Merge branch 'master' into master
This commit is contained in:
commit
4d83dcf490
11
CHANGELOG.md
11
CHANGELOG.md
|
@ -4,10 +4,12 @@ All notable changes to this project will be documented in this file.
|
|||
|
||||
## [Unreleased]
|
||||
|
||||
|
||||
## [18.0.0] - 2022-09-09
|
||||
|
||||
<!-- None < 2022-06-06 13:42:51+00:00 -->
|
||||
<!-- 2022-09-09 18:02:15+00:00 < 2022-06-06 13:42:51+00:00 -->
|
||||
|
||||
- [[#808](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/808)] Rename examples to blueprints ([juliocc](https://github.com/juliocc)) <!-- 2022-09-09 15:14:19+00:00 -->
|
||||
|
||||
### FAST
|
||||
|
||||
|
@ -50,6 +52,8 @@ All notable changes to this project will be documented in this file.
|
|||
|
||||
### EXAMPLES
|
||||
|
||||
- [[#801](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/801)] Update Cloud SQL example ([lcaggio](https://github.com/lcaggio)) <!-- 2022-09-09 14:02:07+00:00 -->
|
||||
- [[#802](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/802)] Fix Data Platform example ([lcaggio](https://github.com/lcaggio)) <!-- 2022-09-09 07:19:28+00:00 -->
|
||||
- [[#790](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/790)] Cloud Identity Group factory ([lcaggio](https://github.com/lcaggio)) <!-- 2022-09-01 13:30:58+00:00 -->
|
||||
- [[#740](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/740)] Update to multiple READMEs ([bluPhy](https://github.com/bluPhy)) <!-- 2022-08-11 07:40:55+00:00 -->
|
||||
- [[#738](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/738)] Improve Data Playground example ([lcaggio](https://github.com/lcaggio)) <!-- 2022-08-09 13:56:39+00:00 -->
|
||||
|
@ -65,6 +69,7 @@ All notable changes to this project will be documented in this file.
|
|||
|
||||
### MODULES
|
||||
|
||||
- [[#805](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/805)] Change `modules/project` service_config default ([juliocc](https://github.com/juliocc)) <!-- 2022-09-09 07:54:31+00:00 -->
|
||||
- [[#787](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/787)] Support manager role in cloud identity group module ([lcaggio](https://github.com/lcaggio)) <!-- 2022-08-31 10:29:05+00:00 -->
|
||||
- [[#786](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/786)] Secret manager flag sensitive output ([ddaluka](https://github.com/ddaluka)) <!-- 2022-08-29 11:22:52+00:00 -->
|
||||
- [[#775](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/775)] net-glb: Added support for regional external HTTP(s) load balancing ([rosmo](https://github.com/rosmo)) <!-- 2022-08-27 20:58:11+00:00 -->
|
||||
|
@ -107,7 +112,7 @@ All notable changes to this project will be documented in this file.
|
|||
### TOOLS
|
||||
|
||||
- [[#796](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/796)] Remove duplicate path component from doc_examples test names. ([juliocc](https://github.com/juliocc)) <!-- 2022-09-07 09:37:19+00:00 -->
|
||||
- [[#794](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/794)] Test documentation examples in the `blueprints/` folder ([juliocc](https://github.com/juliocc)) <!-- 2022-09-06 19:38:26+00:00 -->
|
||||
- [[#794](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/794)] Test documentation examples in the `examples/` folder ([juliocc](https://github.com/juliocc)) <!-- 2022-09-06 19:38:26+00:00 -->
|
||||
- [[#788](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/788)] fix yaml quotes for merge-pr workflow ([drebes](https://github.com/drebes)) <!-- 2022-08-31 13:47:33+00:00 -->
|
||||
- [[#763](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/763)] Changelog generator ([ludoo](https://github.com/ludoo)) <!-- 2022-08-02 09:45:06+00:00 -->
|
||||
- [[#762](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/762)] Update changelog on pull request merge ([ludoo](https://github.com/ludoo)) <!-- 2022-07-30 17:04:00+00:00 -->
|
||||
|
@ -672,4 +677,4 @@ All notable changes to this project will be documented in this file.
|
|||
[1.3.0]: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/compare/v1.2.0...v1.3.0
|
||||
[1.2.0]: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/compare/v1.1.0...v1.2.0
|
||||
[1.1.0]: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/compare/v1.0.0...v1.1.0
|
||||
[1.0.0]: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/compare/v0.1...v1.0.0
|
||||
[1.0.0]: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/compare/v0.1...v1.0.0
|
|
@ -13,145 +13,108 @@
|
|||
# limitations under the License.
|
||||
|
||||
default:
|
||||
image:
|
||||
name: registry.gitlab.com/gitlab-org/terraform-images/releases/1.1
|
||||
before_script:
|
||||
- |
|
||||
ssh-agent -a $SSH_AUTH_SOCK > /dev/null
|
||||
echo "$CICD_MODULES_KEY" | base64 -d | tr -d '\r' | ssh-add - > /dev/null
|
||||
mkdir -p ~/.ssh
|
||||
ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
|
||||
ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
|
||||
cd "$${TF_ROOT}"
|
||||
cp -R .tf-setup/. .
|
||||
- echo "${CI_JOB_JWT_V2}" > token.txt
|
||||
image:
|
||||
name: hashicorp/terraform
|
||||
entrypoint:
|
||||
- "/usr/bin/env"
|
||||
- "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||
|
||||
variables:
|
||||
GOOGLE_CREDENTIALS: cicd-sa-credentials.json
|
||||
FAST_OUTPUTS_BUCKET: ${outputs_bucket}
|
||||
FAST_SERVICE_ACCOUNT: ${service_account}
|
||||
FAST_WIF_PROVIDER: ${identity_provider}
|
||||
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
|
||||
TF_PROVIDERS_FILE: ${tf_providers_file}
|
||||
TF_VAR_FILES: ${tf_var_files == [] ? "''" : join("\n ", tf_var_files)}
|
||||
TF_VERSION: 1.1.7
|
||||
TF_ROOT: $${CI_PROJECT_DIR} # The relative path to the root directory of the Terraform project
|
||||
|
||||
stages:
|
||||
- gcp-auth
|
||||
- tf-setup
|
||||
- tf-init
|
||||
- tf-validate
|
||||
- tf-files
|
||||
- tf-plan
|
||||
- tf-apply
|
||||
|
||||
cache:
|
||||
key: "$${TF_ROOT}"
|
||||
key: gcp-auth
|
||||
paths:
|
||||
- $${TF_ROOT}/.terraform/
|
||||
- $${TF_ROOT}/.tf-setup/
|
||||
- cicd-sa-credentials.json
|
||||
- .tf-setup
|
||||
|
||||
# Configure GCP Auth with Access Token
|
||||
gcp-auth:
|
||||
image:
|
||||
name: google/cloud-sdk:slim
|
||||
stage: gcp-auth
|
||||
before_script: []
|
||||
script:
|
||||
- |
|
||||
PAYLOAD="$(cat <<EOF
|
||||
{
|
||||
"audience": "//iam.googleapis.com/$${FAST_WIF_PROVIDER}",
|
||||
"grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
|
||||
"requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
|
||||
"scope": "https://www.googleapis.com/auth/cloud-platform",
|
||||
"subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
|
||||
"subjectToken": "$${CI_JOB_JWT_V2}"
|
||||
}
|
||||
EOF
|
||||
)"
|
||||
|
||||
FEDERATED_TOKEN="$(curl --silent "https://sts.googleapis.com/v1/token" \
|
||||
--header "Accept: application/json" \
|
||||
--header "Content-Type: application/json" \
|
||||
--data "$${PAYLOAD}" \
|
||||
| jq -r '.access_token'
|
||||
)"
|
||||
|
||||
GOOGLE_OAUTH_ACCESS_TOKEN="$(curl --silent --show-error --fail "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/$${FAST_SERVICE_ACCOUNT}:generateAccessToken" \
|
||||
--header "Accept: application/json" \
|
||||
--header "Content-Type: application/json" \
|
||||
--header "Authorization: Bearer $${FEDERATED_TOKEN}" \
|
||||
--data '{"scope": ["https://www.googleapis.com/auth/cloud-platform"]}' \
|
||||
| jq -r '.accessToken'
|
||||
)"
|
||||
|
||||
echo "GOOGLE_OAUTH_ACCESS_TOKEN=$GOOGLE_OAUTH_ACCESS_TOKEN" >> gcp-auth.env
|
||||
|
||||
if [ -z "$GOOGLE_OAUTH_ACCESS_TOKEN" ]; then exit 1; fi
|
||||
# WIP - will have to find a better way of doing this
|
||||
artifacts:
|
||||
reports:
|
||||
dotenv: gcp-auth.env
|
||||
|
||||
# Downloading from bucket into cache
|
||||
tf-setup:
|
||||
stage: tf-setup
|
||||
before_script: []
|
||||
script:
|
||||
- |
|
||||
mkdir -p .tf-setup
|
||||
curl -X GET \
|
||||
-H "Authorization: Bearer $GOOGLE_OAUTH_ACCESS_TOKEN" \
|
||||
-o ".tf-setup/$${TF_PROVIDERS_FILE}" \
|
||||
"https://storage.googleapis.com/$${FAST_OUTPUTS_BUCKET}/providers/$${TF_PROVIDERS_FILE}"
|
||||
for f in $TF_VAR_FILES; do
|
||||
curl -X GET \
|
||||
-H "Authorization: Bearer $GOOGLE_OAUTH_ACCESS_TOKEN" \
|
||||
-o ".tf-setup/$f" \
|
||||
"https://storage.googleapis.com/$${FAST_OUTPUTS_BUCKET}/tfvars/$f"
|
||||
done
|
||||
gcloud iam workload-identity-pools create-cred-config \
|
||||
${FAST_WIF_PROVIDER} \
|
||||
--service-account=${FAST_SERVICE_ACCOUNT} \
|
||||
--service-account-token-lifetime-seconds=3600 \
|
||||
--output-file=${GOOGLE_CREDENTIALS} \
|
||||
--credential-source-file=token.txt
|
||||
tf-files:
|
||||
dependencies:
|
||||
- gcp-auth
|
||||
|
||||
# Terraform Init
|
||||
tf-init:
|
||||
stage: tf-init
|
||||
image:
|
||||
name: google/cloud-sdk:slim
|
||||
stage: tf-files
|
||||
script:
|
||||
# - gcloud components install -q alpha
|
||||
- gcloud config set auth/credential_file_override ${GOOGLE_CREDENTIALS}
|
||||
- mkdir -p .tf-setup
|
||||
- |
|
||||
gitlab-terraform init
|
||||
dependencies:
|
||||
- gcp-auth
|
||||
|
||||
# Terraform Validate
|
||||
tf-validate:
|
||||
stage: tf-validate
|
||||
script:
|
||||
gcloud alpha storage cp -r \
|
||||
"gs://${FAST_OUTPUTS_BUCKET}/providers/${TF_PROVIDERS_FILE}" .tf-setup/
|
||||
- |
|
||||
gitlab-terraform validate
|
||||
dependencies:
|
||||
- gcp-auth
|
||||
gcloud alpha storage cp -r \
|
||||
"gs://${FAST_OUTPUTS_BUCKET}/tfvars" .tf-setup/
|
||||
|
||||
# Terraform Plan
|
||||
tf-plan:
|
||||
# uncomment the following lines and set the SSH key secret for private modules repo
|
||||
# before_script:
|
||||
# - |
|
||||
# ssh-agent -a $SSH_AUTH_SOCK > /dev/null
|
||||
# echo "$CICD_MODULES_KEY" | base64 -d | tr -d '\r' | ssh-add - > /dev/null
|
||||
# mkdir -p ~/.ssh
|
||||
# ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
|
||||
# ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
|
||||
stage: tf-plan
|
||||
script:
|
||||
- |
|
||||
gitlab-terraform plan
|
||||
gitlab-terraform plan-json
|
||||
- cp .tf-setup/${TF_PROVIDERS_FILE} ./
|
||||
- |
|
||||
for f in ${TF_VAR_FILES}; do
|
||||
ln -s ".tf-setup/tfvars/$f" ./
|
||||
done
|
||||
- terraform init
|
||||
- terraform validate
|
||||
- terraform plan
|
||||
dependencies:
|
||||
- gcp-auth
|
||||
artifacts:
|
||||
paths:
|
||||
- $${TF_ROOT}/plan.cache
|
||||
reports:
|
||||
terraform: $${TF_ROOT}/plan.json
|
||||
- tf-files
|
||||
|
||||
# Terraform Apply
|
||||
tf-apply:
|
||||
# uncomment the following lines and set the SSH key secret for private modules repo
|
||||
# before_script:
|
||||
# - |
|
||||
# ssh-agent -a $SSH_AUTH_SOCK > /dev/null
|
||||
# echo "$CICD_MODULES_KEY" | base64 -d | tr -d '\r' | ssh-add - > /dev/null
|
||||
# mkdir -p ~/.ssh
|
||||
# ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
|
||||
# ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
|
||||
stage: tf-apply
|
||||
script:
|
||||
- cd "$${TF_ROOT}"
|
||||
- gitlab-terraform apply
|
||||
- cp .tf-setup/${TF_PROVIDERS_FILE} ./
|
||||
- |
|
||||
for f in ${TF_VAR_FILES}; do
|
||||
ln -s ".tf-setup/tfvars/$f" ./
|
||||
done
|
||||
- terraform init
|
||||
- terraform validate
|
||||
- terraform apply -input=false -auto-approve
|
||||
dependencies:
|
||||
- tf-files
|
||||
when: manual
|
||||
only:
|
||||
variables:
|
||||
- $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
|
||||
dependencies:
|
||||
- gcp-auth
|
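Review bot: The service-account access token minted in the `gcp-auth` job is appended to `gcp-auth.env` (`echo "GOOGLE_OAUTH_ACCESS_TOKEN=$GOOGLE_OAUTH_ACCESS_TOKEN" >> gcp-auth.env`) and then exported through `reports: dotenv: gcp-auth.env`, so a live cloud-platform-scoped bearer token becomes a stored, downloadable job artifact for anyone who can read the project's artifacts, and the `cache:` stanza additionally persists `cicd-sa-credentials.json` and `.tf-setup` across pipelines. Which of the interleaved old/new lines survive this merge cannot be recovered from the rendered page (no `+`/`-` markers or gutter numbers, and this section's file header is not shown), so the point applies to whichever variant is kept. At minimum the artifact should carry a short `expire_in` and the credential-config file should be removed from `cache.paths`; a safer shape is to repeat the STS/IAM token exchange in each consuming job's `before_script` rather than persisting the token between jobs. Separately, the `sts.googleapis.com` request uses only `--silent`, unlike the later `generateAccessToken` call that uses `--silent --show-error --fail`, so an HTTP error at the first exchange is masked until the empty-token check at the end of the script; `curl --silent --show-error --fail "https://sts.googleapis.com/v1/token" \` keeps the two calls consistent and fails the job at the first failing step.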