### Install Dependencies and Start Demo Site

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/docs/reference-architectures/cloud_deploy_flow/index.html

Install necessary Node.js packages and start the local demo site server.

```bash
npm install
```

```bash
node index.js
```

--------------------------------

### Install Python Libraries for Sandbox CLI

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/docs/reference-architectures/sandboxes/examples/gcp-sandboxes/index.html

Before creating a sandbox, change to the example command-line tool directory and install the necessary Python libraries using pip.

```bash
cd "${SANDBOXES_DIR}"
pip install -r requirements.txt
```

--------------------------------

### Clone Repository and Navigate

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/docs/reference-architectures/cloud_deploy_flow/CloudFunctions/cloudDeployInteractions/index.html

Clone the project repository and navigate into the project folder to begin setup.

```bash
git clone
cd
```

--------------------------------

### Clone Repository and Navigate Directory

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/backstage/backstage-quickstart/README.md

Clone the platform-engineering repository and change the directory to the Backstage quickstart.

```bash
git clone https://github.com/GoogleCloudPlatform/platform-engineering && \
cd platform-engineering/reference-architectures/backstage/backstage-quickstart
```

--------------------------------

### Configure Shared VPC Host and Service Projects with Simplified IAM Grants

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/sandboxes/fabric-modules/project/README.md

This example shows a Shared VPC setup using a simplified IAM binding approach.
It leverages the `service_iam_grants` attribute, which uses a predefined list of roles for services, making configuration less verbose. This is suitable when adhering to standard role assignments for services.

```hcl
module "host-project" {
  source          = "./fabric/modules/project"
  billing_account = var.billing_account_id
  name            = "host"
  parent          = var.folder_id
  prefix          = var.prefix
  shared_vpc_host_config = {
    enabled = true
  }
}

module "service-project" {
  source          = "./fabric/modules/project"
  billing_account = var.billing_account_id
  name            = "service"
  parent          = var.folder_id
  prefix          = var.prefix
  services = [
    "container.googleapis.com",
  ]
  shared_vpc_service_config = {
    host_project = module.host-project.project_id
    # reuse the list of services from the module's outputs
    service_iam_grants = module.service-project.services
  }
}
```

--------------------------------

### Open Terraform Example in Cloud Shell

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/github-runners-gke/README.md

Click this button to automatically clone the Terraform module repository into Cloud Shell, navigate to the example directory, and open the `main.tf` file for configuration.

```html
Open in Cloud Shell
```

--------------------------------

### Initialize and Apply Terraform Configuration

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/docs/reference-architectures/sandboxes/examples/gcp-sandboxes/index.html

Navigate to the Terraform example directory, initialize Terraform, and apply the configuration to deploy the reference architecture. Review the proposed resources before confirming.

```bash
cd "${SANDBOXES_DIR}"
terraform init
```

```bash
terraform apply
```

--------------------------------

### Set Backstage Quickstart Base Directory

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/backstage/backstage-quickstart/README.md

Set the BACKSTAGE_QS_BASE_DIR environment variable and persist it in .bashrc.

```bash
# Drop any earlier export line, then append the current value as the last line of .bashrc
export BACKSTAGE_QS_BASE_DIR=$(pwd) && \
sed -n -i -e '/^export BACKSTAGE_QS_BASE_DIR=/!p' -i -e '$aexport BACKSTAGE_QS_BASE_DIR="'"${BACKSTAGE_QS_BASE_DIR}"'"' ${HOME}/.bashrc
```

--------------------------------

### Navigate to Terraform Example Directory

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/docs/reference-architectures/github-runners-gke/index.html

Change directory into the specific Terraform example for GKE runners. This is a prerequisite before applying or destroying the infrastructure.

```bash
cd terraform-google-github-actions-runners/examples/gh-runner-gke-simple/
```

--------------------------------

### Initial Kubernetes Deployment

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/docs/reference-architectures/backstage/backstage-quickstart/index.html

Navigate to the Kubernetes manifests directory, substitute the container image path in the deployment YAML, get Kubernetes credentials, and apply the manifests.

```bash
cd ../k8s && \
sed -i "s%CONTAINER_IMAGE%${IMAGE_PATH}%g" deployment.yaml && \
gcloud container clusters get-credentials backstage-qs --region us-central1 --dns-endpoint && \
kubectl apply -f .
```

--------------------------------

### Set Backstage Quickstart Base Directory

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/docs/reference-architectures/backstage/backstage-quickstart/index.html

Set the BACKSTAGE_QS_BASE_DIR environment variable to the current directory and append it to your .bashrc file for persistence.

```bash
# Drop any earlier export line, then append the current value as the last line of .bashrc
export BACKSTAGE_QS_BASE_DIR=$(pwd) && \
sed -n -i -e '/^export BACKSTAGE_QS_BASE_DIR=/!p' -i -e '$aexport BACKSTAGE_QS_BASE_DIR="'"${BACKSTAGE_QS_BASE_DIR}"'"' ${HOME}/.bashrc
```

--------------------------------

### Configure Multiple Organization Policies

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/sandboxes/fabric-modules/project/README.md

This example demonstrates how to configure various organization policies for a project, including disabling guest attributes access, skipping default network creation, and managing service account key creation and upload.

```hcl
module "project" {
  source          = "./fabric/modules/project"
  billing_account = var.billing_account_id
  name            = "project"
  parent          = var.folder_id
  prefix          = var.prefix
  org_policies = {
    "compute.disableGuestAttributesAccess" = {
      rules = [{ enforce = true }]
    }
    "compute.skipDefaultNetworkCreation" = {
      rules = [{ enforce = true }]
    }
    "iam.disableServiceAccountKeyCreation" = {
      rules = [{ enforce = true }]
    }
    "iam.disableServiceAccountKeyUpload" = {
      rules = [
        {
          condition = {
            expression  = "resource.matchTagId('tagKeys/1234', 'tagValues/1234')"
            title       = "condition"
            description = "test condition"
            location    = "somewhere"
          }
          enforce = true
        },
        {
          enforce = false
        }
      ]
    }
    "iam.allowedPolicyMemberDomains" = {
      rules = [{
        allow = {
          values = ["C0xxxxxxx", "C0yyyyyyy"]
        }
      }]
    }
    "compute.trustedImageProjects" = {
      rules = [{
        allow = {
          values = ["projects/my-project"]
        }
      }]
    }
    "compute.vmExternalIpAccess" = {
      rules = [{ deny = { all = true } }]
    }
  }
}
```

--------------------------------

### Configure Shared VPC Host and Service Projects

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/sandboxes/fabric-modules/project/README.md

This example demonstrates setting up a host project for Shared VPC and a service project that consumes it.
The service project is configured with network users and restricted subnet access via organization policies.

```hcl
module "host-project" {
  source          = "./fabric/modules/project"
  billing_account = var.billing_account_id
  name            = "host"
  parent          = var.folder_id
  prefix          = var.prefix
  shared_vpc_host_config = {
    enabled = true
  }
}

module "service-project" {
  source          = "./fabric/modules/project"
  billing_account = var.billing_account_id
  name            = "service"
  parent          = var.folder_id
  prefix          = var.prefix
  org_policies = {
    "compute.restrictSharedVpcSubnetworks" = {
      rules = [{
        allow = {
          values = ["projects/host/regions/europe-west1/subnetworks/prod-default-ew1"]
        }
      }]
    }
  }
  services = [
    "container.googleapis.com",
  ]
  shared_vpc_service_config = {
    host_project  = module.host-project.project_id
    network_users = ["group:${var.group_email}"]
    # reuse the list of services from the module's outputs
    service_iam_grants = module.service-project.services
  }
}
```

--------------------------------

### Configure Project Tags and Tag Bindings

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/sandboxes/fabric-modules/project/README.md

Define and apply tags to a project. This example sets up an 'environment' tag with different values for 'dev' and 'prod', including IAM policies and tag bindings.

```hcl
module "project" {
  source          = "./fabric/modules/project"
  billing_account = var.billing_account_id
  name            = "project"
  prefix          = var.prefix
  parent          = var.folder_id
  services = [
    "compute.googleapis.com",
  ]
  tags = {
    environment = {
      description = "Environment specification."
      iam = {
        "roles/resourcemanager.tagAdmin" = ["group:${var.group_email}"]
      }
      iam_bindings = {
        viewer = {
          role    = "roles/resourcemanager.tagViewer"
          members = ["group:gcp-support@example.org"]
        }
      }
      iam_bindings_additive = {
        user_app1 = {
          role   = "roles/resourcemanager.tagUser"
          member = "group:app1-team@example.org"
        }
      }
      values = {
        dev = {
          iam_bindings_additive = {
            user_app2 = {
              role   = "roles/resourcemanager.tagUser"
              member = "group:app2-team@example.org"
            }
          }
        }
        prod = {
          description = "Environment: production."
          iam = {
            "roles/resourcemanager.tagViewer" = ["group:app1-team@example.org"]
          }
          iam_bindings = {
            admin = {
              role    = "roles/resourcemanager.tagAdmin"
              members = ["group:gcp-support@example.org"]
              condition = {
                title      = "gcp_support"
                expression = <<-END
                  request.time.getHours("Europe/Berlin") <= 9 &&
                  request.time.getHours("Europe/Berlin") >= 17
                END
              }
            }
          }
        }
      }
    }
  }
  tag_bindings = {
    env-prod = module.project.tag_values["environment/prod"].id
  }
}
```

--------------------------------

### Configure Shared VPC Host and Service Projects with Explicit IAM

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/sandboxes/fabric-modules/project/README.md

This example demonstrates setting up a Shared VPC host project and a service project. It explicitly defines IAM bindings for service agents using specific roles and service agent names. Use this when granular control over IAM roles is required.

```hcl
module "host-project" {
  source          = "./fabric/modules/project"
  billing_account = var.billing_account_id
  name            = "host"
  parent          = var.folder_id
  prefix          = var.prefix
  shared_vpc_host_config = {
    enabled = true
  }
}

module "service-project" {
  source          = "./fabric/modules/project"
  billing_account = var.billing_account_id
  name            = "service"
  parent          = var.folder_id
  prefix          = var.prefix
  services = [
    "container.googleapis.com",
    "run.googleapis.com"
  ]
  shared_vpc_service_config = {
    host_project = module.host-project.project_id
    service_agent_iam = {
      "roles/compute.networkUser" = [
        "cloudservices", "container-engine"
      ]
      "roles/vpcaccess.user" = [
        "cloudrun"
      ]
      "roles/container.hostServiceAgentUser" = [
        "container-engine"
      ]
    }
  }
}
# tftest modules=2 resources=15 inventory=shared-vpc.yaml e2e
```

--------------------------------

### Configure Tags for Organization and Folder

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/sandboxes/fabric-modules/folder/README.md

Define tags at the organization level and then bind them to a specific folder. This example shows setting up an 'environment' tag with 'dev' and 'prod' values.

```hcl
module "org" {
  source          = "./fabric/modules/organization"
  organization_id = var.organization_id
  tags = {
    environment = {
      description = "Environment specification."
      values = {
        dev  = {}
        prod = {}
      }
    }
  }
}

module "folder" {
  source = "./fabric/modules/folder"
  name   = "Folder name"
  parent = var.folder_id
  tag_bindings = {
    env-prod = module.org.tag_values["environment/prod"].id
  }
}
# tftest modules=2 resources=5 inventory=tags.yaml e2e serial
```

--------------------------------

### Configure Billing Account Log Sinks

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/sandboxes/fabric-modules/billing-account/README.md

Set up log sinks for a billing account, directing logs to a specified logging bucket. This example demonstrates integration with a logging bucket module.

```hcl
module "log-bucket-all" {
  source      = "./fabric/modules/logging-bucket"
  parent_type = "project"
  parent      = "myprj"
  id          = "billing-account-all"
}

module "billing-account" {
  source = "./fabric/modules/billing-account"
  id     = "012345-ABCDEF-012345"
  logging_sinks = {
    all = {
      destination = module.log-bucket-all.id
      type        = "logging"
    }
  }
}
# tftest modules=2 resources=3 inventory=logging.yaml
```

--------------------------------

### Get Quota Information using gcloud

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/sandboxes/fabric-modules/project/README.md

Example command to retrieve quota information for a specific service within a project using `gcloud` and `curl`.

```bash
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "X-Goog-User-Project: ${PROJECT_ID}" \
  "https://cloudquotas.googleapis.com/v1/projects/${PROJECT_ID}/locations/global/services/compute.googleapis.com/quotaInfos?pageSize=1000" \
  | grep quotaId
```

--------------------------------

### Serve the Documentation Site Locally

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/contributing.md

Run this command from the repository root to build and serve the documentation site for local preview.

```bash
scripts/run-mkdocs.sh "serve"
```

--------------------------------

### Install Python dependencies for sandbox CLI

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/sandboxes/examples/gcp-sandboxes/README.md

Install the necessary Python libraries required for the sandbox command-line interface.

```sh
pip install -r requirements.txt
```

--------------------------------

### Build the Documentation Site

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/contributing.md

Run this command from the repository root to build the documentation site locally.

```bash
scripts/run-mkdocs.sh
```

--------------------------------

### Navigate to Demo Site Directory

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/docs/reference-architectures/cloud_deploy_flow/index.html

Change to the WebsiteDemo directory to prepare for running the demo site.

```bash
cd platform-engineering/reference-architectures/cloud-deploy-flow/WebsiteDemo
```

--------------------------------

### Initialize, Plan, and Apply Terraform Configuration

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/automated-password-rotation/README.md

Download the reference architecture's Terraform code, initialize the Terraform environment, generate a plan, and apply the configuration to deploy the architecture. Ensure you replace the placeholder with your project ID.

```shell
cd ~
git clone https://github.com/GoogleCloudPlatform/platform-engineering
cd platform-engineering/reference-architectures/automated-password-rotation/terraform
terraform init
terraform plan -var "project_id=$PROJECT_ID"
terraform apply -var "project_id=$PROJECT_ID" --auto-approve
```

--------------------------------

### Terraform Variables for Cloud Deploy Setup

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/docs/reference-architectures/cloud_deploy_flow/index.html

Define project, region, and GitHub details in a terraform.tfvars file for your Terraform configuration.

```hcl
project_id   = "your-google-cloud-project-id"
region       = "your-preferred-region"
github_owner = "your-github-repo-owner"
github_repo  = "your-github-repo-name"
```

--------------------------------

### Navigate to Deployment Directory

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/docs/reference-architectures/cloud_deploy_flow/index.html

Change your directory to the specific deployment demo folder within the cloned repository.

```bash
cd platform-engineering/reference-architectures/cloud_deploy_flow
```

--------------------------------

### Authoritative IAM Configuration

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/sandboxes/fabric-modules/project/README.md

Configures authoritative IAM bindings for a project. This example assigns the 'roles/container.hostServiceAgentUser' role to a specified service account.

```hcl
locals {
  gke_service_account = "my_gke_service_account"
}

module "project" {
  source          = "./fabric/modules/project"
  billing_account = var.billing_account_id
  name            = "project"
  parent          = var.folder_id
  prefix          = var.prefix
  services = [
    "container.googleapis.com",
    "stackdriver.googleapis.com"
  ]
  iam = {
    "roles/container.hostServiceAgentUser" = [
      "serviceAccount:${local.gke_service_account}"
    ]
  }
}
# tftest modules=1 resources=7 inventory=iam-authoritative.yaml
```

--------------------------------

### Delete GCP Project

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/backstage/backstage-quickstart/README.md

Command to delete the Google Cloud project associated with the Backstage quickstart. Ensure all resources are cleaned up before deletion.

```bash
gcloud projects delete ${PROJECT_ID}
```

--------------------------------

### Initialize and Apply Terraform Project Creation

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/docs/reference-architectures/backstage/backstage-quickstart/index.html

Initialize Terraform, generate a plan, and apply the changes to create the Google Cloud project. This sequence includes cleaning up the plan file and re-initializing Terraform with state migration.

```bash
cd ${BACKSTAGE_QS_BASE_DIR}/initialize && \
terraform init && \
terraform plan -input=false -out=tfplan && \
terraform apply -input=false tfplan && \
rm tfplan && \
terraform init -force-copy -migrate-state && \
rm -rf state
```

--------------------------------

### Custom Role Definition with Name Override (YAML)

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/sandboxes/fabric-modules/project/README.md

Example of a custom role definition in YAML, overriding the default name and specifying multiple permissions.

```yaml
name: projectViewer
includedPermissions:
  - resourcemanager.projects.get
  - resourcemanager.projects.getIamPolicy
  - resourcemanager.projects.list
```

--------------------------------

### Define Billing Budgets

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/sandboxes/fabric-modules/billing-account/README.md

Configure billing budgets with specified amounts, filters, and threshold rules. This example sets a monthly budget for a specific folder.

```hcl
module "billing-account" {
  source = "./fabric/modules/billing-account"
  id     = "012345-ABCDEF-012345"
  budgets = {
    folder-net-month-current-100 = {
      display_name = "100 dollars in current spend"
      amount = {
        units = 100
      }
      filter = {
        period = {
          calendar = "MONTH"
        }
        resource_ancestors = ["folders/1234567890"]
      }
      threshold_rules = [
        { percent = 0.5 },
        { percent = 0.75 }
      ]
    }
  }
}
# tftest modules=1 resources=1 inventory=budget-simple.yaml
```

--------------------------------

### Enable Google Cloud APIs

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/docs/reference-architectures/github-runners-gke/index.html

Enable the necessary Google Cloud APIs for your project. Replace `` with your actual project ID.

```bash
gcloud services enable \
  cloudresourcemanager.googleapis.com \
  iam.googleapis.com \
  container.googleapis.com \
  serviceusage.googleapis.com \
  --project
```

--------------------------------

### Restore Endpoints using gcloud

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/docs/reference-architectures/backstage/backstage-quickstart/index.html

Use this command to restore deleted endpoints if you are re-using a project from a previous quickstart run. Ensure BACKSTAGE_QS_BASE_DIR is set.

```bash
BACKSTAGE_QS_PREFIX=$(grep environment_name ${BACKSTAGE_QS_BASE_DIR}/backstage-qs.auto.tfvars | awk -F"=" '{print $2}' | xargs)
BACKSTAGE_QS_PROJECT_ID=$(grep environment_project_id ${BACKSTAGE_QS_BASE_DIR}/backstage-qs.auto.tfvars | awk -F"=" '{print $2}' | xargs)
gcloud endpoints services undelete ${BACKSTAGE_QS_PREFIX}.endpoints.${BACKSTAGE_QS_PROJECT_ID}.cloud.goog \
  --quiet 2>/dev/null
```

--------------------------------

### Initialize and Apply Terraform Configuration

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/docs/reference-architectures/cloud_deploy_flow/index.html

Run these commands to initialize your Terraform working directory and apply the defined infrastructure.

```bash
terraform init
```

```bash
terraform apply
```

--------------------------------

### Custom Role Definition (YAML)

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/sandboxes/fabric-modules/project/README.md

Example of a custom role definition in YAML format, specifying included permissions. The role name defaults to the filename but can be overridden.

```yaml
includedPermissions:
  - compute.globalOperations.get
```

--------------------------------

### Basic Folder Creation with IAM Bindings

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/sandboxes/fabric-modules/folder/README.md

Use this snippet to create a basic folder with IAM bindings. It supports additive and authoritative IAM configurations.

```hcl
module "folder" {
  source = "./fabric/modules/folder"
  parent = var.folder_id
  name   = "Folder name"
  iam_by_principals = {
    "group:${var.group_email}" = [
      "roles/owner",
      "roles/resourcemanager.folderAdmin",
      "roles/resourcemanager.projectCreator"
    ]
  }
  iam = {
    "roles/owner" = ["serviceAccount:${var.service_account.email}"]
  }
  iam_bindings_additive = {
    am1-storage-admin = {
      member = "serviceAccount:${var.service_account.email}"
      role   = "roles/storage.admin"
    }
  }
}
# tftest modules=1 resources=5 inventory=iam.yaml e2e
```

--------------------------------

### Billing Budgets with Pub/Sub Notifications

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/sandboxes/fabric-modules/billing-account/README.md

Configure billing budgets to send notifications to a Pub/Sub topic when thresholds are met. This example integrates with a separate Pub/Sub module.

```hcl
module "pubsub-billing-topic" {
  source     = "./fabric/modules/pubsub"
  project_id = "my-prj"
  name       = "budget-default"
}

module "billing-account" {
  source = "./fabric/modules/billing-account"
  id     = "012345-ABCDEF-012345"
  budgets = {
    folder-net-month-current-100 = {
      display_name = "100 dollars in current spend"
      amount = {
        units = 100
      }
      filter = {
        period = {
          calendar = "MONTH"
        }
        resource_ancestors = ["folders/1234567890"]
      }
      threshold_rules = [
        { percent = 0.5 },
        { percent = 0.75 }
      ]
      update_rules = {
        default = {
          pubsub_topic = module.pubsub-billing-topic.id
        }
      }
    }
  }
}
# tftest modules=2 resources=2 inventory=budget-pubsub.yaml
```

--------------------------------

### Export Sandbox Working Directories

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/docs/reference-architectures/sandboxes/examples/gcp-sandboxes/index.html

Set environment variables to define the working directories for the gcp-sandboxes and cli examples. These variables are used in subsequent deployment steps.

```bash
export SANDBOXES_DIR="$(pwd)/reference-architectures/examples/gcp-sandboxes"
export SANDBOXES_CLI="$(pwd)/reference-architectures/examples/cli"
```

--------------------------------

### Remove Environment Variables from Bashrc

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/backstage/backstage-quickstart/README.md

Removes the Backstage quickstart base directory export command from the user's .bashrc file to clean up environment configurations.

```bash
sed \
  -i -e '/^export BACKSTAGE_QS_BASE_DIR=/d' \
  ${HOME}/.bashrc
```

--------------------------------

### Basic Project Creation

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/sandboxes/fabric-modules/project/README.md

Demonstrates the basic configuration for creating a GCP project using the module. It specifies the billing account, project name, parent resource, and a list of services to enable.

```hcl
module "project" {
  source          = "./fabric/modules/project"
  billing_account = var.billing_account_id
  name            = "project"
  parent          = var.folder_id
  prefix          = var.prefix
  services = [
    "container.googleapis.com",
    "stackdriver.googleapis.com"
  ]
}
# tftest modules=1 resources=6 inventory=basic.yaml e2e
```

--------------------------------

### Boolean Organization Policies

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/sandboxes/fabric-modules/project/README.md

Defines boolean organization policies such as disabling guest attributes access and service account key creation. Includes an example with a conditional enforcement.

```yaml
compute.disableGuestAttributesAccess:
  rules:
    - enforce: true
compute.skipDefaultNetworkCreation:
  rules:
    - enforce: true
iam.disableServiceAccountKeyCreation:
  rules:
    - enforce: true
iam.disableServiceAccountKeyUpload:
  rules:
    - condition:
        description: test condition
        expression: resource.matchTagId('tagKeys/1234', 'tagValues/1234')
        location: somewhere
        title: condition
      enforce: true
    - enforce: false
# tftest-file id=boolean path=configs/org-policies/boolean.yaml schema=org-policies.schema.json
```

--------------------------------

### Initialize, Plan, and Apply Terraform

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/github-runners-gke/README.md

Standard Terraform commands to initialize the project, preview changes, and apply the infrastructure to create GitHub Actions runners on GKE.

```bash
terraform init
terraform plan
terraform apply
```

--------------------------------

### Destroy Backstage Resources with Terraform

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/backstage/backstage-quickstart/README.md

Use this command to destroy all resources managed by Terraform for the Backstage quickstart. It initializes Terraform, destroys resources, and cleans up local Terraform files.

```bash
cd ${BACKSTAGE_QS_BASE_DIR} && \
terraform init && \
terraform destroy -auto-approve && \
rm -rf .terraform .terraform.lock.hcl
```

--------------------------------

### Create a Sandbox using the CLI

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/docs/reference-architectures/sandboxes/examples/gcp-sandboxes/index.html

Utilize the provided Python script to create a new sandbox. Specify the system project name and the desired project ID for the new sandbox.

```bash
python ./sandbox.py create \
  --system="" \
  --project_id=""
```

--------------------------------

### Configure Project and Enable APIs

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/docs/reference-architectures/automated-password-rotation/index.html

Set the project ID in Cloud Shell and enable necessary Google Cloud APIs for the architecture. This includes Cloud Resource Manager and Service Usage APIs.

```bash
gcloud config set project ${PROJECT_ID}
gcloud services enable \
  cloudresourcemanager.googleapis.com \
  serviceusage.googleapis.com \
  --project ${PROJECT_ID}
```

--------------------------------

### Manual Approval Message for Cloud Deploy

Source: https://github.com/googlecloudplatform/platform-engineering/blob/main/reference-architectures/cloud_deploy_flow/README.md

Example of a message payload to approve a rollout in Cloud Deploy. This includes essential data like Action, Rollout, ReleaseId, and the ManualApproval flag.

```json
{
  "message": {
    "data": "",
    "attributes": {
      "Action": "Required",
      "Rollout": "rollout-123",
      "ReleaseId": "release-456",
      "ManualApproval": "true"
    }
  }
}
```