feat!: Use Connect Gateway for standalone example (#59)

feat!: Use Connect Gateway as alternative to VPN for deploying to private GKE clusters from Cloud Build (addressing #20)
feat!: Require Cloud Build BYOSA in secure-cd submodule instead of default CB SA
feat: automatic app deployment testing in standalone example verification test
fix: documentation and walkthrough cleanup and clarification
chore(deps): bump Cloud Build builder image dependencies

build/cloudbuild-cd.yaml

@@ -26,6 +26,8 @@ artifacts:
     location: gs://$_CACHE_BUCKET_NAME/artifacts/$BRANCH_NAME
     paths:
       - '/workspace/svcs-endpoints-filtered.json'
+      - '/workspace/zap_report_${_TARGET_ID}_${_RELEASE_ID}.html'
+logsBucket: gs://$_CACHE_BUCKET_NAME/build_logs
 steps:
 
 ############################### Post-Deploy Checks ###########################
@@ -39,7 +41,16 @@ steps:
     - -c
     - |
       gcloud config set project $_CLUSTER_PROJECT
-      gcloud container clusters get-credentials $_CLUSTER_NAME --region=$_DEFAULT_REGION
+      echo "Target Type ${_TARGET_TYPE}"
+      case ${_TARGET_TYPE} in
+        "anthos_cluster")
+          gcloud container fleet memberships get-credentials $_ANTHOS_MEMBERSHIP
+          ;;
+        *)
+          gcloud container clusters get-credentials $_CLUSTER_NAME --region=$_DEFAULT_REGION
+          ;;
+      esac
+
       kubectl get svc -ojson > /workspace/svcs.json
 
       ### Below only grabs external IP'd svcs
@@ -49,6 +60,9 @@ steps:
       ENDPOINTS=( $$(jq -r '.[].endpoint' /workspace/svcs-endpoints-filtered.json))
       echo $$SVC_NAMES > /workspace/svc_names_env.txt
       echo $$ENDPOINTS > /workspace/endpoints_env.txt
+  volumes:
+    - name: 'zapvolume'
+      path: '/zap/wrk'
 
 # ZAProxy Scan
 - name: 'gcr.io/cloud-builders/docker'
@@ -61,15 +75,14 @@ steps:
       ENDPOINTS=( $$(cat /workspace/endpoints_env.txt))
 
       INDEX=0
-      for SVC in "$${SVC_NAMES[@]}"; do
-          echo "$$SVC"
-          ENDPOINT="$${ENDPOINTS[$$INDEX]}"
-          echo "Checking $$ENDPOINT"
-
-          docker run owasp/zap2docker-stable zap-cli quick-scan --self-contained --start-options '-config api.disablekey=true' http://$$ENDPOINT
-
-          INDEX=$${INDEX}+1
-      done
+      ENDPOINT="$${ENDPOINTS[$$INDEX]}"
+      echo "Checking $$ENDPOINT"
+
+      docker container run --user root -v zapvolume:/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py -t http://$$ENDPOINT -r zap_report_${_TARGET_ID}_${_RELEASE_ID}.html -z '-config api.disablekey=true' -I
+      cp /zap/wrk/zap_report_${_TARGET_ID}_${_RELEASE_ID}.html /workspace/zap_report_${_TARGET_ID}_${_RELEASE_ID}.html
+  volumes:
+    - name: 'zapvolume'
+      path: '/zap/wrk'
   waitFor:
     - 'get-svc-endpoints'
 

build/cloudbuild-ci.yaml

@@ -12,19 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Pipeline Setup
-#   Maven cache to reduce calls to Maven Central
-# test (in parallel)
-#   Secrets Scanner: secrets scanner
-#   License checking: ???
-# Build
-#   Docker build
-# After Build
-#   Artifact Structure Test: Container structure test
-#   Image Vulnerabilities: CVE scanner
-# Security Testing Gate
-#   Attestation
-
 timeout: "3600s" # 1 hour
 tags:
   - "secure-cicd-ci"
@@ -41,12 +28,9 @@ artifacts:
     paths:
       - 'build-artifacts.json'
       - 'build-artifacts-notag.json'
+logsBucket: gs://$_CACHE_BUCKET_NAME/build_logs
 steps:
 
-############################### Securing Source Code ###########################
-
-# Secrets Scanner (TODO: Switch to Talisman)
-
 ############################### Build Containers ###########################
 
 # Create build-installation-image
@@ -57,7 +41,7 @@ steps:
     - '-xe'
     - -c
     - |
-      ./mvnw validate
+      ./mvnw clean install
 
       skaffold config set --global local-cluster false
       skaffold build --default-repo=${_GAR_REPO_URI} --tag=$SHORT_SHA --cache-file='/.skaffold/cache' --file-output=/artifacts/build-artifacts.json

build/lint.cloudbuild.yaml

@@ -13,6 +13,9 @@
 # limitations under the License.
 
 steps:
+- id: swap-module-refs
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && module-swapper']
 - name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   id: 'lint'
   args: ['/usr/local/bin/test_lint.sh']

examples/app_cicd/cloud-build-builder/Dockerfile

@@ -24,17 +24,16 @@ WORKDIR /go/src/app
 RUN make out/signer
 RUN cp out/signer /signer
 
-
-FROM alpine:3.13
+FROM alpine:3.17
 
 ### 1. Get Java via the package manager
 RUN apk update \
 && apk upgrade \
-&& apk add --no-cache bash curl jq openjdk11-jre git openssh \
+&& apk add --no-cache bash curl jq openjdk17-jre git openssh \
 && apk add --no-cache --virtual=build-dependencies unzip
 
-#### Set JAVA_HOME
-ENV JAVA_HOME="/usr/lib/jvm/java-11-openjdk"
+### Set JAVA_HOME
+ENV JAVA_HOME="/usr/lib/jvm/java-17-openjdk"
 
 ### 2. Get Python, PIP
 RUN apk add --no-cache python3 \
@@ -46,7 +45,7 @@ if [[ ! -e /usr/bin/python ]]; then ln -sf /usr/bin/python3 /usr/bin/python; fi
 rm -r /root/.cache
 
 #### 3. Install gcloud
-ENV CLOUD_SDK_VERSION="391.0.0"
+ENV CLOUD_SDK_VERSION="423.0.0"
 ENV CLOUDSDK_INSTALL_DIR /usr/local/gcloud/
 RUN wget "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-${CLOUD_SDK_VERSION}-linux-x86_64.tar.gz" \
 && tar -C /usr/local -xzf "google-cloud-sdk-${CLOUD_SDK_VERSION}-linux-x86_64.tar.gz" \

examples/app_cicd/cloud-build-builder/cloudbuild-skaffold-build-image.yaml

@@ -14,7 +14,7 @@
 
 options:
   # Use higher CPU machines so the caching and build steps are faster.
-  machineType: 'N1_HIGHCPU_32'
+  machineType: 'E2_HIGHCPU_32'
 steps:
 - name: 'gcr.io/cloud-builders/docker'
   args: [ 'build', '-t', '$_DEFAULT_REGION-docker.pkg.dev/$PROJECT_ID/$_GAR_REPOSITORY/skaffold-builder', '.' ]

examples/app_cicd/main.tf

@@ -39,12 +39,13 @@ module "cd_pipeline" {
   project_id       = var.project_id
   primary_location = var.primary_location
 
-  gar_repo_name             = module.ci_pipeline.app_artifact_repo
-  cloudbuild_cd_repo        = "cloudbuild-cd-config"
-  deploy_branch_clusters    = var.deploy_branch_clusters
-  app_deploy_trigger_yaml   = "cloudbuild-cd.yaml"
-  cache_bucket_name         = module.ci_pipeline.cache_bucket_name
-  clouddeploy_pipeline_name = local.clouddeploy_pipeline_name
+  gar_repo_name              = module.ci_pipeline.app_artifact_repo
+  cloudbuild_cd_repo         = "cloudbuild-cd-config"
+  deploy_branch_clusters     = var.deploy_branch_clusters
+  app_deploy_trigger_yaml    = "cloudbuild-cd.yaml"
+  cache_bucket_name          = module.ci_pipeline.cache_bucket_name
+  clouddeploy_pipeline_name  = local.clouddeploy_pipeline_name
+  cloudbuild_service_account = module.ci_pipeline.build_sa_email
   depends_on = [
     module.ci_pipeline
   ]

examples/private_cluster_cicd/cloud-build-builder/Dockerfile

@@ -24,17 +24,16 @@ WORKDIR /go/src/app
 RUN make out/signer
 RUN cp out/signer /signer
 
-
-FROM alpine:3.13
+FROM alpine:3.17
 
 ### 1. Get Java via the package manager
 RUN apk update \
 && apk upgrade \
-&& apk add --no-cache bash curl jq openjdk11-jre git openssh \
+&& apk add --no-cache bash curl jq openjdk17-jre git openssh \
 && apk add --no-cache --virtual=build-dependencies unzip
 
-#### Set JAVA_HOME
-ENV JAVA_HOME="/usr/lib/jvm/java-11-openjdk"
+### Set JAVA_HOME
+ENV JAVA_HOME="/usr/lib/jvm/java-17-openjdk"
 
 ### 2. Get Python, PIP
 RUN apk add --no-cache python3 \
@@ -46,7 +45,7 @@ if [[ ! -e /usr/bin/python ]]; then ln -sf /usr/bin/python3 /usr/bin/python; fi
 rm -r /root/.cache
 
 #### 3. Install gcloud
-ENV CLOUD_SDK_VERSION="391.0.0"
+ENV CLOUD_SDK_VERSION="423.0.0"
 ENV CLOUDSDK_INSTALL_DIR /usr/local/gcloud/
 RUN wget "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-${CLOUD_SDK_VERSION}-linux-x86_64.tar.gz" \
 && tar -C /usr/local -xzf "google-cloud-sdk-${CLOUD_SDK_VERSION}-linux-x86_64.tar.gz" \

examples/private_cluster_cicd/cloud-build-builder/cloudbuild-skaffold-build-image.yaml

@@ -14,7 +14,7 @@
 
 options:
   # Use higher CPU machines so the caching and build steps are faster.
-  machineType: 'N1_HIGHCPU_32'
+  machineType: 'E2_HIGHCPU_32'
 steps:
 - name: 'gcr.io/cloud-builders/docker'
   args: [ 'build', '-t', '$_DEFAULT_REGION-docker.pkg.dev/$PROJECT_ID/$_GAR_REPOSITORY/skaffold-builder', '.' ]

examples/private_cluster_cicd/main.tf

@@ -42,13 +42,14 @@ module "cd_pipeline" {
   project_id       = var.project_id
   primary_location = "us-central1"
 
-  gar_repo_name             = module.ci_pipeline.app_artifact_repo
-  cloudbuild_cd_repo        = "cloudbuild-cd-config-pc"
-  deploy_branch_clusters    = var.deploy_branch_clusters
-  app_deploy_trigger_yaml   = "cloudbuild-cd.yaml"
-  cache_bucket_name         = module.ci_pipeline.cache_bucket_name
-  cloudbuild_private_pool   = module.cloudbuild_private_pool.workerpool_id
-  clouddeploy_pipeline_name = local.clouddeploy_pipeline_name
+  gar_repo_name              = module.ci_pipeline.app_artifact_repo
+  cloudbuild_cd_repo         = "cloudbuild-cd-config-pc"
+  deploy_branch_clusters     = var.deploy_branch_clusters
+  app_deploy_trigger_yaml    = "cloudbuild-cd.yaml"
+  cache_bucket_name          = module.ci_pipeline.cache_bucket_name
+  cloudbuild_private_pool    = module.cloudbuild_private_pool.workerpool_id
+  clouddeploy_pipeline_name  = local.clouddeploy_pipeline_name
+  cloudbuild_service_account = module.ci_pipeline.build_sa_email
   depends_on = [
     module.ci_pipeline
   ]

examples/standalone_single_project/README.md

@@ -22,6 +22,8 @@ This example also creates GKE clusters and accompanying VPC networks for multipl
 | Name | Description |
 |------|-------------|
 | app\_source\_repo | URL of the created CSR app soure repo |
+| cloudbuild\_cd\_repo\_name | URL of the created CSR app soure repo |
 | console\_walkthrough\_link | URL to open the in-console walkthrough. |
+| gar\_repo | Artifact Registry repo |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/standalone_single_project/cicd.tf

@@ -18,27 +18,33 @@ locals {
   deploy_branch_clusters = {
     "01-${var.env1_name}" = {
       cluster               = module.gke_cluster[var.env1_name].name,
+      anthos_membership     = module.fleet_membership[var.env1_name].cluster_membership_id
+      target_type           = "anthos_cluster"
       network               = module.vpc.network_name
-      project_id            = var.project_id,
-      location              = var.region,
+      project_id            = var.project_id
+      location              = var.region
       required_attestations = [module.ci_pipeline.binauth_attestor_ids["build"]]
       env_attestation       = module.ci_pipeline.binauth_attestor_ids["security"]
       next_env              = "02-qa"
     },
     "02-${var.env2_name}" = {
       cluster               = module.gke_cluster[var.env2_name].name,
+      anthos_membership     = module.fleet_membership[var.env2_name].cluster_membership_id
+      target_type           = "anthos_cluster"
       network               = module.vpc.network_name
-      project_id            = var.project_id,
-      location              = var.region,
+      project_id            = var.project_id
+      location              = var.region
       required_attestations = [module.ci_pipeline.binauth_attestor_ids["security"], module.ci_pipeline.binauth_attestor_ids["build"]]
       env_attestation       = module.ci_pipeline.binauth_attestor_ids["quality"]
       next_env              = "03-prod"
     },
     "03-${var.env3_name}" = {
       cluster               = module.gke_cluster[var.env3_name].name,
+      anthos_membership     = module.fleet_membership[var.env3_name].cluster_membership_id
+      target_type           = "anthos_cluster"
       network               = module.vpc.network_name
-      project_id            = var.project_id,
-      location              = var.region,
+      project_id            = var.project_id
+      location              = var.region
       required_attestations = [module.ci_pipeline.binauth_attestor_ids["quality"], module.ci_pipeline.binauth_attestor_ids["security"], module.ci_pipeline.binauth_attestor_ids["build"]]
       env_attestation       = ""
       next_env              = ""
@@ -77,14 +83,15 @@ module "cd_pipeline" {
   project_id       = var.project_id
   primary_location = var.region
 
-  gar_repo_name             = module.ci_pipeline.app_artifact_repo
-  cloudbuild_cd_repo        = "${var.app_name}-cloudbuild-cd-config"
-  deploy_branch_clusters    = local.deploy_branch_clusters
-  app_deploy_trigger_yaml   = "cloudbuild-cd.yaml"
-  cache_bucket_name         = module.ci_pipeline.cache_bucket_name
-  cloudbuild_private_pool   = module.cloudbuild_private_pool.workerpool_id
-  clouddeploy_pipeline_name = local.clouddeploy_pipeline_name
-  labels                    = var.labels
+  gar_repo_name              = module.ci_pipeline.app_artifact_repo
+  cloudbuild_cd_repo         = "${var.app_name}-cloudbuild-cd-config"
+  deploy_branch_clusters     = local.deploy_branch_clusters
+  app_deploy_trigger_yaml    = "cloudbuild-cd.yaml"
+  cache_bucket_name          = module.ci_pipeline.cache_bucket_name
+  cloudbuild_private_pool    = module.cloudbuild_private_pool.workerpool_id
+  clouddeploy_pipeline_name  = local.clouddeploy_pipeline_name
+  cloudbuild_service_account = module.ci_pipeline.build_sa_email
+  labels                     = var.labels
   depends_on = [
     module.ci_pipeline
   ]

examples/standalone_single_project/gke.tf

@@ -95,3 +95,14 @@ module "gke_cluster" {
     module.vpc
   ]
 }
+
+module "fleet_membership" {
+  for_each = toset(local.envs)
+  source   = "terraform-google-modules/kubernetes-engine/google//modules/fleet-membership"
+  version  = "~> 25.0.0"
+
+  membership_name = "${module.gke_cluster[each.value].name}-membership"
+  project_id      = var.project_id
+  location        = var.region
+  cluster_name    = module.gke_cluster[each.value].name
+}

examples/standalone_single_project/network.tf

@@ -60,30 +60,3 @@ resource "google_compute_network_peering_routes_config" "gke_peering_routes_conf
   import_custom_routes = true
   export_custom_routes = true
 }
-
-# Cloud Build Workerpool <-> GKE HA VPNs
-module "gke_cloudbuild_vpn" {
-  source  = "GoogleCloudPlatform/secure-cicd/google//modules/workerpool-gke-ha-vpn"
-  version = "~> 0.3"
-
-  project_id = var.project_id
-  location   = var.region
-
-  gke_project  = var.project_id
-  gke_network  = module.vpc.network_name
-  gke_location = var.region
-  gke_control_plane_cidrs = {
-    (module.gke_cluster[var.env1_name].master_ipv4_cidr_block) = "GKE ${var.env1_name} control plane"
-    (module.gke_cluster[var.env2_name].master_ipv4_cidr_block) = "GKE ${var.env2_name} control plane",
-    (module.gke_cluster[var.env3_name].master_ipv4_cidr_block) = "GKE ${var.env3_name} control plane",
-  }
-
-  workerpool_network = module.cloudbuild_private_pool.workerpool_network
-  workerpool_range   = module.cloudbuild_private_pool.workerpool_range
-  gateway_1_asn      = 65001
-  gateway_2_asn      = 65002
-  bgp_range_1        = "169.254.1.0/30"
-  bgp_range_2        = "169.254.2.0/30"
-
-  labels = var.labels
-}

examples/standalone_single_project/outputs.tf

@@ -19,6 +19,16 @@ output "app_source_repo" {
   value       = module.ci_pipeline.source_repo_urls["${var.app_name}-source"]
 }
 
+output "cloudbuild_cd_repo_name" {
+  description = "URL of the created CSR app soure repo"
+  value       = "${var.app_name}-cloudbuild-cd-config"
+}
+
+output "gar_repo" {
+  description = "Artifact Registry repo"
+  value       = module.ci_pipeline.app_artifact_repo
+}
+
 output "console_walkthrough_link" {
   description = "URL to open the in-console walkthrough."
   value       = "https://shell.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2FGoogleCloudPlatform%2Fterraform-google-secure-cicd.git&cloudshell_git_branch=main&cloudshell_tutorial=examples%2Fstandalone_single_project%2Fwalkthrough.md"