├── .dockerignore ├── .github ├── CODEOWNERS ├── conventional-commit-lint.yaml ├── release-please.yml ├── renovate.json ├── trusted-contribution.yml └── workflows │ ├── lint.yaml │ └── stale.yml ├── .gitignore ├── .pre-commit-config.yaml ├── CHANGELOG.md ├── CODEOWNERS ├── CONTRIBUTING.md ├── LICENSE ├── Makefile ├── README.md ├── build ├── int.cloudbuild.yaml └── lint.cloudbuild.yaml ├── docs ├── upgrading_to_v10.0.md ├── upgrading_to_v5.0.md ├── upgrading_to_v6.0.md └── upgrading_to_v9.0.md ├── examples ├── cloudbuild_enabled │ ├── README.md │ ├── cloudbuild-tf-apply.yaml │ ├── cloudbuild-tf-plan.yaml │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── cloudbuild_repo_connection_github │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── cloudbuild_repo_connection_gitlab │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── im_cloudbuild_workspace_github │ ├── README.md │ ├── apis.tf │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── im_cloudbuild_workspace_gitlab │ ├── README.md │ ├── apis.tf │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── simple-folder │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── simple │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── tf_cloudbuild_builder_simple │ ├── Dockerfile │ ├── README.md │ ├── apis.tf │ ├── main.tf │ ├── outputs.tf │ ├── scripts │ │ └── push-to-repo.sh │ └── variables.tf ├── tf_cloudbuild_builder_simple_github │ ├── Dockerfile │ ├── README.md │ ├── apis.tf │ ├── main.tf │ ├── outputs.tf │ ├── scripts │ │ └── push-to-repo.sh │ └── variables.tf ├── tf_cloudbuild_builder_simple_gitlab │ ├── Dockerfile │ ├── README.md │ ├── apis.tf │ ├── main.tf │ ├── outputs.tf │ ├── scripts │ │ └── push-to-repo.sh │ └── variables.tf ├── tf_cloudbuild_source_simple │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── tf_cloudbuild_workspace_simple │ ├── README.md │ ├── apis.tf │ ├── files │ │ ├── .gitignore │ │ ├── backend.tf │ │ ├── 
main.tf │ │ └── variables.tf │ ├── main.tf │ ├── outputs.tf │ ├── scripts │ │ └── push-to-repo.sh │ └── variables.tf ├── tf_cloudbuild_workspace_simple_github │ ├── README.md │ ├── apis.tf │ ├── files │ │ ├── .gitignore │ │ ├── backend.tf │ │ ├── main.tf │ │ └── variables.tf │ ├── main.tf │ ├── outputs.tf │ ├── scripts │ │ └── push-to-repo.sh │ └── variables.tf └── tf_cloudbuild_workspace_simple_gitlab │ ├── README.md │ ├── apis.tf │ ├── files │ ├── .gitignore │ ├── backend.tf │ ├── main.tf │ └── variables.tf │ ├── main.tf │ ├── outputs.tf │ ├── scripts │ └── push-to-repo.sh │ └── variables.tf ├── kitchen.yml ├── main.tf ├── modules ├── cloudbuild │ ├── README.md │ ├── cloudbuild_builder │ │ ├── Dockerfile │ │ ├── README.md │ │ ├── cloudbuild.yaml │ │ └── entrypoint.bash │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── cloudbuild_repo_connection │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── im_cloudbuild_workspace │ ├── README.md │ ├── assets │ │ └── arch.png │ ├── cb.tf │ ├── github.tf │ ├── gitlab.tf │ ├── outputs.tf │ ├── repo.tf │ ├── sa.tf │ ├── templates │ │ └── create-preview.sh.tftpl │ ├── variables.tf │ └── versions.tf ├── tf_cloudbuild_builder │ ├── README.md │ ├── assets │ │ └── arch.png │ ├── cb.tf │ ├── gar.tf │ ├── outputs.tf │ ├── templates │ │ └── workflow.yaml.tftpl │ ├── variables.tf │ ├── versions.tf │ └── workflow.tf ├── tf_cloudbuild_source │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf └── tf_cloudbuild_workspace │ ├── README.md │ ├── assets │ └── arch.png │ ├── buckets.tf │ ├── cb.tf │ ├── outputs.tf │ ├── sa.tf │ ├── variables.tf │ └── versions.tf ├── outputs.tf ├── terraform.example.tfvars ├── test ├── .gitignore ├── fixtures │ ├── cloudbuild_enabled │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ ├── cloudbuild_repo_connection_github │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ ├── cloudbuild_repo_connection_gitlab │ 
│ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ ├── simple-folder │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ ├── simple │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ ├── tf_cloudbuild_builder_simple_github │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ ├── tf_cloudbuild_builder_simple_gitlab │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ ├── tf_cloudbuild_workspace_simple_github │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ └── tf_cloudbuild_workspace_simple_gitlab │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf ├── integration │ ├── cloudbuild_enabled │ │ ├── controls │ │ │ ├── gcloud.rb │ │ │ └── gcp.rb │ │ └── inspec.yml │ ├── cloudbuild_repo_connection_github │ │ └── cloudbuild_repo_connection_github_test.go │ ├── cloudbuild_repo_connection_gitlab │ │ └── cloudbuild_repo_connection_gitlab_test.go │ ├── discover_test.go │ ├── go.mod │ ├── go.sum │ ├── im_cloudbuild_workspace_github │ │ ├── files │ │ │ └── main.tf │ │ └── im_cloudbuild_workspace_github_test.go │ ├── im_cloudbuild_workspace_gitlab │ │ ├── files │ │ │ └── main.tf │ │ └── im_cloudbuild_workspace_gitlab_test.go │ ├── simple-folder │ │ ├── controls │ │ │ └── gcp.rb │ │ └── inspec.yml │ ├── simple │ │ ├── controls │ │ │ └── gcp.rb │ │ └── inspec.yml │ ├── tf_cloudbuild_builder_simple │ │ └── tf_cloudbuild_builder_simple_test.go │ ├── tf_cloudbuild_builder_simple_github │ │ └── tf_cloudbuild_builder_simple_github_test.go │ ├── tf_cloudbuild_builder_simple_gitlab │ │ └── tf_cloudbuild_builder_simple_gitlab_test.go │ ├── tf_cloudbuild_source_simple │ │ └── tf_cloudbuild_source_simple_test.go │ ├── tf_cloudbuild_workspace_simple │ │ └── tf_cloudbuild_workspace_simple_test.go │ ├── tf_cloudbuild_workspace_simple_github │ │ └── tf_cloudbuild_workspace_simple_github_test.go │ ├── tf_cloudbuild_workspace_simple_gitlab │ │ └── tf_cloudbuild_workspace_simple_gitlab_test.go │ └── utils │ │ ├── github_client.go │ │ ├── gitlab_client.go │ 
│ └── utils.go └── setup │ ├── .gitignore │ ├── iam.tf │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── variables.tf └── versions.tf /.dockerignore: -------------------------------------------------------------------------------- 1 | .git 2 | .terraform 3 | .terraform.d 4 | .kitchen 5 | terraform.tfstate.d 6 | test/fixtures/*/.terraform 7 | test/fixtures/*/terraform.tfstate.d 8 | examples/.kitchen 9 | examples/*/.terraform 10 | examples/*/terraform.tfstate.d 11 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @terraform-google-modules/cft-admins 2 | -------------------------------------------------------------------------------- /.github/conventional-commit-lint.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022-2025 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # NOTE: This file is automatically generated from: 16 | # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/github 17 | 18 | enabled: true 19 | always_check_pr_title: true 20 | -------------------------------------------------------------------------------- /.github/release-please.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | releaseType: terraform-module 16 | handleGHRelease: true 17 | -------------------------------------------------------------------------------- /.github/renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": ["github>GoogleCloudPlatform/cloud-foundation-toolkit//infra/terraform/test-org/github/resources/renovate"] 4 | } 5 | -------------------------------------------------------------------------------- /.github/trusted-contribution.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023-2025 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # NOTE: This file is automatically generated from: 16 | # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/github 17 | 18 | annotations: 19 | - type: comment 20 | text: "/gcbrun" 21 | trustedContributors: 22 | - release-please[bot] 23 | - renovate[bot] 24 | - renovate-bot 25 | - forking-renovate[bot] 26 | - dependabot[bot] 27 | -------------------------------------------------------------------------------- /.github/workflows/lint.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2023-2025 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # NOTE: This file is automatically generated from values at: 16 | # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/org/locals.tf 17 | 18 | name: 'lint' 19 | 20 | on: 21 | workflow_dispatch: 22 | pull_request: 23 | branches: 24 | - main 25 | 26 | concurrency: 27 | group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}' 28 | cancel-in-progress: true 29 | 30 | jobs: 31 | lint: 32 | name: 'lint' 33 | runs-on: 'ubuntu-latest' 34 | steps: 35 | - uses: 'actions/checkout@v4' 36 | - id: variables 37 | run: | 38 | MAKEFILE=$(find . -name Makefile -print -quit) 39 | if [ -z "$MAKEFILE" ]; then 40 | echo dev-tools=gcr.io/cloud-foundation-cicd/cft/developer-tools:1 >> "$GITHUB_OUTPUT" 41 | else 42 | VERSION=$(grep "DOCKER_TAG_VERSION_DEVELOPER_TOOLS := " $MAKEFILE | cut -d\ -f3) 43 | IMAGE=$(grep "DOCKER_IMAGE_DEVELOPER_TOOLS := " $MAKEFILE | cut -d\ -f3) 44 | REGISTRY=$(grep "REGISTRY_URL := " $MAKEFILE | cut -d\ -f3) 45 | echo dev-tools=${REGISTRY}/${IMAGE}:${VERSION} >> "$GITHUB_OUTPUT" 46 | fi 47 | - run: docker run --rm -v ${{ github.workspace }}:/workspace ${{ steps.variables.outputs.dev-tools }} module-swapper 48 | - run: docker run --rm -v ${{ github.workspace }}:/workspace ${{ steps.variables.outputs.dev-tools }} /usr/local/bin/test_lint.sh 49 | -------------------------------------------------------------------------------- /.github/workflows/stale.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2022-2025 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # NOTE: This file is automatically generated from: 16 | # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/github 17 | 18 | name: "Close stale issues" 19 | on: 20 | schedule: 21 | - cron: "0 23 * * *" 22 | 23 | jobs: 24 | stale: 25 | if: github.repository_owner == 'GoogleCloudPlatform' || github.repository_owner == 'terraform-google-modules' 26 | runs-on: ubuntu-latest 27 | steps: 28 | - uses: actions/stale@v9 29 | with: 30 | repo-token: ${{ secrets.GITHUB_TOKEN }} 31 | stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days' 32 | stale-pr-message: 'This PR is stale because it has been open 60 days with no activity. 
Remove stale label or comment or this will be closed in 7 days' 33 | exempt-issue-labels: 'triaged' 34 | exempt-pr-labels: 'dependencies,autorelease: pending' 35 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # OSX leaves these everywhere on SMB shares 2 | ._* 3 | 4 | # OSX trash 5 | .DS_Store 6 | 7 | # Python 8 | *.pyc 9 | 10 | # Emacs save files 11 | *~ 12 | \#*\# 13 | .\#* 14 | 15 | # Vim-related files 16 | [._]*.s[a-w][a-z] 17 | [._]s[a-w][a-z] 18 | *.un~ 19 | Session.vim 20 | .netrwhist 21 | 22 | ### https://raw.github.com/github/gitignore/90f149de451a5433aebd94d02d11b0e28843a1af/Terraform.gitignore 23 | 24 | # Local .terraform directories 25 | **/.terraform* 26 | 27 | # .tfstate files 28 | *.tfstate 29 | *.tfstate.* 30 | 31 | # Crash log files 32 | crash.log 33 | 34 | # Kitchen files 35 | **/inspec.lock 36 | **/.kitchen 37 | **/kitchen.local.yml 38 | **/Gemfile.lock 39 | 40 | # Ignore any .tfvars files that are generated automatically for each Terraform run. Most 41 | # .tfvars files are managed as part of configuration and so should be included in 42 | # version control. 43 | **/*.tfvars 44 | 45 | credentials.json 46 | 47 | override.tf 48 | override.tf.json 49 | *_override.tf 50 | *_override.tf.json 51 | .idea/ 52 | 53 | setup-tests.sh 54 | 55 | # tf lock file 56 | .terraform.lock.hcl 57 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | repos: 16 | - repo: git://github.com/antonbabenko/pre-commit-terraform 17 | rev: v1.21.0 18 | hooks: 19 | - id: terraform_fmt 20 | # - id: terraform_docs 21 | - repo: git://github.com/pre-commit/pre-commit-hooks 22 | rev: v2.2.3 23 | hooks: 24 | - id: check-executables-have-shebangs 25 | - id: check-json 26 | - id: check-merge-conflict 27 | - id: check-xml 28 | - id: check-yaml 29 | - id: detect-private-key 30 | - id: pretty-format-json 31 | args: [--autofix] 32 | - id: sort-simple-yaml 33 | - id: trailing-whitespace 34 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | # NOTE: This file is automatically generated from values at: 2 | # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/org/locals.tf 3 | 4 | * @terraform-google-modules/cft-admins @josephdt12 5 | 6 | # NOTE: GitHub CODEOWNERS locations: 7 | # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-and-branch-protection 8 | 9 | CODEOWNERS @terraform-google-modules/cft-admins 10 | .github/CODEOWNERS @terraform-google-modules/cft-admins 11 | docs/CODEOWNERS @terraform-google-modules/cft-admins 12 | 13 | -------------------------------------------------------------------------------- /build/lint.cloudbuild.yaml: -------------------------------------------------------------------------------- 1 
| # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | steps: 16 | - name: 'gcr.io/cloud-foundation-cicd/cft/developer-tools:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' 17 | id: 'lint' 18 | args: ['/usr/local/bin/test_lint.sh'] 19 | tags: 20 | - 'ci' 21 | - 'lint' 22 | substitutions: 23 | _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' 24 | _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.25' 25 | -------------------------------------------------------------------------------- /docs/upgrading_to_v10.0.md: -------------------------------------------------------------------------------- 1 | # Upgrading to v10.0 2 | 3 | The v10.0 release of *bootstrap* is a backwards incompatible release. 4 | 5 | ## Google Cloud Provider Workflow deletion protection 6 | 7 | The field `deletion_protection` was added to the [google_workflows_workflow](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/workflows_workflow) resource with default value of `true` in Google Cloud Platform Provider v6+. 8 | 9 | To maintain the old behavior in the module [Cloud Build Builder](../modules/tf_cloudbuild_builder/README.md), which creates a workflow, set the new variable `workflow_deletion_protection` to `false`. 
10 | 11 | 12 | ```diff 13 | module "tf_cloudbuild_builder" { 14 | source = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_builder" 15 | - version = "~> 9.0" 16 | + version = "~> 10.0" 17 | 18 | + workflow_deletion_protection = false 19 | ``` 20 | -------------------------------------------------------------------------------- /docs/upgrading_to_v5.0.md: -------------------------------------------------------------------------------- 1 | # Upgrading to v5.0 2 | 3 | The v5.0 release of *bootstrap* is a backwards incompatible release. 4 | 5 | ## Terraform Validator < `v0.6.0` no longer supported 6 | 7 | TFV versions older than `v0.6.0` are no longer supported. New default version is `v0.6.0`. 8 | 9 | ## KMS Resources in CloudBuild sub-module have been removed 10 | 11 | [KMS Resources](https://github.com/terraform-google-modules/terraform-google-bootstrap/blob/2b9bf2cdfa99ef098b4816a941733d34b023e45b/modules/cloudbuild/main.tf#L85-L128) in the CloudBuild sub-module have been removed. To preserve these resources, add the resources out of band from the module and [move resource addresses](https://www.terraform.io/cli/commands/state/mv) in the TF state. 12 | 13 | For instance, to preserve the `google_kms_key_ring` resource if you have instantiated the module as below: 14 | 15 | ```tf 16 | module "cloudbuild_bootstrap" { 17 | source = "terraform-google-modules/bootstrap/google//modules/cloudbuild" 18 | version = "~> 4.0" 19 | default_region = var.default_region 20 | ... 21 | } 22 | ``` 23 | 24 | You can add this resource in your root configuration alongside the new version of the module. 25 | 26 | ```diff 27 | module "cloudbuild_bootstrap" { 28 | source = "terraform-google-modules/bootstrap/google//modules/cloudbuild" 29 | - version = "~> 4.0" 30 | + version = "~> 5.0" 31 | default_region = var.default_region 32 | ... 
33 | } 34 | 35 | +resource "google_kms_key_ring" "tf_keyring" { 36 | + project = module.cloudbuild_bootstrap.cloudbuild_project_id 37 | + name = "tf-keyring" 38 | + location = var.default_region 39 | } 40 | ``` 41 | 42 | Now you can migrate this resource from the module to the newly added `google_kms_key_ring` config. 43 | 44 | ```bash 45 | tf state mv module.cloudbuild_bootstrap.google_kms_key_ring.tf_keyring google_kms_key_ring.tf_keyring 46 | ``` 47 | 48 | Repeat this step for each remaining KMS resource, such as `google_kms_crypto_key` and `google_kms_crypto_key_iam_binding`. 49 | -------------------------------------------------------------------------------- /docs/upgrading_to_v6.0.md: -------------------------------------------------------------------------------- 1 | # Upgrading to v6.0 2 | 3 | ## Terraform Validator is migrated to gcloud terraform-tools component 4 | 5 | terraform-validator has been migrated to [`gcloud beta terraform vet`](https://cloud.google.com/docs/terraform/policy-validation). 6 | -------------------------------------------------------------------------------- /examples/cloudbuild_enabled/cloudbuild-tf-apply.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | timeout: 1200s 16 | steps: 17 | # terraform init -input=false 18 | - name: gcr.io/$PROJECT_ID/terraform 19 | args: 20 | - init 21 | - -input=false 22 | # terraform validate 23 | - name: gcr.io/$PROJECT_ID/terraform 24 | args: 25 | - validate 26 | # terraform plan -input=false -out=tfplan 27 | - name: gcr.io/$PROJECT_ID/terraform 28 | args: 29 | - plan 30 | - -input=false 31 | - -out=tfplan 32 | # terraform apply -auto-approve -input=false tfplan 33 | - name: gcr.io/$PROJECT_ID/terraform 34 | args: 35 | - apply 36 | - -auto-approve 37 | - -input=false 38 | - tfplan 39 | artifacts: 40 | objects: 41 | location: 'gs://${_ARTIFACT_BUCKET_NAME}/terraform/cloudbuild/apply/$BUILD_ID' 42 | paths: ['cloudbuild-tf-apply.yaml', 'tfplan'] 43 | -------------------------------------------------------------------------------- /examples/cloudbuild_enabled/cloudbuild-tf-plan.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | timeout: 1200s 16 | steps: 17 | # terraform init -input=false 18 | - name: gcr.io/$PROJECT_ID/terraform 19 | args: 20 | - init 21 | - -input=false 22 | # terraform validate 23 | - name: gcr.io/$PROJECT_ID/terraform 24 | args: 25 | - validate 26 | # terraform plan -input=false -out=tfplan 27 | - name: gcr.io/$PROJECT_ID/terraform 28 | args: 29 | - plan 30 | - -input=false 31 | - -out=tfplan 32 | artifacts: 33 | objects: 34 | location: 'gs://${_ARTIFACT_BUCKET_NAME}/terraform/cloudbuild/plan/$BUILD_ID' 35 | paths: ['cloudbuild-tf-plan.yaml', 'tfplan'] 36 | -------------------------------------------------------------------------------- /examples/cloudbuild_enabled/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | /************************************************* 18 | Bootstrap GCP Organization. 
19 | *************************************************/ 20 | 21 | module "seed_bootstrap" { 22 | source = "terraform-google-modules/bootstrap/google" 23 | version = "~> 11.0" 24 | 25 | org_id = var.org_id 26 | billing_account = var.billing_account 27 | group_org_admins = var.group_org_admins 28 | group_billing_admins = var.group_billing_admins 29 | default_region = var.default_region 30 | org_project_creators = var.org_project_creators 31 | sa_enable_impersonation = true 32 | project_prefix = var.project_prefix 33 | force_destroy = var.force_destroy 34 | project_deletion_policy = var.project_deletion_policy 35 | } 36 | 37 | module "cloudbuild_bootstrap" { 38 | source = "terraform-google-modules/bootstrap/google//modules/cloudbuild" 39 | version = "~> 11.0" 40 | 41 | org_id = var.org_id 42 | billing_account = var.billing_account 43 | group_org_admins = var.group_org_admins 44 | default_region = var.default_region 45 | sa_enable_impersonation = true 46 | terraform_sa_email = module.seed_bootstrap.terraform_sa_email 47 | terraform_sa_name = module.seed_bootstrap.terraform_sa_name 48 | terraform_state_bucket = module.seed_bootstrap.gcs_bucket_tfstate 49 | project_prefix = var.project_prefix 50 | force_destroy = var.force_destroy 51 | project_deletion_policy = var.project_deletion_policy 52 | } 53 | -------------------------------------------------------------------------------- /examples/cloudbuild_enabled/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "org_id" { 18 | description = "GCP Organization ID" 19 | type = string 20 | } 21 | 22 | variable "billing_account" { 23 | description = "The ID of the billing account to associate projects with." 24 | type = string 25 | } 26 | 27 | variable "group_org_admins" { 28 | description = "Google Group for GCP Organization Administrators" 29 | type = string 30 | } 31 | 32 | variable "group_billing_admins" { 33 | description = "Google Group for GCP Billing Administrators" 34 | type = string 35 | } 36 | 37 | variable "default_region" { 38 | description = "Default region to create resources where applicable." 39 | type = string 40 | default = "us-central1" 41 | } 42 | 43 | variable "org_project_creators" { 44 | description = "Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required." 45 | type = list(string) 46 | default = [] 47 | } 48 | 49 | variable "project_prefix" { 50 | description = "Name prefix to use for projects created." 51 | default = "cft" 52 | type = string 53 | } 54 | 55 | variable "force_destroy" { 56 | description = "If supplied, the logs and artifacts buckets will be deleted even while containing objects." 57 | type = bool 58 | default = false 59 | } 60 | 61 | variable "project_deletion_policy" { 62 | description = "The deletion policy for the project created." 
63 | type = string 64 | default = "PREVENT" 65 | } 66 | -------------------------------------------------------------------------------- /examples/cloudbuild_repo_connection_github/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | module "git_repo_connection" { 18 | source = "terraform-google-modules/bootstrap/google//modules/cloudbuild_repo_connection" 19 | version = "~> 11.0" 20 | 21 | project_id = var.project_id 22 | connection_config = { 23 | connection_type = "GITHUBv2" 24 | github_secret_id = var.github_pat_secret_id 25 | github_app_id_secret_id = var.github_app_id_secret_id 26 | } 27 | 28 | cloud_build_repositories = { 29 | "test_repo" = { 30 | repository_name = var.repository_name 31 | repository_url = var.repository_url 32 | }, 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /examples/cloudbuild_repo_connection_github/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "cloud_build_repositories_2nd_gen_connection" { 18 | description = "Cloudbuild connection created." 19 | value = module.git_repo_connection.cloud_build_repositories_2nd_gen_connection 20 | } 21 | 22 | output "cloud_build_repositories_2nd_gen_repositories" { 23 | description = "Created repositories." 24 | value = module.git_repo_connection.cloud_build_repositories_2nd_gen_repositories 25 | } 26 | 27 | -------------------------------------------------------------------------------- /examples/cloudbuild_repo_connection_github/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources." 
19 | type = string 20 | } 21 | 22 | variable "github_pat_secret_id" { 23 | description = "The secret ID for the personal access token for authenticating with GitHub." 24 | type = string 25 | } 26 | 27 | variable "github_app_id_secret_id" { 28 | description = "The secret ID for the application ID for the Cloudbuild GitHub app." 29 | type = string 30 | } 31 | 32 | variable "repository_url" { 33 | description = "The HTTPS clone URL of the repository, ending with .git." 34 | type = string 35 | } 36 | 37 | variable "repository_name" { 38 | description = "The name of the test repository." 39 | type = string 40 | } 41 | -------------------------------------------------------------------------------- /examples/cloudbuild_repo_connection_gitlab/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | module "git_repo_connection" { 18 | source = "terraform-google-modules/bootstrap/google//modules/cloudbuild_repo_connection" 19 | version = "~> 11.0" 20 | 21 | project_id = var.project_id 22 | connection_config = { 23 | connection_type = "GITLABv2" 24 | gitlab_authorizer_credential_secret_id = var.gitlab_authorizer_secret_id 25 | gitlab_read_authorizer_credential_secret_id = var.gitlab_read_authorizer_secret_id 26 | gitlab_webhook_secret_id = var.gitlab_webhook_secret_id 27 | } 28 | 29 | cloud_build_repositories = { 30 | "test_repo" = { 31 | repository_name = var.repository_name 32 | repository_url = var.repository_url 33 | }, 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /examples/cloudbuild_repo_connection_gitlab/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "cloud_build_repositories_2nd_gen_connection" { 18 | description = "Cloudbuild connection created." 19 | value = module.git_repo_connection.cloud_build_repositories_2nd_gen_connection 20 | } 21 | 22 | output "cloud_build_repositories_2nd_gen_repositories" { 23 | description = "Created repositories." 
24 | value = module.git_repo_connection.cloud_build_repositories_2nd_gen_repositories 25 | } 26 | -------------------------------------------------------------------------------- /examples/cloudbuild_repo_connection_gitlab/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources." 19 | type = string 20 | } 21 | 22 | variable "repository_url" { 23 | description = "The HTTPS clone URL of the repository, ending with .git." 24 | type = string 25 | } 26 | 27 | variable "repository_name" { 28 | description = "The name of the test repository." 
29 | type = string 30 | } 31 | 32 | variable "gitlab_authorizer_secret_id" { 33 | description = "The secret ID for the credential for GitLab authorizer" 34 | type = string 35 | } 36 | 37 | variable "gitlab_read_authorizer_secret_id" { 38 | description = "The secret ID for the credential for GitLab read authorizer" 39 | type = string 40 | } 41 | 42 | variable "gitlab_webhook_secret_id" { 43 | description = "The secret ID for the WebHook for GitLab" 44 | type = string 45 | } 46 | -------------------------------------------------------------------------------- /examples/im_cloudbuild_workspace_github/README.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | This example demonstrates the simplest usage of the [im_cloudbuild_workspace](../../modules/im_cloudbuild_workspace/) module. 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | im\_github\_pat | GitHub personal access token. | `string` | n/a | yes | 11 | | project\_id | The ID of the project in which to provision resources. | `string` | n/a | yes | 12 | | repository\_url | The URI of the repo where the Terraform configs are stored. | `string` | n/a | yes | 13 | 14 | ## Outputs 15 | 16 | | Name | Description | 17 | |------|-------------| 18 | | cloudbuild\_apply\_trigger\_id | Trigger used for running IM apply | 19 | | cloudbuild\_preview\_trigger\_id | Trigger used for creating IM previews | 20 | | cloudbuild\_sa | Service account used by the Cloud Build triggers | 21 | | github\_secret\_id | The secret ID for the GitHub secret containing the personal access token. 
| 22 | | infra\_manager\_sa | Service account used by Infrastructure Manager | 23 | | project\_id | n/a | 24 | 25 | 26 | -------------------------------------------------------------------------------- /examples/im_cloudbuild_workspace_github/apis.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | module "enabled_google_apis" { 18 | source = "terraform-google-modules/project-factory/google//modules/project_services" 19 | version = "~> 18.0" 20 | 21 | project_id = var.project_id 22 | disable_services_on_destroy = false 23 | 24 | activate_apis = [ 25 | "iam.googleapis.com", 26 | "secretmanager.googleapis.com", 27 | "compute.googleapis.com", 28 | "cloudbuild.googleapis.com", 29 | "config.googleapis.com", 30 | ] 31 | } 32 | -------------------------------------------------------------------------------- /examples/im_cloudbuild_workspace_github/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | module "im_workspace" { 18 | source = "terraform-google-modules/bootstrap/google//modules/im_cloudbuild_workspace" 19 | version = "~> 11.0" 20 | 21 | project_id = var.project_id 22 | deployment_id = "im-example-github-deployment" 23 | 24 | tf_repo_type = "GITHUB" 25 | im_deployment_repo_uri = var.repository_url 26 | im_deployment_ref = "main" 27 | im_tf_variables = "project_id=${var.project_id}" 28 | infra_manager_sa_roles = ["roles/compute.networkAdmin"] 29 | tf_version = "1.5.7" 30 | 31 | // Found in the URL of your Cloud Build GitHub app configuration settings 32 | // https://cloud.google.com/build/docs/automating-builds/github/connect-repo-github?generation=2nd-gen#connecting_a_github_host_programmatically 33 | github_app_installation_id = "47590865" 34 | github_personal_access_token = var.im_github_pat 35 | } 36 | -------------------------------------------------------------------------------- /examples/im_cloudbuild_workspace_github/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "project_id" { 18 | value = var.project_id 19 | } 20 | 21 | output "cloudbuild_preview_trigger_id" { 22 | description = "Trigger used for creating IM previews" 23 | value = module.im_workspace.cloudbuild_preview_trigger_id 24 | } 25 | 26 | output "cloudbuild_apply_trigger_id" { 27 | description = "Trigger used for running IM apply" 28 | value = module.im_workspace.cloudbuild_apply_trigger_id 29 | } 30 | 31 | output "cloudbuild_sa" { 32 | description = "Service account used by the Cloud Build triggers" 33 | value = module.im_workspace.cloudbuild_sa 34 | } 35 | 36 | output "infra_manager_sa" { 37 | description = "Service account used by Infrastructure Manager" 38 | value = module.im_workspace.infra_manager_sa 39 | } 40 | 41 | output "github_secret_id" { 42 | description = "The secret ID for the GitHub secret containing the personal access token." 43 | value = module.im_workspace.github_secret_id 44 | sensitive = true 45 | } 46 | -------------------------------------------------------------------------------- /examples/im_cloudbuild_workspace_github/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources." 19 | type = string 20 | } 21 | 22 | variable "repository_url" { 23 | description = "The URI of the repo where the Terraform configs are stored." 24 | type = string 25 | } 26 | 27 | variable "im_github_pat" { 28 | description = "GitHub personal access token." 29 | type = string 30 | sensitive = true 31 | } 32 | -------------------------------------------------------------------------------- /examples/im_cloudbuild_workspace_gitlab/README.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | This example demonstrates the simplest usage of the [im_cloudbuild_workspace](../../modules/im_cloudbuild_workspace/) module. 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | im\_gitlab\_pat | GitLab personal access token. | `string` | n/a | yes | 11 | | project\_id | The ID of the project in which to provision resources. | `string` | n/a | yes | 12 | | repository\_url | The URI of the repo where the Terraform configs are stored. 
| `string` | n/a | yes | 13 | 14 | ## Outputs 15 | 16 | | Name | Description | 17 | |------|-------------| 18 | | cloudbuild\_apply\_trigger\_id | Trigger used for running IM apply | 19 | | cloudbuild\_preview\_trigger\_id | Trigger used for creating IM previews | 20 | | cloudbuild\_sa | Service account used by the Cloud Build triggers | 21 | | gitlab\_api\_secret\_id | The secret ID for the secret containing the GitLab api access token. | 22 | | gitlab\_read\_api\_secret\_id | The secret ID for the secret containing the GitLab read api access token. | 23 | | infra\_manager\_sa | Service account used by Infrastructure Manager | 24 | | project\_id | n/a | 25 | 26 | 27 | -------------------------------------------------------------------------------- /examples/im_cloudbuild_workspace_gitlab/apis.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | module "enabled_google_apis" { 18 | source = "terraform-google-modules/project-factory/google//modules/project_services" 19 | version = "~> 18.0" 20 | 21 | project_id = var.project_id 22 | disable_services_on_destroy = false 23 | 24 | activate_apis = [ 25 | "iam.googleapis.com", 26 | "compute.googleapis.com", 27 | "cloudbuild.googleapis.com", 28 | "config.googleapis.com", 29 | ] 30 | } 31 | -------------------------------------------------------------------------------- /examples/im_cloudbuild_workspace_gitlab/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
*/

// Example wiring of the im_cloudbuild_workspace module against a
// GitLab-hosted Terraform repository.
module "im_workspace" {
  source  = "terraform-google-modules/bootstrap/google//modules/im_cloudbuild_workspace"
  version = "~> 11.0"

  project_id    = var.project_id
  deployment_id = "im-example-gitlab-deployment"

  tf_repo_type           = "GITLAB"
  im_deployment_repo_uri = var.repository_url
  im_deployment_ref      = "main"
  // Looks like a key=value assignment handed to the Terraform run — confirm
  // the expected format against the module docs.
  im_tf_variables        = "project_id=${var.project_id}"
  // Roles bound to the Infrastructure Manager service account; presumably the
  // minimum this example's deployment needs — trim to what your own configs require.
  infra_manager_sa_roles = ["roles/compute.networkAdmin"]
  tf_version             = "1.5.7"

  // NOTE(review): the same personal access token is supplied for both the
  // API and the read-API credential. The module takes them as separate inputs,
  // so a real deployment should hand gitlab_read_api_access_token a distinct
  // token carrying only read scope (least privilege); reusing the full-access
  // PAT is an example-only shortcut.
  gitlab_api_access_token      = var.im_gitlab_pat
  gitlab_read_api_access_token = var.im_gitlab_pat
}
-------------------------------------------------------------------------------- /examples/im_cloudbuild_workspace_gitlab/outputs.tf: --------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
15 | */ 16 | 17 | output "project_id" { 18 | value = var.project_id 19 | } 20 | 21 | output "cloudbuild_preview_trigger_id" { 22 | description = "Trigger used for creating IM previews" 23 | value = module.im_workspace.cloudbuild_preview_trigger_id 24 | } 25 | 26 | output "cloudbuild_apply_trigger_id" { 27 | description = "Trigger used for running IM apply" 28 | value = module.im_workspace.cloudbuild_apply_trigger_id 29 | } 30 | 31 | output "cloudbuild_sa" { 32 | description = "Service account used by the Cloud Build triggers" 33 | value = module.im_workspace.cloudbuild_sa 34 | } 35 | 36 | output "infra_manager_sa" { 37 | description = "Service account used by Infrastructure Manager" 38 | value = module.im_workspace.infra_manager_sa 39 | } 40 | 41 | output "gitlab_api_secret_id" { 42 | description = "The secret ID for the secret containing the GitLab api access token." 43 | value = module.im_workspace.gitlab_api_secret_id 44 | sensitive = true 45 | } 46 | 47 | output "gitlab_read_api_secret_id" { 48 | description = "The secret ID for the secret containing the GitLab read api access token." 49 | value = module.im_workspace.gitlab_read_api_secret_id 50 | sensitive = true 51 | } 52 | -------------------------------------------------------------------------------- /examples/im_cloudbuild_workspace_gitlab/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources." 19 | type = string 20 | } 21 | 22 | variable "repository_url" { 23 | description = "The URI of the repo where the Terraform configs are stored." 24 | type = string 25 | } 26 | 27 | variable "im_gitlab_pat" { 28 | description = "GitLab personal access token." 29 | type = string 30 | sensitive = true 31 | } 32 | -------------------------------------------------------------------------------- /examples/simple-folder/README.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | This example demonstrates the simplest usage of the GCP organization bootstrap module targeting a folder. 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | billing\_account | The ID of the billing account to associate projects with. | `string` | n/a | yes | 11 | | default\_region | Default region to create resources where applicable. | `string` | `"us-central1"` | no | 12 | | group\_billing\_admins | Google Group for GCP Billing Administrators | `string` | n/a | yes | 13 | | group\_org\_admins | Google Group for GCP Organization Administrators | `string` | n/a | yes | 14 | | org\_id | GCP Organization ID | `string` | n/a | yes | 15 | | org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | `list(string)` | `[]` | no | 16 | | parent | GCP parent folder id of form folders/{id} | `string` | n/a | yes | 17 | | project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no | 18 | | project\_prefix | Name prefix to use for projects created. 
| `string` | `"cft"` | no | 19 | 20 | ## Outputs 21 | 22 | | Name | Description | 23 | |------|-------------| 24 | | gcs\_bucket\_tfstate | Bucket used for storing terraform state for foundations pipelines in seed project. | 25 | | seed\_project\_id | Project where service accounts and core APIs will be enabled. | 26 | | terraform\_sa\_email | Email for privileged service account for Terraform. | 27 | | terraform\_sa\_name | Fully qualified name for privileged service account for Terraform. | 28 | 29 | 30 | -------------------------------------------------------------------------------- /examples/simple-folder/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | /************************************************* 18 | Bootstrap GCP Folder. 
19 | *************************************************/ 20 | 21 | module "seed_bootstrap" { 22 | source = "terraform-google-modules/bootstrap/google" 23 | version = "~> 11.0" 24 | 25 | org_id = var.org_id 26 | parent_folder = var.parent 27 | billing_account = var.billing_account 28 | group_org_admins = var.group_org_admins 29 | group_billing_admins = var.group_billing_admins 30 | default_region = var.default_region 31 | org_project_creators = var.org_project_creators 32 | project_prefix = var.project_prefix 33 | project_deletion_policy = var.project_deletion_policy 34 | } 35 | -------------------------------------------------------------------------------- /examples/simple-folder/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "seed_project_id" { 18 | description = "Project where service accounts and core APIs will be enabled." 19 | value = module.seed_bootstrap.seed_project_id 20 | } 21 | 22 | output "terraform_sa_email" { 23 | description = "Email for privileged service account for Terraform." 24 | value = module.seed_bootstrap.terraform_sa_email 25 | } 26 | 27 | output "terraform_sa_name" { 28 | description = "Fully qualified name for privileged service account for Terraform." 
29 | value = module.seed_bootstrap.terraform_sa_name 30 | } 31 | 32 | output "gcs_bucket_tfstate" { 33 | description = "Bucket used for storing terraform state for foundations pipelines in seed project." 34 | value = module.seed_bootstrap.gcs_bucket_tfstate 35 | } 36 | -------------------------------------------------------------------------------- /examples/simple-folder/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "org_id" { 18 | description = "GCP Organization ID" 19 | type = string 20 | } 21 | 22 | variable "parent" { 23 | description = "GCP parent folder id of form folders/{id}" 24 | type = string 25 | } 26 | 27 | variable "billing_account" { 28 | description = "The ID of the billing account to associate projects with." 29 | type = string 30 | } 31 | 32 | variable "group_org_admins" { 33 | description = "Google Group for GCP Organization Administrators" 34 | type = string 35 | } 36 | 37 | variable "group_billing_admins" { 38 | description = "Google Group for GCP Billing Administrators" 39 | type = string 40 | } 41 | 42 | variable "default_region" { 43 | description = "Default region to create resources where applicable." 
44 | type = string 45 | default = "us-central1" 46 | } 47 | 48 | variable "org_project_creators" { 49 | description = "Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required." 50 | type = list(string) 51 | default = [] 52 | } 53 | 54 | variable "project_prefix" { 55 | description = "Name prefix to use for projects created." 56 | default = "cft" 57 | type = string 58 | } 59 | 60 | variable "project_deletion_policy" { 61 | description = "The deletion policy for the project created." 62 | type = string 63 | default = "PREVENT" 64 | } 65 | -------------------------------------------------------------------------------- /examples/simple/README.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | This example demonstrates the simplest usage of the GCP organization bootstrap module, accepting default values for the module variables. 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | billing\_account | The ID of the billing account to associate projects with. | `string` | n/a | yes | 11 | | default\_region | Default region to create resources where applicable. | `string` | `"us-central1"` | no | 12 | | group\_billing\_admins | Google Group for GCP Billing Administrators | `string` | n/a | yes | 13 | | group\_org\_admins | Google Group for GCP Organization Administrators | `string` | n/a | yes | 14 | | org\_id | GCP Organization ID | `string` | n/a | yes | 15 | | org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | `list(string)` | `[]` | no | 16 | | project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no | 17 | | project\_prefix | Name prefix to use for projects created. 
| `string` | `"cft"` | no | 18 | 19 | ## Outputs 20 | 21 | | Name | Description | 22 | |------|-------------| 23 | | gcs\_bucket\_tfstate | Bucket used for storing terraform state for foundations pipelines in seed project. | 24 | | seed\_project\_id | Project where service accounts and core APIs will be enabled. | 25 | | terraform\_sa\_email | Email for privileged service account for Terraform. | 26 | | terraform\_sa\_name | Fully qualified name for privileged service account for Terraform. | 27 | 28 | 29 | -------------------------------------------------------------------------------- /examples/simple/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | /************************************************* 18 | Bootstrap GCP Organization. 
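*************************************************/

# Minimal invocation of the root bootstrap module: creates the seed project,
# the privileged Terraform service account and the state bucket.
module "seed_bootstrap" {
  source  = "terraform-google-modules/bootstrap/google"
  version = "~> 11.0"

  org_id                  = var.org_id
  billing_account         = var.billing_account
  group_org_admins        = var.group_org_admins
  group_billing_admins    = var.group_billing_admins
  default_region          = var.default_region
  org_project_creators    = var.org_project_creators
  project_prefix          = var.project_prefix
  project_deletion_policy = var.project_deletion_policy
}
--------------------------------------------------------------------------------
/examples/simple/outputs.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2019 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

output "seed_project_id" {
  description = "Project where service accounts and core APIs will be enabled."
  value       = module.seed_bootstrap.seed_project_id
}

# The two service-account outputs are identifiers only (email / resource name);
# no key material is exported by this example.
output "terraform_sa_email" {
  description = "Email for privileged service account for Terraform."
  value       = module.seed_bootstrap.terraform_sa_email
}

output "terraform_sa_name" {
  description = "Fully qualified name for privileged service account for Terraform."
  value       = module.seed_bootstrap.terraform_sa_name
}

output "gcs_bucket_tfstate" {
  description = "Bucket used for storing terraform state for foundations pipelines in seed project."
  value       = module.seed_bootstrap.gcs_bucket_tfstate
}
--------------------------------------------------------------------------------
/examples/simple/variables.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2019 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

variable "org_id" {
  description = "GCP Organization ID"
  type        = string
}

variable "billing_account" {
  description = "The ID of the billing account to associate projects with."
  type        = string
}

variable "group_org_admins" {
  description = "Google Group for GCP Organization Administrators"
  type        = string
}

variable "group_billing_admins" {
  description = "Google Group for GCP Billing Administrators"
  type        = string
}

variable "default_region" {
  description = "Default region to create resources where applicable."
  type        = string
  default     = "us-central1"
}

variable "org_project_creators" {
  description = "Additional list of members to have project creator role across the organization. Prefix of group: user: or serviceAccount: is required."
  type        = list(string)
  default     = []

  # Enforce the documented member-prefix contract at plan time. Each entry is
  # bound to roles/resourcemanager.projectCreator org-wide, so an unprefixed or
  # mistyped principal should be rejected before anything is applied.
  validation {
    condition = alltrue([
      for member in var.org_project_creators : can(regex("^(group|user|serviceAccount):", member))
    ])
    error_message = "Each entry in org_project_creators must be prefixed with group:, user: or serviceAccount:."
  }
}

variable "project_prefix" {
  description = "Name prefix to use for projects created."
  default     = "cft"
  type        = string
}

variable "project_deletion_policy" {
  description = "The deletion policy for the project created."
  type        = string
  default     = "PREVENT"

  # Restrict to the values the google_project resource accepts; PREVENT (the
  # default) keeps a plain `terraform destroy` from deleting the seed project.
  validation {
    condition     = contains(["PREVENT", "DELETE", "ABANDON"], var.project_deletion_policy)
    error_message = "project_deletion_policy must be one of PREVENT, DELETE or ABANDON."
  }
}
--------------------------------------------------------------------------------
/examples/tf_cloudbuild_builder_simple/Dockerfile:
--------------------------------------------------------------------------------
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.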
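# NOTE(review): the base image is pulled by floating tag. Pin it by digest
# (FROM gcr.io/cloud-builders/gcloud-slim@sha256:...) once a build has been
# vetted, so the scheduled rebuilds of this builder are reproducible.
FROM gcr.io/cloud-builders/gcloud-slim

# Use ARG so that values can be overridden by user/cloudbuild
ARG TERRAFORM_VERSION=1.1.0

# Primary-key fingerprint of the HashiCorp release-signing key. The key itself
# is fetched from keybase.io below; pinning the fingerprint here means a swapped
# key on that endpoint cannot make the signature check succeed.
# Cross-check against https://www.hashicorp.com/security before changing it.
ARG HASHICORP_GPG_FINGERPRINT=C874011F0AB405110D02105534365D9472D7468F

ENV ENV_TERRAFORM_VERSION=$TERRAFORM_VERSION

# Download chain: curl -fsSL fails on HTTP errors (instead of saving an error
# page as the artifact) and follows redirects. The SHA256SUMS file is verified
# against the pinned key via VALIDSIG (its last field is the primary-key
# fingerprint of the signer), then the zip is checked against the sums.
# Signature and key material are removed afterwards so they do not ship in
# the image.
RUN apt-get update && \
    /builder/google-cloud-sdk/bin/gcloud -q components install alpha beta terraform-tools && \
    apt-get -y install curl jq unzip git ca-certificates gnupg && \
    curl -fsSL https://releases.hashicorp.com/terraform/${ENV_TERRAFORM_VERSION}/terraform_${ENV_TERRAFORM_VERSION}_linux_amd64.zip --output terraform_${ENV_TERRAFORM_VERSION}_linux_amd64.zip && \
    curl -fsSL https://releases.hashicorp.com/terraform/${ENV_TERRAFORM_VERSION}/terraform_${ENV_TERRAFORM_VERSION}_SHA256SUMS.sig --output terraform_SHA256SUMS.sig && \
    curl -fsSL https://releases.hashicorp.com/terraform/${ENV_TERRAFORM_VERSION}/terraform_${ENV_TERRAFORM_VERSION}_SHA256SUMS --output terraform_SHA256SUMS && \
    curl -fsSL https://keybase.io/hashicorp/pgp_keys.asc --output pgp_keys.asc && \
    gpg --batch --import pgp_keys.asc && \
    gpg --batch --status-fd 1 --verify terraform_SHA256SUMS.sig terraform_SHA256SUMS | grep -q "VALIDSIG .*${HASHICORP_GPG_FINGERPRINT}$" && \
    grep terraform_${ENV_TERRAFORM_VERSION}_linux_amd64.zip terraform_SHA256SUMS | shasum --algorithm 256 --check && \
    unzip terraform_${ENV_TERRAFORM_VERSION}_linux_amd64.zip -d /builder/terraform && \
    rm -f terraform_${ENV_TERRAFORM_VERSION}_linux_amd64.zip terraform_SHA256SUMS terraform_SHA256SUMS.sig pgp_keys.asc && \
    apt-get --purge -y autoremove && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

ENV PATH=/builder/terraform/:$PATH
ENTRYPOINT ["terraform"]
--------------------------------------------------------------------------------
/examples/tf_cloudbuild_builder_simple/README.md:
--------------------------------------------------------------------------------
## Overview

This example demonstrates the simplest usage of the [tf_cloudbuild_builder](../../modules/tf_cloudbuild_builder/) module.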
4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | project\_id | n/a | `string` | `"test-builder-workflow-4"` | no | 11 | 12 | ## Outputs 13 | 14 | | Name | Description | 15 | |------|-------------| 16 | | artifact\_repo | GAR Repo created to store TF Cloud Builder images | 17 | | cloudbuild\_trigger\_id | Trigger used for building new TF Builder | 18 | | csr\_repo\_url | CSR repo for storing cloudbuilder Dockerfile | 19 | | project\_id | n/a | 20 | | scheduler\_id | Scheduler ID for periodically triggering TF Builder build Workflow | 21 | | workflow\_id | Workflow ID for triggering new TF Builder build | 22 | 23 | 24 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_builder_simple/apis.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2022 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | module "enabled_google_apis" { 18 | source = "terraform-google-modules/project-factory/google//modules/project_services" 19 | version = "~> 18.0" 20 | 21 | project_id = var.project_id 22 | disable_services_on_destroy = false 23 | 24 | activate_apis = [ 25 | "iam.googleapis.com", 26 | "compute.googleapis.com", 27 | "sourcerepo.googleapis.com", 28 | "workflows.googleapis.com", 29 | "artifactregistry.googleapis.com", 30 | "cloudbuild.googleapis.com", 31 | "cloudscheduler.googleapis.com" 32 | ] 33 | } 34 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_builder_simple/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2022 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
*/

# Builds and publishes the Terraform Cloud Build builder image; the module
# wires together the GAR repo, the build trigger, the workflow and the
# scheduler surfaced in outputs.tf.
module "cloudbuilder" {
  source  = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_builder"
  version = "~> 11.0"

  project_id = module.enabled_google_apis.project_id
  # The trigger builds from the CSR repo declared below.
  dockerfile_repo_uri = google_sourcerepo_repository.builder_dockerfile_repo.url
  trigger_location    = "us-central1"
  gar_repo_location   = "us-central1"
  build_timeout       = "1200s"
  # allow logs bucket to be destroyed
  # NOTE(review): fine for this disposable example; for a long-lived builder
  # keep the module default so build logs survive a plain `terraform destroy`.
  cb_logs_bucket_force_destroy = true
  # allow workflow to be destroyed
  workflow_deletion_protection = false
}

# CSR for storing Dockerfile
# NOTE(review): Cloud Source Repositories is no longer offered to new
# customers — confirm the target project can still create CSR repos, or use
# the _github / _gitlab variants of this example.
resource "google_sourcerepo_repository" "builder_dockerfile_repo" {
  project = module.enabled_google_apis.project_id
  name    = "tf-cloudbuilder"
}

# Bootstrap CSR with Dockerfile
# Runs scripts/push-to-repo.sh at create time with
# "<project-id> <repo-name> <path to ./Dockerfile>"; the repo name is the
# fourth segment of the repository id. Ordered after the builder module via
# module_depends_on so the commit lands only once the builder resources exist.
module "bootstrap_csr_repo" {
  source  = "terraform-google-modules/gcloud/google"
  version = "~> 3.1"

  upgrade           = false
  module_depends_on = [module.cloudbuilder]

  create_cmd_entrypoint = "${path.module}/scripts/push-to-repo.sh"
  create_cmd_body       = "${module.enabled_google_apis.project_id} ${split("/", google_sourcerepo_repository.builder_dockerfile_repo.id)[3]} ${path.module}/Dockerfile"
}
--------------------------------------------------------------------------------
/examples/tf_cloudbuild_builder_simple/outputs.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2022 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "artifact_repo" { 18 | description = "GAR Repo created to store TF Cloud Builder images" 19 | value = module.cloudbuilder.artifact_repo 20 | } 21 | 22 | output "workflow_id" { 23 | description = "Workflow ID for triggering new TF Builder build" 24 | value = module.cloudbuilder.workflow_id 25 | } 26 | 27 | output "scheduler_id" { 28 | description = "Scheduler ID for periodically triggering TF Builder build Workflow" 29 | value = module.cloudbuilder.scheduler_id 30 | } 31 | 32 | output "cloudbuild_trigger_id" { 33 | description = "Trigger used for building new TF Builder" 34 | value = module.cloudbuilder.cloudbuild_trigger_id 35 | } 36 | 37 | output "csr_repo_url" { 38 | description = "CSR repo for storing cloudbuilder Dockerfile" 39 | value = google_sourcerepo_repository.builder_dockerfile_repo.url 40 | } 41 | 42 | output "project_id" { 43 | value = var.project_id 44 | } 45 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_builder_simple/scripts/push-to-repo.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Copyright 2022 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
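# Bootstraps a Cloud Source Repository with the builder Dockerfile.
#
# Usage: push-to-repo.sh <project-id> <csr-repo-name> <path-to-Dockerfile>
#
# -e: stop at the first failing command; -u: unset variables are errors;
# -x: echo commands (safe here — no secret is passed as an argument, auth is
# handled by the gcloud credential helper); -o pipefail: a failure inside a
# pipeline is not masked by a later stage.
set -eux -o pipefail

if [ "$#" -lt 3 ]; then
  >&2 echo "Not all expected arguments set."
  exit 1
fi

CSR_PROJECT_ID=$1
CSR_NAME=$2
DOCKERFILE_PATH=$3

# Clone into a temp dir that is removed on exit (success or failure) so the
# checkout does not linger on the machine running terraform.
tmp_dir=$(mktemp -d)
trap 'rm -rf "$tmp_dir"' EXIT
gcloud source repos clone "${CSR_NAME}" "${tmp_dir}" --project "${CSR_PROJECT_ID}"
cp "${DOCKERFILE_PATH}" "${tmp_dir}"
pushd "${tmp_dir}"
git config credential.helper gcloud.sh
git config init.defaultBranch main
git config user.email "terraform-robot@example.com"
git config user.name "TF Robot"
git checkout main || git checkout -b main
git add Dockerfile

# Only commit when the Dockerfile actually changed, so re-running the module
# (a second `terraform apply`) does not fail on an empty commit.
if [ -z "$(git status --porcelain)" ]; then
  echo "No changes to commit. Nothing to do."
else
  echo "Changes detected. Attempting to commit..."
  git commit -m "init tf dockerfile"
  # No --force: the commit sits on top of the freshly cloned main, so this is
  # a fast-forward; a forced push would silently discard any history pushed
  # by someone else in the meantime.
  git push origin main
fi
--------------------------------------------------------------------------------
/examples/tf_cloudbuild_builder_simple/variables.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2022 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.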
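*/

variable "project_id" {
  description = "The ID of the project in which to provision the builder resources. The default is a test fixture; override it for real use."
  type        = string
  default     = "test-builder-workflow-4"
}
--------------------------------------------------------------------------------
/examples/tf_cloudbuild_builder_simple_github/Dockerfile:
--------------------------------------------------------------------------------
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# NOTE(review): the base image is pulled by floating tag. Pin it by digest
# (FROM gcr.io/cloud-builders/gcloud-slim@sha256:...) once a build has been
# vetted, so the scheduled rebuilds of this builder are reproducible.
FROM gcr.io/cloud-builders/gcloud-slim

# Use ARG so that values can be overridden by user/cloudbuild
ARG TERRAFORM_VERSION=1.1.0

# Primary-key fingerprint of the HashiCorp release-signing key. The key itself
# is fetched from keybase.io below; pinning the fingerprint here means a swapped
# key on that endpoint cannot make the signature check succeed.
# Cross-check against https://www.hashicorp.com/security before changing it.
ARG HASHICORP_GPG_FINGERPRINT=C874011F0AB405110D02105534365D9472D7468F

ENV ENV_TERRAFORM_VERSION=$TERRAFORM_VERSION

# Download chain: curl -fsSL fails on HTTP errors (instead of saving an error
# page as the artifact) and follows redirects. The SHA256SUMS file is verified
# against the pinned key via VALIDSIG (its last field is the primary-key
# fingerprint of the signer), then the zip is checked against the sums.
# Signature and key material are removed afterwards so they do not ship in
# the image.
RUN apt-get update && \
    /builder/google-cloud-sdk/bin/gcloud -q components install alpha beta terraform-tools && \
    apt-get -y install curl jq unzip git ca-certificates gnupg && \
    curl -fsSL https://releases.hashicorp.com/terraform/${ENV_TERRAFORM_VERSION}/terraform_${ENV_TERRAFORM_VERSION}_linux_amd64.zip --output terraform_${ENV_TERRAFORM_VERSION}_linux_amd64.zip && \
    curl -fsSL https://releases.hashicorp.com/terraform/${ENV_TERRAFORM_VERSION}/terraform_${ENV_TERRAFORM_VERSION}_SHA256SUMS.sig --output terraform_SHA256SUMS.sig && \
    curl -fsSL https://releases.hashicorp.com/terraform/${ENV_TERRAFORM_VERSION}/terraform_${ENV_TERRAFORM_VERSION}_SHA256SUMS --output terraform_SHA256SUMS && \
    curl -fsSL https://keybase.io/hashicorp/pgp_keys.asc --output pgp_keys.asc && \
    gpg --batch --import pgp_keys.asc && \
    gpg --batch --status-fd 1 --verify terraform_SHA256SUMS.sig terraform_SHA256SUMS | grep -q "VALIDSIG .*${HASHICORP_GPG_FINGERPRINT}$" && \
    grep terraform_${ENV_TERRAFORM_VERSION}_linux_amd64.zip terraform_SHA256SUMS | shasum --algorithm 256 --check && \
    unzip terraform_${ENV_TERRAFORM_VERSION}_linux_amd64.zip -d /builder/terraform && \
    rm -f terraform_${ENV_TERRAFORM_VERSION}_linux_amd64.zip terraform_SHA256SUMS terraform_SHA256SUMS.sig pgp_keys.asc && \
    apt-get --purge -y autoremove && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

ENV PATH=/builder/terraform/:$PATH
ENTRYPOINT ["terraform"]
--------------------------------------------------------------------------------
/examples/tf_cloudbuild_builder_simple_github/apis.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.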
15 | */ 16 | 17 | module "enabled_google_apis" { 18 | source = "terraform-google-modules/project-factory/google//modules/project_services" 19 | version = "~> 18.0" 20 | 21 | project_id = var.project_id 22 | disable_services_on_destroy = false 23 | 24 | activate_apis = [ 25 | "iam.googleapis.com", 26 | "compute.googleapis.com", 27 | "workflows.googleapis.com", 28 | "artifactregistry.googleapis.com", 29 | "cloudbuild.googleapis.com", 30 | "cloudscheduler.googleapis.com" 31 | ] 32 | } 33 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_builder_simple_github/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | output "artifact_repo" { 18 | description = "GAR Repo created to store TF Cloud Builder images" 19 | value = module.cloudbuilder.artifact_repo 20 | } 21 | 22 | output "workflow_id" { 23 | description = "Workflow ID for triggering new TF Builder build" 24 | value = module.cloudbuilder.workflow_id 25 | } 26 | 27 | output "scheduler_id" { 28 | description = "Scheduler ID for periodically triggering TF Builder build Workflow" 29 | value = module.cloudbuilder.scheduler_id 30 | } 31 | 32 | output "cloudbuild_trigger_id" { 33 | description = "Trigger used for building new TF Builder" 34 | value = module.cloudbuilder.cloudbuild_trigger_id 35 | } 36 | 37 | output "repository_id" { 38 | description = "ID of the Cloud Build repositories (2nd gen) repository" 39 | value = module.git_repo_connection.cloud_build_repositories_2nd_gen_repositories["test_repo"].id 40 | } 41 | 42 | output "project_id" { 43 | description = "The ID of the project in which the resources were provisioned" 44 | value = var.project_id 45 | } 46 | 47 | output "location" { 48 | description = "The location in which the resources were provisioned" 49 | value = local.location 50 | } 51 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_builder_simple_github/scripts/push-to-repo.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Copyright 2024 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
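# See the License for the specific language governing permissions and
# limitations under the License.

# Bootstraps a GitHub repository with the builder Dockerfile.
#
# Usage: push-to-repo.sh <github-token> <repo-url> <path-to-Dockerfile>
#
# -e: stop at the first failing command; -u: unset variables are errors;
# -o pipefail: a failure inside a pipeline is not masked by a later stage.
# Deliberately NOT -x: xtrace would print the token (the positional
# assignment below and every git invocation) into the build log.
set -euo pipefail

if [ "$#" -lt 3 ]; then
  >&2 echo "Not all expected arguments set."
  exit 1
fi

GITHUB_TOKEN=$1
REPO_URL=$2
DOCKERFILE_PATH=$3

# The token reaches git through a credential helper that reads it from the
# environment at request time. It is therefore never part of the remote URL,
# never written to .git/config of the clone, and not visible in `ps`.
# "x-access-token" is accepted as the username for both PATs and GitHub App
# installation tokens.
export GITHUB_TOKEN
GIT_CRED=(-c 'credential.helper=!f() { echo "username=x-access-token"; echo "password=${GITHUB_TOKEN}"; }; f')

# Normalise the URL to https://<host>/<owner>/<repo> (anything after the
# repository path is dropped). IFS is scoped to the read so word splitting
# elsewhere in the script is unaffected.
IFS='/' read -r -a URL_PARTS <<< "${REPO_URL}"
if [ "${#URL_PARTS[@]}" -lt 5 ]; then
  >&2 echo "Unexpected repository URL: ${REPO_URL}"
  exit 1
fi
CLONE_URL="https://${URL_PARTS[2]}/${URL_PARTS[3]}/${URL_PARTS[4]}"

# Clone into a temp dir that is removed on exit (success or failure) so the
# checkout does not linger on the builder.
tmp_dir=$(mktemp -d)
trap 'rm -rf "$tmp_dir"' EXIT
git "${GIT_CRED[@]}" clone "${CLONE_URL}" "${tmp_dir}"
cp "${DOCKERFILE_PATH}" "${tmp_dir}"
pushd "${tmp_dir}"
git config init.defaultBranch main
git config user.email "terraform-robot@example.com"
git config user.name "TF Robot"
git checkout main || git checkout -b main
git add Dockerfile

# Only commit when the Dockerfile actually changed, so re-running the module
# (a second `terraform apply`) does not fail on an empty commit.
if [ -z "$(git status --porcelain)" ]; then
  echo "No changes to commit. Nothing to do."
else
  echo "Changes detected. Attempting to commit..."
  git commit -m "init tf dockerfile"
  # No --force: the commit sits on top of the freshly cloned main, so this is
  # a fast-forward; a forced push would silently discard any history pushed
  # by someone else in the meantime.
  git "${GIT_CRED[@]}" push origin main
fi

--------------------------------------------------------------------------------
/examples/tf_cloudbuild_builder_simple_github/variables.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.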
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources." 19 | type = string 20 | } 21 | 22 | variable "github_pat_secret_id" { 23 | description = "The secret ID for the personal access token for authenticating with GitHub." 24 | type = string 25 | } 26 | 27 | variable "github_app_id_secret_id" { 28 | description = "The secret ID for the application ID for the Cloudbuild GitHub app." 29 | type = string 30 | } 31 | 32 | 33 | variable "repository_uri" { 34 | description = "The URI of the GitHub repository where the Terraform configs are stored." 35 | type = string 36 | } 37 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_builder_simple_gitlab/Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
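# NOTE(review): the base image is pulled by floating tag. Pin it by digest
# (FROM gcr.io/cloud-builders/gcloud-slim@sha256:...) once a build has been
# vetted, so the scheduled rebuilds of this builder are reproducible.
FROM gcr.io/cloud-builders/gcloud-slim

# Use ARG so that values can be overridden by user/cloudbuild
ARG TERRAFORM_VERSION=1.1.0

# Primary-key fingerprint of the HashiCorp release-signing key. The key itself
# is fetched from keybase.io below; pinning the fingerprint here means a swapped
# key on that endpoint cannot make the signature check succeed.
# Cross-check against https://www.hashicorp.com/security before changing it.
ARG HASHICORP_GPG_FINGERPRINT=C874011F0AB405110D02105534365D9472D7468F

ENV ENV_TERRAFORM_VERSION=$TERRAFORM_VERSION

# Download chain: curl -fsSL fails on HTTP errors (instead of saving an error
# page as the artifact) and follows redirects. The SHA256SUMS file is verified
# against the pinned key via VALIDSIG (its last field is the primary-key
# fingerprint of the signer), then the zip is checked against the sums.
# Signature and key material are removed afterwards so they do not ship in
# the image.
RUN apt-get update && \
    /builder/google-cloud-sdk/bin/gcloud -q components install alpha beta terraform-tools && \
    apt-get -y install curl jq unzip git ca-certificates gnupg && \
    curl -fsSL https://releases.hashicorp.com/terraform/${ENV_TERRAFORM_VERSION}/terraform_${ENV_TERRAFORM_VERSION}_linux_amd64.zip --output terraform_${ENV_TERRAFORM_VERSION}_linux_amd64.zip && \
    curl -fsSL https://releases.hashicorp.com/terraform/${ENV_TERRAFORM_VERSION}/terraform_${ENV_TERRAFORM_VERSION}_SHA256SUMS.sig --output terraform_SHA256SUMS.sig && \
    curl -fsSL https://releases.hashicorp.com/terraform/${ENV_TERRAFORM_VERSION}/terraform_${ENV_TERRAFORM_VERSION}_SHA256SUMS --output terraform_SHA256SUMS && \
    curl -fsSL https://keybase.io/hashicorp/pgp_keys.asc --output pgp_keys.asc && \
    gpg --batch --import pgp_keys.asc && \
    gpg --batch --status-fd 1 --verify terraform_SHA256SUMS.sig terraform_SHA256SUMS | grep -q "VALIDSIG .*${HASHICORP_GPG_FINGERPRINT}$" && \
    grep terraform_${ENV_TERRAFORM_VERSION}_linux_amd64.zip terraform_SHA256SUMS | shasum --algorithm 256 --check && \
    unzip terraform_${ENV_TERRAFORM_VERSION}_linux_amd64.zip -d /builder/terraform && \
    rm -f terraform_${ENV_TERRAFORM_VERSION}_linux_amd64.zip terraform_SHA256SUMS terraform_SHA256SUMS.sig pgp_keys.asc && \
    apt-get --purge -y autoremove && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

ENV PATH=/builder/terraform/:$PATH
ENTRYPOINT ["terraform"]
--------------------------------------------------------------------------------
/examples/tf_cloudbuild_builder_simple_gitlab/apis.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.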
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | module "enabled_google_apis" { 18 | source = "terraform-google-modules/project-factory/google//modules/project_services" 19 | version = "~> 18.0" 20 | 21 | project_id = var.project_id 22 | disable_services_on_destroy = false 23 | 24 | activate_apis = [ 25 | "iam.googleapis.com", 26 | "compute.googleapis.com", 27 | "workflows.googleapis.com", 28 | "artifactregistry.googleapis.com", 29 | "cloudbuild.googleapis.com", 30 | "cloudscheduler.googleapis.com" 31 | ] 32 | } 33 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_builder_simple_gitlab/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | output "artifact_repo" { 18 | description = "GAR Repo created to store TF Cloud Builder images" 19 | value = module.cloudbuilder.artifact_repo 20 | } 21 | 22 | output "workflow_id" { 23 | description = "Workflow ID for triggering new TF Builder build" 24 | value = module.cloudbuilder.workflow_id 25 | } 26 | 27 | output "scheduler_id" { 28 | description = "Scheduler ID for periodically triggering TF Builder build Workflow" 29 | value = module.cloudbuilder.scheduler_id 30 | } 31 | 32 | output "cloudbuild_trigger_id" { 33 | description = "Trigger used for building new TF Builder" 34 | value = module.cloudbuilder.cloudbuild_trigger_id 35 | } 36 | 37 | output "repository_id" { 38 | description = "ID of the Cloud Build repositories (2nd gen) repository" 39 | value = module.git_repo_connection.cloud_build_repositories_2nd_gen_repositories["test_repo"].id 40 | } 41 | 42 | output "project_id" { 43 | description = "The ID of the project in which the resources were provisioned" 44 | value = var.project_id 45 | } 46 | 47 | output "location" { 48 | description = "The location in which the resources were provisioned" 49 | value = local.location 50 | } 51 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_builder_simple_gitlab/scripts/push-to-repo.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Copyright 2024 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
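# See the License for the specific language governing permissions and
# limitations under the License.

# Bootstraps a GitLab repository with the builder Dockerfile.
#
# Usage: push-to-repo.sh <gitlab-token> <repo-url> <path-to-Dockerfile>
#
# -e: stop at the first failing command; -u: unset variables are errors;
# -o pipefail: a failure inside a pipeline is not masked by a later stage.
# Deliberately NOT -x: xtrace would print the token (the positional
# assignment below and every git invocation) into the build log.
set -euo pipefail

if [ "$#" -lt 3 ]; then
  >&2 echo "Not all expected arguments set."
  exit 1
fi

GITLAB_TOKEN=$1
REPO_URL=$2
DOCKERFILE_PATH=$3

# The token reaches git through a credential helper that reads it from the
# environment at request time. It is therefore never part of the remote URL,
# never written to .git/config of the clone, and not visible in `ps`.
# The username is not checked for GitLab token auth; "gitlab-bot" is kept
# from the original script.
export GITLAB_TOKEN
GIT_CRED=(-c 'credential.helper=!f() { echo "username=gitlab-bot"; echo "password=${GITLAB_TOKEN}"; }; f')

# Normalise the URL to https://<host>/<group>/<project> (anything after the
# project path is dropped). The host is taken from the URL rather than fixed
# to gitlab.com so self-managed instances are pushed to, not gitlab.com.
# IFS is scoped to the read so word splitting elsewhere is unaffected.
IFS='/' read -r -a URL_PARTS <<< "${REPO_URL}"
if [ "${#URL_PARTS[@]}" -lt 5 ]; then
  >&2 echo "Unexpected repository URL: ${REPO_URL}"
  exit 1
fi
CLONE_URL="https://${URL_PARTS[2]}/${URL_PARTS[3]}/${URL_PARTS[4]}"

# Clone into a temp dir that is removed on exit (success or failure) so the
# checkout does not linger on the builder.
tmp_dir=$(mktemp -d)
trap 'rm -rf "$tmp_dir"' EXIT
git "${GIT_CRED[@]}" clone "${CLONE_URL}" "${tmp_dir}"
cp "${DOCKERFILE_PATH}" "${tmp_dir}"
pushd "${tmp_dir}"
git config init.defaultBranch main
git config user.email "terraform-robot@example.com"
git config user.name "TF Robot"
git checkout main || git checkout -b main
git add Dockerfile

# Only commit when the Dockerfile actually changed, so re-running the module
# (a second `terraform apply`) does not fail on an empty commit.
if [ -z "$(git status --porcelain)" ]; then
  echo "No changes to commit. Nothing to do."
else
  echo "Changes detected. Attempting to commit..."
  git commit -m "init tf dockerfile"
  # No --force: the commit sits on top of the freshly cloned main, so this is
  # a fast-forward; a forced push would silently discard any history pushed
  # by someone else in the meantime.
  git "${GIT_CRED[@]}" push origin main
fi
--------------------------------------------------------------------------------
/examples/tf_cloudbuild_builder_simple_gitlab/variables.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.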
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources." 19 | type = string 20 | } 21 | 22 | variable "repository_uri" { 23 | description = "The URI of the GitLab repository where the Terraform configs are stored." 24 | type = string 25 | } 26 | 27 | variable "gitlab_authorizer_secret_id" { 28 | description = "The secret ID for the credential for GitLab authorizer" 29 | type = string 30 | } 31 | 32 | variable "gitlab_read_authorizer_secret_id" { 33 | description = "The secret ID for the credential for GitLab read authorizer" 34 | type = string 35 | } 36 | 37 | variable "gitlab_webhook_secret_id" { 38 | description = "The secret ID for the WebHook for GitLab" 39 | type = string 40 | } 41 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_source_simple/README.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | This example demonstrates the simplest usage of the [tf_cloudbuild_source](../../modules/tf_cloudbuild_source/) module. 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | billing\_account | The ID of the billing account to associate projects with. 
| `string` | n/a | yes | 11 | | group\_org\_admins | Google Group for GCP Organization Administrators | `string` | n/a | yes | 12 | | org\_id | GCP Organization ID | `string` | n/a | yes | 13 | | parent\_folder | The bootstrap parent folder | `string` | `""` | no | 14 | | project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no | 15 | 16 | ## Outputs 17 | 18 | | Name | Description | 19 | |------|-------------| 20 | | cloudbuild\_project\_id | Project where CloudBuild configuration and terraform container image will reside. | 21 | | csr\_repos | List of Cloud Source Repos created by the module. | 22 | | gcs\_cloudbuild\_default\_bucket | Bucket used to store temporary files in CloudBuild project. | 23 | 24 | 25 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_source_simple/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2022 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | module "tf_source" { 18 | source = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_source" 19 | version = "~> 11.0" 20 | 21 | org_id = var.org_id 22 | folder_id = var.parent_folder 23 | billing_account = var.billing_account 24 | group_org_admins = var.group_org_admins 25 | buckets_force_destroy = true 26 | project_deletion_policy = var.project_deletion_policy 27 | } 28 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_source_simple/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2022 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "cloudbuild_project_id" { 18 | description = "Project where CloudBuild configuration and terraform container image will reside." 19 | value = module.tf_source.cloudbuild_project_id 20 | } 21 | 22 | output "csr_repos" { 23 | description = "List of Cloud Source Repos created by the module." 24 | value = module.tf_source.csr_repos 25 | } 26 | 27 | output "gcs_cloudbuild_default_bucket" { 28 | description = "Bucket used to store temporary files in CloudBuild project." 
29 | value = module.tf_source.gcs_cloudbuild_default_bucket 30 | } 31 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_source_simple/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2022 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "org_id" { 18 | description = "GCP Organization ID" 19 | type = string 20 | } 21 | 22 | variable "parent_folder" { 23 | description = "The bootstrap parent folder" 24 | type = string 25 | default = "" 26 | } 27 | 28 | variable "billing_account" { 29 | description = "The ID of the billing account to associate projects with." 30 | type = string 31 | } 32 | 33 | variable "group_org_admins" { 34 | description = "Google Group for GCP Organization Administrators" 35 | type = string 36 | } 37 | 38 | variable "project_deletion_policy" { 39 | description = "The deletion policy for the project created." 40 | type = string 41 | default = "PREVENT" 42 | } 43 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple/README.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | This example demonstrates the simplest usage of the [tf_cloudbuild_workspace](../../modules/tf_cloudbuild_workspace/) module. 
4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | project\_id | The ID of the project in which to provision resources. | `string` | n/a | yes | 11 | 12 | ## Outputs 13 | 14 | | Name | Description | 15 | |------|-------------| 16 | | artifacts\_bucket | Bucket for storing TF plans | 17 | | cloudbuild\_apply\_trigger\_id | Trigger used for running TF apply | 18 | | cloudbuild\_plan\_trigger\_id | Trigger used for running TF plan | 19 | | cloudbuild\_sa | SA used by Cloud Build triggers | 20 | | csr\_repo\_url | CSR repo for storing TF configs | 21 | | logs\_bucket | Bucket for storing TF logs | 22 | | project\_id | n/a | 23 | | state\_bucket | Bucket for storing TF state | 24 | 25 | 26 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple/apis.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2022 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | module "enabled_google_apis" { 18 | source = "terraform-google-modules/project-factory/google//modules/project_services" 19 | version = "~> 18.0" 20 | 21 | project_id = var.project_id 22 | disable_services_on_destroy = false 23 | 24 | activate_apis = [ 25 | "iam.googleapis.com", 26 | "compute.googleapis.com", 27 | "sourcerepo.googleapis.com", 28 | "cloudbuild.googleapis.com", 29 | ] 30 | } 31 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple/files/.gitignore: -------------------------------------------------------------------------------- 1 | # Local .terraform directories 2 | **/.terraform* 3 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple/files/backend.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2022 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | terraform { 18 | backend "gcs" { 19 | bucket = "tf-state-prod" 20 | prefix = "terraform/csr/state" 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple/files/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2022 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | module "test-vpc-module" { 18 | source = "terraform-google-modules/network/google" 19 | version = "~> 10.0" 20 | 21 | project_id = var.project_id 22 | network_name = "my-custom-mode-network" 23 | mtu = 1460 24 | 25 | subnets = [ 26 | { 27 | subnet_name = "subnet-01" 28 | subnet_ip = "10.10.10.0/24" 29 | subnet_region = "us-west1" 30 | }, 31 | { 32 | subnet_name = "subnet-02" 33 | subnet_ip = "10.10.20.0/24" 34 | subnet_region = "us-west1" 35 | subnet_private_access = "true" 36 | subnet_flow_logs = "true" 37 | }, 38 | { 39 | subnet_name = "subnet-03" 40 | subnet_ip = "10.10.30.0/24" 41 | subnet_region = "us-west1" 42 | subnet_flow_logs = "true" 43 | subnet_flow_logs_interval = "INTERVAL_10_MIN" 44 | subnet_flow_logs_sampling = 0.7 45 | subnet_flow_logs_metadata = "INCLUDE_ALL_METADATA" 46 | subnet_flow_logs_filter = "false" 47 | } 48 | ] 49 | } 50 | -------------------------------------------------------------------------------- 
/examples/tf_cloudbuild_workspace_simple/files/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2022 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The project ID to host the network in" 19 | } 20 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2022 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
*/

# Cloud Build workspace (plan/apply triggers, state/log/artifact buckets and the
# build service account) wired to the CSR repository created further down.
module "tf_workspace" {
  source  = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_workspace"
  version = "~> 11.0"

  project_id       = module.enabled_google_apis.project_id
  tf_repo_uri      = google_sourcerepo_repository.tf_config_repo.url
  trigger_location = "global"
  # allow log/state buckets to be destroyed (example setting; keep state
  # buckets non-destroyable wherever the state matters)
  buckets_force_destroy = true
  # Project roles granted to the build SA. The configs pushed into the repo
  # (files/main.tf) create a VPC, hence compute.networkAdmin; keep this list
  # to what those configs actually need.
  cloudbuild_sa_roles = { (module.enabled_google_apis.project_id) = {
    project_id = module.enabled_google_apis.project_id,
    roles      = ["roles/compute.networkAdmin"]
    }
  }
  # Exported into the builds so var.project_id of the pushed configs is set.
  cloudbuild_env_vars = ["TF_VAR_project_id=${var.project_id}"]

}

# CSR for storing TF configs
resource "google_sourcerepo_repository" "tf_config_repo" {
  project = module.enabled_google_apis.project_id
  name    = "tf-configs"
}

# Bootstrap CSR with TF configs: runs scripts/push-to-repo.sh at create time
# with "<project id> <repo name> <path to configs>". The repo name is taken as
# the 4th "/"-separated segment of the repository id — presumably
# projects/<p>/repos/<name>; confirm against the provider.
module "bootstrap_csr_repo" {
  source  = "terraform-google-modules/gcloud/google"
  version = "~> 3.1"

  upgrade = false

  create_cmd_entrypoint = "${path.module}/scripts/push-to-repo.sh"
  create_cmd_body       = "${module.enabled_google_apis.project_id} ${split("/", google_sourcerepo_repository.tf_config_repo.id)[3]} ${path.module}/files"
}

-------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple/outputs.tf: --------------------------------------------------------------------------------
# /**
# * Copyright 2022 Google LLC
# *
# * Licensed under the Apache License, Version 2.0 (the "License");
# * you may not use this file except in compliance with the License.
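# * You may obtain a copy of the License at
# *
# * http://www.apache.org/licenses/LICENSE-2.0
# *
# * Unless required by applicable law or agreed to in writing, software
# * distributed under the License is distributed on an "AS IS" BASIS,
# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# * See the License for the specific language governing permissions and
# * limitations under the License.
# */

output "cloudbuild_plan_trigger_id" {
  description = "Trigger used for running TF plan"
  value       = module.tf_workspace.cloudbuild_plan_trigger_id
}

output "cloudbuild_apply_trigger_id" {
  description = "Trigger used for running TF apply"
  value       = module.tf_workspace.cloudbuild_apply_trigger_id
}

output "cloudbuild_sa" {
  description = "SA used by Cloud Build triggers"
  value       = module.tf_workspace.cloudbuild_sa
}

output "state_bucket" {
  description = "Bucket for storing TF state"
  value       = module.tf_workspace.state_bucket
}

output "logs_bucket" {
  description = "Bucket for storing TF logs"
  value       = module.tf_workspace.logs_bucket
}

output "artifacts_bucket" {
  description = "Bucket for storing TF plans"
  value       = module.tf_workspace.artifacts_bucket
}

output "csr_repo_url" {
  description = "CSR repo for storing TF configs"
  value       = google_sourcerepo_repository.tf_config_repo.url
}

# No description, which is why the README lists this output as "n/a".
output "project_id" {
  value = var.project_id
}

-------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple/scripts/push-to-repo.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Copies the Terraform configs in TF_CONFIG_PATH into the Cloud Source
# Repository CSR_NAME of project CSR_PROJECT_ID, pushing them first to the
# "plan" branch and then to "main".
#
# Arguments:
#   $1  project that owns the Cloud Source Repository
#   $2  repository name
#   $3  directory whose contents are copied into the repository
#
# No credential is passed in: the clone goes through gcloud and git is pointed
# at the gcloud credential helper, so nothing secret appears in the trace that
# "set -x" writes to the build log. Any failing step aborts the script (set -e).
set -ex

if [ "$#" -lt 3 ]; then
  >&2 echo "Not all expected arguments set."
  exit 1
fi

CSR_PROJECT_ID=$1
CSR_NAME=$2
TF_CONFIG_PATH=$3

# create temp dir, cleanup at exit
tmp_dir=$(mktemp -d)
# shellcheck disable=SC2064
trap "rm -rf $tmp_dir" EXIT
gcloud source repos clone "${CSR_NAME}" "${tmp_dir}" --project "${CSR_PROJECT_ID}"
cp -r "${TF_CONFIG_PATH}/." "${tmp_dir}"
pushd "${tmp_dir}"
git config credential.helper gcloud.sh
git config init.defaultBranch main
git config user.email "terraform-robot@example.com"
git config user.name "TF Robot"
git checkout plan || git checkout -b plan
git add -A

# Only commit when the copy actually changed something: an empty commit fails
# and, under "set -e", would abort the script (e.g. on a re-run).
if [ -z "$(git status --porcelain)" ]; then
  echo "No changes to commit. Nothing to do."
else
  echo "Changes detected. Attempting to commit..."
  git commit -m "init tf configs"
  # -f replaces whatever the remote branch already holds
  git push origin plan -f
fi

# NOTE(review): the pauses presumably give the Cloud Build triggers time to
# react to each push before the next one lands — confirm, the script does not say.
sleep 60
git checkout main || git checkout -b main
# When main already exists it is checked out as-is, so bring the plan commit in
# explicitly; a fresh "checkout -b main" already contains it (no-op merge).
git merge plan
git push origin main -f
sleep 120

-------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple/variables.tf: --------------------------------------------------------------------------------
/**
 * Copyright 2022 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.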
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources." 19 | type = string 20 | } 21 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple_github/apis.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | module "enabled_google_apis" { 18 | source = "terraform-google-modules/project-factory/google//modules/project_services" 19 | version = "~> 18.0" 20 | 21 | project_id = var.project_id 22 | disable_services_on_destroy = false 23 | 24 | activate_apis = [ 25 | "iam.googleapis.com", 26 | "secretmanager.googleapis.com", 27 | "compute.googleapis.com", 28 | "cloudbuild.googleapis.com", 29 | ] 30 | } 31 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple_github/files/.gitignore: -------------------------------------------------------------------------------- 1 | # Local .terraform directories 2 | **/.terraform* 3 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple_github/files/backend.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | terraform { 18 | backend "gcs" { 19 | bucket = "tf-state-prod" 20 | prefix = "terraform/github/state" 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple_github/files/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | module "test-vpc-module" { 18 | source = "terraform-google-modules/network/google" 19 | version = "~> 10.0" 20 | 21 | project_id = var.project_id 22 | network_name = "my-custom-mode-network-gh" 23 | mtu = 1460 24 | 25 | subnets = [ 26 | { 27 | subnet_name = "subnet-gh-01" 28 | subnet_ip = "10.10.10.0/24" 29 | subnet_region = "us-west1" 30 | }, 31 | { 32 | subnet_name = "subnet-gh-02" 33 | subnet_ip = "10.10.20.0/24" 34 | subnet_region = "us-west1" 35 | subnet_private_access = "true" 36 | subnet_flow_logs = "true" 37 | }, 38 | { 39 | subnet_name = "subnet-gh-03" 40 | subnet_ip = "10.10.30.0/24" 41 | subnet_region = "us-west1" 42 | subnet_flow_logs = "true" 43 | subnet_flow_logs_interval = "INTERVAL_10_MIN" 44 | subnet_flow_logs_sampling = 0.7 45 | subnet_flow_logs_metadata = "INCLUDE_ALL_METADATA" 46 | subnet_flow_logs_filter = "false" 47 | } 48 | ] 49 | } 50 | -------------------------------------------------------------------------------- 
/examples/tf_cloudbuild_workspace_simple_github/files/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The project ID to host the network in" 19 | } 20 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple_github/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
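*/

output "cloudbuild_plan_trigger_id" {
  description = "Trigger used for running TF plan"
  value       = module.tf_workspace.cloudbuild_plan_trigger_id
}

output "cloudbuild_apply_trigger_id" {
  description = "Trigger used for running TF apply"
  value       = module.tf_workspace.cloudbuild_apply_trigger_id
}

output "cloudbuild_sa" {
  description = "SA used by Cloud Build triggers"
  value       = module.tf_workspace.cloudbuild_sa
}

output "state_bucket" {
  description = "Bucket for storing TF state"
  value       = module.tf_workspace.state_bucket
}

output "logs_bucket" {
  description = "Bucket for storing TF logs"
  value       = module.tf_workspace.logs_bucket
}

output "artifacts_bucket" {
  description = "Bucket for storing TF plans"
  value       = module.tf_workspace.artifacts_bucket
}

output "project_id" {
  description = "The ID of the project in which the resources were provisioned"
  value       = var.project_id
}

output "location" {
  description = "The location in which the resources were provisioned"
  value       = local.location
}

-------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple_github/scripts/push-to-repo.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Copies the Terraform configs in TF_CONFIG_PATH into the GitHub repository at
# REPO_URL, pushing them first to the "plan" branch and then to "main".
#
# Arguments:
#   $1  personal access token used for HTTPS authentication
#   $2  repository URL of the form https://<host>/<owner>/<repo>
#   $3  directory whose contents are copied into the repository
#
# Any failing step aborts the script (set -e).

# Tracing is deliberately NOT enabled yet: the token is placed in a URL below,
# and "set -x" would echo that URL into the build log.
set -e

if [ "$#" -lt 3 ]; then
  >&2 echo "Not all expected arguments set."
  exit 1
fi

GITHUB_TOKEN=$1
REPO_URL=$2
TF_CONFIG_PATH=$3

# Split the URL on "/" (mapfile takes the delimiter itself, so the global IFS is
# left untouched); for https://<host>/<owner>/<repo> the host, owner and repo
# are elements 2, 3 and 4.
mapfile -t -d / URL_PARTS < <(printf "%s" "$REPO_URL")
if [ "${#URL_PARTS[@]}" -lt 5 ]; then
  >&2 echo "Unexpected repository URL, expected https://<host>/<owner>/<repo>: ${REPO_URL}"
  exit 1
fi
# construct the new authenticated URL
AUTH_REPO_URL="https://${GITHUB_TOKEN}:@${URL_PARTS[2]}/${URL_PARTS[3]}/${URL_PARTS[4]}"

# create temp dir, cleanup at exit; this also discards the clone's .git/config,
# which stores the authenticated remote URL
tmp_dir=$(mktemp -d)
# shellcheck disable=SC2064
trap "rm -rf $tmp_dir" EXIT

# Runs before tracing is enabled because its command line contains the token.
git clone "${AUTH_REPO_URL}" "${tmp_dir}"

# No later command line carries the token, so tracing is safe from here on.
set -x
cp -r "${TF_CONFIG_PATH}/." "${tmp_dir}"
pushd "${tmp_dir}"
git config init.defaultBranch main
git config user.email "terraform-robot@example.com"
git config user.name "TF Robot"
git checkout plan || git checkout -b plan
git add -A

# The '-z' flag checks if the following string is empty.
if [ -z "$(git status --porcelain)" ]; then
  # If the output is empty, the working directory is clean.
  echo "No changes to commit. Nothing to do."
else
  # If there is output, changes exist, so we commit.
  echo "Changes detected. Attempting to commit..."
  git commit -m "init tf configs"
  # -f replaces whatever the remote branch already holds
  git push origin plan -f
fi

# NOTE(review): the pauses presumably give the Cloud Build triggers time to
# react to each push before the next one lands — confirm, the script does not say.
sleep 60
git checkout main || git checkout -b main
git merge plan
git push origin main -f
sleep 120

-------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple_github/variables.tf: --------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.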
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources." 19 | type = string 20 | } 21 | 22 | variable "github_pat_secret_id" { 23 | description = "The secret ID for the personal access token for authenticating with GitHub." 24 | type = string 25 | } 26 | 27 | variable "github_app_id_secret_id" { 28 | description = "The secret ID for the application ID for the Cloudbuild GitHub app." 29 | type = string 30 | } 31 | 32 | variable "repository_uri" { 33 | description = "The URI of the GitHub repository where the Terraform configs are stored." 34 | type = string 35 | } 36 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple_gitlab/apis.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | module "enabled_google_apis" { 18 | source = "terraform-google-modules/project-factory/google//modules/project_services" 19 | version = "~> 18.0" 20 | 21 | project_id = var.project_id 22 | disable_services_on_destroy = false 23 | 24 | activate_apis = [ 25 | "iam.googleapis.com", 26 | "secretmanager.googleapis.com", 27 | "compute.googleapis.com", 28 | "cloudbuild.googleapis.com", 29 | ] 30 | } 31 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple_gitlab/files/.gitignore: -------------------------------------------------------------------------------- 1 | # Local .terraform directories 2 | **/.terraform* 3 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple_gitlab/files/backend.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | terraform { 18 | backend "gcs" { 19 | bucket = "tf-state-prod" 20 | prefix = "terraform/gitlab/state" 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple_gitlab/files/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | module "test-vpc-module" { 18 | source = "terraform-google-modules/network/google" 19 | version = "~> 10.0" 20 | 21 | project_id = var.project_id 22 | network_name = "my-custom-mode-network-gl" 23 | mtu = 1460 24 | 25 | subnets = [ 26 | { 27 | subnet_name = "subnet-gl-01" 28 | subnet_ip = "10.10.10.0/24" 29 | subnet_region = "us-west1" 30 | }, 31 | { 32 | subnet_name = "subnet-gl-02" 33 | subnet_ip = "10.10.20.0/24" 34 | subnet_region = "us-west1" 35 | subnet_private_access = "true" 36 | subnet_flow_logs = "true" 37 | }, 38 | { 39 | subnet_name = "subnet-gl-03" 40 | subnet_ip = "10.10.30.0/24" 41 | subnet_region = "us-west1" 42 | subnet_flow_logs = "true" 43 | subnet_flow_logs_interval = "INTERVAL_10_MIN" 44 | subnet_flow_logs_sampling = 0.7 45 | subnet_flow_logs_metadata = "INCLUDE_ALL_METADATA" 46 | subnet_flow_logs_filter = "false" 47 | } 48 | ] 49 | } 50 | -------------------------------------------------------------------------------- 
/examples/tf_cloudbuild_workspace_simple_gitlab/files/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The project ID to host the network in" 19 | } 20 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple_gitlab/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | output "cloudbuild_plan_trigger_id" { 18 | description = "Trigger used for running TF plan" 19 | value = module.tf_workspace.cloudbuild_plan_trigger_id 20 | } 21 | 22 | output "cloudbuild_apply_trigger_id" { 23 | description = "Trigger used for running TF apply" 24 | value = module.tf_workspace.cloudbuild_apply_trigger_id 25 | } 26 | 27 | output "cloudbuild_sa" { 28 | description = "SA used by Cloud Build triggers" 29 | value = module.tf_workspace.cloudbuild_sa 30 | } 31 | 32 | output "state_bucket" { 33 | description = "Bucket for storing TF state" 34 | value = module.tf_workspace.state_bucket 35 | } 36 | 37 | output "logs_bucket" { 38 | description = "Bucket for storing TF logs" 39 | value = module.tf_workspace.logs_bucket 40 | } 41 | 42 | output "artifacts_bucket" { 43 | description = "Bucket for storing TF plans" 44 | value = module.tf_workspace.artifacts_bucket 45 | } 46 | 47 | output "project_id" { 48 | description = "The ID of the project in which the resources were provisioned" 49 | value = var.project_id 50 | } 51 | 52 | output "location" { 53 | description = "The location in which the resources were provisioned" 54 | value = local.location 55 | } 56 | -------------------------------------------------------------------------------- /examples/tf_cloudbuild_workspace_simple_gitlab/scripts/push-to-repo.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Copyright 2024 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
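# See the License for the specific language governing permissions and
# limitations under the License.

# Pushes the Terraform configs in TF_CONFIG_PATH to the GitLab repository at
# REPO_URL: first to the "plan" branch, then merged into "main".
#
# Positional arguments:
#   $1  GitLab token used to authenticate the clone and the pushes
#   $2  repository URL, e.g. https://gitlab.com/<group>/<project>
#   $3  directory whose contents are copied into the repository
#
# The token is never embedded in the remote URL. git obtains it from a
# credential helper that reads the GITLAB_TOKEN environment variable, so the
# token shows up neither in xtrace output nor in the clone's .git/config.

set -eo pipefail

if [ "$#" -lt 3 ]; then
  >&2 echo "Not all expected arguments set."
  exit 1
fi

GITLAB_TOKEN=$1
REPO_URL=$2
TF_CONFIG_PATH=$3

# Split the URL on "/" ("https:", "", "gitlab.com", "<group>", "<project>", ...);
# the group and project segments are what the clone URL is rebuilt from.
mapfile -t -d / URL_PARTS < <(printf "%s" "$REPO_URL")
if [ "${#URL_PARTS[@]}" -lt 5 ]; then
  >&2 echo "Unexpected repository URL: ${REPO_URL}"
  exit 1
fi
CLONE_URL="https://gitlab.com/${URL_PARTS[3]}/${URL_PARTS[4]}"

# Credential helper run by git through sh; $GITLAB_TOKEN is expanded there,
# from git's environment. The single quotes keep this shell from expanding it.
CRED_HELPER='!f() { printf "username=gitlab-bot\npassword=%s\n" "$GITLAB_TOKEN"; }; f'
export GITLAB_TOKEN
# Fail instead of hanging on an interactive prompt if the helper is not used.
export GIT_TERMINAL_PROMPT=0

tmp_dir=$(mktemp -d)
trap 'rm -rf "${tmp_dir}"' EXIT

# Command tracing is enabled only now: with it on earlier, the assignment of
# the token above would have been echoed into the build log.
set -x

git -c "credential.helper=${CRED_HELPER}" clone "${CLONE_URL}" "${tmp_dir}"
cp -r "${TF_CONFIG_PATH}/." "${tmp_dir}"
pushd "${tmp_dir}"
# Same helper for the pushes; .git/config stores the helper text, not the token.
git config credential.helper "${CRED_HELPER}"
git config init.defaultBranch main
git config user.email "terraform-robot@example.com"
git config user.name "TF Robot"
git checkout plan || git checkout -b plan
git add -A
git commit -m "init tf configs"
git push origin plan -f
# The pauses are kept from the original script; presumably they give the
# Cloud Build triggers time to react to each branch update — confirm.
sleep 60
git checkout main || git checkout -b main
git merge plan
git push origin main -f
sleep 120
--------------------------------------------------------------------------------
/examples/tf_cloudbuild_workspace_simple_gitlab/variables.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.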
15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources." 19 | type = string 20 | } 21 | 22 | variable "gitlab_authorizer_secret_id" { 23 | description = "The secret ID for the credential for GitLab authorizer" 24 | type = string 25 | } 26 | 27 | variable "gitlab_read_authorizer_secret_id" { 28 | description = "The secret ID for the credential for GitLab read authorizer" 29 | type = string 30 | } 31 | 32 | variable "gitlab_webhook_secret_id" { 33 | description = "The secret ID for the WebHook for GitLab" 34 | type = string 35 | } 36 | 37 | variable "repository_uri" { 38 | description = "The URI of the GitLab repository where the Terraform configs are stored." 39 | type = string 40 | } 41 | -------------------------------------------------------------------------------- /kitchen.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | --- 16 | driver: 17 | name: terraform 18 | verify_version: false 19 | command_timeout: 1200 20 | 21 | provisioner: 22 | name: terraform 23 | 24 | verifier: 25 | name: terraform 26 | 27 | platforms: 28 | - name: default 29 | 30 | suites: 31 | - name: simple 32 | driver: 33 | root_module_directory: test/fixtures/simple/ 34 | verifier: 35 | color: false 36 | systems: 37 | - name: simple gcp 38 | backend: gcp 39 | controls: 40 | - bootstrap 41 | - name: simple-folder 42 | driver: 43 | root_module_directory: test/fixtures/simple-folder/ 44 | verifier: 45 | color: false 46 | systems: 47 | - name: bootstrap-folder 48 | backend: gcp 49 | controls: 50 | - bootstrap-folder 51 | - name: cloudbuild_enabled 52 | driver: 53 | root_module_directory: test/fixtures/cloudbuild_enabled/ 54 | verifier: 55 | color: false 56 | systems: 57 | - name: cloudbuild_enabled gcp 58 | backend: gcp 59 | controls: 60 | - bootstrap 61 | - cloudbuild 62 | - name: cloudbuild_enabled gcloud 63 | backend: local 64 | controls: 65 | - gcloud 66 | -------------------------------------------------------------------------------- /modules/cloudbuild/cloudbuild_builder/Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
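ARG GCLOUD_VERSION=slim
FROM google/cloud-sdk:${GCLOUD_VERSION}

# Use ARG so that values can be overridden by user/cloudbuild
ARG TERRAFORM_VERSION=0.13.7
ARG TERRAFORM_VERSION_SHA256SUM=4a52886e019b4fdad2439da5ff43388bbcc6cce9784fde32c53dcd0e28ca9957

# Re-exported as ENV so the values stay available in the image at run time,
# not only during the build.
ENV ENV_TERRAFORM_VERSION=$TERRAFORM_VERSION
ENV ENV_TERRAFORM_VERSION_SHA256SUM=$TERRAFORM_VERSION_SHA256SUM

# Download the pinned Terraform release and verify it against the pinned
# checksum before unpacking; the sha256sum check is what gates the install.
# curl -f makes an HTTP error fail the build right away instead of saving an
# error page that would only be rejected later by the checksum step.
RUN apt-get update && \
    apt-get -y install curl jq unzip git ca-certificates google-cloud-sdk-terraform-tools && \
    curl -fsS "https://releases.hashicorp.com/terraform/${ENV_TERRAFORM_VERSION}/terraform_${ENV_TERRAFORM_VERSION}_linux_amd64.zip" \
      -o terraform_linux_amd64.zip && \
    echo "${ENV_TERRAFORM_VERSION_SHA256SUM} terraform_linux_amd64.zip" > terraform_SHA256SUMS && \
    sha256sum -c terraform_SHA256SUMS --status && \
    mkdir -p /builder && \
    unzip terraform_linux_amd64.zip -d /builder/terraform && \
    rm -f terraform_linux_amd64.zip terraform_SHA256SUMS && \
    apt-get --purge -y autoremove && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

ENV PATH=/builder/terraform/:$PATH
COPY entrypoint.bash /builder/entrypoint.bash
RUN chmod +x /builder/entrypoint.bash
ENTRYPOINT ["/builder/entrypoint.bash"]
--------------------------------------------------------------------------------
/modules/cloudbuild/cloudbuild_builder/README.md:
--------------------------------------------------------------------------------
# Terraform cloud builder

This builder creates a [Terraform](https://www.terraform.io/) image for use in Cloud Build to run the [Cloud Foundation Toolkit](https://cloud.google.com/foundation-toolkit/) modules.

### Building this builder
This builder is automatically created if you use the cloudbuild terraform submodule. If you would like to build manually, run the following command in this directory.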
7 | ```sh 8 | $ gcloud builds submit --config=cloudbuild.yaml 9 | ``` 10 | -------------------------------------------------------------------------------- /modules/cloudbuild/cloudbuild_builder/cloudbuild.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # In this directory, run the following command to build this builder. 16 | # $ gcloud builds submit . --config=cloudbuild.yaml 17 | steps: 18 | - name: 'gcr.io/cloud-builders/docker' 19 | args: [ 20 | 'build', 21 | '--tag=${_REGION}-docker.pkg.dev/${PROJECT_ID}/${_REPOSITORY}/terraform', 22 | '--build-arg=GCLOUD_VERSION=${_GCLOUD_VERSION}', 23 | '--build-arg=TERRAFORM_VERSION=${_TERRAFORM_VERSION}', 24 | '--build-arg=TERRAFORM_VERSION_SHA256SUM=${_TERRAFORM_VERSION_SHA256SUM}', 25 | '.' 
26 | ] 27 | - name: '${_REGION}-docker.pkg.dev/${PROJECT_ID}/${_REPOSITORY}/terraform' 28 | args: ['version'] 29 | substitutions: 30 | _TERRAFORM_VERSION: '1.0.2' # default value 31 | _TERRAFORM_VERSION_SHA256SUM: '7329f887cc5a5bda4bedaec59c439a4af7ea0465f83e3c1b0f4d04951e1181f4' # default value 32 | images: ['${_REGION}-docker.pkg.dev/${PROJECT_ID}/${_REPOSITORY}/terraform'] 33 | -------------------------------------------------------------------------------- /modules/cloudbuild/cloudbuild_builder/entrypoint.bash: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | active_account="" 5 | function get-active-account() { 6 | active_account=$(gcloud auth list --filter=status:ACTIVE --format="value(account)" 2> /dev/null) 7 | } 8 | 9 | function activate-service-key() { 10 | rootdir=/root/.config/gcloud-config 11 | mkdir -p $rootdir 12 | tmpdir=$(mktemp -d "$rootdir/servicekey.XXXXXXXX") 13 | trap "rm -rf $tmpdir" EXIT 14 | echo ${GCLOUD_SERVICE_KEY} | base64 --decode -i > ${tmpdir}/gcloud-service-key.json 15 | gcloud auth activate-service-account --key-file ${tmpdir}/gcloud-service-key.json --quiet 16 | get-active-account 17 | } 18 | 19 | function service-account-usage() { 20 | cat < 24 | EOF 25 | exit 1 26 | } 27 | 28 | function account-active-warning() { 29 | cat < { "id" : v.id, "url" : v.remote_uri } } 36 | } 37 | -------------------------------------------------------------------------------- /modules/cloudbuild_repo_connection/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | 20 | required_providers { 21 | google = { 22 | source = "hashicorp/google" 23 | # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226 24 | version = ">= 4.17, != 4.31.0, < 7" 25 | } 26 | 27 | time = { 28 | source = "hashicorp/time" 29 | version = ">= 0.12.0" 30 | } 31 | 32 | random = { 33 | source = "hashicorp/random" 34 | version = ">= 3.6.2" 35 | } 36 | 37 | google-beta = { 38 | source = "hashicorp/google-beta" 39 | # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226 40 | version = ">= 4.17, != 4.31.0, < 7" 41 | } 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /modules/im_cloudbuild_workspace/assets/arch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/terraform-google-modules/terraform-google-bootstrap/2f01d9ee18379f6448c99f41ba6e23a783d41157/modules/im_cloudbuild_workspace/assets/arch.png -------------------------------------------------------------------------------- /modules/im_cloudbuild_workspace/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "cloudbuild_preview_trigger_id" { 18 | description = "Trigger used for running infra-manager preview" 19 | value = google_cloudbuild_trigger.triggers["preview"].id 20 | } 21 | 22 | output "cloudbuild_apply_trigger_id" { 23 | description = "Trigger used for running infra-manager apply" 24 | value = google_cloudbuild_trigger.triggers["apply"].id 25 | } 26 | 27 | output "cloudbuild_sa" { 28 | description = "Service account used by the Cloud Build triggers" 29 | value = local.cloudbuild_sa 30 | } 31 | 32 | output "infra_manager_sa" { 33 | description = "Service account used by Infrastructure Manager" 34 | value = local.im_sa 35 | } 36 | 37 | output "vcs_connection_id" { 38 | description = "The Cloud Build VCS host connection ID" 39 | value = google_cloudbuildv2_connection.vcs_connection.id 40 | } 41 | 42 | output "repo_connection_id" { 43 | description = "The Cloud Build repository connection ID" 44 | value = google_cloudbuildv2_repository.repository_connection.id 45 | } 46 | 47 | output "github_secret_id" { 48 | description = "The secret ID for the GitHub secret containing the personal access token." 49 | value = local.github_secret_id 50 | sensitive = true 51 | } 52 | 53 | output "gitlab_api_secret_id" { 54 | description = "The secret ID for the GitLab secret containing the token with api access." 55 | value = local.api_secret_id 56 | sensitive = true 57 | } 58 | 59 | output "gitlab_read_api_secret_id" { 60 | description = "The secret ID for the GitLab secret containing the token with read_api access." 
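value = local.read_api_secret_id
sensitive = true
}
--------------------------------------------------------------------------------
/modules/im_cloudbuild_workspace/templates/create-preview.sh.tftpl:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Creates an Infrastructure Manager preview for the commit in $SHORT_SHA.
# This file is a Terraform template: the project, location, deployment ID,
# service account, source repo/directory and input values are substituted
# when it is rendered. Exits 1 (after describing the preview) if preview
# creation fails, else 0.

echo "Checking if deployment ${deployment_id} already exists"
# Match on the full resource name: a bare --filter term is a substring match
# and would also count deployments whose IDs merely contain ${deployment_id}.
DEPLOYMENT_EXISTS=$(gcloud infra-manager deployments list --location "${location}" \
  --filter="name=projects/${project_id}/locations/${location}/deployments/${deployment_id}" \
  --format="value(name)" | wc -l)

echo "Deleting previous preview if it already exists"
# A missing earlier preview is not an error; the script does not use set -e.
gcloud infra-manager previews delete "projects/${project_id}/locations/${location}/previews/preview-$SHORT_SHA" --quiet || true

# Assemble the command as an array so that arguments containing spaces
# (for example input values) are passed intact instead of being word-split.
CREATE_PREVIEW_CMD=(gcloud infra-manager previews create
  "projects/${project_id}/locations/${location}/previews/preview-$SHORT_SHA"
  --service-account="${service_account}"
  --git-source-repo="${source_repo}"
  --git-source-ref="$SHORT_SHA")

if [[ "${source_repo_dir}" != "" ]]; then
  CREATE_PREVIEW_CMD+=(--git-source-directory="${source_repo_dir}")
fi

if [[ "${tf_vars}" != "" ]]; then
  CREATE_PREVIEW_CMD+=(--input-values="${tf_vars}")
fi

# Attach the preview to the existing deployment only when exactly one matched.
if [[ "$DEPLOYMENT_EXISTS" -eq 1 ]]; then
  CREATE_PREVIEW_CMD+=(--deployment "projects/${project_id}/locations/${location}/deployments/${deployment_id}")
fi

if ! "$${CREATE_PREVIEW_CMD[@]}"; then
  # Surface the preview's state and errors in the build log before failing.
  gcloud infra-manager previews describe "projects/${project_id}/locations/${location}/previews/preview-$SHORT_SHA"
  exit 1
fi
exit 0
--------------------------------------------------------------------------------
/modules/im_cloudbuild_workspace/versions.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.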
15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | 20 | required_providers { 21 | google = { 22 | source = "hashicorp/google" 23 | # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226 24 | version = ">= 4.17, != 4.31.0, < 7" 25 | } 26 | google-beta = { 27 | source = "hashicorp/google-beta" 28 | # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226 29 | version = ">= 4.17, != 4.31.0, < 7" 30 | } 31 | random = { 32 | source = "hashicorp/random" 33 | version = ">= 3.6.0" 34 | } 35 | } 36 | 37 | provider_meta "google" { 38 | module_name = "blueprints/terraform/terraform-google-bootstrap:im_cloudbuild_workspace/v11.0.0" 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /modules/tf_cloudbuild_builder/assets/arch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/terraform-google-modules/terraform-google-bootstrap/2f01d9ee18379f6448c99f41ba6e23a783d41157/modules/tf_cloudbuild_builder/assets/arch.png -------------------------------------------------------------------------------- /modules/tf_cloudbuild_builder/gar.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2022 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | locals { 18 | gar_name = split("/", google_artifact_registry_repository.tf-image-repo.name)[length(split("/", google_artifact_registry_repository.tf-image-repo.name)) - 1] 19 | } 20 | 21 | resource "google_artifact_registry_repository" "tf-image-repo" { 22 | provider = google-beta 23 | project = var.project_id 24 | 25 | location = var.gar_repo_location 26 | repository_id = var.gar_repo_name 27 | description = "Docker repository for Terraform runner images used by Cloud Build. Managed by Terraform." 28 | format = "DOCKER" 29 | } 30 | 31 | # Grant CB SA permissions to push to repo 32 | resource "google_artifact_registry_repository_iam_member" "push_images" { 33 | provider = google-beta 34 | project = var.project_id 35 | 36 | location = google_artifact_registry_repository.tf-image-repo.location 37 | repository = google_artifact_registry_repository.tf-image-repo.name 38 | role = "roles/artifactregistry.writer" 39 | member = "serviceAccount:${local.cloudbuild_sa_email}" 40 | } 41 | 42 | # Grant Workflows SA access to list images in the artifact repo 43 | resource "google_artifact_registry_repository_iam_member" "workflow_list" { 44 | provider = google-beta 45 | project = var.project_id 46 | 47 | location = google_artifact_registry_repository.tf-image-repo.location 48 | repository = google_artifact_registry_repository.tf-image-repo.name 49 | role = "roles/artifactregistry.reader" 50 | member = "serviceAccount:${local.workflow_sa}" 51 | } 52 | -------------------------------------------------------------------------------- /modules/tf_cloudbuild_builder/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2022 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "artifact_repo" { 18 | description = "GAR Repo created to store TF Cloud Builder images" 19 | value = google_artifact_registry_repository.tf-image-repo.name 20 | } 21 | 22 | output "workflow_id" { 23 | description = "Workflow ID for triggering new TF Builder build" 24 | value = google_workflows_workflow.builder.id 25 | } 26 | 27 | output "workflow_sa" { 28 | description = "SA used by Workflow for triggering new TF Builder build" 29 | value = local.workflow_sa 30 | } 31 | 32 | output "scheduler_id" { 33 | description = "Scheduler ID for periodically triggering TF Builder build Workflow" 34 | value = google_cloud_scheduler_job.trigger_workflow.id 35 | } 36 | 37 | output "cloudbuild_trigger_id" { 38 | description = "Trigger used for building new TF Builder" 39 | value = google_cloudbuild_trigger.build_trigger.id 40 | } 41 | 42 | output "cloudbuild_sa" { 43 | description = "SA used by Cloud Build trigger" 44 | value = local.cloudbuild_sa 45 | } 46 | -------------------------------------------------------------------------------- /modules/tf_cloudbuild_builder/templates/workflow.yaml.tftpl: -------------------------------------------------------------------------------- 1 | main: 2 | steps: 3 | - getLatestTFRelease: 4 | call: http.get 5 | args: 6 | url: https://api.github.com/repos/hashicorp/terraform/releases/latest 7 | result: latestTFRelease 8 | - findLatestTFReleaseVersion: 9 | assign: 10 | - latestTFReleaseVersion: $${latestTFRelease.body.name} 11 | - latestTFReleaseVersionNum: 
$${text.replace_all(latestTFReleaseVersion,"v","")} 12 | - latestTFReleaseSplit: $${text.split(latestTFReleaseVersionNum,".")} 13 | - latestTFReleaseMinor: $${latestTFReleaseSplit[0] + "." + latestTFReleaseSplit[1]} 14 | - latestTFReleaseMajor: $${latestTFReleaseSplit[0]} 15 | - checkIfRunnerExists: 16 | try: 17 | call: http.get 18 | args: 19 | url: $${"https://artifactregistry.googleapis.com/v1beta2/projects/${project_id}/locations/${gar_repo_location}/repositories/${gar_repo_name}/packages/terraform/tags/"+latestTFReleaseVersion} 20 | auth: 21 | type: OAuth2 22 | result: currentRunner 23 | except: 24 | as: e 25 | steps: 26 | - known_errors: 27 | switch: 28 | - condition: $${e.code == 404} 29 | next: triggerRunnerBuild 30 | - unhandled_exception: 31 | raise: $${e} 32 | - logAndExit: 33 | return: $${"Found latest runner for "+latestTFReleaseVersion+" as "+currentRunner.body.version+", skipping build."} 34 | 35 | - triggerRunnerBuild: 36 | call: http.post 37 | args: 38 | url: $${"https://cloudbuild.googleapis.com/v1/projects/${project_id}/locations/${location}/triggers/${trigger_hash}:run"} 39 | auth: 40 | type: OAuth2 41 | body: 42 | projectId: ${project_id} 43 | triggerId: ${trigger_id} 44 | source: 45 | substitutions: 46 | _TERRAFORM_FULL_VERSION: $${latestTFReleaseVersionNum} 47 | _TERRAFORM_MINOR_VERSION: $${latestTFReleaseMinor} 48 | _TERRAFORM_MAJOR_VERSION: $${latestTFReleaseMajor} 49 | -------------------------------------------------------------------------------- /modules/tf_cloudbuild_builder/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2022 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | 20 | required_providers { 21 | google = { 22 | source = "hashicorp/google" 23 | # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226 24 | version = ">= 3.50, != 4.31.0, < 7" 25 | } 26 | google-beta = { 27 | source = "hashicorp/google-beta" 28 | # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226 29 | version = ">= 3.50, != 4.31.0, < 7" 30 | } 31 | } 32 | 33 | provider_meta "google" { 34 | module_name = "blueprints/terraform/terraform-google-bootstrap:tf_cloudbuild_builder/v11.0.0" 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /modules/tf_cloudbuild_source/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2022 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | output "cloudbuild_project_id" { 18 | description = "Project for CloudBuild and Cloud Source Repositories." 19 | value = module.cloudbuild_project.project_id 20 | 21 | depends_on = [ 22 | google_storage_bucket_iam_member.cloudbuild_iam, 23 | google_project_iam_member.org_admins_cloudbuild_editor, 24 | google_project_iam_member.org_admins_cloudbuild_viewer, 25 | google_project_iam_member.org_admins_source_repo_admin 26 | ] 27 | } 28 | 29 | output "csr_repos" { 30 | description = "List of Cloud Source Repos created by the module." 31 | value = google_sourcerepo_repository.gcp_repo 32 | } 33 | 34 | output "gcs_cloudbuild_default_bucket" { 35 | description = "Bucket used to store temporary files in CloudBuild project." 36 | value = module.cloudbuild_bucket.bucket.name 37 | 38 | depends_on = [ 39 | google_storage_bucket_iam_member.cloudbuild_iam 40 | ] 41 | } 42 | -------------------------------------------------------------------------------- /modules/tf_cloudbuild_source/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2022 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
 */

# CLI and provider constraints for the tf_cloudbuild_source module.
terraform {
  required_version = ">= 1.3"

  required_providers {
    # Wide ranges by design: the root module chooses the provider version, and
    # its committed .terraform.lock.hcl (exact version plus hashes) is what
    # makes installs reproducible - these constraints alone do not pin anything.
    google = {
      source = "hashicorp/google"
      # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226
      version = ">= 3.50, != 4.31.0, < 7"
    }
    google-beta = {
      source = "hashicorp/google-beta"
      # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226
      version = ">= 3.50, != 4.31.0, < 7"
    }
  }

  # User-agent attribution only; no effect on resources.
  provider_meta "google" {
    module_name = "blueprints/terraform/terraform-google-bootstrap:tf_cloudbuild_source/v11.0.0"
  }
}
--------------------------------------------------------------------------------
/modules/tf_cloudbuild_workspace/assets/arch.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/terraform-google-modules/terraform-google-bootstrap/2f01d9ee18379f6448c99f41ba6e23a783d41157/modules/tf_cloudbuild_workspace/assets/arch.png
--------------------------------------------------------------------------------
/modules/tf_cloudbuild_workspace/outputs.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2022 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# Cloud Build trigger that runs `terraform plan`. The trigger definitions
# (google_cloudbuild_trigger.triggers, keyed "plan"/"apply") live outside this
# file.
output "cloudbuild_plan_trigger_id" {
  description = "Trigger used for running TF plan"
  value       = google_cloudbuild_trigger.triggers["plan"].id
}

# Cloud Build trigger that runs `terraform apply`. Anyone who can edit this
# trigger, or land commits on whatever source it watches (not visible here),
# can apply infrastructure changes as the service account below - so trigger
# IAM and repository branch protection are part of the security boundary.
output "cloudbuild_apply_trigger_id" {
  description = "Trigger used for running TF apply"
  value       = google_cloudbuild_trigger.triggers["apply"].id
}

# Identity the triggers execute as (computed in locals, outside this file).
# Its IAM grants bound what a compromised pipeline could do.
output "cloudbuild_sa" {
  description = "SA used by Cloud Build triggers"
  value       = local.cloudbuild_sa
}

# Remote-state bucket. Terraform state holds every attribute in plaintext,
# including values of `sensitive` variables (sensitivity only redacts CLI
# output), so read access here should be limited to the CI SA and break-glass
# operators.
output "state_bucket" {
  description = "Bucket for storing TF state"
  value       = local.state_bucket_self_link
}

# Build logs; these can echo resource attributes and API error bodies.
output "logs_bucket" {
  description = "Bucket for storing TF logs"
  value       = module.log_bucket.bucket.self_link
}

# Saved plan files. A binary plan embeds the full planned state, so this bucket
# deserves the same access restrictions as the state bucket.
output "artifacts_bucket" {
  description = "Bucket for storing TF plans"
  value       = module.artifacts_bucket.bucket.self_link
}
--------------------------------------------------------------------------------
/modules/tf_cloudbuild_workspace/versions.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2022 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# CLI and provider constraints for the tf_cloudbuild_workspace module.
terraform {
  required_version = ">= 1.3"

  required_providers {
    # Lower bound is 4.17 here (the sibling modules accept >= 3.50); the exact
    # version actually installed is decided by the root module's committed
    # .terraform.lock.hcl, which is what pins version and hashes - these ranges
    # do not.
    google = {
      source = "hashicorp/google"
      # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226
      version = ">= 4.17, != 4.31.0, < 7"
    }
    google-beta = {
      source = "hashicorp/google-beta"
      # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226
      version = ">= 4.17, != 4.31.0, < 7"
    }
  }

  # User-agent attribution only; no effect on resources.
  provider_meta "google" {
    module_name = "blueprints/terraform/terraform-google-bootstrap:tf_cloudbuild_workspace/v11.0.0"
  }
}
--------------------------------------------------------------------------------
/terraform.example.tfvars:
--------------------------------------------------------------------------------
/**
 * Copyright 2019 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# Example inputs for the root module. Every value is a placeholder (all-zero
# ids, example.com groups); copy to terraform.tfvars and fill in real values.
# Org/billing ids and admin group addresses are not secrets, but keep a
# populated terraform.tfvars out of version control anyway, and never put
# credentials in it - use provider auth (ADC/impersonation) instead.
org_id = "000000000000"

billing_account = "000000-000000-000000"

group_org_admins = "org-admins@example.com"

group_billing_admins = "billing-admins@example.com"

default_region = "australia-southeast1"
--------------------------------------------------------------------------------
/test/.gitignore:
--------------------------------------------------------------------------------
# Local script for running the integration tests; its contents are not in the
# repo (presumably it exports environment and auth for the harness - confirm
# against the test docs). Ignored so it is never committed.
source.sh
--------------------------------------------------------------------------------
/test/fixtures/cloudbuild_enabled/main.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2018 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
15 | */ 16 | 17 | module "cloudbuild_enabled" { 18 | source = "../../../examples/cloudbuild_enabled" 19 | 20 | org_id = var.org_id 21 | billing_account = var.billing_account 22 | group_org_admins = var.group_org_admins 23 | group_billing_admins = var.group_billing_admins 24 | default_region = var.default_region 25 | project_prefix = "cft-test-cb" 26 | force_destroy = var.force_destroy 27 | project_deletion_policy = var.project_deletion_policy 28 | } 29 | 30 | -------------------------------------------------------------------------------- /test/fixtures/cloudbuild_enabled/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources." 19 | type = string 20 | } 21 | 22 | variable "org_id" { 23 | description = "The numeric organization id" 24 | type = string 25 | } 26 | 27 | variable "folder_id" { 28 | description = "The folder to deploy in" 29 | type = string 30 | } 31 | 32 | variable "billing_account" { 33 | description = "The billing account id associated with the project, e.g. 
XXXXXX-YYYYYY-ZZZZZZ" 34 | type = string 35 | } 36 | 37 | variable "group_org_admins" { 38 | description = "Google Group for GCP Organization Administrators" 39 | type = string 40 | } 41 | 42 | variable "group_billing_admins" { 43 | description = "Google Group for GCP Billing Administrators" 44 | type = string 45 | } 46 | 47 | variable "default_region" { 48 | description = "Default region to create resources where applicable." 49 | type = string 50 | default = "us-central1" 51 | } 52 | 53 | variable "org_project_creators" { 54 | description = "Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required." 55 | type = list(string) 56 | default = [] 57 | } 58 | 59 | variable "force_destroy" { 60 | description = "If supplied, the logs and artifacts buckets will be deleted even while containing objects." 61 | type = bool 62 | default = false 63 | } 64 | 65 | variable "project_deletion_policy" { 66 | description = "The deletion policy for the project created." 67 | type = string 68 | default = "PREVENT" 69 | } 70 | -------------------------------------------------------------------------------- /test/fixtures/cloudbuild_repo_connection_github/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
 */

# Random suffix so parallel test runs in one project do not collide on secret
# ids (.dec renders the 4 random bytes as a decimal string).
resource "random_id" "suffix" {
  byte_length = 4
}

# Github Secret
# Container for the GitHub PAT the Cloud Build connection authenticates with.
# `auto {}` replication means Google-managed placement and Google-managed
# encryption keys; no customer_managed_encryption is configured here.
resource "google_secret_manager_secret" "github_token" {
  project   = var.project_id
  secret_id = "cb-github-pat-${random_id.suffix.dec}"

  replication {
    auto {

    }
  }
}

# SECURITY: secret_data is persisted in Terraform state in plaintext. The
# `sensitive` flag on var.github_pat only redacts plan/apply output, so the
# state backend for this fixture must be access-controlled, and the PAT should
# be rotated if that state is ever exposed.
resource "google_secret_manager_secret_version" "github_token" {
  secret      = google_secret_manager_secret.github_token.id
  secret_data = var.github_pat
}

# The GitHub App id is not a credential by itself, but the example module takes
# it as a Secret Manager secret id (github_app_id_secret_id), so it is stored
# the same way as the PAT.
resource "google_secret_manager_secret" "github_app_id" {
  project   = var.project_id
  secret_id = "cb-github-app-id-${random_id.suffix.dec}"

  replication {
    auto {

    }
  }
}

resource "google_secret_manager_secret_version" "github_app_id" {
  secret      = google_secret_manager_secret.github_app_id.id
  secret_data = var.github_app_id
}

# Eventual-consistency buffer: the secret versions must be readable by the time
# the example module creates the connection. 30s is an empirical value, not a
# guarantee - if a first apply intermittently fails reading the secrets, this
# is the knob to turn.
resource "time_sleep" "propagation" {
  create_duration = "30s"

  depends_on = [
    google_secret_manager_secret_version.github_app_id,
    google_secret_manager_secret_version.github_token
  ]
}

module "example" {
  source = "../../../examples/cloudbuild_repo_connection_github"

  project_id = var.project_id
  # Full resource names (projects/.../secrets/...), not the bare secret_id.
  github_pat_secret_id    = google_secret_manager_secret.github_token.id
  github_app_id_secret_id = google_secret_manager_secret.github_app_id.id
  repository_name         = var.repository_name
  repository_url          = var.repository_url

  depends_on = [time_sleep.propagation]
}
--------------------------------------------------------------------------------
/test/fixtures/cloudbuild_repo_connection_github/outputs.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# Pass-through of the example's outputs so the integration test can inspect
# the Cloud Build (2nd gen) connection and repositories it created.
output "cloud_build_repositories_2nd_gen_connection" {
  description = "Cloudbuild connection created."
  value       = module.example.cloud_build_repositories_2nd_gen_connection
}

output "cloud_build_repositories_2nd_gen_repositories" {
  description = "Created repositories."
  value       = module.example.cloud_build_repositories_2nd_gen_repositories
}
--------------------------------------------------------------------------------
/test/fixtures/cloudbuild_repo_connection_github/variables.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

variable "project_id" {
  description = "The ID of the project in which to provision resources."
  type        = string
}

# `sensitive = true` redacts the value from plan/apply output and taints
# expressions derived from it; it does NOT keep the value out of state (the
# fixture's main.tf writes it into a Secret Manager version, which is stored
# in state in plaintext). Supply it via TF_VAR_github_pat or a -var-file that
# is never committed.
variable "github_pat" {
  description = "The personal access token for authenticating with GitHub."
  type        = string
  sensitive   = true
}

# Not a credential on its own, but kept sensitive and handled like the PAT
# because the example consumes it from Secret Manager.
variable "github_app_id" {
  description = "The application ID for the Cloudbuild GitHub app."
  type        = string
  sensitive   = true
}

# Expected to be the HTTPS clone URL ending in ".git" (per description). That
# is not validated here; a `validation` block could enforce the suffix.
variable "repository_url" {
  description = "The HTTPS clone URL of the repository, ending with .git."
  type        = string
}

variable "repository_name" {
  description = "The name of the test repository."
  type        = string
}
--------------------------------------------------------------------------------
/test/fixtures/cloudbuild_repo_connection_gitlab/outputs.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# Pass-through of the GitLab example's outputs for the integration test.
output "cloud_build_repositories_2nd_gen_connection" {
  description = "Cloudbuild connection created."
  value       = module.example.cloud_build_repositories_2nd_gen_connection
}

output "cloud_build_repositories_2nd_gen_repositories" {
  description = "Created repositories."
  value       = module.example.cloud_build_repositories_2nd_gen_repositories
}
--------------------------------------------------------------------------------
/test/fixtures/cloudbuild_repo_connection_gitlab/variables.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

variable "project_id" {
  description = "The ID of the project in which to provision resources."
  type        = string
}

# Expected to be the HTTPS clone URL ending in ".git" (per description); not
# validated here.
variable "repository_url" {
  description = "The HTTPS clone URL of the repository, ending with .git."
  type        = string
}

variable "repository_name" {
  description = "The name of the test repository."
  type        = string
}

# GitLab tokens for the Cloud Build connection (write-capable authorizer and a
# read-only authorizer). How this fixture stores them is in its main.tf, which
# is not shown here; presumably Secret Manager versions as in the GitHub
# fixture, in which case the values also land in Terraform state - confirm.
# `sensitive` only redacts CLI output.
variable "gitlab_authorizer_credential" {
  description = "Credential for GitLab authorizer"
  type        = string
  sensitive   = true
}

variable "gitlab_read_authorizer_credential" {
  description = "Credential for GitLab read authorizer"
  type        = string
  sensitive   = true
}
--------------------------------------------------------------------------------
/test/fixtures/simple-folder/main.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2018 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
15 | */ 16 | 17 | module "simple" { 18 | source = "../../../examples/simple-folder" 19 | 20 | org_id = var.org_id 21 | parent = var.parent_folder 22 | billing_account = var.billing_account 23 | group_org_admins = var.group_org_admins 24 | group_billing_admins = var.group_billing_admins 25 | default_region = var.default_region 26 | project_prefix = "cft-test-fldr" 27 | project_deletion_policy = var.project_deletion_policy 28 | } 29 | -------------------------------------------------------------------------------- /test/fixtures/simple-folder/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "seed_project_id" { 18 | description = "Project where service accounts and core APIs will be enabled." 19 | value = module.simple.seed_project_id 20 | } 21 | 22 | output "terraform_sa_email" { 23 | description = "Email for privileged service account for Terraform." 24 | value = module.simple.terraform_sa_email 25 | } 26 | 27 | output "terraform_sa_name" { 28 | description = "Fully qualified name for privileged service account for Terraform." 29 | value = module.simple.terraform_sa_name 30 | } 31 | 32 | output "gcs_bucket_tfstate" { 33 | description = "Bucket used for storing terraform state for foundations pipelines in seed project." 
34 | value = module.simple.gcs_bucket_tfstate 35 | } 36 | 37 | output "parent_folder" { 38 | description = "Parent folder" 39 | value = var.parent_folder 40 | } 41 | 42 | output "org_id" { 43 | description = "Org id" 44 | value = var.org_id 45 | } 46 | -------------------------------------------------------------------------------- /test/fixtures/simple-folder/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources." 19 | type = string 20 | } 21 | 22 | variable "org_id" { 23 | description = "The numeric organization id" 24 | type = string 25 | } 26 | 27 | variable "folder_id" { 28 | description = "The folder to deploy in" 29 | type = string 30 | } 31 | 32 | variable "parent_folder" { 33 | description = "The bootstrap parent folder" 34 | type = string 35 | } 36 | 37 | variable "billing_account" { 38 | description = "The billing account id associated with the project, e.g. 
XXXXXX-YYYYYY-ZZZZZZ" 39 | type = string 40 | } 41 | 42 | variable "group_org_admins" { 43 | description = "Google Group for GCP Organization Administrators" 44 | type = string 45 | } 46 | 47 | variable "group_billing_admins" { 48 | description = "Google Group for GCP Billing Administrators" 49 | type = string 50 | } 51 | 52 | variable "default_region" { 53 | description = "Default region to create resources where applicable." 54 | type = string 55 | default = "us-central1" 56 | } 57 | 58 | variable "org_project_creators" { 59 | description = "Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required." 60 | type = list(string) 61 | default = [] 62 | } 63 | 64 | variable "project_deletion_policy" { 65 | description = "The deletion policy for the project created." 66 | type = string 67 | default = "PREVENT" 68 | } 69 | -------------------------------------------------------------------------------- /test/fixtures/simple/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | module "simple" { 18 | source = "../../../examples/simple" 19 | 20 | org_id = var.org_id 21 | billing_account = var.billing_account 22 | group_org_admins = var.group_org_admins 23 | group_billing_admins = var.group_billing_admins 24 | default_region = var.default_region 25 | project_prefix = "cft-test" 26 | project_deletion_policy = var.project_deletion_policy 27 | } 28 | -------------------------------------------------------------------------------- /test/fixtures/simple/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "seed_project_id" { 18 | description = "Project where service accounts and core APIs will be enabled." 19 | value = module.simple.seed_project_id 20 | } 21 | 22 | output "terraform_sa_email" { 23 | description = "Email for privileged service account for Terraform." 24 | value = module.simple.terraform_sa_email 25 | } 26 | 27 | output "terraform_sa_name" { 28 | description = "Fully qualified name for privileged service account for Terraform." 29 | value = module.simple.terraform_sa_name 30 | } 31 | 32 | output "gcs_bucket_tfstate" { 33 | description = "Bucket used for storing terraform state for foundations pipelines in seed project." 
34 | value = module.simple.gcs_bucket_tfstate 35 | } 36 | -------------------------------------------------------------------------------- /test/fixtures/simple/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources." 19 | type = string 20 | } 21 | 22 | variable "org_id" { 23 | description = "The numeric organization id" 24 | type = string 25 | } 26 | 27 | variable "folder_id" { 28 | description = "The folder to deploy in" 29 | type = string 30 | } 31 | 32 | variable "billing_account" { 33 | description = "The billing account id associated with the project, e.g. XXXXXX-YYYYYY-ZZZZZZ" 34 | type = string 35 | } 36 | 37 | variable "group_org_admins" { 38 | description = "Google Group for GCP Organization Administrators" 39 | type = string 40 | } 41 | 42 | variable "group_billing_admins" { 43 | description = "Google Group for GCP Billing Administrators" 44 | type = string 45 | } 46 | 47 | variable "default_region" { 48 | description = "Default region to create resources where applicable." 49 | type = string 50 | default = "us-central1" 51 | } 52 | 53 | variable "org_project_creators" { 54 | description = "Additional list of members to have project creator role accross the organization. 
Prefix of group: user: or serviceAccount: is required." 55 | type = list(string) 56 | default = [] 57 | } 58 | 59 | variable "project_deletion_policy" { 60 | description = "The deletion policy for the project created." 61 | type = string 62 | default = "PREVENT" 63 | } 64 | -------------------------------------------------------------------------------- /test/fixtures/tf_cloudbuild_builder_simple_github/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
 */

# Random suffix so parallel test runs in one project do not collide on secret
# ids (.dec renders the 4 random bytes as a decimal string).
resource "random_id" "suffix" {
  byte_length = 4
}

# Github Secret
# Container for the GitHub PAT used by the builder's Cloud Build connection.
# `auto {}` replication: Google-managed placement and encryption keys.
resource "google_secret_manager_secret" "github_token" {
  project   = var.project_id
  secret_id = "builder-gh-${random_id.suffix.dec}"

  replication {
    auto {

    }
  }
}

# SECURITY: secret_data is written to Terraform state in plaintext; the
# `sensitive` flag on var.github_pat only redacts CLI output. Protect the state
# backend for this fixture and rotate the PAT if the state is ever exposed.
resource "google_secret_manager_secret_version" "github_token" {
  secret      = google_secret_manager_secret.github_token.id
  secret_data = var.github_pat
}

# App id is not a credential, but the example expects it via Secret Manager.
resource "google_secret_manager_secret" "github_app_id" {
  project   = var.project_id
  secret_id = "builder-gh-app-id-${random_id.suffix.dec}"

  replication {
    auto {

    }
  }
}

resource "google_secret_manager_secret_version" "github_app_id" {
  secret      = google_secret_manager_secret.github_app_id.id
  secret_data = var.github_app_id
}

# NOTE(review): unlike the cloudbuild_repo_connection_github fixture, there is
# no time_sleep between creating the secret versions and the example module
# reading them. If first applies intermittently fail to read the secrets,
# that propagation gap is the likely cause.
module "example" {
  source = "../../../examples/tf_cloudbuild_builder_simple_github"

  project_id = var.project_id
  # Full resource names (projects/.../secrets/...), not the bare secret_id.
  github_pat_secret_id    = google_secret_manager_secret.github_token.id
  github_app_id_secret_id = google_secret_manager_secret.github_app_id.id
  repository_uri          = var.repository_uri
}
--------------------------------------------------------------------------------
/test/fixtures/tf_cloudbuild_builder_simple_github/outputs.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# Pass-through of the example's outputs for the integration test.

# Artifact Registry repo that holds the Terraform builder images. Downstream
# pipelines should reference these images by digest rather than a mutable tag;
# whether the example does so is not visible from this fixture.
output "artifact_repo" {
  description = "GAR Repo created to store TF Cloud Builder images"
  value       = module.example.artifact_repo
}

# Cloud Workflows workflow that kicks off a new builder image build.
output "workflow_id" {
  description = "Workflow ID for triggering new TF Builder build"
  value       = module.example.workflow_id
}

# Cloud Scheduler job that runs the workflow on a cadence, so the builder image
# is rebuilt (and picks up upstream changes) automatically. Keep the
# Dockerfile's base image and tool versions pinned so a scheduled rebuild
# cannot silently pull in an unreviewed upstream change.
output "scheduler_id" {
  description = "Scheduler ID for periodically triggering TF Builder build Workflow"
  value       = module.example.scheduler_id
}

output "cloudbuild_trigger_id" {
  description = "Trigger used for building new TF Builder"
  value       = module.example.cloudbuild_trigger_id
}

output "repository_id" {
  description = "ID of the Cloud Build repositories (2nd gen) repository"
  value       = module.example.repository_id
}

output "project_id" {
  description = "The ID of the project in which the resources were provisioned"
  value       = module.example.project_id
}

output "location" {
  description = "The location in which the resources were provisioned"
  value       = module.example.location
}
--------------------------------------------------------------------------------
/test/fixtures/tf_cloudbuild_builder_simple_github/variables.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources." 19 | type = string 20 | } 21 | 22 | variable "github_pat" { 23 | description = "The personal access token for authenticating with GitHub." 24 | type = string 25 | sensitive = true 26 | } 27 | 28 | variable "github_app_id" { 29 | description = "The application ID for the Cloudbuild GitHub app." 30 | type = string 31 | sensitive = true 32 | } 33 | 34 | variable "repository_uri" { 35 | description = "The URI of the GitHub repository where the Terraform configs are stored." 36 | type = string 37 | } 38 | -------------------------------------------------------------------------------- /test/fixtures/tf_cloudbuild_builder_simple_gitlab/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | output "artifact_repo" { 18 | description = "GAR Repo created to store TF Cloud Builder images" 19 | value = module.example.artifact_repo 20 | } 21 | 22 | output "workflow_id" { 23 | description = "Workflow ID for triggering new TF Builder build" 24 | value = module.example.workflow_id 25 | } 26 | 27 | output "scheduler_id" { 28 | description = "Scheduler ID for periodically triggering TF Builder build Workflow" 29 | value = module.example.scheduler_id 30 | } 31 | 32 | output "cloudbuild_trigger_id" { 33 | description = "Trigger used for building new TF Builder" 34 | value = module.example.cloudbuild_trigger_id 35 | } 36 | 37 | output "repository_id" { 38 | description = "ID of the Cloud Build repositories (2nd gen) repository" 39 | value = module.example.repository_id 40 | } 41 | 42 | output "project_id" { 43 | description = "The ID of the project in which the resources were provisioned" 44 | value = module.example.project_id 45 | } 46 | 47 | output "location" { 48 | description = "The location in which the resources were provisioned" 49 | value = module.example.location 50 | } 51 | -------------------------------------------------------------------------------- /test/fixtures/tf_cloudbuild_builder_simple_gitlab/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources." 19 | type = string 20 | } 21 | 22 | variable "repository_uri" { 23 | description = "The HTTPS clone URL of the repository, ending with .git." 24 | type = string 25 | } 26 | 27 | variable "gitlab_authorizer_credential" { 28 | description = "Credential for GitLab authorizer" 29 | type = string 30 | sensitive = true 31 | } 32 | 33 | variable "gitlab_read_authorizer_credential" { 34 | description = "Credential for GitLab read authorizer" 35 | type = string 36 | sensitive = true 37 | } 38 | -------------------------------------------------------------------------------- /test/fixtures/tf_cloudbuild_workspace_simple_github/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
 */

resource "random_id" "suffix" {
  byte_length = 4
}

# Github Secret
# NOTE(review): the PAT is supplied through var.github_pat and written into
# Secret Manager by the secret_version below. Terraform keeps secret_data in
# state, so the state backend for this fixture must be treated as holding the
# credential in plaintext (sensitive = true on the variable only redacts CLI
# output).
resource "google_secret_manager_secret" "github_token" {
  project   = var.project_id
  secret_id = "cb-gh-${random_id.suffix.dec}"

  replication {
    auto {

    }
  }
}

# Seeds the secret with the GitHub PAT; the value lands in state (see note above).
resource "google_secret_manager_secret_version" "github_token" {
  secret      = google_secret_manager_secret.github_token.id
  secret_data = var.github_pat
}

# Holds the Cloud Build GitHub app ID; stored the same way as the PAT above.
resource "google_secret_manager_secret" "github_app_id" {
  project   = var.project_id
  secret_id = "cb-gh-app-id-${random_id.suffix.dec}"

  replication {
    auto {

    }
  }
}

resource "google_secret_manager_secret_version" "github_app_id" {
  secret      = google_secret_manager_secret.github_app_id.id
  secret_data = var.github_app_id
}

# Exercises the example with the Secret Manager *secret* ids (not version ids);
# presumably the example resolves the current version itself — confirm against
# the example module.
module "example" {
  source = "../../../examples/tf_cloudbuild_workspace_simple_github"

  project_id              = var.project_id
  github_pat_secret_id    = google_secret_manager_secret.github_token.id
  github_app_id_secret_id = google_secret_manager_secret.github_app_id.id
  repository_uri          = var.repository_uri
}
--------------------------------------------------------------------------------
/test/fixtures/tf_cloudbuild_workspace_simple_github/outputs.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "cloudbuild_plan_trigger_id" { 18 | description = "Trigger used for running TF plan" 19 | value = module.example.cloudbuild_plan_trigger_id 20 | } 21 | 22 | output "cloudbuild_apply_trigger_id" { 23 | description = "Trigger used for running TF apply" 24 | value = module.example.cloudbuild_apply_trigger_id 25 | } 26 | 27 | output "cloudbuild_sa" { 28 | description = "SA used by Cloud Build triggers" 29 | value = module.example.cloudbuild_sa 30 | } 31 | 32 | output "state_bucket" { 33 | description = "Bucket for storing TF state" 34 | value = module.example.state_bucket 35 | } 36 | 37 | output "logs_bucket" { 38 | description = "Bucket for storing TF logs" 39 | value = module.example.logs_bucket 40 | } 41 | 42 | output "artifacts_bucket" { 43 | description = "Bucket for storing TF plans" 44 | value = module.example.artifacts_bucket 45 | } 46 | 47 | output "project_id" { 48 | description = "The ID of the project in which the resources were provisioned" 49 | value = module.example.project_id 50 | } 51 | 52 | output "location" { 53 | description = "The location in which the resources were provisioned" 54 | value = module.example.location 55 | } 56 | 57 | -------------------------------------------------------------------------------- /test/fixtures/tf_cloudbuild_workspace_simple_github/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources." 19 | type = string 20 | } 21 | 22 | variable "github_pat" { 23 | description = "The personal access token for authenticating with GitHub." 24 | type = string 25 | sensitive = true 26 | } 27 | 28 | variable "github_app_id" { 29 | description = "The application ID for the Cloudbuild GitHub app." 30 | type = string 31 | sensitive = true 32 | } 33 | 34 | variable "repository_uri" { 35 | description = "The HTTPS clone URL of the repository, ending with .git." 36 | type = string 37 | } 38 | -------------------------------------------------------------------------------- /test/fixtures/tf_cloudbuild_workspace_simple_gitlab/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | output "cloudbuild_plan_trigger_id" { 18 | description = "Trigger used for running TF plan" 19 | value = module.example.cloudbuild_plan_trigger_id 20 | } 21 | 22 | output "cloudbuild_apply_trigger_id" { 23 | description = "Trigger used for running TF apply" 24 | value = module.example.cloudbuild_apply_trigger_id 25 | } 26 | 27 | output "cloudbuild_sa" { 28 | description = "SA used by Cloud Build triggers" 29 | value = module.example.cloudbuild_sa 30 | } 31 | 32 | output "state_bucket" { 33 | description = "Bucket for storing TF state" 34 | value = module.example.state_bucket 35 | } 36 | 37 | output "logs_bucket" { 38 | description = "Bucket for storing TF logs" 39 | value = module.example.logs_bucket 40 | } 41 | 42 | output "artifacts_bucket" { 43 | description = "Bucket for storing TF plans" 44 | value = module.example.artifacts_bucket 45 | } 46 | 47 | output "project_id" { 48 | description = "The ID of the project in which the resources were provisioned" 49 | value = module.example.project_id 50 | } 51 | 52 | output "location" { 53 | description = "The location in which the resources were provisioned" 54 | value = module.example.location 55 | } 56 | -------------------------------------------------------------------------------- /test/fixtures/tf_cloudbuild_workspace_simple_gitlab/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources." 19 | type = string 20 | } 21 | 22 | variable "repository_uri" { 23 | description = "The HTTPS clone URL of the repository, ending with .git." 24 | type = string 25 | } 26 | 27 | variable "gitlab_authorizer_credential" { 28 | description = "Credential for GitLab authorizer" 29 | type = string 30 | sensitive = true 31 | } 32 | 33 | variable "gitlab_read_authorizer_credential" { 34 | description = "Credential for GitLab read authorizer" 35 | type = string 36 | sensitive = true 37 | } 38 | -------------------------------------------------------------------------------- /test/integration/cloudbuild_enabled/inspec.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 

name: simple
depends:
  - name: inspec-gcp
    git: https://github.com/inspec/inspec-gcp.git
    # NOTE(review): a git tag is a mutable reference, so this pin alone does not
    # guarantee identical resource-pack contents on every run; pinning the tag's
    # commit SHA would make the test dependency reproducible.
    tag: v1.8.0
# Inputs presumably read by the controls via attribute("<name>").
# group_org_admins is the only entry declared without a type, unlike the rest.
attributes:
  - name: group_org_admins
    required: true
  - name: seed_project_id
    required: true
    type: string
  - name: terraform_sa_email
    required: true
    type: string
  - name: terraform_sa_name
    required: true
    type: string
  - name: gcs_bucket_tfstate
    required: true
    type: string
  - name: cloudbuild_project_id
    required: true
    type: string
  - name: gcs_bucket_cloudbuild_artifacts
    required: true
    type: string
  - name: gcs_bucket_cloudbuild_logs
    required: true
    type: string
  - name: csr_repos
    required: true
    type: hash
  - name: tf_runner_artifact_repo
    required: true
    type: string
--------------------------------------------------------------------------------
/test/integration/discover_test.go:
--------------------------------------------------------------------------------
// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package test

import (
	"testing"

	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
)

// TestAll is the single Go test entry point for the integration suite; it
// delegates discovery and execution of the individual blueprint tests to the
// blueprint-test harness (tft.AutoDiscoverAndTest).
func TestAll(t *testing.T) {
	tft.AutoDiscoverAndTest(t)
}
--------------------------------------------------------------------------------
/test/integration/im_cloudbuild_workspace_github/files/main.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
15 | */ 16 | 17 | variable "project_id" { 18 | description = "The project ID to host the network in" 19 | } 20 | 21 | module "test-vpc-module" { 22 | source = "terraform-google-modules/network/google" 23 | version = "10.0.0" 24 | project_id = var.project_id 25 | network_name = "my-github-example-custom-network" 26 | 27 | subnets = [ 28 | { 29 | subnet_name = "github-example-subnet-01" 30 | subnet_ip = "10.10.10.0/24" 31 | subnet_region = "us-west1" 32 | }, 33 | { 34 | subnet_name = "github-example-subnet-02" 35 | subnet_ip = "10.10.20.0/24" 36 | subnet_region = "us-west1" 37 | subnet_private_access = "true" 38 | subnet_flow_logs = "true" 39 | }, 40 | { 41 | subnet_name = "github-example-subnet-03" 42 | subnet_ip = "10.10.30.0/24" 43 | subnet_region = "us-west1" 44 | subnet_flow_logs = "true" 45 | subnet_flow_logs_interval = "INTERVAL_10_MIN" 46 | subnet_flow_logs_sampling = 0.7 47 | subnet_flow_logs_metadata = "INCLUDE_ALL_METADATA" 48 | subnet_flow_logs_filter = "false" 49 | } 50 | ] 51 | } 52 | -------------------------------------------------------------------------------- /test/integration/im_cloudbuild_workspace_gitlab/files/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | variable "project_id" { 18 | description = "The project ID to host the network in" 19 | } 20 | 21 | module "test-vpc-module" { 22 | source = "terraform-google-modules/network/google" 23 | version = "10.0.0" 24 | project_id = var.project_id 25 | network_name = "my-gitlab-example-custom-network" 26 | 27 | subnets = [ 28 | { 29 | subnet_name = "gitlab-example-subnet-01" 30 | subnet_ip = "10.10.10.0/24" 31 | subnet_region = "us-west1" 32 | }, 33 | { 34 | subnet_name = "gitlab-example-subnet-02" 35 | subnet_ip = "10.10.20.0/24" 36 | subnet_region = "us-west1" 37 | subnet_private_access = "true" 38 | subnet_flow_logs = "true" 39 | }, 40 | { 41 | subnet_name = "gitlab-example-subnet-03" 42 | subnet_ip = "10.10.30.0/24" 43 | subnet_region = "us-west1" 44 | subnet_flow_logs = "true" 45 | subnet_flow_logs_interval = "INTERVAL_10_MIN" 46 | subnet_flow_logs_sampling = 0.7 47 | subnet_flow_logs_metadata = "INCLUDE_ALL_METADATA" 48 | subnet_flow_logs_filter = "false" 49 | } 50 | ] 51 | } 52 | -------------------------------------------------------------------------------- /test/integration/simple-folder/inspec.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | name: bootstrap-folder 16 | depends: 17 | - name: inspec-gcp 18 | git: https://github.com/inspec/inspec-gcp.git 19 | tag: v1.8.0 20 | attributes: 21 | - name: group_org_admins 22 | required: true 23 | - name: seed_project_id 24 | required: true 25 | type: string 26 | - name: terraform_sa_email 27 | required: true 28 | type: string 29 | - name: terraform_sa_name 30 | required: true 31 | type: string 32 | - name: gcs_bucket_tfstate 33 | required: true 34 | type: string 35 | - name: parent_folder 36 | required: true 37 | type: string 38 | - name: org_id 39 | required: true 40 | type: string 41 | -------------------------------------------------------------------------------- /test/integration/simple/controls/gcp.rb: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 

# APIs the bootstrap module is expected to leave enabled on the seed project.
default_apis = %w[
  serviceusage.googleapis.com
  servicenetworking.googleapis.com
  compute.googleapis.com
  logging.googleapis.com
  bigquery.googleapis.com
  cloudresourcemanager.googleapis.com
  cloudbilling.googleapis.com
  iam.googleapis.com
  admin.googleapis.com
  appengine.googleapis.com
  storage-api.googleapis.com
]

control "bootstrap" do
  title "Bootstrap module GCP resources"

  seed_project = attribute("seed_project_id")
  state_bucket = attribute("gcs_bucket_tfstate")
  tf_sa_member = "serviceAccount:#{attribute('terraform_sa_email')}"
  # terraform_sa_name is a full resource name; the account id is its last segment.
  tf_sa_id = attribute("terraform_sa_name").split("/").last

  describe google_project(project: seed_project) do
    it { should exist }
  end

  describe google_storage_bucket(name: state_bucket) do
    it { should exist }
  end

  # The Terraform SA must be a storage admin on the state bucket.
  describe google_storage_bucket_iam_binding(bucket: state_bucket, role: "roles/storage.admin") do
    its("members") { should include tf_sa_member }
  end

  describe google_service_account(project: seed_project, name: tf_sa_id) do
    it { should exist }
  end

  # No user-managed keys should exist on the Terraform SA.
  describe google_service_account_keys(project: seed_project, service_account: tf_sa_id) do
    its("key_types") { should_not include "USER_MANAGED" }
  end

  default_apis.each do |api|
    describe google_project_service(project: seed_project, name: api) do
      it { should exist }
      its("state") { should cmp "ENABLED" }
    end
  end
end
--------------------------------------------------------------------------------
/test/integration/simple/inspec.yml:
--------------------------------------------------------------------------------
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: simple 16 | depends: 17 | - name: inspec-gcp 18 | git: https://github.com/inspec/inspec-gcp.git 19 | tag: v1.8.0 20 | attributes: 21 | - name: group_org_admins 22 | required: true 23 | - name: seed_project_id 24 | required: true 25 | type: string 26 | - name: terraform_sa_email 27 | required: true 28 | type: string 29 | - name: terraform_sa_name 30 | required: true 31 | type: string 32 | - name: gcs_bucket_tfstate 33 | required: true 34 | type: string 35 | -------------------------------------------------------------------------------- /test/integration/utils/utils.go: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
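
package utils

import (
	"os"
	"strings"
	"testing"

	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
	"github.com/xanzy/go-gitlab"
)

// GetRandomStringFromSetup returns the "random_testing_string" output of the
// shared test setup stage, read through the blueprint-test harness.
func GetRandomStringFromSetup(t *testing.T) string {
	t.Helper()
	setup := tft.NewTFBlueprintTest(t)
	return setup.GetTFSetupStringOutput("random_testing_string")
}

// GetFileContents returns the contents of the file at path, failing the
// current test (t.Fatal) if the file cannot be read.
func GetFileContents(t *testing.T, path string) []byte {
	t.Helper()
	contents, err := os.ReadFile(path)
	if err != nil {
		t.Fatal(err.Error())
	}
	return contents
}

// LastElement returns the last element of strings.Split(str, sep): the text
// after the final sep, or str unchanged when sep does not occur.
// Typically used to grab a resource ID from a full resource name.
func LastElement(str, sep string) string {
	// Split once; the original split the string twice to index the result.
	parts := strings.Split(str, sep)
	return parts[len(parts)-1]
}

// GetDeleteProjectOptions returns default DeleteProjectOptions
func GetDeleteProjectOptions() *gitlab.DeleteProjectOptions {
	return &gitlab.DeleteProjectOptions{}
}
--------------------------------------------------------------------------------
/test/setup/.gitignore:
--------------------------------------------------------------------------------
# Local-only inputs and environment script, intentionally untracked.
terraform.tfvars
source.sh
--------------------------------------------------------------------------------
/test/setup/iam.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2019 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.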
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# IAM for the integration-test service account ("ci-account"). The grants are
# deliberately broad (project owner plus organization-level admin roles) because
# the CI account drives the bootstrap module end to end; this setup belongs
# only in a dedicated test organization.
locals {
  # Project-level roles on the test project.
  int_required_roles = [
    "roles/owner"
  ]
  # Organization-level roles, bound in google_organization_iam_member below.
  int_org_required_roles = [
    "roles/billing.user",
    "roles/resourcemanager.organizationAdmin",
    "roles/orgpolicy.policyAdmin",
    "roles/resourcemanager.projectCreator"
  ]
}

# Org-level bindings for the CI service account (despite the resource name,
# the member is the service account, not a group).
resource "google_organization_iam_member" "org_admins_group" {
  for_each = toset(local.int_org_required_roles)
  org_id   = var.org_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.int_test.email}"
}

# NOTE(review): named *_user but grants roles/billing.admin on the billing
# account, while roles/billing.user is already granted at org level above;
# confirm admin is required and rename or downgrade accordingly.
resource "google_billing_account_iam_member" "tf_billing_user" {
  billing_account_id = var.billing_account
  role               = "roles/billing.admin"
  member             = "serviceAccount:${google_service_account.int_test.email}"
}

# The CI identity everything in this file is granted to.
resource "google_service_account" "int_test" {
  project      = module.project.project_id
  account_id   = "ci-account"
  display_name = "ci-account"
}

resource "google_project_iam_member" "int_test" {
  for_each = toset(local.int_required_roles)

  project = module.project.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.int_test.email}"
}

# Creates a user-managed key for the CI account. The private key is persisted in
# Terraform state and surfaced through the sa_key output in outputs.tf, so the
# state backend holds a long-lived credential carrying every role granted above.
resource "google_service_account_key" "int_test" {
  service_account_id = google_service_account.int_test.id
}

# Grants the Cloud Build service agent role to the project's Cloud Build service
# agent identity; depends_on makes sure the project (and its number) exists first.
resource "google_project_iam_member" "cb_service_agent_role" {
  project = module.project.project_id
  role    = "roles/cloudbuild.serviceAgent"
  member  = "serviceAccount:service-${module.project.project_number}@gcp-sa-cloudbuild.iam.gserviceaccount.com"

  depends_on = [module.project]
}
--------------------------------------------------------------------------------
/test/setup/outputs.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2019 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

output "project_id" {
  value = module.project.project_id
}

# Private key material of the CI service account. sensitive = true only redacts
# it from plan/apply output; it remains in plaintext in the state file.
output "sa_key" {
  value     = google_service_account_key.int_test.private_key
  sensitive = true
}

output "org_id" {
  value = var.org_id
}

output "folder_id" {
  value = var.folder_id
}

output "parent_folder" {
  value = google_folder.bootstrap.name
}

output "billing_account" {
  value = var.billing_account
}

output "group_org_admins" {
  value = var.group_org_admins
}

output "group_billing_admins" {
  value = var.group_billing_admins
}

output "default_region" {
  value = var.default_region
}

# The CI service account is the only principal allowed to create projects in
# the tests that consume this output.
output "org_project_creators" {
  value = ["serviceAccount:${google_service_account.int_test.email}"]
}

output "random_testing_string" {
  description = "Access the random ID created in setup for labeling other resources."
60 | value = random_id.suffix.hex 61 | } 62 | 63 | output "project_deletion_policy" { 64 | value = "DELETE" 65 | } 66 | -------------------------------------------------------------------------------- /test/setup/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | variable "org_id" { 17 | description = "The numeric organization id" 18 | type = string 19 | } 20 | 21 | variable "folder_id" { 22 | description = "The folder to deploy in" 23 | type = string 24 | } 25 | 26 | variable "billing_account" { 27 | description = "The billing account id associated with the project, e.g. XXXXXX-YYYYYY-ZZZZZZ" 28 | type = string 29 | } 30 | 31 | variable "group_org_admins" { 32 | description = "Google Group for GCP Organization Administrators" 33 | type = string 34 | } 35 | 36 | variable "group_billing_admins" { 37 | description = "Google Group for GCP Billing Administrators" 38 | type = string 39 | } 40 | 41 | variable "default_region" { 42 | description = "Default region to create resources where applicable." 
43 | type = string 44 | default = "us-central1" 45 | } 46 | -------------------------------------------------------------------------------- /test/setup/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 0.13.0" 19 | required_providers { 20 | google = { 21 | source = "hashicorp/google" 22 | version = ">= 3.50, < 7" 23 | } 24 | google-beta = { 25 | source = "hashicorp/google-beta" 26 | version = ">= 3.50, < 7" 27 | } 28 | random = { 29 | source = "hashicorp/random" 30 | } 31 | terracurl = { 32 | source = "devops-rob/terracurl" 33 | version = "~> 1.0" 34 | } 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | 20 | required_providers { 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 3.50, < 7" 24 | } 25 | random = { 26 | source = "hashicorp/random" 27 | version = ">= 3.1" 28 | } 29 | } 30 | 31 | provider_meta "google" { 32 | module_name = "blueprints/terraform/terraform-google-bootstrap/v11.0.0" 33 | } 34 | } 35 | --------------------------------------------------------------------------------
