Number.
1. Create a new 1Password record in your Private vault to save these credentials.
1. You can click on the link to open the AWS console, or you can close the modal window and click the `Open AWS Web Console` button on the `Cloud Account` details page.
1. Use the provided **URL**, **Username**, and **Password** to sign in to your new AWS account. *Be careful that your browser doesn't autofill saved credentials for a different account.*
1. Use the provided **URL**, **Username**, and **Password** to sign in to your new AWS account. *Be careful that your browser doesn't automatically fill in saved credentials for a different account.*
1. After you sign in, you should navigate to IAM and add a Virtual MFA device for your user account and add a One-Time Password (OTP) to your 1Password record.
1. Your IAM user account has `AdministratorAccess` to be able to perform any action inside of your AWS account. We do not provide team members access to the `root` user account since we only use this for break glass security incidents or related administrative activity by the [Infrastructure Realm Owners](/handbook/company/infrastructure-standards/#realm-owners).

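Review bot: "autofill" to "automatically fill in" is a wording-only change; while this step list is being edited, the following line "you should navigate to IAM and add a Virtual MFA device" reads as optional even though the next line grants the user `AdministratorAccess`. If MFA is mandatory for these IAM users, say "must" and mention it in the credentials step, since an unprotected administrator login is the highest-impact misconfiguration this procedure can produce.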
@@ -157,10 +157,10 @@ In the [HackyStack v1.11 (November 2021) release](https://gitlab.com/gitlab-com/
1. Sign into [https://gitlabsandbox.cloud](https://gitlabsandbox.cloud)
1. Create a Cloud Account in GCP (GCP Project) or navigate to an existing project.
1. Click the **Create Terraform Environment** button and fill out the form:
    1. Choose your Cloud Account from the **Cloud Account** dropdown.
    1. Choose the template you wish to use from the **Environment Template** dropdown. If this is your first time, use the `gcp-sandbox-environment-template-v2-########` template.
   1. Choose your Cloud Account from the **Cloud Account** dropdown list.
   1. Choose the template you wish to use from the **Environment Template** dropdown list. If this is your first time, use the `gcp-sandbox-environment-template-v2-########` template.
      - If you are looking for a more detailed template (where you can set the version and enable a runner) use `support-resources-template-v2`.
    1. Input a name for your environment in the **Environment Name (Alphadash Slug)** text field.
   1. Input a name for your environment in the **Environment Name (`Alphadash` Slug)** text field.
1. After the Environment is created, click the **View Terraform Configuration** button. This is hosted on a new GitLab instance at [https://gitops.gitlabsandbox.cloud](https://gitops.gitlabsandbox.cloud). Your GitLab instance credentials can be found in the View GitOps Credentials button modal.
   - You can create multiple Terraform Environments, subject to GCP resource quotas and cost considerations. Every Friday, your GCP compute instances will automatically be powered down for cost savings and security best practices.

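Review bot: the nested steps change from 4-space to 3-space indentation, but the bullet "- If you are looking for a more detailed template ..." beneath them keeps its 6-space indent; check the rendered page, because a mismatch between the sub-list and its child bullet can break the nesting in the Markdown renderer. Separately, wrapping `Alphadash` in backticks inside the UI label "Environment Name (Alphadash Slug)" quotes only part of the label; keep the label verbatim as shown in the form (or backtick the whole label) so users can match it on screen.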
@@ -190,7 +190,7 @@ In the [HackyStack v1.11 (November 2021) release](https://gitlab.com/gitlab-com/

1. Run a new CI pipeline. After the `Plan` job completes, trigger the `Deploy` job. (Notice how you haven't had to do any configuration).
1. Watch the `terraform apply` outputs as your new environment is spun up with a sample Ubuntu virtual machine for testing with. You can add additional Terraform resources as you see fit (see below).
1. Navigate to the GCP console using the link on [https://gitlabsandbox.cloud](https://gitlabsandbox.cloud) to view the deployed VM. Feel free to connect to the VM via SSH using the `gcloud` command or Cloud Shell.
1. Navigate to the GCP console using the link on [https://gitlabsandbox.cloud](https://gitlabsandbox.cloud) to view the deployed VM. Feel free to connect to the VM through SSH using the `gcloud` command or Cloud Shell.
1. Run the GitLab CI job for `Destroy` to clean up your resources.
1. You can update the `terraform/main.tf` file in the Git repository to add more Terraform resources or modules.
1. Simply run the `Deploy` CI pipeline job to deploy your resources.
@@ -291,7 +291,7 @@ See the issue trackers for the latest up-to-date information.

**Phase 4.5** - Migrate everyone's resources in shared accounts into respective isolated accounts and apply labels/tags for cost management and reporting. See [it-infra#86 Project Playground](https://gitlab.com/gitlab-com/gl-security/corp/infra/issue-tracker/-/issues/86) for details.

**Phase 5** - Curate centralized library of Terraform modules, Ansible roles, Packer images, Docker images, and other scripts that have best practice security standards are used for deploying common infrastructure (aka "Provide everyone a box of LEGO bricks and the tools to deploy them"). Integrate GitLab Environment Toolkit for deploying GitLab in decentralized test environments (user sandboxes, community member environments, etc). This will be open source with the community so partners and customer POCs can take advantage of what we have. This will solve Sid's request to ensuring we're all on the same page and using the same library for the millions of GitLab users.
**Phase 5** - Curate centralized library of Terraform modules, Ansible roles, Packer images, Docker images, and other scripts that have best practice security standards are used for deploying common infrastructure (aka "Provide everyone a box of LEGO bricks and the tools to deploy them"). Integrate GitLab Environment Toolkit for deploying GitLab in decentralized test environments (user sandboxes, community member environments, etc). This will be open source with the community so partners and customer proofs of concept (POCs) can take advantage of what we have. This will solve Sid's request to ensuring we're all on the same page and using the same library for the millions of GitLab users.

**Phase 6** - Create "easy button" for deploying the library of infrastructure (aka the LEGO kits) into a topology builder.

+4 −4
@@ -17,10 +17,10 @@ We believe in "one account/project per workload" for security blast radius and c

- [Sandbox Cloud Documentation](/handbook/company/infrastructure-standards/realms/sandbox)
- Self Service: [Create an Individual AWS Account or GCP Project](/handbook/company/infrastructure-standards/realms/sandbox/#individual-aws-account-or-gcp-project)
- Issue Template: [Create a Service/Team/Workload AWS Account](https://gitlab.com/gitlab-com/business-technology/engineering/infrastructure/issue-tracker/-/issues/new?issuable_template=aws_group_account_create_request)
- Issue Template: [Create a Service/Team/Workload GCP Project](https://gitlab.com/gitlab-com/business-technology/engineering/infrastructure/issue-tracker/-/issues/new?issuable_template=gcp_group_account_create_request)
- Issue Template: [Add or Remove IAM Users from AWS Account](https://gitlab.com/gitlab-com/business-technology/engineering/infrastructure/issue-tracker/-/issues/new?issuable_template=aws_group_account_iam_update_request)
- Issue Template: [Add or Remove IAM Users from GCP Project](https://gitlab.com/gitlab-com/business-technology/engineering/infrastructure/issue-tracker/-/issues/new?issuable_template=gcp_group_account_iam_update_request)
- Issue Template: [Create a Service/Team/Workload AWS Account](https://gitlab.com/gitlab-com/gl-security/corp/issue-tracker/-/issues/new?issuable_template=aws_account_create)
- Issue Template: [Create a Service/Team/Workload GCP Project](https://gitlab.com/gitlab-com/gl-security/corp/issue-tracker/-/issues/new?issuable_template=gcp_project_create)
- Issue Template: [Add or Remove IAM Users from AWS Account](https://gitlab.com/gitlab-com/gl-security/corp/issue-tracker/-/issues/new?issuable_template=aws_account_iam_update)
- Issue Template: [Add or Remove IAM Users from GCP Project](https://gitlab.com/gitlab-com/gl-security/corp/issue-tracker/-/issues/new?issuable_template=gcp_project_iam_update)
- `#sandbox-cloud-questions` for non-production infrastructure questions - tag Vlad Stoianovici

## Identity Control Plane
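Review bot: the four links move from `gitlab-com/business-technology/engineering/infrastructure/issue-tracker` with the `*_group_account_*_request` template names to `gitlab-com/gl-security/corp/issue-tracker` with `aws_account_create`, `gcp_project_create`, `aws_account_iam_update` and `gcp_project_iam_update`, which now matches the names used in the sandbox page in this same commit. Because these are the account and IAM access-request entry points, the old tracker should be archived or carry a pointer to the new one, so that requests filed from stale bookmarks do not land in an unmonitored project. Also check that the `#sandbox-cloud-questions` contact line below still names the right owner after the migration.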