feat: updates make target to generate display metadata as well (#95)

Co-authored-by: Grant Sorbo <gtsorbo@google.com>

Makefile

@@ -18,9 +18,11 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.12
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
+ENABLE_BPMETADATA := 1
+export ENABLE_BPMETADATA
 
 # Enter docker container for local development
 .PHONY: docker_run
@@ -68,6 +70,7 @@ docker_test_integration:
 .PHONY: docker_test_lint
 docker_test_lint:
 	docker run --rm -it \
+		-e ENABLE_BPMETADATA \
 		-e EXCLUDE_LINT_DIRS \
 		-v "$(CURDIR)":/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
@@ -77,9 +80,10 @@ docker_test_lint:
 .PHONY: docker_generate_docs
 docker_generate_docs:
 	docker run --rm -it \
+		-e ENABLE_BPMETADATA \
 		-v "$(CURDIR)":/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
-		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'
+		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs -d'
 
 # Alias for backwards compatibility
 .PHONY: generate_docs

metadata.display.yaml

@@ -0,0 +1,24 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+  name: terraform-google-secure-cicd-display
+spec:
+  info:
+    title: Secure CI/CD pipeline
+    source:
+      repo: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd.git
+      sourceType: git

metadata.yaml

@@ -19,93 +19,97 @@ metadata:
   annotations:
     config.kubernetes.io/local-config: "true"
 spec:
-  title: Secure CI/CD pipeline
-  source:
-    repo: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd.git
-    sourceType: git
-  description:
-    tagline: Create up a secure CI/CD pipeline that follows best practices.
-    detailed: |-
-      Set up a secure CI/CD pipeline that follows best practices for building, scanning, storing, and deploying containers to GKE.
-      You can choose whether to deploy your solution through the console directly or download as Terraform on GitHub to deploy later.
-    architecture:
-    - A developer pushes code for a container-based application to the App Source Code repository in Cloud Source Repositories. This repository must include a skaffold.yaml configuration file, a cloudbuild-ci.yaml configuration file, and templated Kubernetes manifests for the respective Kubernetes deployments, services and other objects.
-    - Changes to the App Source Code repo will trigger a build of the containers as defined in the skaffold.yaml configuration.
-    - Metadata about the built containers is stored in the build artifacts Cloud Storage bucket.
-    - The resulting built containers will be scanned for container structure and CVE’s based on a customer-configurable security policy and stored in an Artifact Registry repository.
-    - Upon passing all scans, the containers are signed by the Binary Authorization build attestor.
-    - At the end of the build process, the pipeline creates a new Cloud Deploy release to rollout the newly built container images to the Dev environment.
-    - After successful deployment, the Cloud Deploy operations Pub/Sub topic receives a confirmation message that triggers the post-deployment checks on the live application via Cloud Build.
-    - Upon passing the post-deployment application security tests, the containers are signed by the security attestor.
-    - The Cloud Deploy release is promoted, triggering a rollout to the QA environment. Steps 7-8 repeat, but the containers receive the quality attestor after passing through the QA environment.
-    - The release is promoted for the final time, creating a rollout to the Prod environment.
-    - The GKE clusters validate deployed containers based on the respective Binary Authorization policy, requiring additional attestors from the pipeline at each higher environment.
-    - All Cloud Build and Cloud Deploy processes will run in a private Cloud Build worker pool hosted in a customer-managed VPC.
-  documentation:
-  - title: Architecture Diagram
-    url: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd/blob/main/assets/secure_cicd_pipeline_v2.svg
-  subBlueprints:
-  - name: cloudbuild-private-pool
-    location: modules/cloudbuild-private-pool
-  - name: secure-cd
-    location: modules/secure-cd
-  - name: secure-ci
-    location: modules/secure-ci
-  - name: workerpool-gke-ha-vpn
-    location: modules/workerpool-gke-ha-vpn
-  examples:
-  - name: app_cicd
-    location: examples/app_cicd
-  - name: cloudbuild_private_pool
-    location: examples/cloudbuild_private_pool
-  - name: private_cluster_cicd
-    location: examples/private_cluster_cicd
-  - name: standalone_single_project
-    location: examples/standalone_single_project
-  roles:
-  - level: Project
+  info:
+    title: Secure CI/CD pipeline
+    source:
+      repo: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd.git
+      sourceType: git
+    description:
+      tagline: Create a CI/CD pipeline that follows security best practices.
+      detailed: |-
+        Set up a secure CI/CD pipeline that follows best practices for building, scanning, storing, and deploying containers to GKE.
+        You can choose whether to deploy your solution through the console directly or download as Terraform from GitHub to deploy later.
+      architecture:
+      - A developer pushes code for a container-based application to the App Source Code repository in Cloud Source Repositories. This repository must include a skaffold.yaml configuration file, a cloudbuild-ci.yaml configuration file, and templated Kubernetes manifests for the respective Kubernetes deployments, services and other objects.
+      - Changes to the App Source Code repo will trigger a build of the containers as defined in the skaffold.yaml configuration.
+      - Metadata about the built containers is stored in the build artifacts Cloud Storage bucket.
+      - The resulting built containers will be scanned for container structure and CVE’s based on a customer-configurable security policy and stored in an Artifact Registry repository.
+      - Upon passing all scans, the containers are signed by the Binary Authorization build attestor.
+      - At the end of the build process, the pipeline creates a new Cloud Deploy release to rollout the newly built container images to the Dev environment.
+      - After successful deployment, the Cloud Deploy operations Pub/Sub topic receives a confirmation message that triggers the post-deployment checks on the live application via Cloud Build.
+      - Upon passing the post-deployment application security tests, the containers are signed by the security attestor.
+      - The Cloud Deploy release is promoted, triggering a rollout to the QA environment. Steps 7-8 repeat, but the containers receive the quality attestor after passing through the QA environment.
+      - The release is promoted for the final time, creating a rollout to the Prod environment.
+      - The GKE clusters validate deployed containers based on the respective Binary Authorization policy, requiring additional attestors from the pipeline at each higher environment.
+      - All Cloud Build and Cloud Deploy processes will run in a private Cloud Build worker pool hosted in a customer-managed VPC.
+  content:
+    documentation:
+    - title: Architecture Diagram
+      url: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd/blob/main/assets/secure_cicd_pipeline_v2.svg
+    subBlueprints:
+    - name: cloudbuild-private-pool
+      location: modules/cloudbuild-private-pool
+    - name: secure-cd
+      location: modules/secure-cd
+    - name: secure-ci
+      location: modules/secure-ci
+    - name: workerpool-gke-ha-vpn
+      location: modules/workerpool-gke-ha-vpn
+    examples:
+    - name: app_cicd
+      location: examples/app_cicd
+    - name: cloudbuild_private_pool
+      location: examples/cloudbuild_private_pool
+    - name: private_cluster_cicd
+      location: examples/private_cluster_cicd
+    - name: standalone_single_project
+      location: examples/standalone_single_project
+  requirements:
     roles:
-    - roles/artifactregistry.admin
-    - roles/binaryauthorization.attestorsAdmin
-    - roles/cloudbuild.builds.builder
-    - roles/cloudbuild.workerPoolOwner
-    - roles/clouddeploy.admin
-    - roles/cloudkms.admin
-    - roles/cloudkms.publicKeyViewer
-    - roles/containeranalysis.notes.editor
-    - roles/compute.networkAdmin
-    - roles/iam.serviceAccountAdmin
-    - roles/iam.serviceAccountUser
-    - roles/pubsub.editor
-    - roles/serviceusage.serviceUsageAdmin
-    - roles/source.admin
-    - roles/storage.admin
-    - roles/resourcemanager.projectIamAdmin
-    - roles/viewer
-  - level: Project
-    roles:
-    - roles/compute.networkAdmin
-    - roles/container.admin
-    - roles/binaryauthorization.policyEditor
-    - roles/resourcemanager.projectIamAdmin
-    - roles/iam.serviceAccountAdmin
-    - roles/serviceusage.serviceUsageViewer
-    - roles/iam.serviceAccountUser
-  services:
-  - cloudresourcemanager.googleapis.com
-  - cloudbilling.googleapis.com
-  - clouddeploy.googleapis.com
-  - storage-api.googleapis.com
-  - serviceusage.googleapis.com
-  - cloudbuild.googleapis.com
-  - containerregistry.googleapis.com
-  - iamcredentials.googleapis.com
-  - secretmanager.googleapis.com
-  - sourcerepo.googleapis.com
-  - artifactregistry.googleapis.com
-  - containeranalysis.googleapis.com
-  - cloudkms.googleapis.com
-  - binaryauthorization.googleapis.com
-  - containerscanning.googleapis.com
-  - servicenetworking.googleapis.com
-  - pubsub.googleapis.com
+    - level: Project
+      roles:
+      - roles/compute.networkAdmin
+      - roles/container.admin
+      - roles/binaryauthorization.policyEditor
+      - roles/resourcemanager.projectIamAdmin
+      - roles/iam.serviceAccountAdmin
+      - roles/serviceusage.serviceUsageViewer
+      - roles/iam.serviceAccountUser
+    - level: Project
+      roles:
+      - roles/artifactregistry.admin
+      - roles/binaryauthorization.attestorsAdmin
+      - roles/cloudbuild.builds.builder
+      - roles/cloudbuild.workerPoolOwner
+      - roles/clouddeploy.admin
+      - roles/cloudkms.admin
+      - roles/cloudkms.publicKeyViewer
+      - roles/containeranalysis.notes.editor
+      - roles/compute.networkAdmin
+      - roles/gkehub.editor
+      - roles/iam.serviceAccountAdmin
+      - roles/iam.serviceAccountUser
+      - roles/pubsub.editor
+      - roles/serviceusage.serviceUsageAdmin
+      - roles/source.admin
+      - roles/storage.admin
+      - roles/resourcemanager.projectIamAdmin
+      - roles/viewer
+    services:
+    - cloudresourcemanager.googleapis.com
+    - cloudbilling.googleapis.com
+    - clouddeploy.googleapis.com
+    - storage-api.googleapis.com
+    - serviceusage.googleapis.com
+    - cloudbuild.googleapis.com
+    - containerregistry.googleapis.com
+    - iamcredentials.googleapis.com
+    - secretmanager.googleapis.com
+    - sourcerepo.googleapis.com
+    - artifactregistry.googleapis.com
+    - containeranalysis.googleapis.com
+    - cloudkms.googleapis.com
+    - binaryauthorization.googleapis.com
+    - containerscanning.googleapis.com
+    - servicenetworking.googleapis.com
+    - pubsub.googleapis.com

modules/cloudbuild-private-pool/metadata.display.yaml

@@ -0,0 +1,61 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+  name: terraform-google-secure-cicd-display
+spec:
+  info:
+    title: Cloud Build Private Pool Module
+    source:
+      repo: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd.git
+      sourceType: git
+      dir: cloudbuild-private-pool
+  ui:
+    input:
+      variables:
+        create_cloudbuild_network:
+          name: create_cloudbuild_network
+          title: Create Cloudbuild Network
+        labels:
+          name: labels
+          title: Labels
+        location:
+          name: location
+          title: Location
+        machine_type:
+          name: machine_type
+          title: Machine Type
+        network_project_id:
+          name: network_project_id
+          title: Network Project Id
+        private_pool_vpc_name:
+          name: private_pool_vpc_name
+          title: Private Pool Vpc Name
+        project_id:
+          name: project_id
+          title: Project Id
+        worker_address:
+          name: worker_address
+          title: Worker Address
+        worker_pool_name:
+          name: worker_pool_name
+          title: Worker Pool Name
+        worker_pool_no_external_ip:
+          name: worker_pool_no_external_ip
+          title: Worker Pool No External Ip
+        worker_range_name:
+          name: worker_range_name
+          title: Worker Range Name