Merge branch 'master' into master

This commit is contained in:
Julio Castillo 2022-09-12 08:54:16 +02:00 committed by GitHub
commit 4d83dcf490
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 73 additions and 105 deletions


@ -4,10 +4,12 @@ All notable changes to this project will be documented in this file.
## [Unreleased]
## [18.0.0] - 2022-09-09
<!-- None < 2022-06-06 13:42:51+00:00 -->
<!-- 2022-09-09 18:02:15+00:00 < 2022-06-06 13:42:51+00:00 -->
- [[#808](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/808)] Rename examples to blueprints ([juliocc](https://github.com/juliocc)) <!-- 2022-09-09 15:14:19+00:00 -->
### FAST
@ -50,6 +52,8 @@ All notable changes to this project will be documented in this file.
### EXAMPLES
- [[#801](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/801)] Update Cloud SQL example ([lcaggio](https://github.com/lcaggio)) <!-- 2022-09-09 14:02:07+00:00 -->
- [[#802](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/802)] Fix Data Platform example ([lcaggio](https://github.com/lcaggio)) <!-- 2022-09-09 07:19:28+00:00 -->
- [[#790](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/790)] Cloud Identity Group factory ([lcaggio](https://github.com/lcaggio)) <!-- 2022-09-01 13:30:58+00:00 -->
- [[#740](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/740)] Update to multiple READMEs ([bluPhy](https://github.com/bluPhy)) <!-- 2022-08-11 07:40:55+00:00 -->
- [[#738](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/738)] Improve Data Playground example ([lcaggio](https://github.com/lcaggio)) <!-- 2022-08-09 13:56:39+00:00 -->
@ -65,6 +69,7 @@ All notable changes to this project will be documented in this file.
### MODULES
- [[#805](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/805)] Change `modules/project` service_config default ([juliocc](https://github.com/juliocc)) <!-- 2022-09-09 07:54:31+00:00 -->
- [[#787](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/787)] Support manager role in cloud identity group module ([lcaggio](https://github.com/lcaggio)) <!-- 2022-08-31 10:29:05+00:00 -->
- [[#786](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/786)] Secret manager flag sensitive output ([ddaluka](https://github.com/ddaluka)) <!-- 2022-08-29 11:22:52+00:00 -->
- [[#775](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/775)] net-glb: Added support for regional external HTTP(s) load balancing ([rosmo](https://github.com/rosmo)) <!-- 2022-08-27 20:58:11+00:00 -->
@ -107,7 +112,7 @@ All notable changes to this project will be documented in this file.
### TOOLS
- [[#796](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/796)] Remove duplicate path component from doc_examples test names. ([juliocc](https://github.com/juliocc)) <!-- 2022-09-07 09:37:19+00:00 -->
- [[#794](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/794)] Test documentation examples in the `blueprints/` folder ([juliocc](https://github.com/juliocc)) <!-- 2022-09-06 19:38:26+00:00 -->
- [[#794](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/794)] Test documentation examples in the `examples/` folder ([juliocc](https://github.com/juliocc)) <!-- 2022-09-06 19:38:26+00:00 -->
- [[#788](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/788)] fix yaml quotes for merge-pr workflow ([drebes](https://github.com/drebes)) <!-- 2022-08-31 13:47:33+00:00 -->
- [[#763](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/763)] Changelog generator ([ludoo](https://github.com/ludoo)) <!-- 2022-08-02 09:45:06+00:00 -->
- [[#762](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/762)] Update changelog on pull request merge ([ludoo](https://github.com/ludoo)) <!-- 2022-07-30 17:04:00+00:00 -->
@ -672,4 +677,4 @@ All notable changes to this project will be documented in this file.
[1.3.0]: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/compare/v1.2.0...v1.3.0
[1.2.0]: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/compare/v1.1.0...v1.2.0
[1.1.0]: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/compare/v1.0.0...v1.1.0
[1.0.0]: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/compare/v0.1...v1.0.0
[1.0.0]: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/compare/v0.1...v1.0.0


@ -13,145 +13,108 @@
# limitations under the License.
default:
image:
name: registry.gitlab.com/gitlab-org/terraform-images/releases/1.1
before_script:
- |
ssh-agent -a $SSH_AUTH_SOCK > /dev/null
echo "$CICD_MODULES_KEY" | base64 -d | tr -d '\r' | ssh-add - > /dev/null
mkdir -p ~/.ssh
ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
cd "$${TF_ROOT}"
cp -R .tf-setup/. .
- echo "${CI_JOB_JWT_V2}" > token.txt
image:
name: hashicorp/terraform
entrypoint:
- "/usr/bin/env"
- "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
variables:
GOOGLE_CREDENTIALS: cicd-sa-credentials.json
FAST_OUTPUTS_BUCKET: ${outputs_bucket}
FAST_SERVICE_ACCOUNT: ${service_account}
FAST_WIF_PROVIDER: ${identity_provider}
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
TF_PROVIDERS_FILE: ${tf_providers_file}
TF_VAR_FILES: ${tf_var_files == [] ? "''" : join("\n ", tf_var_files)}
TF_VERSION: 1.1.7
TF_ROOT: $${CI_PROJECT_DIR} # The relative path to the root directory of the Terraform project
stages:
- gcp-auth
- tf-setup
- tf-init
- tf-validate
- tf-files
- tf-plan
- tf-apply
cache:
key: "$${TF_ROOT}"
key: gcp-auth
paths:
- $${TF_ROOT}/.terraform/
- $${TF_ROOT}/.tf-setup/
- cicd-sa-credentials.json
- .tf-setup
# Configure GCP Auth with Access Token
gcp-auth:
image:
name: google/cloud-sdk:slim
stage: gcp-auth
before_script: []
script:
- |
PAYLOAD="$(cat <<EOF
{
"audience": "//iam.googleapis.com/$${FAST_WIF_PROVIDER}",
"grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
"requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
"scope": "https://www.googleapis.com/auth/cloud-platform",
"subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
"subjectToken": "$${CI_JOB_JWT_V2}"
}
EOF
)"
FEDERATED_TOKEN="$(curl --silent "https://sts.googleapis.com/v1/token" \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data "$${PAYLOAD}" \
| jq -r '.access_token'
)"
GOOGLE_OAUTH_ACCESS_TOKEN="$(curl --silent --show-error --fail "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/$${FAST_SERVICE_ACCOUNT}:generateAccessToken" \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $${FEDERATED_TOKEN}" \
--data '{"scope": ["https://www.googleapis.com/auth/cloud-platform"]}' \
| jq -r '.accessToken'
)"
echo "GOOGLE_OAUTH_ACCESS_TOKEN=$GOOGLE_OAUTH_ACCESS_TOKEN" >> gcp-auth.env
if [ -z "$GOOGLE_OAUTH_ACCESS_TOKEN" ]; then exit 1; fi
# WIP - will have to find a better way of doing this
artifacts:
reports:
dotenv: gcp-auth.env
# Downloading from bucket into cache
tf-setup:
stage: tf-setup
before_script: []
script:
- |
mkdir -p .tf-setup
curl -X GET \
-H "Authorization: Bearer $GOOGLE_OAUTH_ACCESS_TOKEN" \
-o ".tf-setup/$${TF_PROVIDERS_FILE}" \
"https://storage.googleapis.com/$${FAST_OUTPUTS_BUCKET}/providers/$${TF_PROVIDERS_FILE}"
for f in $TF_VAR_FILES; do
curl -X GET \
-H "Authorization: Bearer $GOOGLE_OAUTH_ACCESS_TOKEN" \
-o ".tf-setup/$f" \
"https://storage.googleapis.com/$${FAST_OUTPUTS_BUCKET}/tfvars/$f"
done
gcloud iam workload-identity-pools create-cred-config \
${FAST_WIF_PROVIDER} \
--service-account=${FAST_SERVICE_ACCOUNT} \
--service-account-token-lifetime-seconds=3600 \
--output-file=${GOOGLE_CREDENTIALS} \
--credential-source-file=token.txt
tf-files:
dependencies:
- gcp-auth
# Terraform Init
tf-init:
stage: tf-init
image:
name: google/cloud-sdk:slim
stage: tf-files
script:
# - gcloud components install -q alpha
- gcloud config set auth/credential_file_override ${GOOGLE_CREDENTIALS}
- mkdir -p .tf-setup
- |
gitlab-terraform init
dependencies:
- gcp-auth
# Terraform Validate
tf-validate:
stage: tf-validate
script:
gcloud alpha storage cp -r \
"gs://${FAST_OUTPUTS_BUCKET}/providers/${TF_PROVIDERS_FILE}" .tf-setup/
- |
gitlab-terraform validate
dependencies:
- gcp-auth
gcloud alpha storage cp -r \
"gs://${FAST_OUTPUTS_BUCKET}/tfvars" .tf-setup/
# Terraform Plan
tf-plan:
# uncomment the following lines and set the SSH key secret for private modules repo
# before_script:
# - |
# ssh-agent -a $SSH_AUTH_SOCK > /dev/null
# echo "$CICD_MODULES_KEY" | base64 -d | tr -d '\r' | ssh-add - > /dev/null
# mkdir -p ~/.ssh
# ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
# ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
stage: tf-plan
script:
- |
gitlab-terraform plan
gitlab-terraform plan-json
- cp .tf-setup/${TF_PROVIDERS_FILE} ./
- |
for f in ${TF_VAR_FILES}; do
ln -s ".tf-setup/tfvars/$f" ./
done
- terraform init
- terraform validate
- terraform plan
dependencies:
- gcp-auth
artifacts:
paths:
- $${TF_ROOT}/plan.cache
reports:
terraform: $${TF_ROOT}/plan.json
- tf-files
# Terraform Apply
tf-apply:
# uncomment the following lines and set the SSH key secret for private modules repo
# before_script:
# - |
# ssh-agent -a $SSH_AUTH_SOCK > /dev/null
# echo "$CICD_MODULES_KEY" | base64 -d | tr -d '\r' | ssh-add - > /dev/null
# mkdir -p ~/.ssh
# ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
# ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
stage: tf-apply
script:
- cd "$${TF_ROOT}"
- gitlab-terraform apply
- cp .tf-setup/${TF_PROVIDERS_FILE} ./
- |
for f in ${TF_VAR_FILES}; do
ln -s ".tf-setup/tfvars/$f" ./
done
- terraform init
- terraform validate
- terraform apply -input=false -auto-approve
dependencies:
- tf-files
when: manual
only:
variables:
- $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
dependencies:
- gcp-auth
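Review bot: The new-side job scripts reference CI variables with a single `${…}` — `echo "${CI_JOB_JWT_V2}" > token.txt` in `default.before_script`, `${FAST_WIF_PROVIDER}`/`${FAST_SERVICE_ACCOUNT}`/`${GOOGLE_CREDENTIALS}` in `gcp-auth`, `${FAST_OUTPUTS_BUCKET}`/`${TF_PROVIDERS_FILE}` in `tf-files`, and `${TF_PROVIDERS_FILE}`/`${TF_VAR_FILES}` in `tf-plan` and `tf-apply` — while other lines in the same hunk escape runner variables as `$${TF_ROOT}` and the file carries Terraform template expressions such as `${tf_var_files == [] ? "''" : join("\n ", tf_var_files)}`. If this file is rendered through `templatefile()` (which those expressions suggest), each unescaped reference is a template variable that must exist in the vars map or rendering fails, and if it does exist it is substituted at render time instead of by the GitLab runner; these should read `echo "$${CI_JOB_JWT_V2}" > token.txt` and likewise `$${FAST_WIF_PROVIDER}`, `$${TF_VAR_FILES}` etc. Which lines are the new side is inferred from the hunk header's shorter new-side count, since the rendered page has lost the `+`/`-` markers. Separately, `tf-apply` runs `terraform apply -input=false -auto-approve` with `dependencies: [tf-files]` only, so the manual gate approves a fresh plan rather than the one produced by `tf-plan`; writing `terraform plan -out=plan.cache`, publishing it as an artifact and applying `plan.cache` would make the reviewed plan the one applied. The license header in the file's first 12 lines lies outside the hunk.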