Skip to content

Latest commit

 

History

History
 
 

cloudbuild

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
cloudbuild_builder
cloudbuild_builder
 
 
README.md
README.md
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
variables.tf
variables.tf
 
 
versions.tf
versions.tf
 
 

README.md

Overview

Usage

Basic usage of this module is as follows:

module "bootstrap" {
  source  = "terraform-google-modules/bootstrap/google//modules/cloudbuild"
  version = "~> 1.3"

  org_id         = "<ORGANIZATION_ID>"
  billing_account         = "<BILLING_ACCOUNT_ID>"
  group_org_admins        = "gcp-organization-admins@example.com"
  default_region          = "australia-southeast1"
  sa_enable_impersonation = true
  terraform_sa_email      = "<SERVICE_ACCOUNT_EMAIL>"
  terraform_sa_name       = "<SERVICE_ACCOUNT_NAME>"
  terraform_state_bucket  = "<GCS_STATE_BUCKET_NAME>"
}

Functional examples and sample Cloud Build definitions are included in the examples directory.

Features

  1. Create a new GCP cloud build project using project_prefix
  2. Enable APIs in the cloud build project using activate_apis
  3. Build a Terraform docker image for Cloud Build, including terraform-validator.
  4. Create a GCS bucket for Cloud Build Artifacts using project_prefix
  5. Create Cloud Source Repos for pipelines using list of repos in cloud_source_repos
    1. Create Cloud Build trigger for terraform apply on master branch
    2. Create Cloud Build trigger for terrafor plan on all other branches
  6. Create KMS Keyring and key for encryption
    1. Grant access to decrypt to Cloud Build service account and terraform_sa_email
    2. Grant access to encrypt to group_org_admins
  7. Optionally give Cloud Build service account permissions to impersonate terraform service account using sa_enable_impersonation and supplied value for terraform_sa_name

Resources created

  • KMS Keyring and key for secrets, including IAM for Cloudbuild, Org Admins and Terraform service acocunt
  • (optional) Cloudbuild impersonation permissions for a service account
  • (optional) Cloud Source Repos, with triggers for terraform plan (all other branches) & terraform apply (master)

Inputs

Name Description Type Default Required
activate_apis List of APIs to enable in the Cloudbuild project. list(string) <list> no
billing_account The ID of the billing account to associate projects with. string n/a yes
cloud_source_repos List of Cloud Source Repo's to create with CloudBuild triggers. list(string) <list> no
cloudbuild_apply_filename Path and name of Cloud Build YAML definition used for terraform apply. string "cloudbuild-tf-apply.yaml" no
cloudbuild_plan_filename Path and name of Cloud Build YAML definition used for terraform plan. string "cloudbuild-tf-plan.yaml" no
default_region Default region to create resources where applicable. string "us-central1" no
folder_id The ID of a folder to host this project string "" no
group_org_admins Google Group for GCP Organization Administrators string n/a yes
org_id GCP Organization ID string n/a yes
project_labels Labels to apply to the project. map(string) <map> no
project_prefix Name prefix to use for projects created. string "cft" no
sa_enable_impersonation Allow org_admins group to impersonate service account & enable APIs required. bool "false" no
skip_gcloud_download Whether to skip downloading gcloud (assumes gcloud is already available outside the module) bool "true" no
storage_bucket_labels Labels to apply to the storage bucket. map(string) <map> no
terraform_apply_branches List of git branches configured to run terraform apply Cloud Build trigger. All other branches will run plan by default. list(string) <list> no
terraform_sa_email Email for terraform service account. string n/a yes
terraform_sa_name Fully-qualified name of the terraform service account. string n/a yes
terraform_state_bucket Default state bucket, used in Cloud Build substitutions. string n/a yes
terraform_validator_release Default terraform-validator release. string "2020-03-05" no
terraform_version Default terraform version. string "0.12.24" no
terraform_version_sha256sum sha256sum for default terraform version. string "602d2529aafdaa0f605c06adb7c72cfb585d8aa19b3f4d8d189b42589e27bf11" no

Outputs

Name Description
cloudbuild_project_id Project where CloudBuild configuration and terraform container image will reside.
csr_repos List of Cloud Source Repos created by the module, linked to Cloud Build triggers.
gcs_bucket_cloudbuild_artifacts Bucket used to store Cloud/Build artefacts in CloudBuild project.
kms_crypto_key KMS key created by the module.
kms_keyring KMS Keyring created by the module.

Requirements

Software

  • gcloud sdk >= 206.0.0
  • Terraform >= 0.12.6
  • [terraform-provider-google] plugin 2.1.x
  • [terraform-provider-google-beta] plugin 2.1.x

Permissions

  • roles/billing.user on supplied billing account
  • roles/resourcemanager.organizationAdmin on GCP Organization
  • roles/resourcemanager.projectCreator on GCP Organization or folder

APIs

A project with the following APIs enabled must be used to host the resources of this module:

  • Google Cloud Resource Manager API: cloudresourcemanager.googleapis.com
  • Google Cloud Billing API: cloudbilling.googleapis.com
  • Google Cloud IAM API: iam.googleapis.com
  • Google Cloud Storage API storage-api.googleapis.com
  • Google Cloud Service Usage API: serviceusage.googleapis.com
  • Google Cloud Build API: cloudbuild.googleapis.com
  • Google Cloud Source Repo API: sourcerepo.googleapis.com
  • Google Cloud KMS API: cloudkms.googleapis.com

This API can be enabled in the default project created during establishing an organization.

Contributing

Refer to the contribution guidelines for information on contributing to this module.