GKE CI/CD (#804)
This commit is contained in:
parent
d318a7e657
commit
a18a3c92b3
@ -165,6 +165,7 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
|
|||
| [branch-security.tf](./branch-security.tf) | Security stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
|
||||
| [branch-teams.tf](./branch-teams.tf) | Team stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
|
||||
| [cicd-data-platform.tf](./cicd-data-platform.tf) | CI/CD resources for the data platform branch. | <code>iam-service-account</code> · <code>source-repository</code> | |
|
||||
| [cicd-gke.tf](./cicd-gke.tf) | CI/CD resources for the data platform branch. | <code>iam-service-account</code> · <code>source-repository</code> | |
|
||||
| [cicd-networking.tf](./cicd-networking.tf) | CI/CD resources for the networking branch. | <code>iam-service-account</code> · <code>source-repository</code> | |
|
||||
| [cicd-project-factory.tf](./cicd-project-factory.tf) | CI/CD resources for the teams branch. | <code>iam-service-account</code> · <code>source-repository</code> | |
|
||||
| [cicd-security.tf](./cicd-security.tf) | CI/CD resources for the security branch. | <code>iam-service-account</code> · <code>source-repository</code> | |
|
||||
|
@ -181,31 +182,31 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
|
|||
|---|---|:---:|:---:|:---:|:---:|
|
||||
| [automation](variables.tf#L20) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string project_id = string project_number = string federated_identity_pool = string federated_identity_providers = map(object({ issuer = string issuer_uri = string name = string principal_tpl = string principalset_tpl = string })) })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [billing_account](variables.tf#L38) | Billing account id and organization id ('nnnnnnnn' or null). | <code title="object({ id = string organization_id = number })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [organization](variables.tf#L179) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [prefix](variables.tf#L203) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [cicd_repositories](variables.tf#L47) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | <code title="object({ data_platform_dev = object({ branch = string identity_provider = string name = string type = string }) data_platform_prod = object({ branch = string identity_provider = string name = string type = string }) networking = object({ branch = string identity_provider = string name = string type = string }) project_factory_dev = object({ branch = string identity_provider = string name = string type = string }) project_factory_prod = object({ branch = string identity_provider = string name = string type = string }) security = object({ branch = string identity_provider = string name = string type = string }) })">object({…})</code> | | <code>null</code> | |
|
||||
| [custom_roles](variables.tf#L117) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>00-bootstrap</code> |
|
||||
| [fast_features](variables.tf#L126) | Selective control for top-level FAST features. | <code title="object({ data_platform = bool gke = bool project_factory = bool sandbox = bool teams = bool })">object({…})</code> | | <code title="{ data_platform = true gke = true project_factory = true sandbox = true teams = true }">{…}</code> | <code>00-bootstrap</code> |
|
||||
| [groups](variables.tf#L146) | Group names to grant organization-level permissions. | <code>map(string)</code> | | <code title="{ gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", gcp-network-admins = "gcp-network-admins" gcp-organization-admins = "gcp-organization-admins" gcp-security-admins = "gcp-security-admins" gcp-support = "gcp-support" }">{…}</code> | <code>00-bootstrap</code> |
|
||||
| [locations](variables.tf#L161) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object({ bq = string gcs = string logging = string pubsub = list(string) })">object({…})</code> | | <code title="{ bq = "EU" gcs = "EU" logging = "global" pubsub = [] }">{…}</code> | <code>00-bootstrap</code> |
|
||||
| [organization_policy_configs](variables.tf#L189) | Organization policies customization. | <code title="object({ allowed_policy_member_domains = list(string) })">object({…})</code> | | <code>null</code> | |
|
||||
| [outputs_location](variables.tf#L197) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | <code>string</code> | | <code>null</code> | |
|
||||
| [tag_names](variables.tf#L214) | Customized names for resource management tags. | <code title="object({ context = string environment = string })">object({…})</code> | | <code title="{ context = "context" environment = "environment" }">{…}</code> | |
|
||||
| [team_folders](variables.tf#L231) | Team folders to be created. Format is described in a code comment. | <code title="map(object({ descriptive_name = string group_iam = map(list(string)) impersonation_groups = list(string) }))">map(object({…}))</code> | | <code>null</code> | |
|
||||
| [organization](variables.tf#L191) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [prefix](variables.tf#L215) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [cicd_repositories](variables.tf#L47) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | <code title="object({ data_platform_dev = object({ branch = string identity_provider = string name = string type = string }) data_platform_prod = object({ branch = string identity_provider = string name = string type = string }) gke_dev = object({ branch = string identity_provider = string name = string type = string }) gke_prod = object({ branch = string identity_provider = string name = string type = string }) networking = object({ branch = string identity_provider = string name = string type = string }) project_factory_dev = object({ branch = string identity_provider = string name = string type = string }) project_factory_prod = object({ branch = string identity_provider = string name = string type = string }) security = object({ branch = string identity_provider = string name = string type = string }) })">object({…})</code> | | <code>null</code> | |
|
||||
| [custom_roles](variables.tf#L129) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>00-bootstrap</code> |
|
||||
| [fast_features](variables.tf#L138) | Selective control for top-level FAST features. | <code title="object({ data_platform = bool gke = bool project_factory = bool sandbox = bool teams = bool })">object({…})</code> | | <code title="{ data_platform = true gke = true project_factory = true sandbox = true teams = true }">{…}</code> | <code>00-bootstrap</code> |
|
||||
| [groups](variables.tf#L158) | Group names to grant organization-level permissions. | <code>map(string)</code> | | <code title="{ gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", gcp-network-admins = "gcp-network-admins" gcp-organization-admins = "gcp-organization-admins" gcp-security-admins = "gcp-security-admins" gcp-support = "gcp-support" }">{…}</code> | <code>00-bootstrap</code> |
|
||||
| [locations](variables.tf#L173) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object({ bq = string gcs = string logging = string pubsub = list(string) })">object({…})</code> | | <code title="{ bq = "EU" gcs = "EU" logging = "global" pubsub = [] }">{…}</code> | <code>00-bootstrap</code> |
|
||||
| [organization_policy_configs](variables.tf#L201) | Organization policies customization. | <code title="object({ allowed_policy_member_domains = list(string) })">object({…})</code> | | <code>null</code> | |
|
||||
| [outputs_location](variables.tf#L209) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | <code>string</code> | | <code>null</code> | |
|
||||
| [tag_names](variables.tf#L226) | Customized names for resource management tags. | <code title="object({ context = string environment = string })">object({…})</code> | | <code title="{ context = "context" environment = "environment" }">{…}</code> | |
|
||||
| [team_folders](variables.tf#L243) | Team folders to be created. Format is described in a code comment. | <code title="map(object({ descriptive_name = string group_iam = map(list(string)) impersonation_groups = list(string) }))">map(object({…}))</code> | | <code>null</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive | consumers |
|
||||
|---|---|:---:|---|
|
||||
| [cicd_repositories](outputs.tf#L188) | WIF configuration for CI/CD repositories. | | |
|
||||
| [dataplatform](outputs.tf#L202) | Data for the Data Platform stage. | | |
|
||||
| [gke_multitenant](outputs.tf#L274) | Data for the GKE multitenant stage. | | <code>03-gke-multitenant</code> |
|
||||
| [networking](outputs.tf#L218) | Data for the networking stage. | | |
|
||||
| [project_factories](outputs.tf#L227) | Data for the project factories stage. | | |
|
||||
| [providers](outputs.tf#L243) | Terraform provider files for this stage and dependent stages. | ✓ | <code>02-networking</code> · <code>02-security</code> · <code>03-dataplatform</code> · <code>xx-sandbox</code> · <code>xx-teams</code> |
|
||||
| [sandbox](outputs.tf#L250) | Data for the sandbox stage. | | <code>xx-sandbox</code> |
|
||||
| [security](outputs.tf#L264) | Data for the networking stage. | | <code>02-security</code> |
|
||||
| [teams](outputs.tf#L295) | Data for the teams stage. | | |
|
||||
| [tfvars](outputs.tf#L308) | Terraform variable files for the following stages. | ✓ | |
|
||||
| [cicd_repositories](outputs.tf#L197) | WIF configuration for CI/CD repositories. | | |
|
||||
| [dataplatform](outputs.tf#L211) | Data for the Data Platform stage. | | |
|
||||
| [gke_multitenant](outputs.tf#L283) | Data for the GKE multitenant stage. | | <code>03-gke-multitenant</code> |
|
||||
| [networking](outputs.tf#L227) | Data for the networking stage. | | |
|
||||
| [project_factories](outputs.tf#L236) | Data for the project factories stage. | | |
|
||||
| [providers](outputs.tf#L252) | Terraform provider files for this stage and dependent stages. | ✓ | <code>02-networking</code> · <code>02-security</code> · <code>03-dataplatform</code> · <code>xx-sandbox</code> · <code>xx-teams</code> |
|
||||
| [sandbox](outputs.tf#L259) | Data for the sandbox stage. | | <code>xx-sandbox</code> |
|
||||
| [security](outputs.tf#L273) | Data for the networking stage. | | <code>02-security</code> |
|
||||
| [teams](outputs.tf#L304) | Data for the teams stage. | | |
|
||||
| [tfvars](outputs.tf#L317) | Terraform variable files for the following stages. | ✓ | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -16,11 +16,6 @@
|
|||
|
||||
# tfdoc:file:description Data Platform stages resources.
|
||||
|
||||
moved {
|
||||
from = module.branch-dp-folder
|
||||
to = module.branch-dp-folder.0
|
||||
}
|
||||
|
||||
module "branch-dp-folder" {
|
||||
source = "../../../modules/folder"
|
||||
count = var.fast_features.data_platform ? 1 : 0
|
||||
|
@ -33,11 +28,6 @@ module "branch-dp-folder" {
|
|||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-dp-dev-folder
|
||||
to = module.branch-dp-dev-folder.0
|
||||
}
|
||||
|
||||
module "branch-dp-dev-folder" {
|
||||
source = "../../../modules/folder"
|
||||
count = var.fast_features.data_platform ? 1 : 0
|
||||
|
@ -62,11 +52,6 @@ module "branch-dp-dev-folder" {
|
|||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-dp-prod-folder
|
||||
to = module.branch-dp-prod-folder.0
|
||||
}
|
||||
|
||||
module "branch-dp-prod-folder" {
|
||||
source = "../../../modules/folder"
|
||||
count = var.fast_features.data_platform ? 1 : 0
|
||||
|
@ -91,11 +76,6 @@ module "branch-dp-prod-folder" {
|
|||
|
||||
# automation service accounts and buckets
|
||||
|
||||
moved {
|
||||
from = module.branch-dp-dev-sa
|
||||
to = module.branch-dp-dev-sa.0
|
||||
}
|
||||
|
||||
module "branch-dp-dev-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.data_platform ? 1 : 0
|
||||
|
@ -113,11 +93,6 @@ module "branch-dp-dev-sa" {
|
|||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-dp-prod-sa
|
||||
to = module.branch-dp-prod-sa.0
|
||||
}
|
||||
|
||||
module "branch-dp-prod-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.data_platform ? 1 : 0
|
||||
|
@ -135,11 +110,6 @@ module "branch-dp-prod-sa" {
|
|||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-dp-dev-gcs
|
||||
to = module.branch-dp-dev-gcs.0
|
||||
}
|
||||
|
||||
module "branch-dp-dev-gcs" {
|
||||
source = "../../../modules/gcs"
|
||||
count = var.fast_features.data_platform ? 1 : 0
|
||||
|
@ -154,11 +124,6 @@ module "branch-dp-dev-gcs" {
|
|||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-dp-prod-gcs
|
||||
to = module.branch-dp-prod-gcs.0
|
||||
}
|
||||
|
||||
module "branch-dp-prod-gcs" {
|
||||
source = "../../../modules/gcs"
|
||||
count = var.fast_features.data_platform ? 1 : 0
|
||||
|
|
|
@ -16,11 +16,6 @@
|
|||
|
||||
# tfdoc:file:description GKE multitenant stage resources.
|
||||
|
||||
moved {
|
||||
from = module.branch-gke-folder
|
||||
to = module.branch-gke-folder.0
|
||||
}
|
||||
|
||||
module "branch-gke-folder" {
|
||||
source = "../../../modules/folder"
|
||||
count = var.fast_features.gke ? 1 : 0
|
||||
|
@ -33,11 +28,6 @@ module "branch-gke-folder" {
|
|||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-gke-dev-folder
|
||||
to = module.branch-gke-dev-folder.0
|
||||
}
|
||||
|
||||
module "branch-gke-dev-folder" {
|
||||
source = "../../../modules/folder"
|
||||
count = var.fast_features.gke ? 1 : 0
|
||||
|
@ -58,11 +48,6 @@ module "branch-gke-dev-folder" {
|
|||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-gke-prod-folder
|
||||
to = module.branch-gke-prod-folder.0
|
||||
}
|
||||
|
||||
module "branch-gke-prod-folder" {
|
||||
source = "../../../modules/folder"
|
||||
count = var.fast_features.gke ? 1 : 0
|
||||
|
@ -83,11 +68,6 @@ module "branch-gke-prod-folder" {
|
|||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-gke-dev-sa
|
||||
to = module.branch-gke-dev-sa.0
|
||||
}
|
||||
|
||||
module "branch-gke-dev-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.gke ? 1 : 0
|
||||
|
@ -96,18 +76,18 @@ module "branch-gke-dev-sa" {
|
|||
description = "Terraform gke multitenant dev service account."
|
||||
prefix = var.prefix
|
||||
iam = {
|
||||
"roles/iam.serviceAccountTokenCreator" = ["group:${local.groups.gcp-devops}"]
|
||||
"roles/iam.serviceAccountTokenCreator" = concat(
|
||||
["group:${local.groups.gcp-devops}"],
|
||||
compact([
|
||||
try(module.branch-gke-dev-sa-cicd.0.iam_email, null)
|
||||
])
|
||||
)
|
||||
}
|
||||
iam_storage_roles = {
|
||||
(var.automation.outputs_bucket) = ["roles/storage.admin"]
|
||||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-gke-prod-sa
|
||||
to = module.branch-gke-prod-sa.0
|
||||
}
|
||||
|
||||
module "branch-gke-prod-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.gke ? 1 : 0
|
||||
|
@ -116,18 +96,18 @@ module "branch-gke-prod-sa" {
|
|||
description = "Terraform gke multitenant prod service account."
|
||||
prefix = var.prefix
|
||||
iam = {
|
||||
"roles/iam.serviceAccountTokenCreator" = ["group:${local.groups.gcp-devops}"]
|
||||
"roles/iam.serviceAccountTokenCreator" = concat(
|
||||
["group:${local.groups.gcp-devops}"],
|
||||
compact([
|
||||
try(module.branch-gke-prod-sa-cicd.0.iam_email, null)
|
||||
])
|
||||
)
|
||||
}
|
||||
iam_storage_roles = {
|
||||
(var.automation.outputs_bucket) = ["roles/storage.admin"]
|
||||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-gke-dev-gcs
|
||||
to = module.branch-gke-dev-gcs.0
|
||||
}
|
||||
|
||||
module "branch-gke-dev-gcs" {
|
||||
source = "../../../modules/gcs"
|
||||
count = var.fast_features.gke ? 1 : 0
|
||||
|
@ -140,11 +120,6 @@ module "branch-gke-dev-gcs" {
|
|||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-gke-prod-gcs
|
||||
to = module.branch-gke-prod-gcs.0
|
||||
}
|
||||
|
||||
module "branch-gke-prod-gcs" {
|
||||
source = "../../../modules/gcs"
|
||||
count = var.fast_features.gke ? 1 : 0
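Review bot: The new `roles/iam.serviceAccountTokenCreator` binding in the branch-gke-dev-sa and branch-gke-prod-sa hunks is what lets the CI/CD service account obtain tokens for the stage automation SA, i.e. the grant the whole impersonation chain depends on, yet neither hunk carries a comment saying so. A one-liner above each `concat(` would give an IAM reviewer that context: `# CI/CD SA (Cloud Build trigger or WIF) impersonates this stage SA via token creation`. The try() fallback here is `null` while the same reference in cicd-gke.tf falls back to `""`; both collapse to nothing after compact(), but one form would keep the pattern greppable. Both module blocks start before their hunk.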
|
||||
|
|
|
@ -16,11 +16,6 @@
|
|||
|
||||
# tfdoc:file:description Project factory stage resources.
|
||||
|
||||
moved {
|
||||
from = module.branch-teams-dev-pf-sa
|
||||
to = module.branch-pf-dev-sa.0
|
||||
}
|
||||
|
||||
module "branch-pf-dev-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.project_factory ? 1 : 0
|
||||
|
@ -39,11 +34,6 @@ module "branch-pf-dev-sa" {
|
|||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-teams-prod-pf-sa
|
||||
to = module.branch-pf-prod-sa.0
|
||||
}
|
||||
|
||||
module "branch-pf-prod-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.project_factory ? 1 : 0
|
||||
|
@ -62,11 +52,6 @@ module "branch-pf-prod-sa" {
|
|||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-teams-dev-pf-gcs
|
||||
to = module.branch-pf-dev-gcs.0
|
||||
}
|
||||
|
||||
module "branch-pf-dev-gcs" {
|
||||
source = "../../../modules/gcs"
|
||||
count = var.fast_features.project_factory ? 1 : 0
|
||||
|
@ -81,11 +66,6 @@ module "branch-pf-dev-gcs" {
|
|||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-teams-prod-pf-gcs
|
||||
to = module.branch-pf-prod-gcs.0
|
||||
}
|
||||
|
||||
module "branch-pf-prod-gcs" {
|
||||
source = "../../../modules/gcs"
|
||||
count = var.fast_features.project_factory ? 1 : 0
|
||||
|
|
|
@ -16,11 +16,6 @@
|
|||
|
||||
# tfdoc:file:description Team stage resources.
|
||||
|
||||
moved {
|
||||
from = module.branch-teams-folder
|
||||
to = module.branch-teams-folder.0
|
||||
}
|
||||
|
||||
# TODO(ludo): add support for CI/CD
|
||||
|
||||
############### top-level Teams branch and automation resources ###############
|
||||
|
|
|
@ -0,0 +1,175 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
# tfdoc:file:description CI/CD resources for the data platform branch.
|
||||
|
||||
# source repositories
|
||||
|
||||
module "branch-gke-dev-cicd-repo" {
|
||||
source = "../../../modules/source-repository"
|
||||
for_each = (
|
||||
try(local.cicd_repositories.gke_dev.type, null) == "sourcerepo"
|
||||
? { 0 = local.cicd_repositories.gke_dev }
|
||||
: {}
|
||||
)
|
||||
project_id = var.automation.project_id
|
||||
name = each.value.name
|
||||
iam = {
|
||||
"roles/source.admin" = compact([
|
||||
try(module.branch-gke-dev-sa.0.iam_email, "")
|
||||
])
|
||||
"roles/source.reader" = compact([
|
||||
try(module.branch-gke-dev-sa-cicd.0.iam_email, "")
|
||||
])
|
||||
}
|
||||
triggers = {
|
||||
fast-03-gke-dev = {
|
||||
filename = ".cloudbuild/workflow.yaml"
|
||||
included_files = [
|
||||
"**/*json", "**/*tf", "**/*yaml", ".cloudbuild/workflow.yaml"
|
||||
]
|
||||
service_account = module.branch-gke-dev-sa-cicd.0.id
|
||||
substitutions = {}
|
||||
template = {
|
||||
project_id = null
|
||||
branch_name = each.value.branch
|
||||
repo_name = each.value.name
|
||||
tag_name = null
|
||||
}
|
||||
}
|
||||
}
|
||||
depends_on = [module.branch-gke-dev-sa-cicd]
|
||||
}
|
||||
|
||||
module "branch-gke-prod-cicd-repo" {
|
||||
source = "../../../modules/source-repository"
|
||||
for_each = (
|
||||
try(local.cicd_repositories.gke_prod.type, null) == "sourcerepo"
|
||||
? { 0 = local.cicd_repositories.gke_prod }
|
||||
: {}
|
||||
)
|
||||
project_id = var.automation.project_id
|
||||
name = each.value.name
|
||||
iam = {
|
||||
"roles/source.admin" = [module.branch-gke-prod-sa.0.iam_email]
|
||||
"roles/source.reader" = [module.branch-gke-prod-sa-cicd.0.iam_email]
|
||||
}
|
||||
triggers = {
|
||||
fast-03-gke-prod = {
|
||||
filename = ".cloudbuild/workflow.yaml"
|
||||
included_files = [
|
||||
"**/*json", "**/*tf", "**/*yaml", ".cloudbuild/workflow.yaml"
|
||||
]
|
||||
service_account = module.branch-gke-prod-sa-cicd.0.id
|
||||
substitutions = {}
|
||||
template = {
|
||||
project_id = null
|
||||
branch_name = each.value.branch
|
||||
repo_name = each.value.name
|
||||
tag_name = null
|
||||
}
|
||||
}
|
||||
}
|
||||
depends_on = [module.branch-gke-prod-sa-cicd]
|
||||
}
|
||||
|
||||
# SAs used by CI/CD workflows to impersonate automation SAs
|
||||
|
||||
module "branch-gke-dev-sa-cicd" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
for_each = (
|
||||
try(local.cicd_repositories.gke_dev.name, null) != null
|
||||
? { 0 = local.cicd_repositories.gke_dev }
|
||||
: {}
|
||||
)
|
||||
project_id = var.automation.project_id
|
||||
name = "dev-resman-gke-1"
|
||||
description = "Terraform CI/CD GKE development service account."
|
||||
prefix = var.prefix
|
||||
iam = (
|
||||
each.value.type == "sourcerepo"
|
||||
# used directly from the cloud build trigger for source repos
|
||||
? {
|
||||
"roles/iam.serviceAccountUser" = local.automation_resman_sa
|
||||
}
|
||||
# impersonated via workload identity federation for external repos
|
||||
: {
|
||||
"roles/iam.workloadIdentityUser" = [
|
||||
each.value.branch == null
|
||||
? format(
|
||||
local.identity_providers[each.value.identity_provider].principalset_tpl,
|
||||
var.automation.federated_identity_pool,
|
||||
each.value.name
|
||||
)
|
||||
: format(
|
||||
local.identity_providers[each.value.identity_provider].principal_tpl,
|
||||
var.automation.federated_identity_pool,
|
||||
each.value.name,
|
||||
each.value.branch
|
||||
)
|
||||
]
|
||||
}
|
||||
)
|
||||
iam_project_roles = {
|
||||
(var.automation.project_id) = ["roles/logging.logWriter"]
|
||||
}
|
||||
iam_storage_roles = {
|
||||
(var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
|
||||
}
|
||||
}
|
||||
|
||||
module "branch-gke-prod-sa-cicd" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
for_each = (
|
||||
try(local.cicd_repositories.gke_prod.name, null) != null
|
||||
? { 0 = local.cicd_repositories.gke_prod }
|
||||
: {}
|
||||
)
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-gke-1"
|
||||
description = "Terraform CI/CD GKE production service account."
|
||||
prefix = var.prefix
|
||||
iam = (
|
||||
each.value.type == "sourcerepo"
|
||||
# used directly from the cloud build trigger for source repos
|
||||
? {
|
||||
"roles/iam.serviceAccountUser" = local.automation_resman_sa
|
||||
}
|
||||
# impersonated via workload identity federation for external repos
|
||||
: {
|
||||
"roles/iam.workloadIdentityUser" = [
|
||||
each.value.branch == null
|
||||
? format(
|
||||
local.identity_providers[each.value.identity_provider].principalset_tpl,
|
||||
var.automation.federated_identity_pool,
|
||||
each.value.name
|
||||
)
|
||||
: format(
|
||||
local.identity_providers[each.value.identity_provider].principal_tpl,
|
||||
var.automation.federated_identity_pool,
|
||||
each.value.name,
|
||||
each.value.branch
|
||||
)
|
||||
]
|
||||
}
|
||||
)
|
||||
iam_project_roles = {
|
||||
(var.automation.project_id) = ["roles/logging.logWriter"]
|
||||
}
|
||||
iam_storage_roles = {
|
||||
(var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
|
||||
}
|
||||
}
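Review bot: In branch-gke-prod-cicd-repo the source.admin binding is the bare `[module.branch-gke-prod-sa.0.iam_email]`, whereas branch-gke-dev-cicd-repo wraps the equivalent reference in `compact([try(…, "")])`; since branch-gke-prod-sa is created with `count = var.fast_features.gke ? 1 : 0` elsewhere in this commit, a deployment with `fast_features.gke = false` and a `gke_prod` repository configured fails at plan time on the prod block where the dev block degrades to an empty binding. Align the two with `"roles/source.admin" = compact([try(module.branch-gke-prod-sa.0.iam_email, "")])` and `"roles/source.reader" = compact([try(module.branch-gke-prod-sa-cicd.0.iam_email, "")])`. The file's tfdoc header is also copied from the data platform file and already shows up in the README as "CI/CD resources for the data platform branch." for cicd-gke.tf; it should read `# tfdoc:file:description CI/CD resources for the GKE multitenant branch.`.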
|
|
@ -37,8 +37,7 @@ locals {
|
|||
cicd_repositories = {
|
||||
for k, v in coalesce(var.cicd_repositories, {}) : k => v
|
||||
if(
|
||||
v != null
|
||||
&&
|
||||
v != null &&
|
||||
(
|
||||
try(v.type, null) == "sourcerepo"
|
||||
||
|
||||
|
@ -46,8 +45,7 @@ locals {
|
|||
keys(local.identity_providers),
|
||||
coalesce(try(v.identity_provider, null), ":")
|
||||
)
|
||||
)
|
||||
&&
|
||||
) &&
|
||||
fileexists("${path.module}/templates/workflow-${try(v.type, "")}.yaml")
|
||||
)
|
||||
}
|
||||
|
|
|
@ -27,7 +27,16 @@ locals {
|
|||
tf_providers_file = "03-data-platform-prod-providers.tf"
|
||||
tf_var_files = local.cicd_workflow_var_files.stage_3
|
||||
}
|
||||
# TODO(jccb): add gke here
|
||||
gke_dev = {
|
||||
service_account = try(module.branch-gke-dev-sa-cicd.0.email, null)
|
||||
tf_providers_file = "03-gke-dev-providers.tf"
|
||||
tf_var_files = local.cicd_workflow_var_files.stage_3
|
||||
}
|
||||
gke_prod = {
|
||||
service_account = try(module.branch-gke-prod-sa-cicd.0.email, null)
|
||||
tf_providers_file = "03-gke-prod-providers.tf"
|
||||
tf_var_files = local.cicd_workflow_var_files.stage_3
|
||||
}
|
||||
networking = {
|
||||
service_account = try(module.branch-network-sa-cicd.0.email, null)
|
||||
tf_providers_file = "02-networking-providers.tf"
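Review bot: The new `gke_dev` and `gke_prod` entries point workflows at `03-gke-dev-providers.tf` and `03-gke-prod-providers.tf`, but nothing in this commit shows the `providers` output emitting files under those names, and the README's providers row still lists only 02-networking, 02-security, 03-dataplatform, xx-sandbox and xx-teams as consumers; if the files are not generated the workflow will try to fetch a missing object from the outputs bucket at run time. Confirm the names against outputs.tf and add the GKE stages to the providers output's tfdoc consumers annotation. The enclosing `locals` block starts before and ends after this hunk.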
|
||||
|
|
|
@ -59,6 +59,18 @@ variable "cicd_repositories" {
|
|||
name = string
|
||||
type = string
|
||||
})
|
||||
gke_dev = object({
|
||||
branch = string
|
||||
identity_provider = string
|
||||
name = string
|
||||
type = string
|
||||
})
|
||||
gke_prod = object({
|
||||
branch = string
|
||||
identity_provider = string
|
||||
name = string
|
||||
type = string
|
||||
})
|
||||
networking = object({
|
||||
branch = string
|
||||
identity_provider = string
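Review bot: Adding `gke_dev` and `gke_prod` as plain attributes of the `cicd_repositories` object type makes them mandatory for every existing tfvars that sets the variable, so deployments that configured only networking or data-platform repositories stop type-checking until they add `gke_dev = null` and `gke_prod = null`. Either state that in the variable description (`# every repository key must be present; set unused ones to null`) or, if the stage's required Terraform version allows it, declare the two new entries with `optional(object({...}))`. The variable block starts before and ends after the hunk.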
|
||||
|
|