GKE CI/CD (#804)

This commit is contained in:
Ludovico Magnocavallo 2022-09-09 07:33:25 +01:00 committed by GitHub
parent d318a7e657
commit a18a3c92b3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 233 additions and 123 deletions


@ -165,6 +165,7 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
| [branch-security.tf](./branch-security.tf) | Security stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
| [branch-teams.tf](./branch-teams.tf) | Team stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
| [cicd-data-platform.tf](./cicd-data-platform.tf) | CI/CD resources for the data platform branch. | <code>iam-service-account</code> · <code>source-repository</code> | |
| [cicd-gke.tf](./cicd-gke.tf) | CI/CD resources for the data platform branch. | <code>iam-service-account</code> · <code>source-repository</code> | |
| [cicd-networking.tf](./cicd-networking.tf) | CI/CD resources for the networking branch. | <code>iam-service-account</code> · <code>source-repository</code> | |
| [cicd-project-factory.tf](./cicd-project-factory.tf) | CI/CD resources for the teams branch. | <code>iam-service-account</code> · <code>source-repository</code> | |
| [cicd-security.tf](./cicd-security.tf) | CI/CD resources for the security branch. | <code>iam-service-account</code> · <code>source-repository</code> | |
@ -181,31 +182,31 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
|---|---|:---:|:---:|:---:|:---:|
| [automation](variables.tf#L20) | Automation resources created by the bootstrap stage. | <code title="object&#40;&#123;&#10; outputs_bucket &#61; string&#10; project_id &#61; string&#10; project_number &#61; string&#10; federated_identity_pool &#61; string&#10; federated_identity_providers &#61; map&#40;object&#40;&#123;&#10; issuer &#61; string&#10; issuer_uri &#61; string&#10; name &#61; string&#10; principal_tpl &#61; string&#10; principalset_tpl &#61; string&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | | <code>00-bootstrap</code> |
| [billing_account](variables.tf#L38) | Billing account id and organization id ('nnnnnnnn' or null). | <code title="object&#40;&#123;&#10; id &#61; string&#10; organization_id &#61; number&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | | <code>00-bootstrap</code> |
| [organization](variables.tf#L179) | Organization details. | <code title="object&#40;&#123;&#10; domain &#61; string&#10; id &#61; number&#10; customer_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | | <code>00-bootstrap</code> |
| [prefix](variables.tf#L203) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
| [cicd_repositories](variables.tf#L47) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | <code title="object&#40;&#123;&#10; data_platform_dev &#61; object&#40;&#123;&#10; branch &#61; string&#10; identity_provider &#61; string&#10; name &#61; string&#10; type &#61; string&#10; &#125;&#41;&#10; data_platform_prod &#61; object&#40;&#123;&#10; branch &#61; string&#10; identity_provider &#61; string&#10; name &#61; string&#10; type &#61; string&#10; &#125;&#41;&#10; networking &#61; object&#40;&#123;&#10; branch &#61; string&#10; identity_provider &#61; string&#10; name &#61; string&#10; type &#61; string&#10; &#125;&#41;&#10; project_factory_dev &#61; object&#40;&#123;&#10; branch &#61; string&#10; identity_provider &#61; string&#10; name &#61; string&#10; type &#61; string&#10; &#125;&#41;&#10; project_factory_prod &#61; object&#40;&#123;&#10; branch &#61; string&#10; identity_provider &#61; string&#10; name &#61; string&#10; type &#61; string&#10; &#125;&#41;&#10; security &#61; object&#40;&#123;&#10; branch &#61; string&#10; identity_provider &#61; string&#10; name &#61; string&#10; type &#61; string&#10; &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | |
| [custom_roles](variables.tf#L117) | Custom roles defined at the org level, in key => id format. | <code title="object&#40;&#123;&#10; service_project_network_admin &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | <code>00-bootstrap</code> |
| [fast_features](variables.tf#L126) | Selective control for top-level FAST features. | <code title="object&#40;&#123;&#10; data_platform &#61; bool&#10; gke &#61; bool&#10; project_factory &#61; bool&#10; sandbox &#61; bool&#10; teams &#61; bool&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; data_platform &#61; true&#10; gke &#61; true&#10; project_factory &#61; true&#10; sandbox &#61; true&#10; teams &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> | <code>00-bootstrap</code> |
| [groups](variables.tf#L146) | Group names to grant organization-level permissions. | <code>map&#40;string&#41;</code> | | <code title="&#123;&#10; gcp-billing-admins &#61; &#34;gcp-billing-admins&#34;,&#10; gcp-devops &#61; &#34;gcp-devops&#34;,&#10; gcp-network-admins &#61; &#34;gcp-network-admins&#34;&#10; gcp-organization-admins &#61; &#34;gcp-organization-admins&#34;&#10; gcp-security-admins &#61; &#34;gcp-security-admins&#34;&#10; gcp-support &#61; &#34;gcp-support&#34;&#10;&#125;">&#123;&#8230;&#125;</code> | <code>00-bootstrap</code> |
| [locations](variables.tf#L161) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object&#40;&#123;&#10; bq &#61; string&#10; gcs &#61; string&#10; logging &#61; string&#10; pubsub &#61; list&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; bq &#61; &#34;EU&#34;&#10; gcs &#61; &#34;EU&#34;&#10; logging &#61; &#34;global&#34;&#10; pubsub &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> | <code>00-bootstrap</code> |
| [organization_policy_configs](variables.tf#L189) | Organization policies customization. | <code title="object&#40;&#123;&#10; allowed_policy_member_domains &#61; list&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | |
| [outputs_location](variables.tf#L197) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | <code>string</code> | | <code>null</code> | |
| [tag_names](variables.tf#L214) | Customized names for resource management tags. | <code title="object&#40;&#123;&#10; context &#61; string&#10; environment &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; context &#61; &#34;context&#34;&#10; environment &#61; &#34;environment&#34;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [team_folders](variables.tf#L231) | Team folders to be created. Format is described in a code comment. | <code title="map&#40;object&#40;&#123;&#10; descriptive_name &#61; string&#10; group_iam &#61; map&#40;list&#40;string&#41;&#41;&#10; impersonation_groups &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>null</code> | |
| [organization](variables.tf#L191) | Organization details. | <code title="object&#40;&#123;&#10; domain &#61; string&#10; id &#61; number&#10; customer_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | | <code>00-bootstrap</code> |
| [prefix](variables.tf#L215) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
| [cicd_repositories](variables.tf#L47) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | <code title="object&#40;&#123;&#10; data_platform_dev &#61; object&#40;&#123;&#10; branch &#61; string&#10; identity_provider &#61; string&#10; name &#61; string&#10; type &#61; string&#10; &#125;&#41;&#10; data_platform_prod &#61; object&#40;&#123;&#10; branch &#61; string&#10; identity_provider &#61; string&#10; name &#61; string&#10; type &#61; string&#10; &#125;&#41;&#10; gke_dev &#61; object&#40;&#123;&#10; branch &#61; string&#10; identity_provider &#61; string&#10; name &#61; string&#10; type &#61; string&#10; &#125;&#41;&#10; gke_prod &#61; object&#40;&#123;&#10; branch &#61; string&#10; identity_provider &#61; string&#10; name &#61; string&#10; type &#61; string&#10; &#125;&#41;&#10; networking &#61; object&#40;&#123;&#10; branch &#61; string&#10; identity_provider &#61; string&#10; name &#61; string&#10; type &#61; string&#10; &#125;&#41;&#10; project_factory_dev &#61; object&#40;&#123;&#10; branch &#61; string&#10; identity_provider &#61; string&#10; name &#61; string&#10; type &#61; string&#10; &#125;&#41;&#10; project_factory_prod &#61; object&#40;&#123;&#10; branch &#61; string&#10; identity_provider &#61; string&#10; name &#61; string&#10; type &#61; string&#10; &#125;&#41;&#10; security &#61; object&#40;&#123;&#10; branch &#61; string&#10; identity_provider &#61; string&#10; name &#61; string&#10; type &#61; string&#10; &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | |
| [custom_roles](variables.tf#L129) | Custom roles defined at the org level, in key => id format. | <code title="object&#40;&#123;&#10; service_project_network_admin &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | <code>00-bootstrap</code> |
| [fast_features](variables.tf#L138) | Selective control for top-level FAST features. | <code title="object&#40;&#123;&#10; data_platform &#61; bool&#10; gke &#61; bool&#10; project_factory &#61; bool&#10; sandbox &#61; bool&#10; teams &#61; bool&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; data_platform &#61; true&#10; gke &#61; true&#10; project_factory &#61; true&#10; sandbox &#61; true&#10; teams &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> | <code>00-bootstrap</code> |
| [groups](variables.tf#L158) | Group names to grant organization-level permissions. | <code>map&#40;string&#41;</code> | | <code title="&#123;&#10; gcp-billing-admins &#61; &#34;gcp-billing-admins&#34;,&#10; gcp-devops &#61; &#34;gcp-devops&#34;,&#10; gcp-network-admins &#61; &#34;gcp-network-admins&#34;&#10; gcp-organization-admins &#61; &#34;gcp-organization-admins&#34;&#10; gcp-security-admins &#61; &#34;gcp-security-admins&#34;&#10; gcp-support &#61; &#34;gcp-support&#34;&#10;&#125;">&#123;&#8230;&#125;</code> | <code>00-bootstrap</code> |
| [locations](variables.tf#L173) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object&#40;&#123;&#10; bq &#61; string&#10; gcs &#61; string&#10; logging &#61; string&#10; pubsub &#61; list&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; bq &#61; &#34;EU&#34;&#10; gcs &#61; &#34;EU&#34;&#10; logging &#61; &#34;global&#34;&#10; pubsub &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> | <code>00-bootstrap</code> |
| [organization_policy_configs](variables.tf#L201) | Organization policies customization. | <code title="object&#40;&#123;&#10; allowed_policy_member_domains &#61; list&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | |
| [outputs_location](variables.tf#L209) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | <code>string</code> | | <code>null</code> | |
| [tag_names](variables.tf#L226) | Customized names for resource management tags. | <code title="object&#40;&#123;&#10; context &#61; string&#10; environment &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; context &#61; &#34;context&#34;&#10; environment &#61; &#34;environment&#34;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [team_folders](variables.tf#L243) | Team folders to be created. Format is described in a code comment. | <code title="map&#40;object&#40;&#123;&#10; descriptive_name &#61; string&#10; group_iam &#61; map&#40;list&#40;string&#41;&#41;&#10; impersonation_groups &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>null</code> | |
## Outputs
| name | description | sensitive | consumers |
|---|---|:---:|---|
| [cicd_repositories](outputs.tf#L188) | WIF configuration for CI/CD repositories. | | |
| [dataplatform](outputs.tf#L202) | Data for the Data Platform stage. | | |
| [gke_multitenant](outputs.tf#L274) | Data for the GKE multitenant stage. | | <code>03-gke-multitenant</code> |
| [networking](outputs.tf#L218) | Data for the networking stage. | | |
| [project_factories](outputs.tf#L227) | Data for the project factories stage. | | |
| [providers](outputs.tf#L243) | Terraform provider files for this stage and dependent stages. | ✓ | <code>02-networking</code> · <code>02-security</code> · <code>03-dataplatform</code> · <code>xx-sandbox</code> · <code>xx-teams</code> |
| [sandbox](outputs.tf#L250) | Data for the sandbox stage. | | <code>xx-sandbox</code> |
| [security](outputs.tf#L264) | Data for the networking stage. | | <code>02-security</code> |
| [teams](outputs.tf#L295) | Data for the teams stage. | | |
| [tfvars](outputs.tf#L308) | Terraform variable files for the following stages. | ✓ | |
| [cicd_repositories](outputs.tf#L197) | WIF configuration for CI/CD repositories. | | |
| [dataplatform](outputs.tf#L211) | Data for the Data Platform stage. | | |
| [gke_multitenant](outputs.tf#L283) | Data for the GKE multitenant stage. | | <code>03-gke-multitenant</code> |
| [networking](outputs.tf#L227) | Data for the networking stage. | | |
| [project_factories](outputs.tf#L236) | Data for the project factories stage. | | |
| [providers](outputs.tf#L252) | Terraform provider files for this stage and dependent stages. | ✓ | <code>02-networking</code> · <code>02-security</code> · <code>03-dataplatform</code> · <code>xx-sandbox</code> · <code>xx-teams</code> |
| [sandbox](outputs.tf#L259) | Data for the sandbox stage. | | <code>xx-sandbox</code> |
| [security](outputs.tf#L273) | Data for the networking stage. | | <code>02-security</code> |
| [teams](outputs.tf#L304) | Data for the teams stage. | | |
| [tfvars](outputs.tf#L317) | Terraform variable files for the following stages. | ✓ | |
<!-- END TFDOC -->


@ -16,11 +16,6 @@
# tfdoc:file:description Data Platform stages resources.
moved {
from = module.branch-dp-folder
to = module.branch-dp-folder.0
}
module "branch-dp-folder" {
source = "../../../modules/folder"
count = var.fast_features.data_platform ? 1 : 0
@ -33,11 +28,6 @@ module "branch-dp-folder" {
}
}
moved {
from = module.branch-dp-dev-folder
to = module.branch-dp-dev-folder.0
}
module "branch-dp-dev-folder" {
source = "../../../modules/folder"
count = var.fast_features.data_platform ? 1 : 0
@ -62,11 +52,6 @@ module "branch-dp-dev-folder" {
}
}
moved {
from = module.branch-dp-prod-folder
to = module.branch-dp-prod-folder.0
}
module "branch-dp-prod-folder" {
source = "../../../modules/folder"
count = var.fast_features.data_platform ? 1 : 0
@ -91,11 +76,6 @@ module "branch-dp-prod-folder" {
# automation service accounts and buckets
moved {
from = module.branch-dp-dev-sa
to = module.branch-dp-dev-sa.0
}
module "branch-dp-dev-sa" {
source = "../../../modules/iam-service-account"
count = var.fast_features.data_platform ? 1 : 0
@ -113,11 +93,6 @@ module "branch-dp-dev-sa" {
}
}
moved {
from = module.branch-dp-prod-sa
to = module.branch-dp-prod-sa.0
}
module "branch-dp-prod-sa" {
source = "../../../modules/iam-service-account"
count = var.fast_features.data_platform ? 1 : 0
@ -135,11 +110,6 @@ module "branch-dp-prod-sa" {
}
}
moved {
from = module.branch-dp-dev-gcs
to = module.branch-dp-dev-gcs.0
}
module "branch-dp-dev-gcs" {
source = "../../../modules/gcs"
count = var.fast_features.data_platform ? 1 : 0
@ -154,11 +124,6 @@ module "branch-dp-dev-gcs" {
}
}
moved {
from = module.branch-dp-prod-gcs
to = module.branch-dp-prod-gcs.0
}
module "branch-dp-prod-gcs" {
source = "../../../modules/gcs"
count = var.fast_features.data_platform ? 1 : 0


@ -16,11 +16,6 @@
# tfdoc:file:description GKE multitenant stage resources.
moved {
from = module.branch-gke-folder
to = module.branch-gke-folder.0
}
module "branch-gke-folder" {
source = "../../../modules/folder"
count = var.fast_features.gke ? 1 : 0
@ -33,11 +28,6 @@ module "branch-gke-folder" {
}
}
moved {
from = module.branch-gke-dev-folder
to = module.branch-gke-dev-folder.0
}
module "branch-gke-dev-folder" {
source = "../../../modules/folder"
count = var.fast_features.gke ? 1 : 0
@ -58,11 +48,6 @@ module "branch-gke-dev-folder" {
}
}
moved {
from = module.branch-gke-prod-folder
to = module.branch-gke-prod-folder.0
}
module "branch-gke-prod-folder" {
source = "../../../modules/folder"
count = var.fast_features.gke ? 1 : 0
@ -83,11 +68,6 @@ module "branch-gke-prod-folder" {
}
}
moved {
from = module.branch-gke-dev-sa
to = module.branch-gke-dev-sa.0
}
module "branch-gke-dev-sa" {
source = "../../../modules/iam-service-account"
count = var.fast_features.gke ? 1 : 0
@ -96,18 +76,18 @@ module "branch-gke-dev-sa" {
description = "Terraform gke multitenant dev service account."
prefix = var.prefix
iam = {
"roles/iam.serviceAccountTokenCreator" = ["group:${local.groups.gcp-devops}"]
"roles/iam.serviceAccountTokenCreator" = concat(
["group:${local.groups.gcp-devops}"],
compact([
try(module.branch-gke-dev-sa-cicd.0.iam_email, null)
])
)
}
iam_storage_roles = {
(var.automation.outputs_bucket) = ["roles/storage.admin"]
}
}
moved {
from = module.branch-gke-prod-sa
to = module.branch-gke-prod-sa.0
}
module "branch-gke-prod-sa" {
source = "../../../modules/iam-service-account"
count = var.fast_features.gke ? 1 : 0
@ -116,18 +96,18 @@ module "branch-gke-prod-sa" {
description = "Terraform gke multitenant prod service account."
prefix = var.prefix
iam = {
"roles/iam.serviceAccountTokenCreator" = ["group:${local.groups.gcp-devops}"]
"roles/iam.serviceAccountTokenCreator" = concat(
["group:${local.groups.gcp-devops}"],
compact([
try(module.branch-gke-prod-sa-cicd.0.iam_email, null)
])
)
}
iam_storage_roles = {
(var.automation.outputs_bucket) = ["roles/storage.admin"]
}
}
moved {
from = module.branch-gke-dev-gcs
to = module.branch-gke-dev-gcs.0
}
module "branch-gke-dev-gcs" {
source = "../../../modules/gcs"
count = var.fast_features.gke ? 1 : 0
@ -140,11 +120,6 @@ module "branch-gke-dev-gcs" {
}
}
moved {
from = module.branch-gke-prod-gcs
to = module.branch-gke-prod-gcs.0
}
module "branch-gke-prod-gcs" {
source = "../../../modules/gcs"
count = var.fast_features.gke ? 1 : 0
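Review bot: The `try(module.branch-gke-dev-sa-cicd.0.iam_email, null)` fallback inside `compact([...])` in the `roles/iam.serviceAccountTokenCreator` binding of `branch-gke-dev-sa`, and the identical construct in `branch-gke-prod-sa`, relies on `compact()` discarding a null element, whereas the new cicd-gke.tf in this same commit uses `try(..., "")` for the equivalent guard; `compact()` is documented primarily for empty strings, so `try(module.branch-gke-dev-sa-cicd.0.iam_email, "")` (and the prod counterpart) is the safer and consistent form. This binding is the link that lets the CI/CD service account mint tokens for the stage automation account, which per the lines just below also holds `roles/storage.admin` on the outputs bucket, and it is easy to misread as a plain group binding; a comment such as `# CI/CD SA (cicd-gke.tf) impersonates this SA via token creation` above the `concat(` would make the trust chain explicit. Both `branch-gke-dev-sa` and `branch-gke-prod-sa` module blocks start before their hunks.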


@ -16,11 +16,6 @@
# tfdoc:file:description Project factory stage resources.
moved {
from = module.branch-teams-dev-pf-sa
to = module.branch-pf-dev-sa.0
}
module "branch-pf-dev-sa" {
source = "../../../modules/iam-service-account"
count = var.fast_features.project_factory ? 1 : 0
@ -39,11 +34,6 @@ module "branch-pf-dev-sa" {
}
}
moved {
from = module.branch-teams-prod-pf-sa
to = module.branch-pf-prod-sa.0
}
module "branch-pf-prod-sa" {
source = "../../../modules/iam-service-account"
count = var.fast_features.project_factory ? 1 : 0
@ -62,11 +52,6 @@ module "branch-pf-prod-sa" {
}
}
moved {
from = module.branch-teams-dev-pf-gcs
to = module.branch-pf-dev-gcs.0
}
module "branch-pf-dev-gcs" {
source = "../../../modules/gcs"
count = var.fast_features.project_factory ? 1 : 0
@ -81,11 +66,6 @@ module "branch-pf-dev-gcs" {
}
}
moved {
from = module.branch-teams-prod-pf-gcs
to = module.branch-pf-prod-gcs.0
}
module "branch-pf-prod-gcs" {
source = "../../../modules/gcs"
count = var.fast_features.project_factory ? 1 : 0


@ -16,11 +16,6 @@
# tfdoc:file:description Team stage resources.
moved {
from = module.branch-teams-folder
to = module.branch-teams-folder.0
}
# TODO(ludo): add support for CI/CD
############### top-level Teams branch and automation resources ###############


@ -0,0 +1,175 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
# tfdoc:file:description CI/CD resources for the data platform branch.
# source repositories
module "branch-gke-dev-cicd-repo" {
source = "../../../modules/source-repository"
for_each = (
try(local.cicd_repositories.gke_dev.type, null) == "sourcerepo"
? { 0 = local.cicd_repositories.gke_dev }
: {}
)
project_id = var.automation.project_id
name = each.value.name
iam = {
"roles/source.admin" = compact([
try(module.branch-gke-dev-sa.0.iam_email, "")
])
"roles/source.reader" = compact([
try(module.branch-gke-dev-sa-cicd.0.iam_email, "")
])
}
triggers = {
fast-03-gke-dev = {
filename = ".cloudbuild/workflow.yaml"
included_files = [
"**/*json", "**/*tf", "**/*yaml", ".cloudbuild/workflow.yaml"
]
service_account = module.branch-gke-dev-sa-cicd.0.id
substitutions = {}
template = {
project_id = null
branch_name = each.value.branch
repo_name = each.value.name
tag_name = null
}
}
}
depends_on = [module.branch-gke-dev-sa-cicd]
}
module "branch-gke-prod-cicd-repo" {
source = "../../../modules/source-repository"
for_each = (
try(local.cicd_repositories.gke_prod.type, null) == "sourcerepo"
? { 0 = local.cicd_repositories.gke_prod }
: {}
)
project_id = var.automation.project_id
name = each.value.name
iam = {
"roles/source.admin" = [module.branch-gke-prod-sa.0.iam_email]
"roles/source.reader" = [module.branch-gke-prod-sa-cicd.0.iam_email]
}
triggers = {
fast-03-gke-prod = {
filename = ".cloudbuild/workflow.yaml"
included_files = [
"**/*json", "**/*tf", "**/*yaml", ".cloudbuild/workflow.yaml"
]
service_account = module.branch-gke-prod-sa-cicd.0.id
substitutions = {}
template = {
project_id = null
branch_name = each.value.branch
repo_name = each.value.name
tag_name = null
}
}
}
depends_on = [module.branch-gke-prod-sa-cicd]
}
# SAs used by CI/CD workflows to impersonate automation SAs
module "branch-gke-dev-sa-cicd" {
source = "../../../modules/iam-service-account"
for_each = (
try(local.cicd_repositories.gke_dev.name, null) != null
? { 0 = local.cicd_repositories.gke_dev }
: {}
)
project_id = var.automation.project_id
name = "dev-resman-gke-1"
description = "Terraform CI/CD GKE development service account."
prefix = var.prefix
iam = (
each.value.type == "sourcerepo"
# used directly from the cloud build trigger for source repos
? {
"roles/iam.serviceAccountUser" = local.automation_resman_sa
}
# impersonated via workload identity federation for external repos
: {
"roles/iam.workloadIdentityUser" = [
each.value.branch == null
? format(
local.identity_providers[each.value.identity_provider].principalset_tpl,
var.automation.federated_identity_pool,
each.value.name
)
: format(
local.identity_providers[each.value.identity_provider].principal_tpl,
var.automation.federated_identity_pool,
each.value.name,
each.value.branch
)
]
}
)
iam_project_roles = {
(var.automation.project_id) = ["roles/logging.logWriter"]
}
iam_storage_roles = {
(var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
}
}
module "branch-gke-prod-sa-cicd" {
source = "../../../modules/iam-service-account"
for_each = (
try(local.cicd_repositories.gke_prod.name, null) != null
? { 0 = local.cicd_repositories.gke_prod }
: {}
)
project_id = var.automation.project_id
name = "prod-resman-gke-1"
description = "Terraform CI/CD GKE production service account."
prefix = var.prefix
iam = (
each.value.type == "sourcerepo"
# used directly from the cloud build trigger for source repos
? {
"roles/iam.serviceAccountUser" = local.automation_resman_sa
}
# impersonated via workload identity federation for external repos
: {
"roles/iam.workloadIdentityUser" = [
each.value.branch == null
? format(
local.identity_providers[each.value.identity_provider].principalset_tpl,
var.automation.federated_identity_pool,
each.value.name
)
: format(
local.identity_providers[each.value.identity_provider].principal_tpl,
var.automation.federated_identity_pool,
each.value.name,
each.value.branch
)
]
}
)
iam_project_roles = {
(var.automation.project_id) = ["roles/logging.logWriter"]
}
iam_storage_roles = {
(var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
}
}
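Review bot: The prod repository's IAM block, `"roles/source.admin" = [module.branch-gke-prod-sa.0.iam_email]` and the `roles/source.reader` line below it, indexes the count-based modules directly, while the dev block wraps the same references in `compact([try(..., "")])`; with `fast_features.gke = false` and `cicd_repositories.gke_prod` still set, the prod form fails at plan time instead of yielding an empty binding. Mirror the dev form: `"roles/source.admin" = compact([try(module.branch-gke-prod-sa.0.iam_email, "")])` and `"roles/source.reader" = compact([try(module.branch-gke-prod-sa-cicd.0.iam_email, "")])`. The file header `# tfdoc:file:description CI/CD resources for the data platform branch.` looks like a copy-paste leftover and appears to be what produced the identical README row for cicd-gke.tf; `# tfdoc:file:description CI/CD resources for the GKE multitenant branch.` would be accurate. In both `-sa-cicd` modules the `roles/iam.workloadIdentityUser` binding is what lets the external repository's federated principal impersonate the CI/CD SA, and the `each.value.branch == null` arm widens it from one branch to the whole repository via `principalset_tpl`; a one-line comment on that widening next to the existing `# impersonated via workload identity federation for external repos` comment would help anyone reviewing the IAM surface.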


@ -37,8 +37,7 @@ locals {
cicd_repositories = {
for k, v in coalesce(var.cicd_repositories, {}) : k => v
if(
v != null
&&
v != null &&
(
try(v.type, null) == "sourcerepo"
||
@ -46,8 +45,7 @@ locals {
keys(local.identity_providers),
coalesce(try(v.identity_provider, null), ":")
)
)
&&
) &&
fileexists("${path.module}/templates/workflow-${try(v.type, "")}.yaml")
)
}


@ -27,7 +27,16 @@ locals {
tf_providers_file = "03-data-platform-prod-providers.tf"
tf_var_files = local.cicd_workflow_var_files.stage_3
}
# TODO(jccb): add gke here
gke_dev = {
service_account = try(module.branch-gke-dev-sa-cicd.0.email, null)
tf_providers_file = "03-gke-dev-providers.tf"
tf_var_files = local.cicd_workflow_var_files.stage_3
}
gke_prod = {
service_account = try(module.branch-gke-prod-sa-cicd.0.email, null)
tf_providers_file = "03-gke-prod-providers.tf"
tf_var_files = local.cicd_workflow_var_files.stage_3
}
networking = {
service_account = try(module.branch-network-sa-cicd.0.email, null)
tf_providers_file = "02-networking-providers.tf"


@ -59,6 +59,18 @@ variable "cicd_repositories" {
name = string
type = string
})
gke_dev = object({
branch = string
identity_provider = string
name = string
type = string
})
gke_prod = object({
branch = string
identity_provider = string
name = string
type = string
})
networking = object({
branch = string
identity_provider = string