Setting up a tenant organization¶

This guide is used when setting up a new tenant. This is typically done by the NAIS team, together with the tenants administrators.

graph TD
A[Google Tenant] --> B[NAIS Folder]
B --> C[management]
B --> D[dev]
B --> E[prod]

Prereq¶

Google Cloud Tenant admin
GitHub Organization

Required settings¶

Required permissions¶

On the user that will run the following commands, the following IAM roles are required on an organization level.

Owner
Organization Administrator
Folder Creator
Organization Policy Administrator

Create the NAIS folder¶

Everything related to NAIS is contained within this folder.

export NAAS_ORG_NAME=my-org # (1)
export NAAS_ORG_ID=$(gcloud organizations list --filter $NAAS_ORG_NAME | tail -n1 | awk '{print $2}')

gcloud resource-manager folders create --display-name=nais --organization=$NAAS_ORG_ID
export NAAS_GOOGLE_FOLDERID=$(gcloud resource-manager folders list --organization=$NAAS_ORG_ID | grep nais | awk '{print $3}')

Change this to the name of your Google Organization

Grant access to the NAIS team and the terraform user¶

To allow the NAIS team the required permissions to operate nais, IAM policies must be added to the NAIS folder.

Bug

Find correct roles for the following users:

nais-viewers
nais-admins

Copy and run this command

cat <<EOF > naas-google-org-policy.json
{
  "bindings": [
    {
      "members": [
        "serviceAccount:nais-tf-__TENANTNAME__@nais-io.iam.gserviceaccount.com"
      ],
      "role": "roles/artifactregistry.admin"
    },
    {
      "members": [
        "serviceAccount:nais-tf-__TENANTNAME__@nais-io.iam.gserviceaccount.com"
      ],
      "role": "roles/compute.admin"
    },
    {
      "members": [
        "serviceAccount:nais-tf-__TENANTNAME__@nais-io.iam.gserviceaccount.com"
      ],
      "role": "roles/container.admin"
    },
    {
      "members": [
        "serviceAccount:nais-tf-__TENANTNAME__@nais-io.iam.gserviceaccount.com"
      ],
      "role": "roles/dns.admin"
    },
    {
      "members": [
        "serviceAccount:nais-tf-__TENANTNAME__@nais-io.iam.gserviceaccount.com"
      ],
      "role": "roles/logging.admin"
    },
    {
      "members": [
        "serviceAccount:nais-tf-__TENANTNAME__@nais-io.iam.gserviceaccount.com"
      ],
      "role": "roles/resourcemanager.folderCreator"
    },
    {
      "members": [
        "serviceAccount:nais-tf-__TENANTNAME__@nais-io.iam.gserviceaccount.com"
      ],
      "role": "roles/resourcemanager.folderIamAdmin"
    },
    {
      "members": [
        "serviceAccount:nais-tf-__TENANTNAME__@nais-io.iam.gserviceaccount.com"
      ],
      "role": "roles/resourcemanager.projectCreator"
    },
    {
      "members": [
        "serviceAccount:nais-tf-__TENANTNAME__@nais-io.iam.gserviceaccount.com"
      ],
      "role": "roles/serviceusage.serviceUsageAdmin"
    }
  ]
}
EOF
read -p "Enter NaaS Tenant Name [$NAAS_TENANTNAME]: " TENANTNAME && \
export NAAS_TENANTNAME="${TENANTNAME:-$NAAS_TENANTNAME}" && \
sed -ie "s/__TENANTNAME__/$NAAS_TENANTNAME/g" naas-google-org-policy.json && \
echo "gcloud resource-manager folders set-iam-policy $NAAS_GOOGLE_FOLDERID naas-google-org-policy.json"

Teams (part 1)¶

nais/teams-backend manages teams and configures groups and access in other systems.

teams needs a dedicated user account in the Google directory. This user must be manually created in the Google Admin console. The user must be granted the Groups Admin role to be able to create and maintain groups for the teams:

Go to https://admin.google.com/ac/users
Click on Add new user
Enter nais-teams as first name, and user as last name
Enter nais-teams as the primary email
Click Add new user to add the user account
Click on the created user and then on Assign roles under the Admin roles and privileges section
Assign the Groups Admin role and click Save

Teams admins¶

teams automatically syncs users from the Google Workspace to its own database. Tenants can control which users that should be assigned the admin role in teams by creating a group called teams-admins@<tenant-domain>, and then add the necessary users to this group. When teams runs the user sync it will look for this group, and make sure that the users in the group are granted the admin role. Whenever a user is removed from the group, teams will revoke the admin role from the user on the next sync.

Users with the admin role in teams have access to some parts of teams that regular users does not. Some of these features are:

Configure / enable / disable reconcilers
Grant / revoke roles
Manipulate reconciler states for teams

Kubernetes group¶

In Google Admin create a group named gke-security-groups. This group is used to manage access to the kubernetes clusters, and will be managed by teams. Make sure the group has the View Members permission selected for Group Members.

Highly recommended settings¶

Log location¶

Every project created in GCP will have a default log location for all logs. The default is Global. In order to keep your logs in europe, we strongly recommend setting the default log location to europe using the following command

gcloud alpha logging settings update --organization=<your org ID> --storage-location=europe-north1

Organization policy for location¶

Although all resources created by NAIS is located within the EU, teams are still able to create resources anywhere unless an organizational constraint is in place.

Click to see file content

constraint: constraints/gcp.resourceLocations
etag: BwVUSr8Q7Ng=
listPolicy:
  allowedValues:
  - in:eu-locations

gcloud beta resource-manager org-policies set-policy --organization=<your org ID> <file name>.yaml

Run nais-terraform-modules¶

Before doing the following step, run the terraform setup.

Teams (part 2)¶

Set up an OAuth client for teams.

Go to https://console.cloud.google.com
Choose project -> nais-management -> nais-management
Go to APIs ans Service -> OAuth consent screen
Internal -> create
1. App name: nais management
2. User support email: admin@<tenant-domain>
3. Developer Contact email: admin@<tenant-domain>
Save and continue (x2)
Go to APIs ans Service -> Credentials
Click Create Credentials -> OAuth client ID
Select type Web Application
1. Name: teams
2. Authorized redirect URI: http://teams.<tenant-name>.cloud.nais.io/oauth2/callback
Set Name and Authorized redirect URIs
Create
Copy client id and secret and give to NAIS-team

Domain-wide Delegation¶

teams performs some operations on behalf of the teams user mentioned above. For this to work the teams service account needs domain-wide delegation with some scopes. This must be manually set up in the Google Admin console:

Go to https://admin.google.com/ac/owl/domainwidedelegation
Click on Add new to add a new Client ID
Enter the ID of the teams service account (provided by the NAIS team)
Add the following scopes:
https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.user.readonly
Click on Authorize

After this is done you should see something like the following:

Screenshot of the Domain-wide Delegation screen in the Google Admin console

Github Actions secrets¶

If you are using Github Actions to deploy your applications, you may want to add the following variable and secret to your organization's Github Actions secrets:

Open https://github.com/organizations/[ORG_NAME]/settings/secrets/actions

Name	Type
`NAIS_MANAGEMENT_PROJECT_ID`	`Variable`
`NAIS_WORKLOAD_IDENTITY_PROVIDER`	`Secret`

These may also be set in the repository's secrets, but it is recommended to set them in the organization's secrets as they are shared between all teams.

The NAIS team will provide the values.