Merge branch 'master' into master
commit 4d83dcf490
@ -4,10 +4,12 @@ All notable changes to this project will be documented in this file.
|
||||||
|
|
||||||
## [Unreleased]
|
## [Unreleased]
|
||||||
|
|
||||||
|
|
||||||
## [18.0.0] - 2022-09-09
|
## [18.0.0] - 2022-09-09
|
||||||
|
|
||||||
<!-- None < 2022-06-06 13:42:51+00:00 -->
|
<!-- 2022-09-09 18:02:15+00:00 < 2022-06-06 13:42:51+00:00 -->
|
||||||
|
|
||||||
|
- [[#808](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/808)] Rename examples to blueprints ([juliocc](https://github.com/juliocc)) <!-- 2022-09-09 15:14:19+00:00 -->
|
||||||
|
|
||||||
### FAST
|
### FAST
|
||||||
|
|
||||||
|
@ -50,6 +52,8 @@ All notable changes to this project will be documented in this file.
|
||||||
|
|
||||||
### EXAMPLES
|
### EXAMPLES
|
||||||
|
|
||||||
|
- [[#801](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/801)] Update Cloud SQL example ([lcaggio](https://github.com/lcaggio)) <!-- 2022-09-09 14:02:07+00:00 -->
|
||||||
|
- [[#802](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/802)] Fix Data Platform example ([lcaggio](https://github.com/lcaggio)) <!-- 2022-09-09 07:19:28+00:00 -->
|
||||||
- [[#790](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/790)] Cloud Identity Group factory ([lcaggio](https://github.com/lcaggio)) <!-- 2022-09-01 13:30:58+00:00 -->
|
- [[#790](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/790)] Cloud Identity Group factory ([lcaggio](https://github.com/lcaggio)) <!-- 2022-09-01 13:30:58+00:00 -->
|
||||||
- [[#740](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/740)] Update to multiple READMEs ([bluPhy](https://github.com/bluPhy)) <!-- 2022-08-11 07:40:55+00:00 -->
|
- [[#740](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/740)] Update to multiple READMEs ([bluPhy](https://github.com/bluPhy)) <!-- 2022-08-11 07:40:55+00:00 -->
|
||||||
- [[#738](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/738)] Improve Data Playground example ([lcaggio](https://github.com/lcaggio)) <!-- 2022-08-09 13:56:39+00:00 -->
|
- [[#738](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/738)] Improve Data Playground example ([lcaggio](https://github.com/lcaggio)) <!-- 2022-08-09 13:56:39+00:00 -->
|
||||||
|
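Review bot: the `### EXAMPLES` heading is left unchanged by this hunk even though the #808 entry added in the first hunk renames examples to blueprints and the #794 entry further down is rewritten to say `blueprints/`; if the section name is meant to track the new directory name, rename it in the same change (or leave every generated entry untouched) so the changelog does not mix the two terms within one release.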
@ -65,6 +69,7 @@ All notable changes to this project will be documented in this file.
|
||||||
|
|
||||||
### MODULES
|
### MODULES
|
||||||
|
|
||||||
|
- [[#805](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/805)] Change `modules/project` service_config default ([juliocc](https://github.com/juliocc)) <!-- 2022-09-09 07:54:31+00:00 -->
|
||||||
- [[#787](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/787)] Support manager role in cloud identity group module ([lcaggio](https://github.com/lcaggio)) <!-- 2022-08-31 10:29:05+00:00 -->
|
- [[#787](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/787)] Support manager role in cloud identity group module ([lcaggio](https://github.com/lcaggio)) <!-- 2022-08-31 10:29:05+00:00 -->
|
||||||
- [[#786](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/786)] Secret manager flag sensitive output ([ddaluka](https://github.com/ddaluka)) <!-- 2022-08-29 11:22:52+00:00 -->
|
- [[#786](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/786)] Secret manager flag sensitive output ([ddaluka](https://github.com/ddaluka)) <!-- 2022-08-29 11:22:52+00:00 -->
|
||||||
- [[#775](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/775)] net-glb: Added support for regional external HTTP(s) load balancing ([rosmo](https://github.com/rosmo)) <!-- 2022-08-27 20:58:11+00:00 -->
|
- [[#775](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/775)] net-glb: Added support for regional external HTTP(s) load balancing ([rosmo](https://github.com/rosmo)) <!-- 2022-08-27 20:58:11+00:00 -->
|
||||||
|
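Review bot: the new #805 entry says the `modules/project` service_config default changed but not what it changed to. A changed module default alters behaviour for every existing caller that does not set the variable, and this section sits under the 18.0.0 major release, so the entry or the release notes above it should state the old and new default so users can decide whether they need to pin the previous value.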
@ -107,7 +112,7 @@ All notable changes to this project will be documented in this file.
|
||||||
### TOOLS
|
### TOOLS
|
||||||
|
|
||||||
- [[#796](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/796)] Remove duplicate path component from doc_examples test names. ([juliocc](https://github.com/juliocc)) <!-- 2022-09-07 09:37:19+00:00 -->
|
- [[#796](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/796)] Remove duplicate path component from doc_examples test names. ([juliocc](https://github.com/juliocc)) <!-- 2022-09-07 09:37:19+00:00 -->
|
||||||
- [[#794](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/794)] Test documentation examples in the `blueprints/` folder ([juliocc](https://github.com/juliocc)) <!-- 2022-09-06 19:38:26+00:00 -->
|
- [[#794](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/794)] Test documentation examples in the `examples/` folder ([juliocc](https://github.com/juliocc)) <!-- 2022-09-06 19:38:26+00:00 -->
|
||||||
- [[#788](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/788)] fix yaml quotes for merge-pr workflow ([drebes](https://github.com/drebes)) <!-- 2022-08-31 13:47:33+00:00 -->
|
- [[#788](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/788)] fix yaml quotes for merge-pr workflow ([drebes](https://github.com/drebes)) <!-- 2022-08-31 13:47:33+00:00 -->
|
||||||
- [[#763](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/763)] Changelog generator ([ludoo](https://github.com/ludoo)) <!-- 2022-08-02 09:45:06+00:00 -->
|
- [[#763](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/763)] Changelog generator ([ludoo](https://github.com/ludoo)) <!-- 2022-08-02 09:45:06+00:00 -->
|
||||||
- [[#762](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/762)] Update changelog on pull request merge ([ludoo](https://github.com/ludoo)) <!-- 2022-07-30 17:04:00+00:00 -->
|
- [[#762](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/762)] Update changelog on pull request merge ([ludoo](https://github.com/ludoo)) <!-- 2022-07-30 17:04:00+00:00 -->
|
||||||
|
|
|
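Review bot: the #794 entry is hand-edited from `examples/` to `blueprints/`, but entries in this file appear to be generated from PR titles by the tooling listed just below it (#763 Changelog generator, #762 Update changelog on pull request merge), so the edit is likely to be overwritten on the next regeneration unless the PR title itself is changed; it also makes the entry describe a folder that did not exist when #794 merged (the rename is #808). Suggest leaving generated entries verbatim.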
@ -13,145 +13,108 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
default:
|
default:
|
||||||
image:
|
|
||||||
name: registry.gitlab.com/gitlab-org/terraform-images/releases/1.1
|
|
||||||
before_script:
|
before_script:
|
||||||
- |
|
- echo "${CI_JOB_JWT_V2}" > token.txt
|
||||||
ssh-agent -a $SSH_AUTH_SOCK > /dev/null
|
image:
|
||||||
echo "$CICD_MODULES_KEY" | base64 -d | tr -d '\r' | ssh-add - > /dev/null
|
name: hashicorp/terraform
|
||||||
mkdir -p ~/.ssh
|
entrypoint:
|
||||||
ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
|
- "/usr/bin/env"
|
||||||
ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
|
- "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||||
cd "$${TF_ROOT}"
|
|
||||||
cp -R .tf-setup/. .
|
|
||||||
|
|
||||||
variables:
|
variables:
|
||||||
|
GOOGLE_CREDENTIALS: cicd-sa-credentials.json
|
||||||
FAST_OUTPUTS_BUCKET: ${outputs_bucket}
|
FAST_OUTPUTS_BUCKET: ${outputs_bucket}
|
||||||
FAST_SERVICE_ACCOUNT: ${service_account}
|
FAST_SERVICE_ACCOUNT: ${service_account}
|
||||||
FAST_WIF_PROVIDER: ${identity_provider}
|
FAST_WIF_PROVIDER: ${identity_provider}
|
||||||
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
|
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
|
||||||
TF_PROVIDERS_FILE: ${tf_providers_file}
|
TF_PROVIDERS_FILE: ${tf_providers_file}
|
||||||
TF_VAR_FILES: ${tf_var_files == [] ? "''" : join("\n ", tf_var_files)}
|
TF_VAR_FILES: ${tf_var_files == [] ? "''" : join("\n ", tf_var_files)}
|
||||||
TF_VERSION: 1.1.7
|
|
||||||
TF_ROOT: $${CI_PROJECT_DIR} # The relative path to the root directory of the Terraform project
|
|
||||||
|
|
||||||
stages:
|
stages:
|
||||||
- gcp-auth
|
- gcp-auth
|
||||||
- tf-setup
|
- tf-files
|
||||||
- tf-init
|
|
||||||
- tf-validate
|
|
||||||
- tf-plan
|
- tf-plan
|
||||||
- tf-apply
|
- tf-apply
|
||||||
|
|
||||||
cache:
|
cache:
|
||||||
key: "$${TF_ROOT}"
|
key: gcp-auth
|
||||||
paths:
|
paths:
|
||||||
- $${TF_ROOT}/.terraform/
|
- cicd-sa-credentials.json
|
||||||
- $${TF_ROOT}/.tf-setup/
|
- .tf-setup
|
||||||
|
|
||||||
# Configure GCP Auth with Access Token
|
|
||||||
gcp-auth:
|
gcp-auth:
|
||||||
|
image:
|
||||||
|
name: google/cloud-sdk:slim
|
||||||
stage: gcp-auth
|
stage: gcp-auth
|
||||||
before_script: []
|
|
||||||
script:
|
script:
|
||||||
- |
|
- |
|
||||||
PAYLOAD="$(cat <<EOF
|
gcloud iam workload-identity-pools create-cred-config \
|
||||||
{
|
${FAST_WIF_PROVIDER} \
|
||||||
"audience": "//iam.googleapis.com/$${FAST_WIF_PROVIDER}",
|
--service-account=${FAST_SERVICE_ACCOUNT} \
|
||||||
"grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
|
--service-account-token-lifetime-seconds=3600 \
|
||||||
"requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
|
--output-file=${GOOGLE_CREDENTIALS} \
|
||||||
"scope": "https://www.googleapis.com/auth/cloud-platform",
|
--credential-source-file=token.txt
|
||||||
"subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
|
tf-files:
|
||||||
"subjectToken": "$${CI_JOB_JWT_V2}"
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
)"
|
|
||||||
|
|
||||||
FEDERATED_TOKEN="$(curl --silent "https://sts.googleapis.com/v1/token" \
|
|
||||||
--header "Accept: application/json" \
|
|
||||||
--header "Content-Type: application/json" \
|
|
||||||
--data "$${PAYLOAD}" \
|
|
||||||
| jq -r '.access_token'
|
|
||||||
)"
|
|
||||||
|
|
||||||
GOOGLE_OAUTH_ACCESS_TOKEN="$(curl --silent --show-error --fail "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/$${FAST_SERVICE_ACCOUNT}:generateAccessToken" \
|
|
||||||
--header "Accept: application/json" \
|
|
||||||
--header "Content-Type: application/json" \
|
|
||||||
--header "Authorization: Bearer $${FEDERATED_TOKEN}" \
|
|
||||||
--data '{"scope": ["https://www.googleapis.com/auth/cloud-platform"]}' \
|
|
||||||
| jq -r '.accessToken'
|
|
||||||
)"
|
|
||||||
|
|
||||||
echo "GOOGLE_OAUTH_ACCESS_TOKEN=$GOOGLE_OAUTH_ACCESS_TOKEN" >> gcp-auth.env
|
|
||||||
|
|
||||||
if [ -z "$GOOGLE_OAUTH_ACCESS_TOKEN" ]; then exit 1; fi
|
|
||||||
# WIP - will have to find a better way of doing this
|
|
||||||
artifacts:
|
|
||||||
reports:
|
|
||||||
dotenv: gcp-auth.env
|
|
||||||
|
|
||||||
# Downloading from bucket into cache
|
|
||||||
tf-setup:
|
|
||||||
stage: tf-setup
|
|
||||||
before_script: []
|
|
||||||
script:
|
|
||||||
- |
|
|
||||||
mkdir -p .tf-setup
|
|
||||||
curl -X GET \
|
|
||||||
-H "Authorization: Bearer $GOOGLE_OAUTH_ACCESS_TOKEN" \
|
|
||||||
-o ".tf-setup/$${TF_PROVIDERS_FILE}" \
|
|
||||||
"https://storage.googleapis.com/$${FAST_OUTPUTS_BUCKET}/providers/$${TF_PROVIDERS_FILE}"
|
|
||||||
for f in $TF_VAR_FILES; do
|
|
||||||
curl -X GET \
|
|
||||||
-H "Authorization: Bearer $GOOGLE_OAUTH_ACCESS_TOKEN" \
|
|
||||||
-o ".tf-setup/$f" \
|
|
||||||
"https://storage.googleapis.com/$${FAST_OUTPUTS_BUCKET}/tfvars/$f"
|
|
||||||
done
|
|
||||||
dependencies:
|
dependencies:
|
||||||
- gcp-auth
|
- gcp-auth
|
||||||
|
image:
|
||||||
# Terraform Init
|
name: google/cloud-sdk:slim
|
||||||
tf-init:
|
stage: tf-files
|
||||||
stage: tf-init
|
|
||||||
script:
|
script:
|
||||||
|
# - gcloud components install -q alpha
|
||||||
|
- gcloud config set auth/credential_file_override ${GOOGLE_CREDENTIALS}
|
||||||
|
- mkdir -p .tf-setup
|
||||||
- |
|
- |
|
||||||
gitlab-terraform init
|
gcloud alpha storage cp -r \
|
||||||
dependencies:
|
"gs://${FAST_OUTPUTS_BUCKET}/providers/${TF_PROVIDERS_FILE}" .tf-setup/
|
||||||
- gcp-auth
|
|
||||||
|
|
||||||
# Terraform Validate
|
|
||||||
tf-validate:
|
|
||||||
stage: tf-validate
|
|
||||||
script:
|
|
||||||
- |
|
- |
|
||||||
gitlab-terraform validate
|
gcloud alpha storage cp -r \
|
||||||
dependencies:
|
"gs://${FAST_OUTPUTS_BUCKET}/tfvars" .tf-setup/
|
||||||
- gcp-auth
|
|
||||||
|
|
||||||
# Terraform Plan
|
|
||||||
tf-plan:
|
tf-plan:
|
||||||
|
# uncomment the following lines and set the SSH key secret for private modules repo
|
||||||
|
# before_script:
|
||||||
|
# - |
|
||||||
|
# ssh-agent -a $SSH_AUTH_SOCK > /dev/null
|
||||||
|
# echo "$CICD_MODULES_KEY" | base64 -d | tr -d '\r' | ssh-add - > /dev/null
|
||||||
|
# mkdir -p ~/.ssh
|
||||||
|
# ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
|
||||||
|
# ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
|
||||||
stage: tf-plan
|
stage: tf-plan
|
||||||
script:
|
script:
|
||||||
- |
|
- cp .tf-setup/${TF_PROVIDERS_FILE} ./
|
||||||
gitlab-terraform plan
|
- |
|
||||||
gitlab-terraform plan-json
|
for f in ${TF_VAR_FILES}; do
|
||||||
|
ln -s ".tf-setup/tfvars/$f" ./
|
||||||
|
done
|
||||||
|
- terraform init
|
||||||
|
- terraform validate
|
||||||
|
- terraform plan
|
||||||
dependencies:
|
dependencies:
|
||||||
- gcp-auth
|
- tf-files
|
||||||
artifacts:
|
|
||||||
paths:
|
|
||||||
- $${TF_ROOT}/plan.cache
|
|
||||||
reports:
|
|
||||||
terraform: $${TF_ROOT}/plan.json
|
|
||||||
|
|
||||||
# Terraform Apply
|
|
||||||
tf-apply:
|
tf-apply:
|
||||||
|
# uncomment the following lines and set the SSH key secret for private modules repo
|
||||||
|
# before_script:
|
||||||
|
# - |
|
||||||
|
# ssh-agent -a $SSH_AUTH_SOCK > /dev/null
|
||||||
|
# echo "$CICD_MODULES_KEY" | base64 -d | tr -d '\r' | ssh-add - > /dev/null
|
||||||
|
# mkdir -p ~/.ssh
|
||||||
|
# ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
|
||||||
|
# ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
|
||||||
stage: tf-apply
|
stage: tf-apply
|
||||||
script:
|
script:
|
||||||
- cd "$${TF_ROOT}"
|
- cp .tf-setup/${TF_PROVIDERS_FILE} ./
|
||||||
- gitlab-terraform apply
|
- |
|
||||||
|
for f in ${TF_VAR_FILES}; do
|
||||||
|
ln -s ".tf-setup/tfvars/$f" ./
|
||||||
|
done
|
||||||
|
- terraform init
|
||||||
|
- terraform validate
|
||||||
|
- terraform apply -input=false -auto-approve
|
||||||
|
dependencies:
|
||||||
|
- tf-files
|
||||||
when: manual
|
when: manual
|
||||||
only:
|
only:
|
||||||
variables:
|
variables:
|
||||||
- $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
|
- $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
|
||||||
dependencies:
|
|
||||||
- gcp-auth
|
|
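Review bot: the new tf-apply job no longer applies the plan that was reviewed. On the old side tf-plan saved `plan.cache` and `plan.json` as artifacts and tf-apply ran `gitlab-terraform apply` on them; on the new side tf-plan runs a bare `terraform plan` with no `artifacts:` block, and tf-apply re-runs `terraform init` and `terraform validate` and then `terraform apply -input=false -auto-approve`, so the `when: manual` gate approves a plan that is recomputed at apply time and may differ from what was shown. Suggest `terraform plan -out=plan.cache` with `artifacts: paths: - plan.cache` in tf-plan and `terraform apply -input=false plan.cache` in tf-apply. Separately, tf-files lists `dependencies: - gcp-auth` but the new gcp-auth job declares no `artifacts:` (the old `artifacts: reports: dotenv: gcp-auth.env` block is removed), so `cicd-sa-credentials.json` and the downloaded `.tf-setup` tree only reach later jobs through the `cache:` with the fixed key `gcp-auth`; a cache is best-effort and is shared across pipelines on the same runner, so a miss breaks the run and a stale hit can feed an old providers file or tfvars into plan and apply. Pass those files as job artifacts instead, and if the cache is kept, scope its key to the pipeline.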