From a0d17de25648890d3104c2a32d7293a8d6114cc1 Mon Sep 17 00:00:00 2001
From: Awais Malik
Date: Fri, 26 May 2023 18:13:12 -0700
Subject: [PATCH] feat: updates make target to generate display metadata as well (#95)
Co-authored-by: Grant Sorbo
---
 Makefile | 8 +-
 metadata.display.yaml | 24 ++
 metadata.yaml | 182 ++++-----
 .../metadata.display.yaml | 61 +++
 modules/cloudbuild-private-pool/metadata.yaml | 246 ++++++------
 modules/secure-cd/metadata.display.yaml | 64 ++++
 modules/secure-cd/metadata.yaml | 268 ++++++-------
 modules/secure-ci/metadata.display.yaml | 82 ++++
 modules/secure-ci/metadata.yaml | 354 +++++++++---------
 .../metadata.display.yaml | 70 ++++
 modules/workerpool-gke-ha-vpn/metadata.yaml | 281 +++++++-------
 11 files changed, 975 insertions(+), 665 deletions(-)
 create mode 100644 metadata.display.yaml
 create mode 100644 modules/cloudbuild-private-pool/metadata.display.yaml
 create mode 100644 modules/secure-cd/metadata.display.yaml
 create mode 100644 modules/secure-ci/metadata.display.yaml
 create mode 100644 modules/workerpool-gke-ha-vpn/metadata.display.yaml
diff --git a/Makefile b/Makefile
index 2f5ae416..130c173a 100644
--- a/Makefile
+++ b/Makefile
@@ -18,9 +18,11 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.12
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
+ENABLE_BPMETADATA := 1
+export ENABLE_BPMETADATA
 
 # Enter docker container for local development
 .PHONY: docker_run
@@ -68,6 +70,7 @@ docker_test_integration:
 .PHONY: docker_test_lint
 docker_test_lint:
 docker run --rm -it \
+ -e ENABLE_BPMETADATA \
 -e EXCLUDE_LINT_DIRS \
 -v "$(CURDIR)":/workspace \
 $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
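Review bot: `DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.12` still selects the developer-tools image by a mutable tag, and this commit makes that image responsible for generating `metadata*.yaml` files that are written straight into the mounted workspace (`-v "$(CURDIR)":/workspace`) and committed, so whoever can re-push `gcr.io/cloud-foundation-cicd/cft/developer-tools:1.12` controls what lands in the repo. Pinning the image by digest alongside the tag would make the lint and docs runs reproducible and would fail loudly if the tag is re-pointed, e.g. add `DOCKER_IMAGE_DIGEST := sha256:<digest of 1.12>` next to the tag and reference `$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS}@${DOCKER_IMAGE_DIGEST}` in the `docker run` invocations. A short comment on the variable such as `# Pinned developer-tools image; bump tag and digest together` would record the intent. The `docker_test_lint` recipe in the second hunk continues past the end of the hunk.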
@@ -77,9 +80,10 @@ docker_test_lint:
 .PHONY: docker_generate_docs
 docker_generate_docs:
 docker run --rm -it \
+ -e ENABLE_BPMETADATA \
 -v "$(CURDIR)":/workspace \
 $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
- /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'
+ /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs -d'
 
 # Alias for backwards compatibility
 .PHONY: generate_docs
diff --git a/metadata.display.yaml b/metadata.display.yaml
new file mode 100644
index 00000000..28d15c89
--- /dev/null
+++ b/metadata.display.yaml
@@ -0,0 +1,24 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+ name: terraform-google-secure-cicd-display
+spec:
+ info:
+ title: Secure CI/CD pipeline
+ source:
+ repo: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd.git
+ sourceType: git
diff --git a/metadata.yaml b/metadata.yaml
index d4b8f849..c2bd3796 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -19,93 +19,97 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Secure CI/CD pipeline - source: - repo: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd.git - sourceType: git - description: - tagline: Create up a secure CI/CD pipeline that follows best practices. - detailed: |- - Set up a secure CI/CD pipeline that follows best practices for building, scanning, storing, and deploying containers to GKE. - You can choose whether to deploy your solution through the console directly or download as Terraform on GitHub to deploy later. - architecture: - - A developer pushes code for a container-based application to the App Source Code repository in Cloud Source Repositories. This repository must include a skaffold.yaml configuration file, a cloudbuild-ci.yaml configuration file, and templated Kubernetes manifests for the respective Kubernetes deployments, services and other objects. - - Changes to the App Source Code repo will trigger a build of the containers as defined in the skaffold.yaml configuration. - - Metadata about the built containers is stored in the build artifacts Cloud Storage bucket. - - The resulting built containers will be scanned for container structure and CVE’s based on a customer-configurable security policy and stored in an Artifact Registry repository. - - Upon passing all scans, the containers are signed by the Binary Authorization build attestor. - - At the end of the build process, the pipeline creates a new Cloud Deploy release to rollout the newly built container images to the Dev environment. - - After successful deployment, the Cloud Deploy operations Pub/Sub topic receives a confirmation message that triggers the post-deployment checks on the live application via Cloud Build. - - Upon passing the post-deployment application security tests, the containers are signed by the security attestor. - - The Cloud Deploy release is promoted, triggering a rollout to the QA environment. 
Steps 7-8 repeat, but the containers receive the quality attestor after passing through the QA environment. - - The release is promoted for the final time, creating a rollout to the Prod environment. - - The GKE clusters validate deployed containers based on the respective Binary Authorization policy, requiring additional attestors from the pipeline at each higher environment. - - All Cloud Build and Cloud Deploy processes will run in a private Cloud Build worker pool hosted in a customer-managed VPC. - documentation: - - title: Architecture Diagram - url: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd/blob/main/assets/secure_cicd_pipeline_v2.svg - subBlueprints: - - name: cloudbuild-private-pool - location: modules/cloudbuild-private-pool - - name: secure-cd - location: modules/secure-cd - - name: secure-ci - location: modules/secure-ci - - name: workerpool-gke-ha-vpn - location: modules/workerpool-gke-ha-vpn - examples: - - name: app_cicd - location: examples/app_cicd - - name: cloudbuild_private_pool - location: examples/cloudbuild_private_pool - - name: private_cluster_cicd - location: examples/private_cluster_cicd - - name: standalone_single_project - location: examples/standalone_single_project - roles: - - level: Project + info: + title: Secure CI/CD pipeline + source: + repo: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd.git + sourceType: git + description: + tagline: Create a CI/CD pipeline that follows security best practices. + detailed: |- + Set up a secure CI/CD pipeline that follows best practices for building, scanning, storing, and deploying containers to GKE. + You can choose whether to deploy your solution through the console directly or download as Terraform from GitHub to deploy later. + architecture: + - A developer pushes code for a container-based application to the App Source Code repository in Cloud Source Repositories. 
This repository must include a skaffold.yaml configuration file, a cloudbuild-ci.yaml configuration file, and templated Kubernetes manifests for the respective Kubernetes deployments, services and other objects. + - Changes to the App Source Code repo will trigger a build of the containers as defined in the skaffold.yaml configuration. + - Metadata about the built containers is stored in the build artifacts Cloud Storage bucket. + - The resulting built containers will be scanned for container structure and CVE’s based on a customer-configurable security policy and stored in an Artifact Registry repository. + - Upon passing all scans, the containers are signed by the Binary Authorization build attestor. + - At the end of the build process, the pipeline creates a new Cloud Deploy release to rollout the newly built container images to the Dev environment. + - After successful deployment, the Cloud Deploy operations Pub/Sub topic receives a confirmation message that triggers the post-deployment checks on the live application via Cloud Build. + - Upon passing the post-deployment application security tests, the containers are signed by the security attestor. + - The Cloud Deploy release is promoted, triggering a rollout to the QA environment. Steps 7-8 repeat, but the containers receive the quality attestor after passing through the QA environment. + - The release is promoted for the final time, creating a rollout to the Prod environment. + - The GKE clusters validate deployed containers based on the respective Binary Authorization policy, requiring additional attestors from the pipeline at each higher environment. + - All Cloud Build and Cloud Deploy processes will run in a private Cloud Build worker pool hosted in a customer-managed VPC. 
+ content: + documentation: + - title: Architecture Diagram + url: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd/blob/main/assets/secure_cicd_pipeline_v2.svg + subBlueprints: + - name: cloudbuild-private-pool + location: modules/cloudbuild-private-pool + - name: secure-cd + location: modules/secure-cd + - name: secure-ci + location: modules/secure-ci + - name: workerpool-gke-ha-vpn + location: modules/workerpool-gke-ha-vpn + examples: + - name: app_cicd + location: examples/app_cicd + - name: cloudbuild_private_pool + location: examples/cloudbuild_private_pool + - name: private_cluster_cicd + location: examples/private_cluster_cicd + - name: standalone_single_project + location: examples/standalone_single_project + requirements: roles: - - roles/artifactregistry.admin - - roles/binaryauthorization.attestorsAdmin - - roles/cloudbuild.builds.builder - - roles/cloudbuild.workerPoolOwner - - roles/clouddeploy.admin - - roles/cloudkms.admin - - roles/cloudkms.publicKeyViewer - - roles/containeranalysis.notes.editor - - roles/compute.networkAdmin - - roles/iam.serviceAccountAdmin - - roles/iam.serviceAccountUser - - roles/pubsub.editor - - roles/serviceusage.serviceUsageAdmin - - roles/source.admin - - roles/storage.admin - - roles/resourcemanager.projectIamAdmin - - roles/viewer - - level: Project - roles: - - roles/compute.networkAdmin - - roles/container.admin - - roles/binaryauthorization.policyEditor - - roles/resourcemanager.projectIamAdmin - - roles/iam.serviceAccountAdmin - - roles/serviceusage.serviceUsageViewer - - roles/iam.serviceAccountUser - services: - - cloudresourcemanager.googleapis.com - - cloudbilling.googleapis.com - - clouddeploy.googleapis.com - - storage-api.googleapis.com - - serviceusage.googleapis.com - - cloudbuild.googleapis.com - - containerregistry.googleapis.com - - iamcredentials.googleapis.com - - secretmanager.googleapis.com - - sourcerepo.googleapis.com - - artifactregistry.googleapis.com - - 
containeranalysis.googleapis.com - - cloudkms.googleapis.com - - binaryauthorization.googleapis.com - - containerscanning.googleapis.com - - servicenetworking.googleapis.com - - pubsub.googleapis.com + - level: Project + roles: + - roles/compute.networkAdmin + - roles/container.admin + - roles/binaryauthorization.policyEditor + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/serviceusage.serviceUsageViewer + - roles/iam.serviceAccountUser + - level: Project + roles: + - roles/artifactregistry.admin + - roles/binaryauthorization.attestorsAdmin + - roles/cloudbuild.builds.builder + - roles/cloudbuild.workerPoolOwner + - roles/clouddeploy.admin + - roles/cloudkms.admin + - roles/cloudkms.publicKeyViewer + - roles/containeranalysis.notes.editor + - roles/compute.networkAdmin + - roles/gkehub.editor + - roles/iam.serviceAccountAdmin + - roles/iam.serviceAccountUser + - roles/pubsub.editor + - roles/serviceusage.serviceUsageAdmin + - roles/source.admin + - roles/storage.admin + - roles/resourcemanager.projectIamAdmin + - roles/viewer + services: + - cloudresourcemanager.googleapis.com + - cloudbilling.googleapis.com + - clouddeploy.googleapis.com + - storage-api.googleapis.com + - serviceusage.googleapis.com + - cloudbuild.googleapis.com + - containerregistry.googleapis.com + - iamcredentials.googleapis.com + - secretmanager.googleapis.com + - sourcerepo.googleapis.com + - artifactregistry.googleapis.com + - containeranalysis.googleapis.com + - cloudkms.googleapis.com + - binaryauthorization.googleapis.com + - containerscanning.googleapis.com + - servicenetworking.googleapis.com + - pubsub.googleapis.com diff --git a/modules/cloudbuild-private-pool/metadata.display.yaml b/modules/cloudbuild-private-pool/metadata.display.yaml new file mode 100644 index 00000000..0f6bc817 --- /dev/null +++ b/modules/cloudbuild-private-pool/metadata.display.yaml 
@@ -0,0 +1,61 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-secure-cicd-display +spec: + info: + title: Cloud Build Private Pool Module + source: + repo: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd.git + sourceType: git + dir: cloudbuild-private-pool + ui: + input: + variables: + create_cloudbuild_network: + name: create_cloudbuild_network + title: Create Cloudbuild Network + labels: + name: labels + title: Labels + location: + name: location + title: Location + machine_type: + name: machine_type + title: Machine Type + network_project_id: + name: network_project_id + title: Network Project Id + private_pool_vpc_name: + name: private_pool_vpc_name + title: Private Pool Vpc Name + project_id: + name: project_id + title: Project Id + worker_address: + name: worker_address + title: Worker Address + worker_pool_name: + name: worker_pool_name + title: Worker Pool Name + worker_pool_no_external_ip: + name: worker_pool_no_external_ip + title: Worker Pool No External Ip + worker_range_name: + name: worker_range_name + title: Worker Range Name diff --git a/modules/cloudbuild-private-pool/metadata.yaml b/modules/cloudbuild-private-pool/metadata.yaml index 06c9caae..bcc883d3 100644 --- a/modules/cloudbuild-private-pool/metadata.yaml +++ b/modules/cloudbuild-private-pool/metadata.yaml 
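Review bot: `metadata.name: terraform-google-secure-cicd-display` in this module-level display file is byte-identical to the name given to the root `metadata.display.yaml` earlier in this patch (and to the secure-cd and secure-ci display files that follow), so the four `BlueprintMetadata` documents collide on the one field that is supposed to identify them, even though their `spec.info.title` and `spec.info.source.dir` differ. If consumers key on `metadata.name`, the module entries will shadow or overwrite each other; a module-scoped name such as `name: terraform-google-secure-cicd-cloudbuild-private-pool-display` (mirroring `dir: cloudbuild-private-pool`) would keep them distinct. Because these files are produced by `generate_docs -d`, the fix presumably belongs in the generator or its inputs rather than a hand edit that the next regeneration would undo — worth confirming against the developer-tools 1.12 behaviour.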
@@ -19,128 +19,126 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Cloud Build Private Pool Module - source: - repo: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd.git - sourceType: git - version: 0.3.0 - actuationTool: - type: Terraform - version: '>= 0.13.0' - description: {} - examples: - - name: app_cicd - location: examples/app_cicd - - name: cloudbuild_private_pool - location: examples/cloudbuild_private_pool - - name: private_cluster_cicd - location: examples/private_cluster_cicd - - name: standalone_single_project - location: examples/standalone_single_project - variables: - - name: create_cloudbuild_network - description: 'Whether to create a VPC for the Cloud Build Worker Pool. Set to false if providing an existing VPC name in ''private_pool_vpc_name'' ' - type: bool - required: true - - name: labels - description: A set of key/value label pairs to assign to the resources deployed by this blueprint. - type: map(string) - default: {} - required: false - - name: location - description: Region for Cloud Build worker pool - type: string - default: us-central1 - required: false - - name: machine_type - description: Machine type for Cloud Build worker pool - type: string - default: e2-standard-4 - required: false - - name: network_project_id - description: Project ID for Cloud Build network. - type: string - required: true - - name: private_pool_vpc_name - description: Set the name of the private pool VPC - type: string - default: cloudbuild-vpc - required: false - - name: project_id - description: Project ID for Cloud Build Private Worker Pool - type: string - required: true - - name: worker_address - description: 'Choose an address range for the Cloud Build Private Pool workers. example: 10.37.0.0. 
Do not include a prefix, as it must be /16' - type: string - default: 10.37.0.0 - required: false - - name: worker_pool_name - description: Name of Cloud Build Worker Pool - type: string - default: cloudbuild-private-worker-pool - required: false - - name: worker_pool_no_external_ip - description: Whether to disable external IP on the Cloud Build Worker Pool - type: bool - default: false - required: false - - name: worker_range_name - description: Name of Cloud Build Worker IP address range - type: string - default: worker-pool-range - required: false - outputs: - - name: workerpool_id - description: Cloud Build worker pool ID - - name: workerpool_network - description: Self Link for Cloud Build workerpool VPC network - - name: workerpool_range - description: IP Address range for Cloud Build worker pool - roles: - - level: Project + info: + title: Cloud Build Private Pool Module + source: + repo: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd.git + sourceType: git + dir: cloudbuild-private-pool + version: 1.1.1 + actuationTool: + flavor: Terraform + version: '>= 0.13.0' + description: {} + content: + examples: + - name: app_cicd + location: examples/app_cicd + - name: cloudbuild_private_pool + location: examples/cloudbuild_private_pool + - name: private_cluster_cicd + location: examples/private_cluster_cicd + - name: standalone_single_project + location: examples/standalone_single_project + interfaces: + variables: + - name: create_cloudbuild_network + description: 'Whether to create a VPC for the Cloud Build Worker Pool. Set to false if providing an existing VPC name in ''private_pool_vpc_name'' ' + varType: bool + required: true + - name: labels + description: A set of key/value label pairs to assign to the resources deployed by this blueprint. 
+ varType: map(string) + defaultValue: {} + - name: location + description: Region for Cloud Build worker pool + varType: string + defaultValue: us-central1 + - name: machine_type + description: Machine type for Cloud Build worker pool + varType: string + defaultValue: e2-medium + - name: network_project_id + description: Project ID for Cloud Build network. + varType: string + required: true + - name: private_pool_vpc_name + description: Set the name of the private pool VPC + varType: string + defaultValue: cloudbuild-vpc + - name: project_id + description: Project ID for Cloud Build Private Worker Pool + varType: string + required: true + - name: worker_address + description: 'Choose an address range for the Cloud Build Private Pool workers. example: 10.37.0.0. Do not include a prefix, as it must be /16' + varType: string + defaultValue: 10.37.0.0 + - name: worker_pool_name + description: Name of Cloud Build Worker Pool + varType: string + defaultValue: cloudbuild-private-worker-pool + - name: worker_pool_no_external_ip + description: Whether to disable external IP on the Cloud Build Worker Pool + varType: bool + defaultValue: false + - name: worker_range_name + description: Name of Cloud Build Worker IP address range + varType: string + defaultValue: worker-pool-range + outputs: + - name: workerpool_id + description: Cloud Build worker pool ID + - name: workerpool_network + description: Self Link for Cloud Build workerpool VPC network + - name: workerpool_range + description: IP Address range for Cloud Build worker pool + requirements: roles: - - roles/artifactregistry.admin - - roles/binaryauthorization.attestorsAdmin - - roles/cloudbuild.builds.builder - - roles/cloudbuild.workerPoolOwner - - roles/clouddeploy.admin - - roles/cloudkms.admin - - roles/cloudkms.publicKeyViewer - - roles/containeranalysis.notes.editor - - roles/compute.networkAdmin - - roles/iam.serviceAccountAdmin - - roles/iam.serviceAccountUser - - roles/pubsub.editor - - 
roles/serviceusage.serviceUsageAdmin - - roles/source.admin - - roles/storage.admin - - roles/resourcemanager.projectIamAdmin - - roles/viewer - - level: Project - roles: - - roles/compute.networkAdmin - - roles/container.admin - - roles/binaryauthorization.policyEditor - - roles/resourcemanager.projectIamAdmin - - roles/iam.serviceAccountAdmin - - roles/serviceusage.serviceUsageViewer - - roles/iam.serviceAccountUser - services: - - cloudresourcemanager.googleapis.com - - cloudbilling.googleapis.com - - clouddeploy.googleapis.com - - storage-api.googleapis.com - - serviceusage.googleapis.com - - cloudbuild.googleapis.com - - containerregistry.googleapis.com - - iamcredentials.googleapis.com - - secretmanager.googleapis.com - - sourcerepo.googleapis.com - - artifactregistry.googleapis.com - - containeranalysis.googleapis.com - - cloudkms.googleapis.com - - binaryauthorization.googleapis.com - - containerscanning.googleapis.com - - servicenetworking.googleapis.com - - pubsub.googleapis.com + - level: Project + roles: + - roles/artifactregistry.admin + - roles/binaryauthorization.attestorsAdmin + - roles/cloudbuild.builds.builder + - roles/cloudbuild.workerPoolOwner + - roles/clouddeploy.admin + - roles/cloudkms.admin + - roles/cloudkms.publicKeyViewer + - roles/containeranalysis.notes.editor + - roles/compute.networkAdmin + - roles/gkehub.editor + - roles/iam.serviceAccountAdmin + - roles/iam.serviceAccountUser + - roles/pubsub.editor + - roles/serviceusage.serviceUsageAdmin + - roles/source.admin + - roles/storage.admin + - roles/resourcemanager.projectIamAdmin + - roles/viewer + - level: Project + roles: + - roles/compute.networkAdmin + - roles/container.admin + - roles/binaryauthorization.policyEditor + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/serviceusage.serviceUsageViewer + - roles/iam.serviceAccountUser + services: + - cloudresourcemanager.googleapis.com + - cloudbilling.googleapis.com + - clouddeploy.googleapis.com 
+ - storage-api.googleapis.com + - serviceusage.googleapis.com + - cloudbuild.googleapis.com + - containerregistry.googleapis.com + - iamcredentials.googleapis.com + - secretmanager.googleapis.com + - sourcerepo.googleapis.com + - artifactregistry.googleapis.com + - containeranalysis.googleapis.com + - cloudkms.googleapis.com + - binaryauthorization.googleapis.com + - containerscanning.googleapis.com + - servicenetworking.googleapis.com + - pubsub.googleapis.com diff --git a/modules/secure-cd/metadata.display.yaml b/modules/secure-cd/metadata.display.yaml new file mode 100644 index 00000000..0acbac23 --- /dev/null +++ b/modules/secure-cd/metadata.display.yaml 
@@ -0,0 +1,64 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-secure-cicd-display +spec: + info: + title: Secure CD Module + source: + repo: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd.git + sourceType: git + dir: secure-cd + ui: + input: + variables: + additional_substitutions: + name: additional_substitutions + title: Additional Substitutions + app_deploy_trigger_yaml: + name: app_deploy_trigger_yaml + title: App Deploy Trigger Yaml + cache_bucket_name: + name: cache_bucket_name + title: Cache Bucket Name + cloudbuild_cd_repo: + name: cloudbuild_cd_repo + title: Cloudbuild Cd Repo + cloudbuild_private_pool: + name: cloudbuild_private_pool + title: Cloudbuild Private Pool + cloudbuild_service_account: + name: cloudbuild_service_account + title: Cloudbuild Service Account + clouddeploy_pipeline_name: + name: clouddeploy_pipeline_name + title: Clouddeploy Pipeline Name + deploy_branch_clusters: + name: deploy_branch_clusters + title: Deploy Branch Clusters + gar_repo_name: + name: gar_repo_name + title: Gar Repo Name + labels: + name: labels + title: Labels + primary_location: + name: primary_location + title: Primary Location + project_id: + name: project_id + title: Project Id diff --git a/modules/secure-cd/metadata.yaml b/modules/secure-cd/metadata.yaml index f67d1622..46a207db 100644 
--- a/modules/secure-cd/metadata.yaml +++ b/modules/secure-cd/metadata.yaml 
@@ -19,134 +19,142 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Secure CD Module - source: - repo: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd.git - sourceType: git - version: 0.3.0 - actuationTool: - type: Terraform - version: '>= 0.13.0' - description: {} - examples: - - name: app_cicd - location: examples/app_cicd - - name: cloudbuild_private_pool - location: examples/cloudbuild_private_pool - - name: private_cluster_cicd - location: examples/private_cluster_cicd - - name: standalone_single_project - location: examples/standalone_single_project - variables: - - name: additional_substitutions - description: Parameters to be substituted in the build specification. All keys should begin with an underscore. - type: map(string) - default: {} - required: false - - name: app_deploy_trigger_yaml - description: Name of application cloudbuild yaml file for deployment - type: string - required: true - - name: cache_bucket_name - description: cloud build artifact bucket name - type: string - required: true - - name: cloudbuild_cd_repo - description: Name of repo that stores the Cloud Build CD phase configs - for post-deployment checks - type: string - required: true - - name: cloudbuild_private_pool - description: Cloud Build private pool self-link - type: string - default: "" - required: false - - name: clouddeploy_pipeline_name - description: Cloud Deploy pipeline name - type: string - required: true - - name: deploy_branch_clusters - description: mapping of branch names to cluster deployments - type: |- - map(object({ - cluster = string - project_id = string - location = string - required_attestations = list(string) - env_attestation = string - next_env = string - })) - default: {} - required: false - - name: gar_repo_name - description: Docker artifact registry repo to store app build images - type: string - required: true - - name: labels - description: A set of key/value label pairs to assign to the 
resources deployed by this blueprint. - type: map(string) - default: {} - required: false - - name: primary_location - description: Region used for key-ring - type: string - required: true - - name: project_id - description: Project ID for CICD Pipeline Project - type: string - required: true - outputs: - - name: binauthz_policy_required_attestations - description: Binary Authorization policy required attestation in GKE projects - - name: clouddeploy_delivery_pipeline_id - description: ID of the Cloud Deploy delivery pipeline - - name: clouddeploy_target_id - description: ID(s) of Cloud Deploy targets - - name: deploy_trigger_names - description: Names of CD Cloud Build triggers - roles: - - level: Project + info: + title: Secure CD Module + source: + repo: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd.git + sourceType: git + dir: secure-cd + version: 1.1.1 + actuationTool: + flavor: Terraform + version: '>= 1.0' + description: {} + content: + examples: + - name: app_cicd + location: examples/app_cicd + - name: cloudbuild_private_pool + location: examples/cloudbuild_private_pool + - name: private_cluster_cicd + location: examples/private_cluster_cicd + - name: standalone_single_project + location: examples/standalone_single_project + interfaces: + variables: + - name: additional_substitutions + description: Parameters to be substituted in the build specification. All keys should begin with an underscore. 
+ varType: map(string) + defaultValue: {} + - name: app_deploy_trigger_yaml + description: Name of application cloudbuild yaml file for deployment + varType: string + required: true + - name: cache_bucket_name + description: cloud build artifact bucket name + varType: string + required: true + - name: cloudbuild_cd_repo + description: Name of repo that stores the Cloud Build CD phase configs - for post-deployment checks + varType: string + required: true + - name: cloudbuild_private_pool + description: Cloud Build private pool self-link + varType: string + defaultValue: "" + - name: cloudbuild_service_account + description: Cloud Build SA email address + varType: string + required: true + - name: clouddeploy_pipeline_name + description: Cloud Deploy pipeline name + varType: string + required: true + - name: deploy_branch_clusters + description: mapping of branch names to cluster deployments. target_type can be one of `gke`, `anthos_cluster`, or `run`. See [clouddeploy_target Terraform docs](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/clouddeploy_target) for more details + varType: |- + map(object({ + cluster = string + anthos_membership = string + project_id = string + location = string + required_attestations = list(string) + env_attestation = string + next_env = string + target_type = string + })) + defaultValue: {} + - name: gar_repo_name + description: Docker artifact registry repo to store app build images + varType: string + required: true + - name: labels + description: A set of key/value label pairs to assign to the resources deployed by this blueprint. 
+ varType: map(string) + defaultValue: {} + - name: primary_location + description: Region used for key-ring + varType: string + required: true + - name: project_id + description: Project ID for CICD Pipeline Project + varType: string + required: true + outputs: + - name: binauthz_policy_required_attestations + description: Binary Authorization policy required attestation in GKE projects + - name: clouddeploy_delivery_pipeline_id + description: ID of the Cloud Deploy delivery pipeline + - name: clouddeploy_target_id + description: ID(s) of Cloud Deploy targets + - name: deploy_trigger_names + description: Names of CD Cloud Build triggers + requirements: roles: - - roles/artifactregistry.admin - - roles/binaryauthorization.attestorsAdmin - - roles/cloudbuild.builds.builder - - roles/cloudbuild.workerPoolOwner - - roles/clouddeploy.admin - - roles/cloudkms.admin - - roles/cloudkms.publicKeyViewer - - roles/containeranalysis.notes.editor - - roles/compute.networkAdmin - - roles/iam.serviceAccountAdmin - - roles/iam.serviceAccountUser - - roles/pubsub.editor - - roles/serviceusage.serviceUsageAdmin - - roles/source.admin - - roles/storage.admin - - roles/resourcemanager.projectIamAdmin - - roles/viewer - - level: Project - roles: - - roles/compute.networkAdmin - - roles/container.admin - - roles/binaryauthorization.policyEditor - - roles/resourcemanager.projectIamAdmin - - roles/iam.serviceAccountAdmin - - roles/serviceusage.serviceUsageViewer - - roles/iam.serviceAccountUser - services: - - cloudresourcemanager.googleapis.com - - cloudbilling.googleapis.com - - clouddeploy.googleapis.com - - storage-api.googleapis.com - - serviceusage.googleapis.com - - cloudbuild.googleapis.com - - containerregistry.googleapis.com - - iamcredentials.googleapis.com - - secretmanager.googleapis.com - - sourcerepo.googleapis.com - - artifactregistry.googleapis.com - - containeranalysis.googleapis.com - - cloudkms.googleapis.com - - binaryauthorization.googleapis.com - - 
containerscanning.googleapis.com - - servicenetworking.googleapis.com - - pubsub.googleapis.com + - level: Project + roles: + - roles/compute.networkAdmin + - roles/container.admin + - roles/binaryauthorization.policyEditor + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/serviceusage.serviceUsageViewer + - roles/iam.serviceAccountUser + - level: Project + roles: + - roles/artifactregistry.admin + - roles/binaryauthorization.attestorsAdmin + - roles/cloudbuild.builds.builder + - roles/cloudbuild.workerPoolOwner + - roles/clouddeploy.admin + - roles/cloudkms.admin + - roles/cloudkms.publicKeyViewer + - roles/containeranalysis.notes.editor + - roles/compute.networkAdmin + - roles/gkehub.editor + - roles/iam.serviceAccountAdmin + - roles/iam.serviceAccountUser + - roles/pubsub.editor + - roles/serviceusage.serviceUsageAdmin + - roles/source.admin + - roles/storage.admin + - roles/resourcemanager.projectIamAdmin + - roles/viewer + services: + - cloudresourcemanager.googleapis.com + - cloudbilling.googleapis.com + - clouddeploy.googleapis.com + - storage-api.googleapis.com + - serviceusage.googleapis.com + - cloudbuild.googleapis.com + - containerregistry.googleapis.com + - iamcredentials.googleapis.com + - secretmanager.googleapis.com + - sourcerepo.googleapis.com + - artifactregistry.googleapis.com + - containeranalysis.googleapis.com + - cloudkms.googleapis.com + - binaryauthorization.googleapis.com + - containerscanning.googleapis.com + - servicenetworking.googleapis.com + - pubsub.googleapis.com diff --git a/modules/secure-ci/metadata.display.yaml b/modules/secure-ci/metadata.display.yaml new file mode 100644 index 00000000..b5b517c6 --- /dev/null +++ b/modules/secure-ci/metadata.display.yaml 
@@ -0,0 +1,82 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-secure-cicd-display +spec: + info: + title: Secure CI Module + source: + repo: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd.git + sourceType: git + dir: secure-ci + ui: + input: + variables: + additional_substitutions: + name: additional_substitutions + title: Additional Substitutions + app_build_trigger_yaml: + name: app_build_trigger_yaml + title: App Build Trigger Yaml + app_source_repo: + name: app_source_repo + title: App Source Repo + attestor_names_prefix: + name: attestor_names_prefix + title: Attestor Names Prefix + build_image_config_yaml: + name: build_image_config_yaml + title: Build Image Config Yaml + cache_bucket_name: + name: cache_bucket_name + title: Cache Bucket Name + cloudbuild_cd_repo: + name: cloudbuild_cd_repo + title: Cloudbuild Cd Repo + cloudbuild_private_pool: + name: cloudbuild_private_pool + title: Cloudbuild Private Pool + cloudbuild_service_account_roles: + name: cloudbuild_service_account_roles + title: Cloudbuild Service Account Roles + clouddeploy_pipeline_name: + name: clouddeploy_pipeline_name + title: Clouddeploy Pipeline Name + gar_repo_name_suffix: + name: gar_repo_name_suffix + title: Gar Repo Name Suffix + labels: + name: labels + title: Labels + primary_location: + name: primary_location + title: 
Primary Location + project_id: + name: project_id + title: Project Id + runner_build_folder: + name: runner_build_folder + title: Runner Build Folder + skip_provisioners: + name: skip_provisioners + title: Skip Provisioners + trigger_branch_name: + name: trigger_branch_name + title: Trigger Branch Name + use_tf_google_credentials_env_var: + name: use_tf_google_credentials_env_var + title: Use Tf Google Credentials Env Var diff --git a/modules/secure-ci/metadata.yaml b/modules/secure-ci/metadata.yaml index ce66d806..e6a6717d 100644 --- a/modules/secure-ci/metadata.yaml +++ b/modules/secure-ci/metadata.yaml 
@@ -19,183 +19,179 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Secure CI Module - source: - repo: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd.git - sourceType: git - version: 0.3.0 - actuationTool: - type: Terraform - version: '>= 0.13.0' - description: {} - examples: - - name: app_cicd - location: examples/app_cicd - - name: cloudbuild_private_pool - location: examples/cloudbuild_private_pool - - name: private_cluster_cicd - location: examples/private_cluster_cicd - - name: standalone_single_project - location: examples/standalone_single_project - variables: - - name: additional_substitutions - description: Parameters to be substituted in the build specification. All keys should begin with an underscore. - type: map(string) - default: {} - required: false - - name: app_build_trigger_yaml - description: Name of application cloudbuild yaml file - type: string - required: true - - name: app_source_repo - description: Name of repo that contains app source code along with cloudbuild yaml - type: string - default: app-source - required: false - - name: attestor_names_prefix - description: A list of Binary Authorization attestors to create. The first attestor specified in this list will be used as the build-attestor during the CI phase. 
- type: list(string) - required: true - - name: build_image_config_yaml - description: Name of image builder yaml file - type: string - required: true - - name: cache_bucket_name - description: Name of cloudbuild artifact and cache GCS bucket - type: string - default: "" - required: false - - name: cloudbuild_cd_repo - description: Name of repo that stores the Cloud Build CD phase configs - for post-deployment checks - type: string - default: cloudbuild-cd-config - required: false - - name: cloudbuild_private_pool - description: Cloud Build private pool self-link - type: string - default: "" - required: false - - name: cloudbuild_service_account_roles - description: IAM roles given to the Cloud Build service account to enable security scanning operations - type: list(string) - default: - - roles/artifactregistry.admin - - roles/binaryauthorization.attestorsVerifier - - roles/cloudbuild.builds.builder - - roles/clouddeploy.developer - - roles/clouddeploy.releaser - - roles/cloudkms.cryptoOperator - - roles/containeranalysis.notes.attacher - - roles/containeranalysis.notes.occurrences.viewer - - roles/source.writer - - roles/storage.admin - - roles/cloudbuild.workerPoolUser - - roles/ondemandscanning.admin - - roles/logging.logWriter - required: false - - name: clouddeploy_pipeline_name - description: Cloud Deploy pipeline name - type: string - default: deploy-pipeline - required: false - - name: gar_repo_name_suffix - description: Docker artifact regitery repo to store app build images - type: string - default: app-image-repo - required: false - - name: labels - description: A set of key/value label pairs to assign to the resources deployed by this blueprint. 
- type: map(string) - default: {} - required: false - - name: primary_location - description: Region used for key-ring - type: string - required: true - - name: project_id - description: Project ID for CICD Pipeline Project - type: string - required: true - - name: runner_build_folder - description: Path to the source folder for the cloud builds submit command. Leave blank if `skip_provisioners = true` - type: string - default: "" - required: false - - name: skip_provisioners - description: Skip modules that use provisioners/local-exec - type: bool - default: false - required: false - - name: trigger_branch_name - description: A regular expression to match one or more branches for the build trigger. - type: string - required: true - - name: use_tf_google_credentials_env_var - description: Optional GOOGLE_CREDENTIALS environment variable to be activated. - type: bool - default: false - required: false - outputs: - - name: app_artifact_repo - description: GAR Repo created to store runner images - - name: binauth_attestor_ids - description: IDs of Attestors - - name: binauth_attestor_names - description: Names of Attestors - - name: binauth_attestor_project_id - description: Project ID where attestors get created - - name: build_trigger_name - description: The name of the cloud build trigger for the app source repo. - - name: cache_bucket_name - description: The name of the storage bucket for cloud build. 
- - name: source_repo_names - description: Name of the created CSR repos - - name: source_repo_urls - description: URLS of the created CSR repos - roles: - - level: Project + info: + title: Secure CI Module + source: + repo: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd.git + sourceType: git + dir: secure-ci + version: 1.1.1 + actuationTool: + flavor: Terraform + version: '>= 0.13.0' + description: {} + content: + examples: + - name: app_cicd + location: examples/app_cicd + - name: cloudbuild_private_pool + location: examples/cloudbuild_private_pool + - name: private_cluster_cicd + location: examples/private_cluster_cicd + - name: standalone_single_project + location: examples/standalone_single_project + interfaces: + variables: + - name: additional_substitutions + description: Parameters to be substituted in the build specification. All keys should begin with an underscore. + varType: map(string) + defaultValue: {} + - name: app_build_trigger_yaml + description: Name of application cloudbuild yaml file + varType: string + required: true + - name: app_source_repo + description: Name of repo that contains app source code along with cloudbuild yaml + varType: string + defaultValue: app-source + - name: attestor_names_prefix + description: A list of Binary Authorization attestors to create. The first attestor specified in this list will be used as the build-attestor during the CI phase. 
+ varType: list(string) + required: true + - name: build_image_config_yaml + description: Name of image builder yaml file + varType: string + required: true + - name: cache_bucket_name + description: Name of cloudbuild artifact and cache GCS bucket + varType: string + defaultValue: "" + - name: cloudbuild_cd_repo + description: Name of repo that stores the Cloud Build CD phase configs - for post-deployment checks + varType: string + defaultValue: cloudbuild-cd-config + - name: cloudbuild_private_pool + description: Cloud Build private pool self-link + varType: string + defaultValue: "" + - name: cloudbuild_service_account_roles + description: IAM roles given to the Cloud Build service account to enable security scanning operations + varType: list(string) + defaultValue: + - roles/artifactregistry.admin + - roles/binaryauthorization.attestorsVerifier + - roles/cloudbuild.builds.builder + - roles/clouddeploy.developer + - roles/clouddeploy.releaser + - roles/cloudkms.cryptoOperator + - roles/containeranalysis.notes.attacher + - roles/containeranalysis.notes.occurrences.viewer + - roles/source.writer + - roles/storage.admin + - roles/cloudbuild.workerPoolUser + - roles/ondemandscanning.admin + - roles/logging.logWriter + - name: clouddeploy_pipeline_name + description: Cloud Deploy pipeline name + varType: string + defaultValue: deploy-pipeline + - name: gar_repo_name_suffix + description: Docker artifact regitery repo to store app build images + varType: string + defaultValue: app-image-repo + - name: labels + description: A set of key/value label pairs to assign to the resources deployed by this blueprint. + varType: map(string) + defaultValue: {} + - name: primary_location + description: Region used for key-ring + varType: string + required: true + - name: project_id + description: Project ID for CICD Pipeline Project + varType: string + required: true + - name: runner_build_folder + description: Path to the source folder for the cloud builds submit command. 
Leave blank if `skip_provisioners = true` + varType: string + defaultValue: "" + - name: skip_provisioners + description: Skip modules that use provisioners/local-exec + varType: bool + defaultValue: false + - name: trigger_branch_name + description: A regular expression to match one or more branches for the build trigger. + varType: string + required: true + - name: use_tf_google_credentials_env_var + description: Optional GOOGLE_CREDENTIALS environment variable to be activated. + varType: bool + defaultValue: false + outputs: + - name: app_artifact_repo + description: GAR Repo created to store runner images + - name: binauth_attestor_ids + description: IDs of Attestors + - name: binauth_attestor_names + description: Names of Attestors + - name: binauth_attestor_project_id + description: Project ID where attestors get created + - name: build_sa_email + description: Cloud Build Service Account email address + - name: build_trigger_name + description: The name of the cloud build trigger for the app source repo. + - name: cache_bucket_name + description: The name of the storage bucket for cloud build. 
+ - name: source_repo_names + description: Name of the created CSR repos + - name: source_repo_urls + description: URLS of the created CSR repos + requirements: roles: - - roles/compute.networkAdmin - - roles/container.admin - - roles/binaryauthorization.policyEditor - - roles/resourcemanager.projectIamAdmin - - roles/iam.serviceAccountAdmin - - roles/serviceusage.serviceUsageViewer - - roles/iam.serviceAccountUser - - level: Project - roles: - - roles/artifactregistry.admin - - roles/binaryauthorization.attestorsAdmin - - roles/cloudbuild.builds.builder - - roles/cloudbuild.workerPoolOwner - - roles/clouddeploy.admin - - roles/cloudkms.admin - - roles/cloudkms.publicKeyViewer - - roles/containeranalysis.notes.editor - - roles/compute.networkAdmin - - roles/iam.serviceAccountAdmin - - roles/iam.serviceAccountUser - - roles/pubsub.editor - - roles/serviceusage.serviceUsageAdmin - - roles/source.admin - - roles/storage.admin - - roles/resourcemanager.projectIamAdmin - - roles/viewer - services: - - cloudresourcemanager.googleapis.com - - cloudbilling.googleapis.com - - clouddeploy.googleapis.com - - storage-api.googleapis.com - - serviceusage.googleapis.com - - cloudbuild.googleapis.com - - containerregistry.googleapis.com - - iamcredentials.googleapis.com - - secretmanager.googleapis.com - - sourcerepo.googleapis.com - - artifactregistry.googleapis.com - - containeranalysis.googleapis.com - - cloudkms.googleapis.com - - binaryauthorization.googleapis.com - - containerscanning.googleapis.com - - servicenetworking.googleapis.com - - pubsub.googleapis.com + - level: Project + roles: + - roles/artifactregistry.admin + - roles/binaryauthorization.attestorsAdmin + - roles/cloudbuild.builds.builder + - roles/cloudbuild.workerPoolOwner + - roles/clouddeploy.admin + - roles/cloudkms.admin + - roles/cloudkms.publicKeyViewer + - roles/containeranalysis.notes.editor + - roles/compute.networkAdmin + - roles/gkehub.editor + - roles/iam.serviceAccountAdmin + - 
roles/iam.serviceAccountUser + - roles/pubsub.editor + - roles/serviceusage.serviceUsageAdmin + - roles/source.admin + - roles/storage.admin + - roles/resourcemanager.projectIamAdmin + - roles/viewer + - level: Project + roles: + - roles/compute.networkAdmin + - roles/container.admin + - roles/binaryauthorization.policyEditor + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/serviceusage.serviceUsageViewer + - roles/iam.serviceAccountUser + services: + - cloudresourcemanager.googleapis.com + - cloudbilling.googleapis.com + - clouddeploy.googleapis.com + - storage-api.googleapis.com + - serviceusage.googleapis.com + - cloudbuild.googleapis.com + - containerregistry.googleapis.com + - iamcredentials.googleapis.com + - secretmanager.googleapis.com + - sourcerepo.googleapis.com + - artifactregistry.googleapis.com + - containeranalysis.googleapis.com + - cloudkms.googleapis.com + - binaryauthorization.googleapis.com + - containerscanning.googleapis.com + - servicenetworking.googleapis.com + - pubsub.googleapis.com diff --git a/modules/workerpool-gke-ha-vpn/metadata.display.yaml b/modules/workerpool-gke-ha-vpn/metadata.display.yaml new file mode 100644 index 00000000..bd49d4ce --- /dev/null +++ b/modules/workerpool-gke-ha-vpn/metadata.display.yaml 
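Review bot: `roles/gkehub.editor` appears in the new `requirements.roles` Project-level block (and likewise in the preceding metadata.yaml hunk and the workerpool-gke-ha-vpn metadata hunk), an IAM privilege addition that the commit title, which only speaks of display-metadata generation, does not account for. Presumably the list is regenerated from the test-setup IAM bindings; please confirm the addition is intended and record it in the commit description, since it widens the set of roles a consumer is told its deploying identity needs. The two `level: Project` blocks are also emitted in the opposite order from the preceding hunk (the smaller viewer-style block comes first there, the larger admin block first here), which makes the generated files harder to compare. Separately, the `gar_repo_name_suffix` description still reads `Docker artifact regitery repo to store app build images`; correct the spelling where the description is sourced so the regenerated line reads `description: Docker artifact registry repo to store app build images`.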
@@ -0,0 +1,70 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-secure-cicd-display +spec: + info: + title: Workerpool HA VPN Module + source: + repo: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd.git + sourceType: git + dir: workerpool-gke-ha-vpn + ui: + input: + variables: + bgp_range_1: + name: bgp_range_1 + title: Bgp Range 1 + bgp_range_2: + name: bgp_range_2 + title: Bgp Range 2 + gateway_1_asn: + name: gateway_1_asn + title: Gateway 1 Asn + gateway_2_asn: + name: gateway_2_asn + title: Gateway 2 Asn + gke_control_plane_cidrs: + name: gke_control_plane_cidrs + title: Gke Control Plane Cidrs + gke_location: + name: gke_location + title: Gke Location + gke_network: + name: gke_network + title: Gke Network + gke_project: + name: gke_project + title: Gke Project + labels: + name: labels + title: Labels + location: + name: location + title: Location + project_id: + name: project_id + title: Project Id + vpn_router_name_prefix: + name: vpn_router_name_prefix + title: Vpn Router Name Prefix + workerpool_network: + name: workerpool_network + title: Workerpool Network + workerpool_range: + name: workerpool_range + title: Workerpool Range diff --git a/modules/workerpool-gke-ha-vpn/metadata.yaml b/modules/workerpool-gke-ha-vpn/metadata.yaml index c6757798..d27891c5 100644 
--- a/modules/workerpool-gke-ha-vpn/metadata.yaml
+++ b/modules/workerpool-gke-ha-vpn/metadata.yaml
@@ -19,145 +19,144 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Workerpool HA VPN Module - source: - repo: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd.git - sourceType: git - version: 0.3.0 - actuationTool: - type: Terraform - version: '>= 0.13.0' - description: {} - examples: - - name: app_cicd - location: examples/app_cicd - - name: cloudbuild_private_pool - location: examples/cloudbuild_private_pool - - name: private_cluster_cicd - location: examples/private_cluster_cicd - - name: standalone_single_project - location: examples/standalone_single_project - variables: - - name: bgp_range_1 - description: BGP range for HA VPN tunnel 1 - type: string - default: 169.254.1.0/30 - required: false - - name: bgp_range_2 - description: BGP range for HA VPN tunnel 1 - type: string - default: 169.254.2.0/30 - required: false - - name: gateway_1_asn - description: 'ASN for HA VPN gateway #1. You can use any private ASN (64512 through 65534, 4200000000 through 4294967294) that you are not using elsewhere in your network' - type: number - default: 65001 - required: false - - name: gateway_2_asn - description: 'ASN for HA VPN gateway #2. You can use any private ASN (64512 through 65534, 4200000000 through 4294967294) that you are not using elsewhere in your network' - type: number - default: 65002 - required: false - - name: gke_control_plane_cidrs - description: map of GKE control plane CIDRs to name - type: map(string) - required: true - - name: gke_location - description: Region of GKE subnet & cluster - type: string - required: true - - name: gke_network - description: Name of GKE VPC - type: string - required: true - - name: gke_project - description: Project ID of GKE VPC and cluster - type: string - required: true - - name: labels - description: A set of key/value label pairs to assign to the resources deployed by this blueprint. 
- type: map(string) - default: {} - required: false - - name: location - description: Region for Cloud Build worker pool - type: string - default: us-central1 - required: false - - name: project_id - description: Project ID for Cloud Build - type: string - required: true - - name: vpn_router_name_prefix - description: Prefix for HA VPN router names - type: string - default: "" - required: false - - name: workerpool_network - description: Self link for Cloud Build VPC - type: string - required: true - - name: workerpool_range - description: Address range of Cloud Build Workerpool - type: string - required: true - outputs: - - name: vpn_gateway_cloudbuild - description: Name of HA VPN gateway on Cloud Build VPC - - name: vpn_gateway_gke - description: Name of HA VPN gateway on GKE VPC - - name: vpn_router_cloudbuild_names - description: Names of HA VPN router on Cloud Build VPC - - name: vpn_router_gke_names - description: Names of HA VPN router on GKE VPC - - name: vpn_tunnel_cloudbuild_names - description: Names of HA VPN tunnels on Cloud Build VPC - - name: vpn_tunnel_gke_names - description: Names of HA VPN tunnels on GKE VPC - roles: - - level: Project + info: + title: Workerpool HA VPN Module + source: + repo: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd.git + sourceType: git + dir: workerpool-gke-ha-vpn + version: 1.1.1 + actuationTool: + flavor: Terraform + version: '>= 0.13.0' + description: {} + content: + examples: + - name: app_cicd + location: examples/app_cicd + - name: cloudbuild_private_pool + location: examples/cloudbuild_private_pool + - name: private_cluster_cicd + location: examples/private_cluster_cicd + - name: standalone_single_project + location: examples/standalone_single_project + interfaces: + variables: + - name: bgp_range_1 + description: BGP range for HA VPN tunnel 1 + varType: string + defaultValue: 169.254.1.0/30 + - name: bgp_range_2 + description: BGP range for HA VPN tunnel 1 + varType: string + defaultValue: 
169.254.2.0/30 + - name: gateway_1_asn + description: 'ASN for HA VPN gateway #1. You can use any private ASN (64512 through 65534, 4200000000 through 4294967294) that you are not using elsewhere in your network' + varType: number + defaultValue: 65001 + - name: gateway_2_asn + description: 'ASN for HA VPN gateway #2. You can use any private ASN (64512 through 65534, 4200000000 through 4294967294) that you are not using elsewhere in your network' + varType: number + defaultValue: 65002 + - name: gke_control_plane_cidrs + description: map of GKE control plane CIDRs to name + varType: map(string) + required: true + - name: gke_location + description: Region of GKE subnet & cluster + varType: string + required: true + - name: gke_network + description: Name of GKE VPC + varType: string + required: true + - name: gke_project + description: Project ID of GKE VPC and cluster + varType: string + required: true + - name: labels + description: A set of key/value label pairs to assign to the resources deployed by this blueprint. 
+ varType: map(string) + defaultValue: {} + - name: location + description: Region for Cloud Build worker pool + varType: string + defaultValue: us-central1 + - name: project_id + description: Project ID for Cloud Build + varType: string + required: true + - name: vpn_router_name_prefix + description: Prefix for HA VPN router names + varType: string + defaultValue: "" + - name: workerpool_network + description: Self link for Cloud Build VPC + varType: string + required: true + - name: workerpool_range + description: Address range of Cloud Build Workerpool + varType: string + required: true + outputs: + - name: vpn_gateway_cloudbuild + description: Name of HA VPN gateway on Cloud Build VPC + - name: vpn_gateway_gke + description: Name of HA VPN gateway on GKE VPC + - name: vpn_router_cloudbuild_names + description: Names of HA VPN router on Cloud Build VPC + - name: vpn_router_gke_names + description: Names of HA VPN router on GKE VPC + - name: vpn_tunnel_cloudbuild_names + description: Names of HA VPN tunnels on Cloud Build VPC + - name: vpn_tunnel_gke_names + description: Names of HA VPN tunnels on GKE VPC + requirements: roles: - - roles/compute.networkAdmin - - roles/container.admin - - roles/binaryauthorization.policyEditor - - roles/resourcemanager.projectIamAdmin - - roles/iam.serviceAccountAdmin - - roles/serviceusage.serviceUsageViewer - - roles/iam.serviceAccountUser - - level: Project - roles: - - roles/artifactregistry.admin - - roles/binaryauthorization.attestorsAdmin - - roles/cloudbuild.builds.builder - - roles/cloudbuild.workerPoolOwner - - roles/clouddeploy.admin - - roles/cloudkms.admin - - roles/cloudkms.publicKeyViewer - - roles/containeranalysis.notes.editor - - roles/compute.networkAdmin - - roles/iam.serviceAccountAdmin - - roles/iam.serviceAccountUser - - roles/pubsub.editor - - roles/serviceusage.serviceUsageAdmin - - roles/source.admin - - roles/storage.admin - - roles/resourcemanager.projectIamAdmin - - roles/viewer - services: - - 
cloudresourcemanager.googleapis.com - - cloudbilling.googleapis.com - - clouddeploy.googleapis.com - - storage-api.googleapis.com - - serviceusage.googleapis.com - - cloudbuild.googleapis.com - - containerregistry.googleapis.com - - iamcredentials.googleapis.com - - secretmanager.googleapis.com - - sourcerepo.googleapis.com - - artifactregistry.googleapis.com - - containeranalysis.googleapis.com - - cloudkms.googleapis.com - - binaryauthorization.googleapis.com - - containerscanning.googleapis.com - - servicenetworking.googleapis.com - - pubsub.googleapis.com + - level: Project + roles: + - roles/artifactregistry.admin + - roles/binaryauthorization.attestorsAdmin + - roles/cloudbuild.builds.builder + - roles/cloudbuild.workerPoolOwner + - roles/clouddeploy.admin + - roles/cloudkms.admin + - roles/cloudkms.publicKeyViewer + - roles/containeranalysis.notes.editor + - roles/compute.networkAdmin + - roles/gkehub.editor + - roles/iam.serviceAccountAdmin + - roles/iam.serviceAccountUser + - roles/pubsub.editor + - roles/serviceusage.serviceUsageAdmin + - roles/source.admin + - roles/storage.admin + - roles/resourcemanager.projectIamAdmin + - roles/viewer + - level: Project + roles: + - roles/compute.networkAdmin + - roles/container.admin + - roles/binaryauthorization.policyEditor + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/serviceusage.serviceUsageViewer + - roles/iam.serviceAccountUser + services: + - cloudresourcemanager.googleapis.com + - cloudbilling.googleapis.com + - clouddeploy.googleapis.com + - storage-api.googleapis.com + - serviceusage.googleapis.com + - cloudbuild.googleapis.com + - containerregistry.googleapis.com + - iamcredentials.googleapis.com + - secretmanager.googleapis.com + - sourcerepo.googleapis.com + - artifactregistry.googleapis.com + - containeranalysis.googleapis.com + - cloudkms.googleapis.com + - binaryauthorization.googleapis.com + - containerscanning.googleapis.com + - 
servicenetworking.googleapis.com + - pubsub.googleapis.com
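Review bot: The `bgp_range_2` entry on the new side carries `description: BGP range for HA VPN tunnel 1`, identical to the `bgp_range_1` text, so the generated documentation mislabels the second tunnel's range; it should read `description: BGP range for HA VPN tunnel 2`. Because this file appears to be regenerated from the module's variable descriptions, the fix belongs at that source too, or the next generation run will reintroduce the copy-paste error. The `roles/gkehub.editor` addition in `requirements.roles` here is the same point raised on the secure-ci metadata hunk.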