├── .gitignore ├── .gitpod.yml ├── Automation-Flow-Diagram.png ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── ISSUES.md ├── LICENSE ├── README.md ├── SETUP.md ├── cloudbuild-and-automation ├── cloudbuild.tf ├── cloudfunctions.tf ├── container_repo │ ├── alpine │ │ ├── Dockerfile │ │ ├── cloudbuild-staging.yaml │ │ └── cloudbuild-verified.yaml │ ├── centos │ │ ├── Dockerfile │ │ ├── cloudbuild-staging.yaml │ │ └── cloudbuild-verified.yaml │ ├── debian │ │ ├── Dockerfile │ │ ├── cloudbuild-staging.yaml │ │ └── cloudbuild-verified.yaml │ └── ubuntu_18_0_4 │ │ ├── Dockerfile │ │ ├── cloudbuild-staging.yaml │ │ └── cloudbuild-verified.yaml ├── container_repos.tf ├── image_repo │ └── ubuntu_18_0_4 │ │ ├── cloudbuild-staging.yaml │ │ ├── cloudbuild-verified.yaml │ │ └── packer.json ├── kms.tf ├── output.tf ├── provider.tf ├── scripts │ ├── main.py │ └── requirements.txt ├── templates │ ├── Makefile.voucher.tpl │ ├── config.toml.tpl │ └── signer.go-template ├── vars.tf ├── versions.tf └── voucher.tf ├── env.sh.tmpl ├── project-and-repos ├── artifact_registry.tf ├── deploy_keys.tf ├── output.tf ├── project.tf ├── provider.tf ├── repos.tf ├── vars.tf └── versions.tf └── setup.sh /.gitignore: -------------------------------------------------------------------------------- 1 | ancestry.json 2 | .terraform 3 | terraform.tfstate 4 | terraform.tfstate.backup 5 | creds 6 | temp 7 | env.sh 8 | cloudbuild-and-automation/scripts/index.zip 9 | */backend.tf 10 | */data.tf 11 | */terraform.tfvars 12 | backend.tf 13 | data.tf 14 | terraform.tfvars 15 | */.terraform.lock.hcl 16 | .DS_Store 17 | 18 | -------------------------------------------------------------------------------- /.gitpod.yml: -------------------------------------------------------------------------------- 1 | image: gcr.io/arctiqteam-images/gitpod-utility:v1.0.1 2 | 3 | tasks: 4 | - init: 'vault login -method=github token=${GITHUB_TOKEN} && mkdir -p ./creds && vault kv get -field="gcp-sa.json" arctiq/shared/projects/p-google-cicd-pipeline-work > creds/gcp-sa.json && mkdir -p ~/.ssh && vault kv get -field="id_rsa" arctiq/users/arctiqtim/github > /home/gitpod/.ssh/id_rsa && sudo chmod -R 0600 ~/.ssh' 5 | command: 'vault login -method=github token=${GITHUB_TOKEN} && mkdir -p ./creds && vault kv get -field="gcp-sa.json" arctiq/shared/projects/p-google-cicd-pipeline-work > creds/gcp-sa.json && mkdir -p ~/.ssh && vault kv get -field="id_rsa" arctiq/users/arctiqtim/github > /home/gitpod/.ssh/id_rsa && sudo chmod -R 0600 ~/.ssh' 6 | 7 | vscode: 8 | extensions: 9 | - hashicorp.terraform@2.4.0:D4pbtRtpOsRgGeQetwDTnA== 10 | -------------------------------------------------------------------------------- /Automation-Flow-Diagram.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/secure-image-pipeline/07bc0bb521e5cd33c8e9d810bae2996cc78037e1/Automation-Flow-Diagram.png -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as 6 | contributors and maintainers pledge to making participation in our project and 7 | our community a harassment-free experience for everyone, regardless of age, body 8 | size, disability, ethnicity, gender identity and expression, level of 9 | experience, education, socio-economic status, nationality, personal appearance, 10 | race, religion, or sexual identity and orientation. 11 | 12 | ## Our Standards 13 | 14 | Examples of behavior that contributes to creating a positive environment 15 | include: 16 | 17 | * Using welcoming and inclusive language 18 | * Being respectful of differing viewpoints and experiences 19 | * Gracefully accepting constructive criticism 20 | * Focusing on what is best for the community 21 | * Showing empathy towards other community members 22 | 23 | Examples of unacceptable behavior by participants include: 24 | 25 | * The use of sexualized language or imagery and unwelcome sexual attention or 26 | advances 27 | * Trolling, insulting/derogatory comments, and personal or political attacks 28 | * Public or private harassment 29 | * Publishing others' private information, such as a physical or electronic 30 | address, without explicit permission 31 | * Other conduct which could reasonably be considered inappropriate in a 32 | professional setting 33 | 34 | ## Our Responsibilities 35 | 36 | Project maintainers are responsible for clarifying the standards of acceptable 37 | behavior and are expected to take appropriate and fair corrective action in 38 | response to any instances of unacceptable behavior. 39 | 40 | Project maintainers have the right and responsibility to remove, edit, or reject 41 | comments, commits, code, wiki edits, issues, and other contributions that are 42 | not aligned to this Code of Conduct, or to ban temporarily or permanently any 43 | contributor for other behaviors that they deem inappropriate, threatening, 44 | offensive, or harmful. 45 | 46 | ## Scope 47 | 48 | This Code of Conduct applies both within project spaces and in public spaces 49 | when an individual is representing the project or its community. Examples of 50 | representing a project or community include using an official project e-mail 51 | address, posting via an official social media account, or acting as an appointed 52 | representative at an online or offline event. Representation of a project may be 53 | further defined and clarified by project maintainers. 54 | 55 | This Code of Conduct also applies outside the project spaces when the Project 56 | Steward has a reasonable belief that an individual's behavior may have a 57 | negative impact on the project or its community. 58 | 59 | ## Conflict Resolution 60 | 61 | We do not believe that all conflict is bad; healthy debate and disagreement 62 | often yield positive results. However, it is never okay to be disrespectful or 63 | to engage in behavior that violates the project’s code of conduct. 64 | 65 | If you see someone violating the code of conduct, you are encouraged to address 66 | the behavior directly with those involved. Many issues can be resolved quickly 67 | and easily, and this gives people more control over the outcome of their 68 | dispute. If you are unable to resolve the matter for any reason, or if the 69 | behavior is threatening or harassing, report it. We are dedicated to providing 70 | an environment where participants feel welcome and safe. 71 | 72 | Reports should be directed to Dina Graves Portman dinagraves@google.com and 73 | Don McCasland donmccasland@google.com, the 74 | Project Steward(s) for Four Keys. It is the Project Steward’s duty to 75 | receive and address reported violations of the code of conduct. They will then 76 | work with a committee consisting of representatives from the Open Source 77 | Programs Office and the Google Open Source Strategy team. If for any reason you 78 | are uncomfortable reaching out to the Project Steward, please email 79 | opensource@google.com. 80 | 81 | We will investigate every complaint, but you may not receive a direct response. 82 | We will use our discretion in determining when and how to follow up on reported 83 | incidents, which may range from not taking action to permanent expulsion from 84 | the project and project-sponsored spaces. We will notify the accused of the 85 | report and provide them an opportunity to discuss it before any action is taken. 86 | The identity of the reporter will be omitted from the details of the report 87 | supplied to the accused. In potentially harmful situations, such as ongoing 88 | harassment or threats to anyone's safety, we may take action without notice. 89 | 90 | ## Attribution 91 | 92 | This Code of Conduct is adapted from the Contributor Covenant, version 1.4, 93 | available at 94 | https://www.contributor-covenant.org/version/1/4/code-of-conduct.html 95 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # How to Contribute 2 | 3 | We'd love to accept your patches and contributions to this project. There are 4 | just a few small guidelines you need to follow. 5 | 6 | ## Contributor License Agreement 7 | 8 | Contributions to this project must be accompanied by a Contributor License 9 | Agreement (CLA). You (or your employer) retain the copyright to your 10 | contribution; this simply gives us permission to use and redistribute your 11 | contributions as part of the project. Head over to 12 | to see your current agreements on file or 13 | to sign a new one. 14 | 15 | You generally only need to submit a CLA once, so if you've already submitted one 16 | (even if it was for a different project), you probably don't need to do it 17 | again. 18 | 19 | ## Code reviews 20 | 21 | All submissions, including submissions by project members, require review. We 22 | use GitHub pull requests for this purpose. Consult 23 | [GitHub Help](https://help.github.com/articles/about-pull-requests/) for more 24 | information on using pull requests. 25 | 26 | ## Community Guidelines 27 | 28 | This project follows 29 | [Google's Open Source Community Guidelines](https://opensource.google/conduct/). 30 | 31 | -------------------------------------------------------------------------------- /ISSUES.md: -------------------------------------------------------------------------------- 1 | https://github.com/integrations/terraform-provider-github/issues/625 ... can't setup default branches currently for private repos 2 | 3 | 4 | https://github.com/hashicorp/terraform-provider-google/issues/7138 ... can't connect GitHub repo 5 | 6 | * Org Admin PAT required 7 | * Export GITHUB_TOKEN env var 8 | 9 | * GitHub Provider 4.3.0 or higher does not currently have support for the new Apple M1 Silicon Chips ... https://github.com/integrations/terraform-provider-github/issues/695 10 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | 204 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## p-google-cicd-pipeline-work 2 | 3 | # Table of Contents 4 | - [Overview](#overview) 5 | - [Build Walkthrough](#build-walkthrough) 6 | * [Prerequisites](#prerequisites) 7 | + [CLI Tools](#cli-tools) 8 | + [GCP Credentials](#gcp-credentials) 9 | + [Github Credentials](#github-credentials) 10 | * [Seed Project](#seed-project) 11 | * [Terraform Deployment](#terraform-deployment) 12 | * [Projects and Repos](#projects-and-repos) 13 | * [Link GitHub Repos to Cloud Build](#link-github-repos-to-cloud-build) 14 | * [Cloud Build and Automation](#cloud-build-and-automation) 15 | 16 | # Overview 17 | 18 | This repository contains Terraform automation code that deploys resources to Google Cloud Platform (GCP) and GitHub (GH). The resources are created for a GCP consumer to create an image build "factory." The purpose of this image build factory is to set up a framework of GCP projects, GitHub repositories, and Cloud Build configurations that are used to create and maintain a series of customized base images. The base images will be consumed in GCP as either container images or virtual machine images. 19 | 20 | For the GCP components, the automation rolls out the following: 21 | 22 | * Builder GCP project - pipelines, service accounts, and voucher server to support the image building and releasing 23 | * Staging GCP project - storage for "staging" images for verification by the consumer before a release into the next stage 24 | * Verified GCP project - storage for "verified" images, intended to be a second stage beyond staging for images 25 | * Voucher server - deployed in Cloud Run and used by the container image pipeline to interact with the container scanning API and attest images that pass the validation 26 | * Cloud Build Triggers - triggers on Pull Requests for the image and VM repositories (targetting the staging pipeline), and on merge to "main" (targetting the verified pipeline) 27 | 28 | For the GitHub components, the automation rolls out the following: 29 | 30 | * Container repository - hosts the source code for the container image builds and pipelines 31 | * VM Image repository - hosts the source code for the VM image builds and pipelines 32 | * Deploy keys - separate write-access deploy keys for each of the repositories 33 | 34 | ![Base Image Factory](Automation-Flow-Diagram.png) 35 | 36 | The workflow design is all source code will be in GitHub. When users want to make edits to the base images (in either the container or VM image repo), they will branch off the "Main" branch, make their changes and then issue a Pull Request when ready. When the pull request is created, the appropriate Cloud Build pipeline is triggered (based on what path file changes are detected in the branch) to build the container image(s) run any tests required (scan for vulnerabilities and attest the image if it is a container image) and then push the container image to the staging project. Once a team or team member has tested and verified that the staging image is good and working, they will approve and merge the PR, which will trigger the verified pipeline file (based on the changes detected in the branch) to copy the images to the verified project. 37 | 38 | # Build Walkthrough 39 | 40 | ## Prerequisites 41 | 42 | ### CLI Tools 43 | * [Google Cloud SDK](https://cloud.google.com/sdk/docs/install) 44 | 45 | * [Terraform 0.14.10](https://releases.hashicorp.com/terraform/0.14.10/) 46 | 47 | Terraform 0.15.0 was recently released, but the project has not been refactored to work with 0.15.0. To install Terraform 0.14.10, run the following command. 48 | 49 | TF_VERSION="0.14.10" 50 | 51 | wget https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_$ {TF_VERSION}_linux_amd64.zip && \ 52 | unzip terraform_${TF_VERSION}_linux_amd64.zip && \ 53 | mv terraform /usr/local/bin && \ 54 | rm terraform_${TF_VERSION}_linux_amd64.zip 55 | 56 | ### GCP Credentials 57 | 58 | The GCP account executing `./setup.sh` requires the following roles to be assigned. 59 | 60 | - Organization Administrator 61 | - Grants access to set roles at the org level. 62 | - Prerequisite for assigning the `roles/billing.admin` `roles/billing.user` roles. 63 | 64 | - Billing Admin (Organization) 65 | - Prerequisite for assigning the role `roles/billing.user` to a service account. 66 | 67 | ### Github Credentials 68 | 69 | The first step in the setup is a prompt asking for GitHub credentials to create the container and VM image repositories in Github. 70 | 71 | For Terraform to create the repositories using the supplied credentials, a Personal Access Token in GitHub must be configured with *Full control of private repositories* permission. 72 | 73 | To Create a Personal Access Token, go to ***Settings > Developer Settings > Personal Access Tokens.*** 74 | 75 | Create an environment variable on the host machine using the following command if you're using macOS or Linux. 76 | 77 | ```sh 78 | export GITHUB_TOKEN="" 79 | ``` 80 | 81 | *NOTE: At the moment, a GitHub user account associated with an Organization is required. User org deployments are not currently supported.* 82 | 83 | ## Seed Project 84 | 85 | Upon supplying the GitHub credentials, the setup creates the seed project, enables all APIs, and creates a service account with the following permissions: 86 | 87 | - Browser (Folder Level) 88 | - Grants access to browse the hierarchy for a project, including the folder. 89 | 90 | - Folder Viewer (Folder Level)) 91 | - Grants the service account access to view all projects within the folder. 92 | 93 | - Project Creator (Folder Level) 94 | - Grants Terraform access to create the additional projects within a folder. 95 | 96 | ***This configuration is currently set to assign the Project Creator at the org level in the main branch but was modified to allow project creation at the folder level in this branch. Review required.*** 97 | 98 | - Billing User (Org level) 99 | - Grants Terraform the ability to enable billing on the Build, Staging, and Verified Projects. 100 | 101 | - Storage Object Admin (Project Level) 102 | - Grants Terraform access to configure the remote backend on GCS. 103 | 104 | ## Terraform Deployment 105 | 106 | The automation is divided into two distinct Terraform plans intended to be run in sequence with a manual step in between. The first automation creates the [Projects and Repos](#projects-and-repos), and the second step deploys the [CLoud Build and Automation](#cloud-build-and-automation). The manual step between the two automation components is to [Link the Repos](#link-github-repos-to-cloud-build) to the GCP projects to install the GitHub App for Cloud Build. 107 | 108 | At the root of the project, two folders contain all the necessary Terraform configuration in separate folders. Two separate Terraform configurations mean two separate state files will get created in separate GCS Buckets within the seed project. 109 | ```s 110 | ├─ cloud-build-and-automation 111 | │ ├─ Cloud-build.tf 112 | │ ├─ cloudfunctions.tf 113 | │ ├─ container_repo 114 | │ ├─ container_repos.tf 115 | │ ├─ image_repo 116 | │ ├─ image_repos.tf 117 | │ ├─ kms.tf 118 | │ ├─ output.tf 119 | │ ├─ packer.tf 120 | │ ├─ provider.tf 121 | │ ├─ scripts 122 | │ ├─ vars.tf 123 | │ ├─ versions.tf 124 | │ └─ voucher.tf 125 | ├─ project-and-repos 126 | │ ├─ artifact_registry.tf 127 | │ ├─ deploy_keys.tf 128 | │ ├─ output.tf 129 | │ ├─ project.tf 130 | │ ├─ provider.tf 131 | │ ├─ repos.tf 132 | │ ├─ vars.tf 133 | │ └─ versions.tf 134 | └─ setup.sh 135 | ``` 136 | ## Projects and Repos 137 | 138 | The following steps are performed when `./setup.sh` executes the `apply_projectrepos_tf` function. 139 | 140 | - Create projects. 141 | - Enable billing and APIs. 142 | - KMS Keyring is created. 143 | - Create GitHub repositories. 144 | - Create and Upload two public keys, one for each repository. 145 | - Create an artifact registry for the staging and verified project. 146 | 147 | ## Link GitHub Repos to Cloud Build 148 | 149 | *NOTE: If the organization already has all repos linked to CloudBuild, you can skip this step, and you can hit enter to continue setup.* 150 | 151 | When the [Projects and Repos](#projects-and-repos) step completes, a web page will open, and you will need to authenticate to Github using your credentials. You will be redirected to a page to add the **baseimg-XXXXXX-vm** and **baseimg-XXXXXX-container** repositories. Ensure both repos are linked to Cloud Build and hit enter to continue the build. 152 | 153 | ## Cloud Build and Automation 154 | 155 | The following steps are performed when `./setup.sh` executes the `apply_cloudbuild_tf` function. 156 | 157 | - Initialize Image Repo 158 | - Copy `./image_repo` to `/temp/baseimgfct-XXXXXX-images` 159 | - Download the submodule [cloud-builders-community](https://github.com/GoogleCloudPlatform/cloud-builders-community.git) into `/temp` (Packer) 160 | - Archive `/temp` 161 | - Push files 162 | 163 | - Initialize Container Repo 164 | - Copy `./container_repo` to `/temp/baseimgfct-XXXXXX-containers` 165 | - Download the submodule [voucher](https://github.com/grafeas/voucher.git) to `/temp` (Voucher Service) 166 | - Archive `/temp` 167 | - Push files 168 | - Execute an initial Cloud Build run for all container images in both the Staging and Verified projects 169 | - The following variables are passed to the build run 170 | - `_VOUCHER_SERVICE_URL` 171 | - `_VOUCHER_SERVICE_ACCOUNT` 172 | - `_IMG` 173 | - `_SHORT_SHA` 174 | 175 | - Cloud Build Triggers (Builder Project) 176 | - All triggers are created in the builder project. 177 | - Triggers are executed when either a **pull request** or **merge** is made against the **main** branch. 178 | - A pull request will build images in the staging project. 179 | - A merge will build images in the verified project. 180 | - When triggered, the docker files for each image are built. 181 | 182 | - Pub/Sub Topics (Staging Project) 183 | - Used to trigger the container scanning Cloud Function. 184 | - Executes the Cloud Function when a message is sent to the Pub/Sub topic. 185 | 186 | - Cloud Functions (Staging Project) 187 | - Cloud Function for each image in the staging project. 188 | - A Python function is created using the `./scripts` folder that is first zipped and uploaded to a GCS bucket. The function is then created from the zip file on the GCS bucket. 189 | - Used to trigger container builds based on CVE fixes found. 190 | - Executes a Cloud Build run to build the images with the fixes. 191 | 192 | - Voucher Service (Staging Project) 193 | - Created after dependencies are downloaded into `/temp.` 194 | - A voucher config is created from `./templates/config.toml.tpl` 195 | - Voucher is built from `/temp/tutorials/cloudrun/cloudbuild-server.yaml` using CloudBuild. 196 | - A Cloud Run service is created from the image built using Vouchers `cloudbuild-server.yaml.` 197 | - Every time a container is built in the staging project; a post request is sent to the Voucher service URL with details about the image. 198 | - Voucher will fail any image builds if there have critical security vulnerabilities. 199 | - If no critical security vulnerabilities are found, the image is passed and built. 200 | 201 | 202 | 203 | 204 | 205 | -------------------------------------------------------------------------------- /SETUP.md: -------------------------------------------------------------------------------- 1 | # Setup for the automation 2 | 3 | ## The easy path 4 | ```shell 5 | ./setup.sh 6 | ``` 7 | 8 | ## What's happening 9 | 10 | The setup.sh script needs you to have permissions to administer your GCP Organization's IAM policies, 11 | and create projects. It will use your current project to find information about your parent 12 | Organization and Billing Account info, and then use that to create a new project, enable APIs, 13 | enable billing, and create IAM policies for the terraform work ahead. 14 | 15 | ### Manual setup 16 | If the set up script is not working for you, you can customize the instructions below: 17 | 18 | ```shell 19 | export PROJECT= 20 | gcloud config set account tim.fairweather@arctiq.ca 21 | gcloud services enable cloudbilling.googleapis.com --project ${PROJECT} 22 | gcloud services enable cloudresourcemanager.googleapis.com --project ${PROJECT} 23 | gcloud services enable cloudbuild.googleapis.com --project ${PROJECT} 24 | gcloud services enable cloudkms.googleapis.com --project ${PROJECT} 25 | gcloud services enable containeranalysis.googleapis.com --project ${PROJECT} 26 | 27 | 28 | gsutil mb -p ${PROJECT} -l northamerica-northeast1 gs://${PROJECT}-pipeline-work/ 29 | gcloud iam service-accounts create terraform-project-automation --project ${PROJECT} 30 | gcloud organizations add-iam-policy-binding 725616416277 \ 31 | --member serviceAccount:terraform-project-automation@${PROJECT}.iam.gserviceaccount.com --role roles/browser 32 | gcloud organizations add-iam-policy-binding 725616416277 \ 33 | --member serviceAccount:terraform-project-automation@${PROJECT}.iam.gserviceaccount.com --role roles/billing.user 34 | gcloud organizations add-iam-policy-binding 725616416277 \ 35 | --member serviceAccount:terraform-project-automation@${PROJECT}.iam.gserviceaccount.com --role roles/billing.viewer 36 | gcloud organizations add-iam-policy-binding 725616416277 \ 37 | --member serviceAccount:terraform-project-automation@${PROJECT}.iam.gserviceaccount.com --role roles/resourcemanager.projectCreator 38 | gcloud organizations add-iam-policy-binding 725616416277 \ 39 | --member serviceAccount:terraform-project-automation@${PROJECT}.iam.gserviceaccount.com --role roles/resourcemanager.folderViewer 40 | gcloud projects add-iam-policy-binding ${PROJECT} \ 41 | --member serviceAccount:terraform-project-automation@${PROJECT}.iam.gserviceaccount.com --role roles/storage.objectAdmin 42 | gcloud iam service-accounts keys create ~/key.json \ 43 | --iam-account terraform-project-automation@${PROJECT}.iam.gserviceaccount.com 44 | mv ~/key.json ./creds/gcp-sa.json 45 | ``` 46 | 47 | ## GitHub Personal Account Token Setup 48 | ```shell 49 | 50 | ``` 51 | 52 | ## Fetch json key from Vault 53 | ```shell 54 | vault kv get -field="gcp-sa.json" arctiq/shared/projects/p-google-cicd-pipeline-work > creds/gcp-sa.json 55 | ``` 56 | -------------------------------------------------------------------------------- /cloudbuild-and-automation/cloudbuild.tf: -------------------------------------------------------------------------------- 1 | resource "google_cloudbuild_trigger" "staging_pr" { 2 | depends_on = [ null_resource.init_repos ] 3 | for_each = toset(var.container_images) 4 | provider = google-beta 5 | project = data.terraform_remote_state.projects_and_repos.outputs.google_project_builder.project_id 6 | description = "Pull Request on ${each.value} Containers - Staging" 7 | github { 8 | owner = data.terraform_remote_state.projects_and_repos.outputs.gh_organization 9 | name = data.terraform_remote_state.projects_and_repos.outputs.github_repository_containers.id 10 | // push { 11 | // branch = data.terraform_remote_state.projects_and_repos.outputs.github_branch_containers_staging.branch 12 | // } 13 | pull_request { 14 | branch = "main" 15 | comment_control = "COMMENTS_ENABLED" 16 | } 17 | } 18 | 19 | substitutions = { 20 | _IMG = each.value 21 | _SERVICE_URL = google_cloud_run_service.voucher.status[0].url 22 | _SERVICE_ACCOUNT = google_service_account.voucher_invoker.email 23 | ## GCR-based 24 | _IMG_DEST = "gcr.io/${data.terraform_remote_state.projects_and_repos.outputs.google_project_staging.project_id}/${each.value}" 25 | ## Artifact Registry-based 26 | # _IMG_DEST = "${data.terraform_remote_state.projects_and_repos.outputs.google_artifact_registry_repository_staging.location}-docker.pkg.dev/${data.terraform_remote_state.projects_and_repos.outputs.google_project_staging.project_id}/${data.terraform_remote_state.projects_and_repos.outputs.google_artifact_registry_repository_staging.name}/${each.value}" 27 | } 28 | 29 | filename = "${each.value}/cloudbuild-staging.yaml" 30 | 31 | included_files = [ "${each.value}/**" ] 32 | } 33 | 34 | resource "google_cloudbuild_trigger" "staging_fixfound" { 35 | depends_on = [ null_resource.init_repos ] 36 | for_each = toset(var.container_images) 37 | provider = google-beta 38 | project = data.terraform_remote_state.projects_and_repos.outputs.google_project_builder.project_id 39 | description = "Fix Found on ${each.value} Containers - Staging" 40 | github { 41 | owner = data.terraform_remote_state.projects_and_repos.outputs.gh_organization 42 | name = data.terraform_remote_state.projects_and_repos.outputs.github_repository_containers.id 43 | pull_request { 44 | branch = "main" 45 | comment_control = "COMMENTS_ENABLED" 46 | } 47 | } 48 | 49 | substitutions = { 50 | _IMG = each.value 51 | _SERVICE_URL = google_cloud_run_service.voucher.status[0].url 52 | _SERVICE_ACCOUNT = google_service_account.voucher_invoker.email 53 | ## GCR-based 54 | _IMG_DEST = "gcr.io/${data.terraform_remote_state.projects_and_repos.outputs.google_project_staging.project_id}/${each.value}" 55 | ## Artifact Registry-based 56 | # _IMG_DEST = "${data.terraform_remote_state.projects_and_repos.outputs.google_artifact_registry_repository_staging.location}-docker.pkg.dev/${data.terraform_remote_state.projects_and_repos.outputs.google_project_staging.project_id}/${data.terraform_remote_state.projects_and_repos.outputs.google_artifact_registry_repository_staging.name}/${each.value}" 57 | } 58 | 59 | filename = "${each.value}/cloudbuild-staging.yaml" 60 | 61 | included_files = [ "${each.value}/**" ] 62 | } 63 | 64 | resource "google_cloudbuild_trigger" "verified" { 65 | depends_on = [ null_resource.init_repos ] 66 | for_each = toset(var.container_images) 67 | provider = google-beta 68 | project = data.terraform_remote_state.projects_and_repos.outputs.google_project_builder.project_id 69 | description = "Merge to main for ${each.value} Containers - Verified" 70 | github { 71 | owner = data.terraform_remote_state.projects_and_repos.outputs.gh_organization 72 | name = data.terraform_remote_state.projects_and_repos.outputs.github_repository_containers.id 73 | push { 74 | branch = "main" 75 | } 76 | } 77 | 78 | substitutions = { 79 | ## GCR-based 80 | _STAGING_IMG = "gcr.io/${data.terraform_remote_state.projects_and_repos.outputs.google_project_staging.project_id}/${each.value}" 81 | _VERIFIED_IMG = "gcr.io/${data.terraform_remote_state.projects_and_repos.outputs.google_project_verified.project_id}/${each.value}" 82 | ## Artifact Registry-based 83 | # _STAGING_IMG = "${data.terraform_remote_state.projects_and_repos.outputs.google_artifact_registry_repository_staging.location}-docker.pkg.dev/${data.terraform_remote_state.projects_and_repos.outputs.google_project_staging.project_id}/${data.terraform_remote_state.projects_and_repos.outputs.google_artifact_registry_repository_staging.name}/${each.value}" 84 | # _VERIFIED_IMG = "${data.terraform_remote_state.projects_and_repos.outputs.google_artifact_registry_repository_verified.location}-docker.pkg.dev/${data.terraform_remote_state.projects_and_repos.outputs.google_project_verified.project_id}/${data.terraform_remote_state.projects_and_repos.outputs.google_artifact_registry_repository_verified.name}/${each.value}" 85 | } 86 | 87 | filename = "${each.value}/cloudbuild-verified.yaml" 88 | 89 | included_files = [ "${each.value}/**" ] 90 | } 91 | 92 | # northamerica-northeast1-docker.pkg.dev 93 | -------------------------------------------------------------------------------- /cloudbuild-and-automation/cloudfunctions.tf: -------------------------------------------------------------------------------- 1 | data "google_pubsub_topic" "container_scanning" { 2 | project = data.terraform_remote_state.projects_and_repos.outputs.google_project_staging.project_id 3 | name = "container-analysis-occurrences-v1" 4 | depends_on = [ null_resource.submit_builds_gcr ] 5 | } 6 | 7 | resource "random_id" "bucket_ids" { 8 | byte_length = 4 9 | } 10 | 11 | resource "google_storage_bucket" "functions" { 12 | project = data.terraform_remote_state.projects_and_repos.outputs.google_project_staging.project_id 13 | name = "container-functions-${random_id.bucket_ids.dec}" 14 | location = data.terraform_remote_state.projects_and_repos.outputs.region 15 | } 16 | 17 | resource "google_storage_bucket_iam_member" "member" { 18 | bucket = google_storage_bucket.functions.name 19 | role = "roles/storage.objectViewer" 20 | member = "allUsers" 21 | } 22 | data "archive_file" "function_zip" { 23 | type = "zip" 24 | source_dir = "${path.module}/scripts/" 25 | output_path ="${path.module}/scripts/index.zip" 26 | } 27 | resource "google_storage_bucket_object" "functions" { 28 | name = "index.zip" 29 | bucket = google_storage_bucket.functions.name 30 | source = data.archive_file.function_zip.output_path 31 | } 32 | 33 | 34 | resource "google_cloudfunctions_function" "function" { 35 | for_each = google_cloudbuild_trigger.staging_fixfound 36 | depends_on = [ google_storage_bucket_iam_member.member, google_cloudbuild_trigger.staging_fixfound ] 37 | project = data.terraform_remote_state.projects_and_repos.outputs.google_project_staging.project_id 38 | name = "container-scanning-function-${each.key}" 39 | description = "Function to trigger container builds based off of CVE fixes found" 40 | runtime = "python37" 41 | 42 | available_memory_mb = 128 43 | source_archive_bucket = google_storage_bucket.functions.name 44 | source_archive_object = google_storage_bucket_object.functions.name 45 | event_trigger { 46 | event_type = "google.pubsub.topic.publish" 47 | resource = data.google_pubsub_topic.container_scanning.name 48 | } 49 | timeout = 60 50 | entry_point = "cve_trigger" 51 | environment_variables = { 52 | staging_project_id = data.terraform_remote_state.projects_and_repos.outputs.google_project_staging.project_id 53 | builder_project_id = data.terraform_remote_state.projects_and_repos.outputs.google_project_builder.project_id 54 | trigger_id = each.value.trigger_id 55 | registry = "${data.terraform_remote_state.projects_and_repos.outputs.google_project_staging.project_id}/${each.key}" 56 | } 57 | } 58 | 59 | -------------------------------------------------------------------------------- /cloudbuild-and-automation/container_repo/alpine/Dockerfile: -------------------------------------------------------------------------------- 1 | # Replace latest with a pinned version tag from https://hub.docker.com/_/alpine 2 | # 3 | # We suggest using the major.minor tag, not major.minor.patch. 4 | FROM alpine:latest 5 | 6 | # Non-root user for security purposes. 7 | # 8 | # UIDs below 10,000 are a security risk, as a container breakout could result 9 | # in the container being ran as a more privileged user on the host kernel with 10 | # the same UID. 11 | # 12 | # Static GID/UID is also useful for chown'ing files outside the container where 13 | # such a user does not exist. 14 | RUN addgroup -g 10001 -S nonroot && adduser -u 10000 -S -G nonroot -h /home/nonroot nonroot 15 | 16 | # Install packages here with `apk add --no-cache`, copy your binary 17 | # into /sbin/, etc. 18 | 19 | # Tini allows us to avoid several Docker edge cases, see https://github.com/krallin/tini. 20 | # RUN apk add --no-cache tini 21 | # ENTRYPOINT ["/sbin/tini", "--", "myapp"] 22 | # Replace "myapp" above with your binary 23 | 24 | # bind-tools is needed for DNS resolution to work in *some* Docker networks, but not all. 25 | # This applies to nslookup, Go binaries, etc. If you want your Docker image to work even 26 | # in more obscure Docker environments, use this. 27 | RUN apk add --no-cache bind-tools 28 | 29 | # Use the non-root user to run our application 30 | USER nonroot 31 | 32 | # Default arguments for your app (remove if you have none): 33 | CMD ["bash"] -------------------------------------------------------------------------------- /cloudbuild-and-automation/container_repo/alpine/cloudbuild-staging.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | steps: 16 | - name: 'gcr.io/cloud-builders/docker' 17 | args: 18 | - 'build' 19 | - '-t' 20 | - '${_IMG_DEST}:$SHORT_SHA' 21 | - '-f' 22 | - './${_IMG}/Dockerfile' 23 | - './${_IMG}' 24 | id: build 25 | 26 | - name: 'gcr.io/cloud-builders/docker' 27 | args: 28 | - 'push' 29 | - '${_IMG_DEST}:$SHORT_SHA' 30 | id: push 31 | 32 | - name: 'gcr.io/cloud-builders/docker' 33 | entrypoint: /bin/bash 34 | args: 35 | - -c 36 | - | 37 | docker image inspect ${_IMG_DEST}:$SHORT_SHA --format '{{index .RepoDigests 0}}' > image-digest.txt && 38 | cat image-digest.txt 39 | id: inspect 40 | 41 | - name: gcr.io/cloud-builders/gcloud 42 | entrypoint: "bash" 43 | args: 44 | - -c 45 | - | 46 | itoken=$(curl -X POST -H "content-type: application/json" \ 47 | -H "Authorization: Bearer $(gcloud auth print-access-token)" \ 48 | -d '{"audience": "${_SERVICE_URL}"}' \ 49 | https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${_SERVICE_ACCOUNT}:generateIdToken) && \ 50 | curl -X POST \ 51 | -H "Authorization: Bearer $(echo $itoken | awk -F'\"' '{print $4}')" \ 52 | -H "Content-Type: application/json" \ 53 | -d "{\"image_url\": \"$(cat image-digest.txt)\"}" \ 54 | ${_SERVICE_URL}/all 55 | waitFor: ["inspect"] 56 | id: vulnsign 57 | 58 | - name: 'gcr.io/cloud-builders/docker' 59 | args: 60 | - 'tag' 61 | - '${_IMG_DEST}:$SHORT_SHA' 62 | - '${_IMG_DEST}:latest' 63 | waitFor: ["build"] 64 | 65 | images: 66 | - '${_IMG_DEST}:latest' 67 | - '${_IMG_DEST}:$SHORT_SHA' 68 | -------------------------------------------------------------------------------- /cloudbuild-and-automation/container_repo/alpine/cloudbuild-verified.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | steps: 16 | - name: 'gcr.io/cloud-builders/docker' 17 | args: 18 | - 'pull' 19 | - '${_STAGING_IMG}:latest' 20 | 21 | - name: 'gcr.io/cloud-builders/docker' 22 | args: 23 | - 'tag' 24 | - '${_STAGING_IMG}:latest' 25 | - '${_VERIFIED_IMG}:$SHORT_SHA' 26 | 27 | - name: 'gcr.io/cloud-builders/docker' 28 | args: 29 | - 'tag' 30 | - '${_VERIFIED_IMG}:$SHORT_SHA' 31 | - '${_VERIFIED_IMG}:latest' 32 | 33 | images: 34 | - '${_VERIFIED_IMG}:latest' 35 | - '${_VERIFIED_IMG}:$SHORT_SHA' 36 | -------------------------------------------------------------------------------- /cloudbuild-and-automation/container_repo/centos/Dockerfile: -------------------------------------------------------------------------------- 1 | 2 | # Base CentOS 7 with a few perks 3 | # Includes epel repo for local build 4 | 5 | FROM gcr.io/gcp-runtimes/centos7 6 | 7 | 8 | 9 | 10 | # Non-root user for security purposes. 11 | # 12 | # UIDs below 10,000 are a security risk, as a container breakout could result 13 | # in the container being ran as a more privileged user on the host kernel with 14 | # the same UID. 15 | # 16 | # Static GID/UID is also useful for chown'ing files outside the container where 17 | # such a user does not exist. 18 | RUN groupadd nonroot -g 10001 && useradd -u 10000 -g nonroot -d /home/nonroot nonroot 19 | 20 | RUN yum update -y && yum clean all 21 | 22 | # Use the non-root user to run our application 23 | USER nonroot 24 | 25 | # Default arguments for your app (remove if you have none): 26 | CMD ["bash"] -------------------------------------------------------------------------------- /cloudbuild-and-automation/container_repo/centos/cloudbuild-staging.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | steps: 16 | - name: 'gcr.io/cloud-builders/docker' 17 | args: 18 | - 'build' 19 | - '-t' 20 | - '${_IMG_DEST}:$SHORT_SHA' 21 | - '-f' 22 | - './${_IMG}/Dockerfile' 23 | - './${_IMG}' 24 | id: build 25 | 26 | - name: 'gcr.io/cloud-builders/docker' 27 | args: 28 | - 'push' 29 | - '${_IMG_DEST}:$SHORT_SHA' 30 | id: push 31 | 32 | - name: 'gcr.io/cloud-builders/docker' 33 | entrypoint: /bin/bash 34 | args: 35 | - -c 36 | - | 37 | docker image inspect ${_IMG_DEST}:$SHORT_SHA --format '{{index .RepoDigests 0}}' > image-digest.txt && 38 | cat image-digest.txt 39 | id: inspect 40 | 41 | - name: gcr.io/cloud-builders/gcloud 42 | entrypoint: "bash" 43 | args: 44 | - -c 45 | - | 46 | itoken=$(curl -X POST -H "content-type: application/json" \ 47 | -H "Authorization: Bearer $(gcloud auth print-access-token)" \ 48 | -d '{"audience": "${_SERVICE_URL}"}' \ 49 | https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${_SERVICE_ACCOUNT}:generateIdToken) && \ 50 | curl -X POST \ 51 | -H "Authorization: Bearer $(echo $itoken | awk -F'\"' '{print $4}')" \ 52 | -H "Content-Type: application/json" \ 53 | -d "{\"image_url\": \"$(cat image-digest.txt)\"}" \ 54 | ${_SERVICE_URL}/all 55 | waitFor: ["inspect"] 56 | id: vulnsign 57 | 58 | - name: 'gcr.io/cloud-builders/docker' 59 | args: 60 | - 'tag' 61 | - '${_IMG_DEST}:$SHORT_SHA' 62 | - '${_IMG_DEST}:latest' 63 | waitFor: ["build"] 64 | 65 | images: 66 | - '${_IMG_DEST}:latest' 67 | - '${_IMG_DEST}:$SHORT_SHA' 68 | -------------------------------------------------------------------------------- /cloudbuild-and-automation/container_repo/centos/cloudbuild-verified.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | steps: 16 | - name: 'gcr.io/cloud-builders/docker' 17 | args: 18 | - 'pull' 19 | - '${_STAGING_IMG}:latest' 20 | 21 | - name: 'gcr.io/cloud-builders/docker' 22 | args: 23 | - 'tag' 24 | - '${_STAGING_IMG}:latest' 25 | - '${_VERIFIED_IMG}:$SHORT_SHA' 26 | 27 | - name: 'gcr.io/cloud-builders/docker' 28 | args: 29 | - 'tag' 30 | - '${_VERIFIED_IMG}:$SHORT_SHA' 31 | - '${_VERIFIED_IMG}:latest' 32 | 33 | images: 34 | - '${_VERIFIED_IMG}:latest' 35 | - '${_VERIFIED_IMG}:$SHORT_SHA' 36 | -------------------------------------------------------------------------------- /cloudbuild-and-automation/container_repo/debian/Dockerfile: -------------------------------------------------------------------------------- 1 | # Pull base image. 2 | FROM debian:stable-slim 3 | 4 | ARG DEBIAN_FRONTEND=noninteractive 5 | 6 | # Non-root user for security purposes. 7 | # 8 | # UIDs below 10,000 are a security risk, as a container breakout could result 9 | # in the container being ran as a more privileged user on the host kernel with 10 | # the same UID. 11 | # 12 | # Static GID/UID is also useful for chown'ing files outside the container where 13 | # such a user does not exist. 14 | RUN groupadd -r -g 10001 nonroot &&\ 15 | useradd -r -g nonroot -d /home/nonroot -s /sbin/nologin -c "Docker image user" nonroot 16 | 17 | # Packaging. 18 | # 19 | # Install relevant software etc. 20 | # RUN \ 21 | # sed -i 's/# \(.*multiverse$\)/\1/g' /etc/apt/sources.list && \ 22 | # apt-get update && \ 23 | # apt-get -y upgrade && \ 24 | # apt-get install -y build-essential && \ 25 | # apt-get install -y software-properties-common && \ 26 | # apt-get install -y byobu curl git htop man unzip vim wget && \ 27 | # rm -rf /var/lib/apt/lists/* 28 | 29 | # Add files. 30 | # ADD root/.bashrc /root/.bashrc 31 | # ADD root/.gitconfig /root/.gitconfig 32 | # ADD root/.scripts /root/.scripts 33 | 34 | # Set environment variables. 35 | ENV HOME /home/nonroot 36 | 37 | # Define working directory. 38 | WORKDIR $HOME 39 | 40 | # Change to nonroot user. 41 | USER nonroot 42 | 43 | # Define default command. 44 | CMD ["bash"] -------------------------------------------------------------------------------- /cloudbuild-and-automation/container_repo/debian/cloudbuild-staging.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | steps: 16 | - name: 'gcr.io/cloud-builders/docker' 17 | args: 18 | - 'build' 19 | - '-t' 20 | - '${_IMG_DEST}:$SHORT_SHA' 21 | - '-f' 22 | - './${_IMG}/Dockerfile' 23 | - './${_IMG}' 24 | id: build 25 | 26 | - name: 'gcr.io/cloud-builders/docker' 27 | args: 28 | - 'push' 29 | - '${_IMG_DEST}:$SHORT_SHA' 30 | id: push 31 | 32 | - name: 'gcr.io/cloud-builders/docker' 33 | entrypoint: /bin/bash 34 | args: 35 | - -c 36 | - | 37 | docker image inspect ${_IMG_DEST}:$SHORT_SHA --format '{{index .RepoDigests 0}}' > image-digest.txt && 38 | cat image-digest.txt 39 | id: inspect 40 | 41 | - name: gcr.io/cloud-builders/gcloud 42 | entrypoint: "bash" 43 | args: 44 | - -c 45 | - | 46 | itoken=$(curl -X POST -H "content-type: application/json" \ 47 | -H "Authorization: Bearer $(gcloud auth print-access-token)" \ 48 | -d '{"audience": "${_SERVICE_URL}"}' \ 49 | https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${_SERVICE_ACCOUNT}:generateIdToken) && \ 50 | curl -X POST \ 51 | -H "Authorization: Bearer $(echo $itoken | awk -F'\"' '{print $4}')" \ 52 | -H "Content-Type: application/json" \ 53 | -d "{\"image_url\": \"$(cat image-digest.txt)\"}" \ 54 | ${_SERVICE_URL}/all 55 | waitFor: ["inspect"] 56 | id: vulnsign 57 | 58 | - name: 'gcr.io/cloud-builders/docker' 59 | args: 60 | - 'tag' 61 | - '${_IMG_DEST}:$SHORT_SHA' 62 | - '${_IMG_DEST}:latest' 63 | waitFor: ["build"] 64 | 65 | images: 66 | - '${_IMG_DEST}:latest' 67 | - '${_IMG_DEST}:$SHORT_SHA' 68 | -------------------------------------------------------------------------------- /cloudbuild-and-automation/container_repo/debian/cloudbuild-verified.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | steps: 16 | - name: 'gcr.io/cloud-builders/docker' 17 | args: 18 | - 'pull' 19 | - '${_STAGING_IMG}:latest' 20 | 21 | - name: 'gcr.io/cloud-builders/docker' 22 | args: 23 | - 'tag' 24 | - '${_STAGING_IMG}:latest' 25 | - '${_VERIFIED_IMG}:$SHORT_SHA' 26 | 27 | - name: 'gcr.io/cloud-builders/docker' 28 | args: 29 | - 'tag' 30 | - '${_VERIFIED_IMG}:$SHORT_SHA' 31 | - '${_VERIFIED_IMG}:latest' 32 | 33 | images: 34 | - '${_VERIFIED_IMG}:latest' 35 | - '${_VERIFIED_IMG}:$SHORT_SHA' 36 | -------------------------------------------------------------------------------- /cloudbuild-and-automation/container_repo/ubuntu_18_0_4/Dockerfile: -------------------------------------------------------------------------------- 1 | # Pull base image. 2 | FROM gcr.io/gcp-runtimes/ubuntu_18_0_4 3 | 4 | # Non-root user for security purposes. 5 | # 6 | # UIDs below 10,000 are a security risk, as a container breakout could result 7 | # in the container being ran as a more privileged user on the host kernel with 8 | # the same UID. 9 | # 10 | # Static GID/UID is also useful for chown'ing files outside the container where 11 | # such a user does not exist. 12 | RUN groupadd -r -g 10001 nonroot &&\ 13 | useradd -r -g nonroot -d /home/nonroot -s /sbin/nologin -c "Docker image user" nonroot 14 | 15 | # Packaging. 16 | # 17 | # Install relevant software etc. 18 | # RUN \ 19 | # sed -i 's/# \(.*multiverse$\)/\1/g' /etc/apt/sources.list && \ 20 | # apt-get update && \ 21 | # apt-get -y upgrade && \ 22 | # apt-get install -y build-essential && \ 23 | # apt-get install -y software-properties-common && \ 24 | # apt-get install -y byobu curl git htop man unzip vim wget && \ 25 | # rm -rf /var/lib/apt/lists/* 26 | 27 | # Add files. 28 | # ADD root/.bashrc /root/.bashrc 29 | # ADD root/.gitconfig /root/.gitconfig 30 | # ADD root/.scripts /root/.scripts 31 | 32 | # Set environment variables. 33 | ENV HOME /home/nonroot 34 | 35 | # Define working directory. 36 | WORKDIR $HOME 37 | 38 | # Change to nonroot user. 39 | USER nonroot 40 | 41 | # Define default command. 42 | CMD ["bash"] -------------------------------------------------------------------------------- /cloudbuild-and-automation/container_repo/ubuntu_18_0_4/cloudbuild-staging.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | steps: 16 | - name: 'gcr.io/cloud-builders/docker' 17 | args: 18 | - 'build' 19 | - '-t' 20 | - '${_IMG_DEST}:$SHORT_SHA' 21 | - '-f' 22 | - './${_IMG}/Dockerfile' 23 | - './${_IMG}' 24 | id: build 25 | 26 | - name: 'gcr.io/cloud-builders/docker' 27 | args: 28 | - 'push' 29 | - '${_IMG_DEST}:$SHORT_SHA' 30 | id: push 31 | 32 | - name: 'gcr.io/cloud-builders/docker' 33 | entrypoint: /bin/bash 34 | args: 35 | - -c 36 | - | 37 | docker image inspect ${_IMG_DEST}:$SHORT_SHA --format '{{index .RepoDigests 0}}' > image-digest.txt && 38 | cat image-digest.txt 39 | id: inspect 40 | 41 | - name: gcr.io/cloud-builders/gcloud 42 | entrypoint: "bash" 43 | args: 44 | - -c 45 | - | 46 | itoken=$(curl -X POST -H "content-type: application/json" \ 47 | -H "Authorization: Bearer $(gcloud auth print-access-token)" \ 48 | -d '{"audience": "${_SERVICE_URL}"}' \ 49 | https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${_SERVICE_ACCOUNT}:generateIdToken) && \ 50 | curl -X POST \ 51 | -H "Authorization: Bearer $(echo $itoken | awk -F'\"' '{print $4}')" \ 52 | -H "Content-Type: application/json" \ 53 | -d "{\"image_url\": \"$(cat image-digest.txt)\"}" \ 54 | ${_SERVICE_URL}/all 55 | waitFor: ["inspect"] 56 | id: vulnsign 57 | 58 | - name: 'gcr.io/cloud-builders/docker' 59 | args: 60 | - 'tag' 61 | - '${_IMG_DEST}:$SHORT_SHA' 62 | - '${_IMG_DEST}:latest' 63 | waitFor: ["build"] 64 | 65 | images: 66 | - '${_IMG_DEST}:latest' 67 | - '${_IMG_DEST}:$SHORT_SHA' 68 | -------------------------------------------------------------------------------- /cloudbuild-and-automation/container_repo/ubuntu_18_0_4/cloudbuild-verified.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | steps: 16 | - name: 'gcr.io/cloud-builders/docker' 17 | args: 18 | - 'pull' 19 | - '${_STAGING_IMG}:latest' 20 | 21 | - name: 'gcr.io/cloud-builders/docker' 22 | args: 23 | - 'tag' 24 | - '${_STAGING_IMG}:latest' 25 | - '${_VERIFIED_IMG}:$SHORT_SHA' 26 | 27 | - name: 'gcr.io/cloud-builders/docker' 28 | args: 29 | - 'tag' 30 | - '${_VERIFIED_IMG}:$SHORT_SHA' 31 | - '${_VERIFIED_IMG}:latest' 32 | 33 | images: 34 | - '${_VERIFIED_IMG}:latest' 35 | - '${_VERIFIED_IMG}:$SHORT_SHA' 36 | -------------------------------------------------------------------------------- /cloudbuild-and-automation/container_repos.tf: -------------------------------------------------------------------------------- 1 | data "archive_file" "init" { 2 | depends_on = [ null_resource.copy_folders ] 3 | type = "zip" 4 | source_dir = "${path.module}/temp/${data.terraform_remote_state.projects_and_repos.outputs.github_repository_containers.id}" 5 | output_path = "${path.module}/temp/init.zip" 6 | } 7 | 8 | resource "null_resource" "init_local_folder" { 9 | provisioner "local-exec" { 10 | command = <=version 3 | google-auth 4 | google-cloud-containeranalysis 5 | google-cloud-build 6 | envs 7 | -------------------------------------------------------------------------------- /cloudbuild-and-automation/templates/Makefile.voucher.tpl: -------------------------------------------------------------------------------- 1 | # Go parameters 2 | GOCMD=cd v2 && go 3 | GORELEASER=goreleaser 4 | GOLANGCI-LINT=cd v2 && golangci-lint 5 | DOCKER=docker 6 | GOPATH?=`echo $$GOPATH` 7 | GOBUILD=$(GOCMD) build 8 | GOCLEAN=$(GOCMD) clean 9 | PACKAGES := voucher_server voucher_subscriber voucher_client 10 | CODE=./cmd/ 11 | SERVER_NAME=voucher_server 12 | SUBSCRIBER_NAME=voucher_subscriber 13 | CLIENT_NAME=voucher_client 14 | IMAGE_NAME?=voucher 15 | 16 | export GO111MODULE=on 17 | 18 | .PHONY: clean ensure-deps update-deps system-deps \ 19 | test show-coverage \ 20 | build release snapshot container mocks \ 21 | $(PACKAGES) 22 | 23 | all: clean ensure-deps build 24 | 25 | # System Dependencies 26 | system-deps: 27 | ifeq ($(shell $(GOCMD) version 2> /dev/null) , "") 28 | $(error "go is not installed") 29 | endif 30 | ifeq ($(shell $(DOCKER) -v dot 2> /dev/null) , "") 31 | $(error "docker is not installed") 32 | endif 33 | ifeq ($(shell $(GOLANGCI-LINT) version 2> /dev/null) , "") 34 | $(error "golangci-lint is not installed") 35 | endif 36 | ifeq ($(shell $(GORELEASER) --version dot 2> /dev/null) , "") 37 | $(error "goreleaser is not installed") 38 | endif 39 | $(info "No missing dependencies") 40 | 41 | show-coverage: test 42 | $(GOCMD) tool cover -html=coverage.txt 43 | 44 | test: 45 | $(GOCMD) test ./... -race -coverprofile=coverage.txt -covermode=atomic 46 | 47 | lint: 48 | $(GOLANGCI-LINT) run 49 | 50 | lint-new: 51 | $(GOLANGCI-LINT) run --new-from-rev main 52 | 53 | clean: 54 | $(GOCLEAN) 55 | @for PACKAGE in $(PACKAGES); do \ 56 | rm -vrf build/$$PACKAGE; \ 57 | done 58 | 59 | ensure-deps: 60 | $(GOCMD) mod download 61 | $(GOCMD) mod verify 62 | 63 | update-deps: 64 | $(GOCMD) get -u -t all 65 | $(GOCMD) mod tidy 66 | 67 | build: $(PACKAGES) 68 | 69 | voucher_client: 70 | $(GOBUILD) -o ../build/$(CLIENT_NAME) -v $(CODE)$(CLIENT_NAME) 71 | 72 | voucher_subscriber: 73 | $(GOBUILD) -o ../build/$(SUBSCRIBER_NAME) -v $(CODE)$(SUBSCRIBER_NAME) 74 | 75 | voucher_server: 76 | $(GOBUILD) -o ../build/$(SERVER_NAME) -v $(CODE)$(SERVER_NAME) 77 | 78 | container: 79 | $(DOCKER) build -t $(IMAGE_NAME) . 80 | 81 | release: 82 | $(GORELEASER) 83 | 84 | snapshot: 85 | $(GORELEASER) --snapshot 86 | 87 | mocks: 88 | mockgen -source=grafeas/grafeas_service.go -destination=grafeas/mocks/grafeas_service_mock.go package=mocks 89 | 90 | test-in-docker: 91 | docker run -v $(PWD):/go/src/github.com/grafeas/voucher -w /go/src/github.com/grafeas/voucher -e CGO_ENABLED=0 -it golang:1.15.6-alpine go test ./... 92 | -------------------------------------------------------------------------------- /cloudbuild-and-automation/templates/config.toml.tpl: -------------------------------------------------------------------------------- 1 | dryrun = false 2 | scanner = "metadata" 3 | failon = "critical" 4 | metadata_client = "containeranalysis" 5 | image_project = "${project_id}" 6 | binauth_project = "${project_id}" 7 | signer = "kms" 8 | valid_repos = [ 9 | "gcr.io/path/to/my/project", 10 | ] 11 | 12 | trusted_builder-identities = [ 13 | "email@example.com", 14 | "idcloudbuild.gserviceaccount.com" 15 | ] 16 | 17 | trusted_projects = [ 18 | "trusted-builds" 19 | ] 20 | 21 | [checks] 22 | diy = false 23 | nobody = false 24 | provenance = false 25 | snakeoil = true 26 | 27 | [server] 28 | port = 8080 29 | require_auth = false 30 | username = "username here" 31 | password = "bcrypt hash of your password" 32 | 33 | [ejson] 34 | dir = "/key" 35 | secrets = "/etc/voucher/secrets.production.ejson" 36 | 37 | [clair] 38 | address = "localhost:6060" 39 | 40 | [statsd] 41 | addr = "localhost:8125" 42 | sample_rate = 0.1 43 | tags = [] 44 | 45 | [repository.grafeas] 46 | org-url = "https://github.com/grafeas" 47 | 48 | [[kms_keys]] 49 | check = "snakeoil" 50 | path = "${kms_key_name}" 51 | algo = "SHA512" -------------------------------------------------------------------------------- /cloudbuild-and-automation/templates/signer.go-template: -------------------------------------------------------------------------------- 1 | package kms 2 | 3 | import ( 4 | "context" 5 | "crypto/sha256" 6 | "crypto/sha512" 7 | "fmt" 8 | "hash" 9 | 10 | apiv1 "cloud.google.com/go/kms/apiv1" 11 | "github.com/grafeas/voucher/v2/signer" 12 | kms_pb "google.golang.org/genproto/googleapis/cloud/kms/v1" 13 | ) 14 | 15 | const ( 16 | AlgoSHA256 = "SHA256" 17 | AlgoSHA384 = "SHA384" 18 | AlgoSHA512 = "SHA512" 19 | APIPath = "//cloudkms.googleapis.com/v1" 20 | ) 21 | 22 | type Key struct { 23 | Path string 24 | Algo string 25 | } 26 | 27 | // Signer is an AttestationSigner that uses Google's Cloud KMS to sign attestations 28 | // Only supports SHA512 digests. 29 | type Signer struct { 30 | keys map[string]Key 31 | client *apiv1.KeyManagementClient 32 | } 33 | 34 | func NewSigner(keys map[string]Key) (*Signer, error) { 35 | client, err := apiv1.NewKeyManagementClient(context.Background()) 36 | if err != nil { 37 | return nil, err 38 | } 39 | 40 | for checkName, key := range keys { 41 | if key.Algo != AlgoSHA256 && key.Algo != AlgoSHA384 && key.Algo != AlgoSHA512 { 42 | return nil, fmt.Errorf("Unsupported digest algorithm %v for check %v", key.Algo, checkName) 43 | } 44 | } 45 | 46 | return &Signer{ 47 | keys: keys, 48 | client: client, 49 | }, nil 50 | } 51 | 52 | func (s *Signer) Sign(checkName, body string) (string, string, error) { 53 | fmt.Printf("Sign checkName, body: %s, %s\n", checkName, body) 54 | key, ok := s.keys[checkName] 55 | if !ok { 56 | return "", "", signer.ErrNoKeyForCheck 57 | } 58 | 59 | var digest hash.Hash 60 | bodybytes := []byte(body) 61 | digest = sha256.New() 62 | 63 | 64 | fmt.Printf("Sign bodybytes: %s\n", bodybytes) 65 | if _, err := digest.Write(bodybytes); err != nil { 66 | return "", "", err 67 | } 68 | 69 | var d kms_pb.Digest 70 | switch key.Algo { 71 | case AlgoSHA256: 72 | digest = sha256.New() 73 | d.Digest = &kms_pb.Digest_Sha256{ 74 | Sha256: digest.Sum(nil), 75 | } 76 | case AlgoSHA384: 77 | digest = sha512.New384() 78 | d.Digest = &kms_pb.Digest_Sha384{ 79 | Sha384: digest.Sum(nil), 80 | } 81 | case AlgoSHA512: 82 | digest = sha512.New() 83 | d.Digest = &kms_pb.Digest_Sha512{ 84 | Sha512: digest.Sum(nil), 85 | } 86 | default: 87 | return "", "", fmt.Errorf("Unsupported digest algorithm %v", key.Algo) 88 | } 89 | 90 | resp, err := s.client.AsymmetricSign(context.Background(), &kms_pb.AsymmetricSignRequest{ 91 | Name: key.Path, 92 | Digest: &d, 93 | }) 94 | 95 | if err != nil { 96 | return "", "", err 97 | } 98 | 99 | return string(resp.Signature), fmt.Sprintf(APIPath+"/%v", key.Path), nil 100 | } 101 | 102 | // Close closes the KMS signer's connections. 103 | func (s *Signer) Close() error { 104 | return s.client.Close() 105 | } 106 | -------------------------------------------------------------------------------- /cloudbuild-and-automation/vars.tf: -------------------------------------------------------------------------------- 1 | variable "container_images" { 2 | type = list 3 | } 4 | 5 | variable "fail_on" { 6 | type = string 7 | } 8 | 9 | locals { 10 | services = toset(var.activate_apis) 11 | } 12 | variable "activate_apis" { 13 | description = "The list of apis to activate within the project" 14 | type = list(string) 15 | default = ["cloudfunctions.googleapis.com", "containerregistry.googleapis.com", "containeranalysis.googleapis.com", "containerscanning.googleapis.com", "run.googleapis.com", "cloudkms.googleapis.com", "compute.googleapis.com", "cloudbuild.googleapis.com", "stackdriver.googleapis.com", "artifactregistry.googleapis.com", "cloudapis.googleapis.com", "iam.googleapis.com", "cloudresourcemanager.googleapis.com", "iamcredentials.googleapis.com", "servicemanagement.googleapis.com", "serviceusage.googleapis.com", "storage-api.googleapis.com", "storage-component.googleapis.com", "sourcerepo.googleapis.com"] 16 | } 17 | -------------------------------------------------------------------------------- /cloudbuild-and-automation/versions.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/secure-image-pipeline/07bc0bb521e5cd33c8e9d810bae2996cc78037e1/cloudbuild-and-automation/versions.tf -------------------------------------------------------------------------------- /cloudbuild-and-automation/voucher.tf: -------------------------------------------------------------------------------- 1 | resource "google_cloud_run_service" "voucher" { 2 | depends_on = [ null_resource.voucher_build ] 3 | name = "voucher-server" 4 | location = data.terraform_remote_state.projects_and_repos.outputs.region 5 | project = data.terraform_remote_state.projects_and_repos.outputs.google_project_builder.project_id 6 | 7 | template { 8 | metadata { 9 | labels = { 10 | config-version = local_file.voucher_config.id 11 | } 12 | } 13 | spec { 14 | containers { 15 | image = "gcr.io/${data.terraform_remote_state.projects_and_repos.outputs.google_project_builder.project_id}/voucher-server:latest" 16 | } 17 | } 18 | } 19 | 20 | traffic { 21 | percent = 100 22 | latest_revision = true 23 | } 24 | } 25 | 26 | resource "local_file" "voucher_config" { 27 | depends_on = [ null_resource.init_local_folder ] 28 | content = templatefile("${path.module}/templates/config.toml.tpl", 29 | { 30 | fail_on = var.fail_on 31 | project_id = data.terraform_remote_state.projects_and_repos.outputs.google_project_builder.project_id, 32 | kms_key_name = "projects/${data.terraform_remote_state.projects_and_repos.outputs.google_project_builder.project_id}/locations/global/keyRings/${google_kms_key_ring.pipeline_keyring.name}/cryptoKeys/${google_kms_crypto_key.pipeline_key.name}/cryptoKeyVersions/1" 33 | } 34 | ) 35 | filename = "${path.module}/temp/${data.terraform_remote_state.projects_and_repos.outputs.github_repository_containers.id}/voucher/tutorials/cloudrun/config.toml" 36 | } 37 | 38 | resource "null_resource" "voucher_build" { 39 | depends_on = [ null_resource.init_repos ] 40 | triggers = { 41 | config = local_file.voucher_config.id 42 | } 43 | provisioner "local-exec" { 44 | command = < /tmp/note_payload.json << EOM 107 | # { 108 | # "name": "${NOTE_URI}", 109 | # "attestation": { 110 | # "hint": { 111 | # "human_readable_name": "voucher note for snakeoil check" 112 | # } 113 | # } 114 | # } 115 | # EOM 116 | 117 | # curl -X POST \ 118 | # -H "Content-Type: application/json" \ 119 | # -H "Authorization: Bearer $(gcloud --project ${PROJECT_ID} auth print-access-token)" \ 120 | # -H "x-goog-user-project: ${PROJECT_ID}" \ 121 | # --data-binary @/tmp/note_payload.json \ 122 | # "https://containeranalysis.googleapis.com/v1/projects/${PROJECT_ID}/notes/?noteId=${NOTE_ID}" 123 | -------------------------------------------------------------------------------- /env.sh.tmpl: -------------------------------------------------------------------------------- 1 | export BASEIMGFCT_PROJECT= 2 | export BASEIMGFCT_BUCKET= 3 | export BASEIMGFCT_REGION=us-central1 4 | export BILLING_ACCOUNT= 5 | export PARENT_ORGANIZATION= 6 | export GITHUB_TOKEN= 7 | -------------------------------------------------------------------------------- /project-and-repos/artifact_registry.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | resource "google_artifact_registry_repository" "staging" { 16 | depends_on = [google_project_service.staging] 17 | provider = google-beta 18 | project = google_project.staging.project_id 19 | location = var.region 20 | repository_id = "staging-images" 21 | description = "Container Image Repository - Staging" 22 | format = "DOCKER" 23 | } 24 | 25 | resource "google_artifact_registry_repository" "verified" { 26 | depends_on = [google_project_service.verified] 27 | provider = google-beta 28 | project = google_project.verified.project_id 29 | location = var.region 30 | repository_id = "verified-images" 31 | description = "Container Image Repository - Verified" 32 | format = "DOCKER" 33 | } 34 | 35 | resource "google_artifact_registry_repository_iam_member" "staging" { 36 | provider = google-beta 37 | project = google_project.staging.project_id 38 | location = var.region 39 | repository = google_artifact_registry_repository.staging.name 40 | role = "roles/artifactregistry.writer" 41 | member = "serviceAccount:${google_project.builder.number}@cloudbuild.gserviceaccount.com" 42 | } 43 | 44 | resource "google_artifact_registry_repository_iam_member" "verified" { 45 | provider = google-beta 46 | project = google_project.verified.project_id 47 | location = var.region 48 | repository = google_artifact_registry_repository.verified.name 49 | role = "roles/artifactregistry.writer" 50 | member = "serviceAccount:${google_project.builder.number}@cloudbuild.gserviceaccount.com" 51 | } 52 | 53 | resource "google_container_registry" "staging" { 54 | depends_on = [google_project_service.staging] 55 | project = google_project.staging.project_id 56 | } 57 | 58 | resource "google_container_registry" "verified" { 59 | depends_on = [google_project_service.verified] 60 | project = google_project.verified.project_id 61 | } 62 | 63 | resource "google_storage_bucket_iam_member" "staging" { 64 | depends_on = [google_project_service.staging] 65 | bucket = google_container_registry.staging.id 66 | role = "roles/storage.admin" 67 | member = "serviceAccount:${google_project.builder.number}@cloudbuild.gserviceaccount.com" 68 | } 69 | 70 | resource "google_storage_bucket_iam_member" "verified" { 71 | depends_on = [google_project_service.verified] 72 | bucket = google_container_registry.verified.id 73 | role = "roles/storage.admin" 74 | member = "serviceAccount:${google_project.builder.number}@cloudbuild.gserviceaccount.com" 75 | } 76 | 77 | resource "google_project_iam_member" "staging_analysis" { 78 | depends_on = [google_project_service.staging] 79 | project = google_project.staging.project_id 80 | role = "roles/containeranalysis.occurrences.viewer" 81 | member = "serviceAccount:${google_project.builder.number}-compute@developer.gserviceaccount.com" 82 | } 83 | 84 | resource "google_project_iam_member" "verified_analysis" { 85 | depends_on = [google_project_service.verified] 86 | project = google_project.verified.project_id 87 | role = "roles/containeranalysis.occurrences.viewer" 88 | member = "serviceAccount:${google_project.builder.number}-compute@developer.gserviceaccount.com" 89 | } 90 | -------------------------------------------------------------------------------- /project-and-repos/deploy_keys.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | resource "tls_private_key" "containers" { 16 | algorithm = "RSA" 17 | } 18 | 19 | resource "tls_private_key" "vm" { 20 | algorithm = "RSA" 21 | } 22 | 23 | resource "github_repository_deploy_key" "containers" { 24 | title = "${var.project_name} key" 25 | repository = github_repository.containers.id 26 | key = tls_private_key.containers.public_key_openssh 27 | read_only = "false" 28 | } 29 | 30 | resource "local_file" "containers_ssh" { 31 | filename = "../creds/github_containers_ssh" 32 | content = tls_private_key.containers.private_key_pem 33 | file_permission = "0600" 34 | } 35 | -------------------------------------------------------------------------------- /project-and-repos/output.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | 16 | # project_id for builder project 17 | # github repo id for containers and vm 18 | # github branch staging for containers and vm 19 | # github repo ssh clone url for containers and vm 20 | # var output for gh_email, gh_username, region 21 | # deploy_key filename for containers and vm 22 | 23 | output "google_project_builder" { 24 | value = google_project.builder 25 | } 26 | 27 | output "google_project_staging" { 28 | value = google_project.staging 29 | } 30 | 31 | output "google_project_verified" { 32 | value = google_project.verified 33 | } 34 | 35 | output "github_repository_containers" { 36 | value = github_repository.containers 37 | } 38 | 39 | output "google_artifact_registry_repository_staging" { 40 | value = google_artifact_registry_repository.staging 41 | } 42 | 43 | output "google_artifact_registry_repository_verified" { 44 | value = google_artifact_registry_repository.verified 45 | } 46 | 47 | output "gh_email" { 48 | value = var.gh_email 49 | } 50 | 51 | output "gh_username" { 52 | value = var.gh_username 53 | } 54 | 55 | output "gh_organization" { 56 | value = var.gh_organization 57 | } 58 | 59 | output "region" { 60 | value = var.region 61 | } 62 | 63 | output "zone" { 64 | value = var.zone 65 | } 66 | 67 | output "deploy_key_containers_ssh" { 68 | value = local_file.containers_ssh.filename 69 | } 70 | -------------------------------------------------------------------------------- /project-and-repos/project.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | /******************************************* 16 | Project creation 17 | *******************************************/ 18 | resource "random_id" "project_ids" { 19 | byte_length = 1 20 | } 21 | 22 | resource "google_project" "builder" { 23 | name = "${var.project_name}-builder" 24 | project_id = "${lower(replace(var.project_name, " ", "-"))}-builder-${random_id.project_ids.dec}" 25 | org_id = var.project_org_id 26 | billing_account = var.billing_account 27 | auto_create_network = true 28 | 29 | labels = var.labels 30 | } 31 | 32 | resource "google_project" "staging" { 33 | name = "${var.project_name}-staging" 34 | project_id = "${lower(replace(var.project_name, " ", "-"))}-staging-${random_id.project_ids.dec}" 35 | org_id = var.project_org_id 36 | billing_account = var.billing_account 37 | auto_create_network = true 38 | 39 | labels = var.labels 40 | } 41 | 42 | resource "google_project" "verified" { 43 | name = "${var.project_name}-verified" 44 | project_id = "${lower(replace(var.project_name, " ", "-"))}-verified-${random_id.project_ids.dec}" 45 | org_id = var.project_org_id 46 | billing_account = var.billing_account 47 | auto_create_network = true 48 | 49 | labels = var.labels 50 | } 51 | 52 | /******************************************* 53 | API enablement 54 | *******************************************/ 55 | 56 | resource "google_project_service" "builder" { 57 | for_each = local.services 58 | project = google_project.builder.project_id 59 | service = each.value 60 | disable_on_destroy = false 61 | disable_dependent_services = false 62 | } 63 | 64 | resource "google_project_service" "staging" { 65 | for_each = local.services 66 | project = google_project.staging.project_id 67 | service = each.value 68 | disable_on_destroy = false 69 | disable_dependent_services = false 70 | } 71 | 72 | resource "google_project_service" "verified" { 73 | for_each = local.services 74 | project = google_project.verified.project_id 75 | service = each.value 76 | disable_on_destroy = false 77 | disable_dependent_services = false 78 | } 79 | 80 | # Permissions for Packer to manage disk images 81 | resource "google_project_iam_member" "vm_staging" { 82 | depends_on = [ google_project_service.staging ] 83 | project = google_project.staging.project_id 84 | role = "roles/editor" 85 | member = "serviceAccount:${google_project.builder.number}@cloudbuild.gserviceaccount.com" 86 | } 87 | 88 | resource "google_project_iam_member" "vm_verified" { 89 | depends_on = [ google_project_service.verified ] 90 | project = google_project.verified.project_id 91 | role = "roles/editor" 92 | member = "serviceAccount:${google_project.builder.number}@cloudbuild.gserviceaccount.com" 93 | } 94 | -------------------------------------------------------------------------------- /project-and-repos/provider.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | terraform { 16 | required_providers { 17 | github = { 18 | source = "integrations/github" 19 | version = "4.3.0" 20 | } 21 | } 22 | } 23 | 24 | provider "google" { 25 | region = var.region 26 | credentials = file("../creds/gcp-sa.json") 27 | } 28 | 29 | provider "google-beta" { 30 | region = var.region 31 | credentials = file("../creds/gcp-sa.json") 32 | } 33 | 34 | provider "github" { 35 | organization = var.gh_organization 36 | } 37 | -------------------------------------------------------------------------------- /project-and-repos/repos.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | resource "github_repository" "containers" { 16 | name = "${var.project_name}-containers" 17 | description = "GCP Base Image Factory - Containers" 18 | 19 | visibility = var.repos_visibility 20 | auto_init = true 21 | } 22 | -------------------------------------------------------------------------------- /project-and-repos/vars.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | locals { 16 | services = toset(var.activate_apis) 17 | } 18 | 19 | variable "region" { 20 | description = "GCP Region" 21 | } 22 | 23 | variable "zone" { 24 | description = "GCP Zone" 25 | } 26 | 27 | variable "activate_apis" { 28 | description = "The list of apis to activate within the project" 29 | type = list(string) 30 | default = ["cloudfunctions.googleapis.com", "containerregistry.googleapis.com", "containeranalysis.googleapis.com", "containerscanning.googleapis.com", "run.googleapis.com", "cloudkms.googleapis.com", "compute.googleapis.com", "cloudbuild.googleapis.com", "stackdriver.googleapis.com", "artifactregistry.googleapis.com", "cloudapis.googleapis.com", "iam.googleapis.com", "cloudresourcemanager.googleapis.com", "iamcredentials.googleapis.com", "servicemanagement.googleapis.com", "serviceusage.googleapis.com", "storage-api.googleapis.com", "storage-component.googleapis.com", "sourcerepo.googleapis.com"] 31 | } 32 | 33 | variable "project_org_id" { 34 | description = "The organization ID." 35 | type = string 36 | } 37 | 38 | variable "project_name" { 39 | description = "The name for the project" 40 | type = string 41 | default = "base-image" 42 | } 43 | 44 | variable "billing_account" { 45 | description = "The ID of the billing account to associate this project with" 46 | type = string 47 | } 48 | 49 | variable "project_folder_id" { 50 | description = "The ID of a folder to host this project" 51 | type = string 52 | default = "" 53 | } 54 | 55 | variable "labels" { 56 | description = "Map of labels for project" 57 | type = map(string) 58 | default = {} 59 | } 60 | 61 | variable "repos_visibility" { 62 | default = "private" 63 | } 64 | 65 | variable "gh_organization" { 66 | description = "GitHub Organization" 67 | } 68 | 69 | variable "gh_email" { 70 | description = "GitHub Email Addresss" 71 | } 72 | 73 | variable "gh_username" { 74 | description = "GitHub Username" 75 | } 76 | -------------------------------------------------------------------------------- /project-and-repos/versions.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/secure-image-pipeline/07bc0bb521e5cd33c8e9d810bae2996cc78037e1/project-and-repos/versions.tf -------------------------------------------------------------------------------- /setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | # Bash safeties: exit on error, no unset variables, pipelines can't hide errors 17 | set -o errexit 18 | set -o pipefail 19 | 20 | DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" 21 | 22 | getancestry () { 23 | curl -X POST -H "Authorization: Bearer \"$(gcloud auth application-default print-access-token)\"" \ 24 | -H "Content-Type: application/json; charset=utf-8" \ 25 | https://cloudresourcemanager.googleapis.com/v1/projects/$1:getAncestry > ancestry.json 26 | } 27 | 28 | environment () { 29 | if [[ -f "$DIR/env.sh" ]]; then 30 | echo "Importing environment from $DIR/env.sh..." && . $DIR/env.sh 31 | export PARENT_FOLDER=${PARENT_ORGANIZATION} 32 | else 33 | echo "Please copy env.sh.tmpl into env.sh and edit..." 34 | exit 1 35 | fi 36 | } 37 | 38 | create_new_project(){ 39 | echo "Creating new project for Base Image Factory..." 40 | # if [ "${PARENT_TYPE}" == "organization" ]; then 41 | gcloud projects create ${BASEIMGFCT_PROJECT} --organization=${PARENT_FOLDER} > /dev/null 42 | # else 43 | # gcloud projects create ${BASEIMGFCT_PROJECT} --folder=${PARENT_FOLDER} > /dev/null 44 | # fi 45 | gcloud beta billing projects link ${BASEIMGFCT_PROJECT} --billing-account=${BILLING_ACCOUNT} > /dev/null 46 | } 47 | 48 | 49 | get_project_number(){ 50 | # There is sometimes a delay in the API and the gcloud command 51 | # Run the gcloud command until it returns a value 52 | continue=1 53 | while [[ ${continue} -gt 0 ]] 54 | do 55 | 56 | export BASEIMGFCT_PROJECTNUM=$(gcloud projects describe ${BASEIMGFCT_PROJECT} --format='value(projectNumber)') 57 | if [[ ${BASEIMGFCT_PROJECTNUM} ]] 58 | then continue=0 59 | fi 60 | 61 | done 62 | } 63 | 64 | baseimgfct_project_setup (){ 65 | # Check that the Base Image Factorry Project has a billing account 66 | export BILLING_ACCOUNT=$(gcloud beta billing projects describe ${BASEIMGFCT_PROJECT} --format="value(billingAccountName)" | sed -e 's/.*\///g') 67 | 68 | if [[ ! ${BILLING_ACCOUNT} ]] 69 | then echo "Please enable billing account on ${BASEIMGFCT_PROJECT}" 70 | exit 71 | fi 72 | 73 | export BASEIMGFCT_REGION=northamerica-northeast1 74 | 75 | echo "Setting up project for Base Image Factory..." 76 | get_project_number 77 | gcloud config set project ${BASEIMGFCT_PROJECT}; 78 | 79 | gcloud services enable cloudbilling.googleapis.com --project ${BASEIMGFCT_PROJECT} > /dev/null 80 | gcloud services enable cloudresourcemanager.googleapis.com --project ${BASEIMGFCT_PROJECT} > /dev/null 81 | gcloud services enable cloudbuild.googleapis.com --project ${BASEIMGFCT_PROJECT} > /dev/null 82 | gcloud services enable cloudkms.googleapis.com --project ${BASEIMGFCT_PROJECT} > /dev/null 83 | gcloud services enable containeranalysis.googleapis.com --project ${BASEIMGFCT_PROJECT} > /dev/null 84 | gcloud services enable iam.googleapis.com --project ${BASEIMGFCT_PROJECT} > /dev/null 85 | 86 | set +e 87 | gsutil ls gs://${BASEIMGFCT_BUCKET} 2>&1 > /dev/null 88 | 89 | if [ "$?" == "1" ]; then 90 | set -e 91 | gsutil mb -p ${BASEIMGFCT_PROJECT} -l ${BASEIMGFCT_REGION} gs://${BASEIMGFCT_BUCKET}/ 92 | gcloud iam service-accounts create terraform-project-automation --project ${BASEIMGFCT_PROJECT} > /dev/null 93 | 94 | gcloud organizations add-iam-policy-binding ${PARENT_ORGANIZATION} \ 95 | --member serviceAccount:terraform-project-automation@${BASEIMGFCT_PROJECT}.iam.gserviceaccount.com --role roles/browser > /dev/null 96 | 97 | gcloud organizations add-iam-policy-binding ${PARENT_ORGANIZATION} \ 98 | --member serviceAccount:terraform-project-automation@${BASEIMGFCT_PROJECT}.iam.gserviceaccount.com --role roles/billing.user > /dev/null 99 | 100 | gcloud organizations add-iam-policy-binding ${PARENT_ORGANIZATION} \ 101 | --member serviceAccount:terraform-project-automation@${BASEIMGFCT_PROJECT}.iam.gserviceaccount.com --role roles/resourcemanager.folderViewer > /dev/null 102 | 103 | gcloud projects add-iam-policy-binding ${BASEIMGFCT_PROJECT} \ 104 | --member serviceAccount:terraform-project-automation@${BASEIMGFCT_PROJECT}.iam.gserviceaccount.com --role roles/storage.objectAdmin > /dev/null 105 | 106 | gcloud organizations add-iam-policy-binding ${PARENT_ORGANIZATION} \ 107 | --member serviceAccount:terraform-project-automation@${BASEIMGFCT_PROJECT}.iam.gserviceaccount.com --role roles/billing.projectManager > /dev/null 108 | 109 | gcloud organizations add-iam-policy-binding ${PARENT_ORGANIZATION} \ 110 | --member serviceAccount:terraform-project-automation@${BASEIMGFCT_PROJECT}.iam.gserviceaccount.com --role roles/resourcemanager.projectCreator 111 | 112 | gcloud iam service-accounts keys create ~/key.json \ 113 | --iam-account terraform-project-automation@${BASEIMGFCT_PROJECT}.iam.gserviceaccount.com > /dev/null 114 | mkdir -p ./creds 115 | mv ~/key.json ./creds/gcp-sa.json 116 | fi 117 | set -e 118 | } 119 | 120 | project_prompt(){ 121 | # Confirm project is the correct one to use for base images 122 | continue=1 123 | while [[ ${continue} -gt 0 ]] 124 | do 125 | 126 | # Prompt until project-id is correct 127 | if [[ ${BASEIMGFCT_PROJECT} ]] 128 | then read -p "Would you like to use ${BASEIMGFCT_PROJECT} to deploy a new base image factory? (y/n) :" yesno 129 | fi 130 | 131 | if [[ ${yesno} == "y" ]] 132 | then continue=0 133 | else read -p "Input project_id: " projectid 134 | export BASEIMGFCT_PROJECT=${projectid} 135 | fi 136 | 137 | done 138 | } 139 | 140 | github_prompt(){ 141 | # Prompt until GitHub ORG is correct 142 | if [[ -z ${GH_ORG} ]]; then 143 | read -p "Input your GitHub Organization: " gh_org 144 | export GH_ORG=${gh_org} 145 | fi 146 | 147 | if [[ -z ${GH_EMAIL} ]];then 148 | read -p "Input your GitHub email address: " gh_email 149 | export GH_EMAIL=${gh_email} 150 | fi 151 | 152 | if [[ -z ${GH_USER} ]]; then 153 | read -p "Input your GitHub username: " gh_user 154 | export GH_USER=${gh_user} 155 | fi 156 | 157 | } 158 | 159 | write_tfvars(){ 160 | cat > ${DIR}/project-and-repos/terraform.tfvars << EOF 161 | project_org_id = "${PARENT_ORGANIZATION}" 162 | region = "${BASEIMGFCT_REGION}" 163 | zone = "${BASEIMGFCT_REGION}-a" 164 | project_folder_id = "${PARENT_FOLDER}" 165 | project_name = "${BASEIMGFCT_PROJECT}" 166 | billing_account = "${BILLING_ACCOUNT}" 167 | 168 | gh_organization = "${GH_ORG}" 169 | gh_email = "${GH_EMAIL}" 170 | gh_username = "${GH_USER}" 171 | EOF 172 | 173 | cat > ${DIR}/cloudbuild-and-automation/terraform.tfvars << EOF 174 | fail_on = "critical" 175 | container_images = ["ubuntu_18_0_4","alpine","centos","debian"] 176 | 177 | vm_images = { 178 | "ubuntu_18_0_4" = "ubuntu-1804-bionic-v20210211" 179 | } 180 | EOF 181 | } 182 | 183 | write_backend(){ 184 | cat > ${DIR}/project-and-repos/backend.tf << EOF 185 | terraform { 186 | backend "gcs" { 187 | bucket = "${BASEIMGFCT_BUCKET}" 188 | prefix = "projects-and-repos/" 189 | credentials = "../creds/gcp-sa.json" 190 | } 191 | } 192 | EOF 193 | cat > ${DIR}/cloudbuild-and-automation/backend.tf << EOF 194 | terraform { 195 | backend "gcs" { 196 | bucket = "${BASEIMGFCT_BUCKET}" 197 | prefix = "cloudbuild-and-automation/" 198 | credentials = "../creds/gcp-sa.json" 199 | } 200 | } 201 | EOF 202 | } 203 | 204 | write_data_source(){ 205 | cat > $DIR/cloudbuild-and-automation/data.tf << EOF 206 | data "terraform_remote_state" "projects_and_repos" { 207 | backend = "gcs" 208 | 209 | config = { 210 | bucket = "${BASEIMGFCT_BUCKET}" 211 | prefix = "projects-and-repos/" 212 | credentials = "../creds/gcp-sa.json" 213 | } 214 | } 215 | EOF 216 | } 217 | 218 | apply_projectrepos_tf(){ 219 | cd ${DIR}/project-and-repos 220 | terraform init -reconfigure 221 | terraform apply -auto-approve 222 | } 223 | 224 | apply_cloudbuild_tf(){ 225 | cd ${DIR}/cloudbuild-and-automation 226 | terraform init -reconfigure 227 | terraform apply -auto-approve 228 | } 229 | pause(){ 230 | read -n1 -rsp $'Link your Github Repositories and press any key to continue or Ctrl+C to exit...\n' 231 | } 232 | 233 | link_gh_repos(){ 234 | GH_REPO_INIT_URL="https://console.cloud.google.com/gcb-github-registration" 235 | python3 -m webbrowser ${GH_REPO_INIT_URL} 236 | pause 237 | } 238 | 239 | 240 | # # Main 241 | github_prompt 242 | 243 | echo "Setting up the environment..." 244 | environment 245 | 246 | read -p "Would you like to create a new Google Cloud Project for the base image factory? (y/n):" new_yesno 247 | if [[ ${new_yesno} == "y" ]] 248 | then 249 | create_new_project 250 | else 251 | project_prompt 252 | fi 253 | 254 | baseimgfct_project_setup 255 | 256 | 257 | ##Setup DataSources, Backend + Terraform Variables 258 | write_backend 259 | write_data_source 260 | write_tfvars 261 | # Build Projects 262 | apply_projectrepos_tf 263 | ## Wait for Github/Cloudbuild Link 264 | link_gh_repos 265 | ## Setup Cloudbuild + Cloud Functions 266 | apply_cloudbuild_tf 267 | 268 | echo "" 269 | echo "Setup complete. Your new base images will get staged here: ...." 270 | --------------------------------------------------------------------------------