Overview

Usage

Basic usage of this module is as follows:

module "bootstrap" {
  source  = "terraform-google-modules/bootstrap/google//modules/cloudbuild"
  version = "~> 9.0"

  org_id                  = "<ORGANIZATION_ID>"
  billing_account         = "<BILLING_ACCOUNT_ID>"
  group_org_admins        = "[email protected]"
  default_region          = "australia-southeast1"
  sa_enable_impersonation = true
  terraform_sa_email      = "<SERVICE_ACCOUNT_EMAIL>"
  terraform_sa_name       = "<SERVICE_ACCOUNT_NAME>"
  terraform_state_bucket  = "<GCS_STATE_BUCKET_NAME>"
}

Functional examples and sample Cloud Build definitions are included in the examples directory.

Features

  1. Create a new GCP cloud build project using project_prefix
  2. Enable APIs in the cloud build project using activate_apis
  3. Build a Terraform docker image for Cloud Build, including terraform-validator.
  4. Create a GCS bucket for Cloud Build Artifacts using project_prefix
  5. Create Cloud Source Repos for pipelines using list of repos in cloud_source_repos
    1. Create Cloud Build trigger for terraform apply on master branch
    2. Create Cloud Build trigger for terraform plan on all other branches
  6. Create KMS Keyring and key for encryption
    1. Grant access to decrypt to Cloud Build service account and terraform_sa_email
    2. Grant access to encrypt to group_org_admins
  7. Optionally give Cloud Build service account permissions to impersonate terraform service account using sa_enable_impersonation and supplied value for terraform_sa_name
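The KMS grants in step 6 and the impersonation grant in step 7 are the bindings a reviewer usually wants to verify after an apply, because a stray decrypter or token creator on these resources gives that principal the pipeline's secrets or the Terraform service account's authority. The following Python script is an added example, not part of this module or its examples directory: it compares an IAM policy, in the JSON shape returned by `gcloud kms keys get-iam-policy ... --format=json` or `gcloud iam service-accounts get-iam-policy ... --format=json`, against the principals the module is meant to grant, reporting members that should not be there and expected grants that are missing. The sample policies, principal names and the role names used (roles/cloudkms.cryptoKeyDecrypter, roles/cloudkms.cryptoKeyEncrypter, roles/iam.serviceAccountTokenCreator) are constructed assumptions that follow the feature list above, not values read from the module.

```python
from __future__ import annotations

import json

# Constructed placeholder principals (assumptions, not values from the module).
CLOUDBUILD_SA = "serviceAccount:123456789012@cloudbuild.gserviceaccount.com"
TERRAFORM_SA = "serviceAccount:org-terraform@cft-seed-a1b2.iam.gserviceaccount.com"
ORG_ADMINS = "group:gcp-organization-admins@example.com"

# Constructed sample: what `gcloud kms keys get-iam-policy --format=json` might
# return for the module's key. A former admin still holds decrypt here.
SAMPLE_KMS_KEY_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/cloudkms.cryptoKeyDecrypter",
         "members": [CLOUDBUILD_SA, TERRAFORM_SA, "user:former-admin@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyEncrypter",
         "members": [ORG_ADMINS]},
    ],
    "etag": "BwXplaceholder0=",
    "version": 1,
})

# Constructed sample: the terraform service account's own IAM policy. The
# conditional binding is exactly the kind of grant an audit must not wave through.
SAMPLE_TERRAFORM_SA_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/iam.serviceAccountTokenCreator", "members": [CLOUDBUILD_SA]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:alice@example.com"],
         "condition": {"title": "temporary",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    ],
    "etag": "BwXplaceholder1=",
    "version": 3,
})

# Assumed intent of features 6 and 7: decrypt for the two pipeline identities,
# encrypt for the org admins group, impersonation for the Cloud Build SA only.
EXPECTED_KMS_KEY: dict[str, set[str]] = {
    "roles/cloudkms.cryptoKeyDecrypter": {CLOUDBUILD_SA, TERRAFORM_SA},
    "roles/cloudkms.cryptoKeyEncrypter": {ORG_ADMINS},
}
EXPECTED_TERRAFORM_SA: dict[str, set[str]] = {
    "roles/iam.serviceAccountTokenCreator": {CLOUDBUILD_SA},
}


def unexpected_bindings(policy_json: str,
                        expected: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (role, member) pairs in the policy that `expected` does not allow.

    A role absent from `expected` allows nobody, so every member under it is
    reported. Conditional bindings are reported wholesale: this check does not
    evaluate IAM conditions, so it cannot vouch for who they actually admit.
    """
    policy = json.loads(policy_json)
    findings: list[tuple[str, str]] = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        conditional = "condition" in binding
        allowed = set() if conditional else expected.get(role, set())
        label = f"{role} (conditional)" if conditional else role
        for member in binding.get("members", []):
            if member not in allowed:
                findings.append((label, member))
    return sorted(findings)


def missing_bindings(policy_json: str,
                     expected: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return expected (role, member) grants that the policy does not contain.

    Only unconditional bindings count as present; a pipeline identity that can
    decrypt only while some condition holds is treated as not granted.
    """
    policy = json.loads(policy_json)
    present = {(b.get("role", ""), m)
               for b in policy.get("bindings", []) if "condition" not in b
               for m in b.get("members", [])}
    return sorted((role, member)
                  for role, members in expected.items()
                  for member in members
                  if (role, member) not in present)


if __name__ == "__main__":
    for name, policy, expected in (
        ("kms key", SAMPLE_KMS_KEY_POLICY, EXPECTED_KMS_KEY),
        ("terraform sa", SAMPLE_TERRAFORM_SA_POLICY, EXPECTED_TERRAFORM_SA),
    ):
        print(name, "unexpected:", unexpected_bindings(policy, expected))
        print(name, "missing:", missing_bindings(policy, expected))
```

To run it against a live project, replace the sample strings with the output of the two gcloud commands named above and the placeholder principals with the module's actual Cloud Build service account, terraform_sa_email and group_org_admins values; any non-empty result from either function is worth a ticket.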

Resources created

  • KMS Keyring and key for secrets, including IAM for Cloudbuild, Org Admins and Terraform service account
  • (optional) Cloudbuild impersonation permissions for a service account
  • (optional) Cloud Source Repos, with triggers for terraform plan (all other branches) & terraform apply (master)

Inputs

Each input is listed as name: description, followed by its type, default and whether it is required.

  • activate_apis: List of APIs to enable in the Cloudbuild project. Type: list(string). Default: ["serviceusage.googleapis.com", "servicenetworking.googleapis.com", "compute.googleapis.com", "logging.googleapis.com", "bigquery.googleapis.com", "cloudresourcemanager.googleapis.com", "cloudbilling.googleapis.com", "iam.googleapis.com", "admin.googleapis.com", "appengine.googleapis.com", "storage-api.googleapis.com"]. Required: no.
  • billing_account: The ID of the billing account to associate projects with. Type: string. Default: n/a. Required: yes.
  • cloud_source_repos: List of Cloud Source Repos to create with CloudBuild triggers. Type: list(string). Default: ["gcp-org", "gcp-networks", "gcp-projects"]. Required: no.
  • cloudbuild_apply_filename: Path and name of Cloud Build YAML definition used for terraform apply. Type: string. Default: "cloudbuild-tf-apply.yaml". Required: no.
  • cloudbuild_plan_filename: Path and name of Cloud Build YAML definition used for terraform plan. Type: string. Default: "cloudbuild-tf-plan.yaml". Required: no.
  • create_cloud_source_repos: If shared Cloud Source Repos should be created. Type: bool. Default: true. Required: no.
  • default_region: Default region to create resources where applicable. Type: string. Default: "us-central1". Required: no.
  • folder_id: The ID of a folder to host this project. Type: string. Default: "". Required: no.
  • force_destroy: If supplied, the logs and artifacts buckets will be deleted even while containing objects. Type: bool. Default: false. Required: no.
  • gar_repo_name: Custom name to use for GAR repo. Type: string. Default: "". Required: no.
  • gcloud_version: Default gcloud image version. Type: string. Default: "388.0.0-slim". Required: no.
  • group_org_admins: Google Group for GCP Organization Administrators. Type: string. Default: n/a. Required: yes.
  • impersonate_service_account: The service account to impersonate while running the gcloud builds submit command. Type: string. Default: "". Required: no.
  • org_id: GCP Organization ID. Type: string. Default: n/a. Required: yes.
  • project_auto_create_network: Create the default network for the project created. Type: bool. Default: false. Required: no.
  • project_deletion_policy: The deletion policy for the project created. Type: string. Default: "PREVENT". Required: no.
  • project_id: Custom project ID to use for project created. Type: string. Default: "". Required: no.
  • project_labels: Labels to apply to the project. Type: map(string). Default: {}. Required: no.
  • project_prefix: Name prefix to use for projects created. Type: string. Default: "cft". Required: no.
  • random_suffix: Appends a 4 character random suffix to project ID and GCS bucket name. Type: bool. Default: true. Required: no.
  • sa_enable_impersonation: Allow org_admins group to impersonate service account & enable APIs required. Type: bool. Default: false. Required: no.
  • storage_bucket_labels: Labels to apply to the storage bucket. Type: map(string). Default: {}. Required: no.
  • terraform_apply_branches: List of git branches configured to run terraform apply Cloud Build trigger. All other branches will run plan by default. Type: list(string). Default: ["main"]. Required: no.
  • terraform_sa_email: Email for terraform service account. Type: string. Default: n/a. Required: yes.
  • terraform_sa_name: Fully-qualified name of the terraform service account. Type: string. Default: n/a. Required: yes.
  • terraform_state_bucket: Default state bucket, used in Cloud Build substitutions. Type: string. Default: n/a. Required: yes.
  • terraform_version: Default terraform version. Type: string. Default: "1.0.2". Required: no.
  • terraform_version_sha256sum: sha256sum for default terraform version. Type: string. Default: "7329f887cc5a5bda4bedaec59c439a4af7ea0465f83e3c1b0f4d04951e1181f4". Required: no.

Outputs

  • cloudbuild_project_id: Project where CloudBuild configuration and terraform container image will reside.
  • csr_repos: List of Cloud Source Repos created by the module, linked to Cloud Build triggers.
  • gcs_bucket_cloudbuild_artifacts: Bucket used to store Cloud Build artifacts in CloudBuild project.
  • gcs_bucket_cloudbuild_logs: Bucket used to store Cloud Build logs in CloudBuild project.
  • tf_runner_artifact_repo: GAR Repo created to store runner images.

Requirements

Software

Permissions

  • roles/billing.user on supplied billing account
  • roles/resourcemanager.organizationAdmin on GCP Organization
  • roles/resourcemanager.projectCreator on GCP Organization or folder

APIs

A project with the following APIs enabled must be used to host the resources of this module:

  • Google Cloud Resource Manager API: cloudresourcemanager.googleapis.com
  • Google Cloud Billing API: cloudbilling.googleapis.com
  • Google Cloud IAM API: iam.googleapis.com
  • Google Cloud Storage API: storage-api.googleapis.com
  • Google Cloud Service Usage API: serviceusage.googleapis.com
  • Google Cloud Build API: cloudbuild.googleapis.com
  • Google Cloud KMS API: cloudkms.googleapis.com

If using Cloud Source Repositories, Google Cloud Source Repo API: sourcerepo.googleapis.com must also be enabled.

This API can be enabled in the default project created when establishing an organization.

Contributing

Refer to the contribution guidelines for information on contributing to this module.