Skip to content

Commit

Permalink
CI/CD support for Source Repository and Cloud Build (#669)
Browse files Browse the repository at this point in the history
* add id to outputs

* initial cloud build implementation for stage 0

* comments

* stage 0

* stage 1, untested

* add support for IAM and CB triggers to source repository module

* refactor stage 0 to use sourcerepo module

* refactor stage 1 to use sourcerepo module

* file descriptions

* fix gitlab pipeline
  • Loading branch information
ludoo authored Jun 8, 2022
1 parent 0d670af commit 44ae267
Show file tree
Hide file tree
Showing 31 changed files with 1,093 additions and 403 deletions.
2 changes: 1 addition & 1 deletion fast/assets/templates/workflow-github.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -98,7 +98,7 @@ jobs:
name: Terraform plan
continue-on-error: true
run: |
terraform plan -out ../plan.out -no-color
terraform plan -input=false -out ../plan.out -no-color
- id: tf-apply
if: github.event.pull_request.merged == true
Expand Down
26 changes: 13 additions & 13 deletions fast/assets/templates/workflow-gitlab.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@

default:
image:
name: registry.gitlab.com/gitlab-org/terraform-images/releases/1.1
name: registry.gitlab.com/gitlab-org/terraform-images/releases/1.1

variables:
FAST_OUTPUTS_BUCKET: ${outputs_bucket}
Expand Down Expand Up @@ -116,7 +116,7 @@ tf-init:
- gcp-auth

# Terraform Validate
tf-validate:
tf-validate:
stage: tf-validate
script:
- |
Expand All @@ -134,17 +134,17 @@ tf-validate:
# Terraform Plan
tf-plan:
stage: tf-plan
script:
- |
ssh-agent -a $SSH_AUTH_SOCK > /dev/null
echo "$CICD_MODULES_KEY" | tr -d '\r' | ssh-add - > /dev/null
mkdir -p ~/.ssh
ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
cd "$${TF_ROOT}"
cp -R .tf-setup/. .
gitlab-terraform plan
gitlab-terraform plan-json
script:
- |
ssh-agent -a $SSH_AUTH_SOCK > /dev/null
echo "$CICD_MODULES_KEY" | tr -d '\r' | ssh-add - > /dev/null
mkdir -p ~/.ssh
ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
cd "$${TF_ROOT}"
cp -R .tf-setup/. .
gitlab-terraform plan
gitlab-terraform plan-json
dependencies:
- gcp-auth
artifacts:
Expand Down
98 changes: 98 additions & 0 deletions fast/assets/templates/workflow-sourcerepo.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,98 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

steps:
- name: alpine:3
id: tf-download
entrypoint: sh
args:
- -eEuo
- pipefail
- -c
- |-
mkdir -p /builder/home/.local/bin
wget https://releases.hashicorp.com/terraform/$${_TF_VERSION}/terraform_$${_TF_VERSION}_linux_amd64.zip
unzip terraform_$${_TF_VERSION}_linux_amd64.zip -d /builder/home/.local/bin
rm terraform_$${_TF_VERSION}_linux_amd64.zip
chmod 755 /builder/home/.local/bin/terraform
- name: alpine:3
id: tf-check-format
entrypoint: sh
args:
- -eEuo
- pipefail
- -c
- |-
terraform fmt -recursive -check /workspace/
- name: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
id: tf-files
entrypoint: bash
args:
- -eEuo
- pipefail
- -c
- |-
/google-cloud-sdk/bin/gsutil cp \
gs://$${_FAST_OUTPUTS_BUCKET}/providers/$${_TF_PROVIDERS_FILE} ./
/google-cloud-sdk/bin/gsutil cp -r \
gs://$${_FAST_OUTPUTS_BUCKET}/tfvars ./
for f in $${_TF_VAR_FILES}; do
ln -s tfvars/$f ./
done
- name: alpine:3
id: tf-init
entrypoint: sh
args:
- -eEuo
- pipefail
- -c
- |-
terraform init -no-color
- name: alpine:3
id: tf-check-validate
entrypoint: sh
args:
- -eEuo
- pipefail
- -c
- |-
terraform validate -no-color
- name: alpine:3
id: tf-plan
entrypoint: sh
args:
- -eEuo
- pipefail
- -c
- |-
terraform plan -no-color -input=false -out plan.out
# store artifact and ask for approval here if needed
- name: alpine:3
id: tf-apply
entrypoint: sh
args:
- -eEuo
- pipefail
- -c
- |-
terraform apply -no-color -input=false -auto-approve plan.out
options:
env:
- PATH=/usr/local/bin:/usr/bin:/bin:/builder/home/.local/bin
logging: CLOUD_LOGGING_ONLY
substitutions:
_FAST_OUTPUTS_BUCKET: ${outputs_bucket}
_TF_PROVIDERS_FILE: ${tf_providers_file}
_TF_VAR_FILES: ${tf_var_files == [] ? "''" : join("\n ", tf_var_files)}
_TF_VERSION: 1.1.7
47 changes: 27 additions & 20 deletions fast/stages/00-bootstrap/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -385,6 +385,8 @@ cicd_repositories = {
}
```

The `type` attribute can be set to one of the supported repository types: `github`, `gitlab`, or `sourcerepo`.

Once the stage is applied the generated output files will contain pre-configured workflow files for each repository, that will use Workload Identity Federation via a dedicated service account for each repository to impersonate the automation service account for the stage.

The remaining configuration is manual, as it regards the repositories themselves:
Expand All @@ -396,6 +398,10 @@ The remaining configuration is manual, as it regards the repositories themselves
- create a key pair
- create a [deploy key](https://docs.github.com/en/developers/overview/managing-deploy-keys#deploy-keys) in the modules repository with the public key
- create a `CICD_MODULES_KEY` secret with the private key in each of the repositories that need to access modules
- for Gitlab
- TODO
- for Source Repositories
- assign the reader role to the CI/CD service accounts
- create one repository for each stage
- clone and populate them with the stage source
- edit the modules source to match your modules repository
Expand All @@ -405,6 +411,7 @@ The remaining configuration is manual, as it regards the repositories themselves
- copy the generated workflow file for the stage from the GCS output files bucket or from the local clone if enabled
- for GitHub, place it in a `.github/workflows` folder in the repository root
- for Gitlab, rename it to `.gitlab-ci.yml` and place it in the repository root
- for Source Repositories, place it in `.cloudbuild/workflow.yaml`

<!-- TFDOC OPTS files:1 show_extra:1 -->
<!-- BEGIN TFDOC -->
Expand All @@ -415,7 +422,7 @@ The remaining configuration is manual, as it regards the repositories themselves
|---|---|---|---|
| [automation.tf](./automation.tf) | Automation project and resources. | <code>gcs</code> · <code>iam-service-account</code> · <code>project</code> | |
| [billing.tf](./billing.tf) | Billing export project and dataset. | <code>bigquery-dataset</code> · <code>organization</code> · <code>project</code> | <code>google_billing_account_iam_member</code> · <code>google_organization_iam_binding</code> |
| [cicd.tf](./cicd.tf) | Workload Identity Federation configurations for CI/CD. | <code>iam-service-account</code> | |
| [cicd.tf](./cicd.tf) | Workload Identity Federation configurations for CI/CD. | <code>iam-service-account</code> · <code>source-repository</code> | |
| [identity-providers.tf](./identity-providers.tf) | Workload Identity Federation provider definitions. | | <code>google_iam_workload_identity_pool</code> · <code>google_iam_workload_identity_pool_provider</code> |
| [log-export.tf](./log-export.tf) | Audit log project and sink. | <code>bigquery-dataset</code> · <code>gcs</code> · <code>logging-bucket</code> · <code>project</code> · <code>pubsub</code> | |
| [main.tf](./main.tf) | Module-level locals and resources. | | |
Expand All @@ -430,31 +437,31 @@ The remaining configuration is manual, as it regards the repositories themselves
| name | description | type | required | default | producer |
|---|---|:---:|:---:|:---:|:---:|
| [billing_account](variables.tf#L17) | Billing account id and organization id ('nnnnnnnn' or null). | <code title="object&#40;&#123;&#10; id &#61; string&#10; organization_id &#61; number&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> || | |
| [organization](variables.tf#L146) | Organization details. | <code title="object&#40;&#123;&#10; domain &#61; string&#10; id &#61; number&#10; customer_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> || | |
| [prefix](variables.tf#L161) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> || | |
| [organization](variables.tf#L152) | Organization details. | <code title="object&#40;&#123;&#10; domain &#61; string&#10; id &#61; number&#10; customer_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> || | |
| [prefix](variables.tf#L167) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> || | |
| [bootstrap_user](variables.tf#L25) | Email of the nominal user running this stage for the first time. | <code>string</code> | | <code>null</code> | |
| [cicd_repositories](variables.tf#L31) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | <code title="object&#40;&#123;&#10; bootstrap &#61; object&#40;&#123;&#10; branch &#61; string&#10; identity_provider &#61; string&#10; name &#61; string&#10; type &#61; string&#10; &#125;&#41;&#10; resman &#61; object&#40;&#123;&#10; branch &#61; string&#10; identity_provider &#61; string&#10; name &#61; string&#10; type &#61; string&#10; &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | |
| [custom_role_names](variables.tf#L71) | Names of custom roles defined at the org level. | <code title="object&#40;&#123;&#10; organization_iam_admin &#61; string&#10; service_project_network_admin &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; organization_iam_admin &#61; &#34;organizationIamAdmin&#34;&#10; service_project_network_admin &#61; &#34;serviceProjectNetworkAdmin&#34;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [federated_identity_providers](variables.tf#L83) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | <code title="map&#40;object&#40;&#123;&#10; attribute_condition &#61; string&#10; issuer &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
| [groups](variables.tf#L93) | Group names to grant organization-level permissions. | <code>map&#40;string&#41;</code> | | <code title="&#123;&#10; gcp-billing-admins &#61; &#34;gcp-billing-admins&#34;,&#10; gcp-devops &#61; &#34;gcp-devops&#34;,&#10; gcp-network-admins &#61; &#34;gcp-network-admins&#34;&#10; gcp-organization-admins &#61; &#34;gcp-organization-admins&#34;&#10; gcp-security-admins &#61; &#34;gcp-security-admins&#34;&#10; gcp-support &#61; &#34;gcp-support&#34;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [iam](variables.tf#L107) | Organization-level custom IAM settings in role => [principal] format. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
| [iam_additive](variables.tf#L113) | Organization-level custom IAM settings in role => [principal] format for non-authoritative bindings. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
| [log_sinks](variables.tf#L121) | Org-level log sinks, in name => {type, filter} format. | <code title="map&#40;object&#40;&#123;&#10; filter &#61; string&#10; type &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; audit-logs &#61; &#123;&#10; filter &#61; &#34;logName:&#92;&#34;&#47;logs&#47;cloudaudit.googleapis.com&#37;2Factivity&#92;&#34; OR logName:&#92;&#34;&#47;logs&#47;cloudaudit.googleapis.com&#37;2Fsystem_event&#92;&#34;&#34;&#10; type &#61; &#34;bigquery&#34;&#10; &#125;&#10; vpc-sc &#61; &#123;&#10; filter &#61; &#34;protoPayload.metadata.&#64;type&#61;&#92;&#34;type.googleapis.com&#47;google.cloud.audit.VpcServiceControlAuditMetadata&#92;&#34;&#34;&#10; type &#61; &#34;bigquery&#34;&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [outputs_location](variables.tf#L155) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | <code>string</code> | | <code>null</code> | |
| [custom_role_names](variables.tf#L77) | Names of custom roles defined at the org level. | <code title="object&#40;&#123;&#10; organization_iam_admin &#61; string&#10; service_project_network_admin &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; organization_iam_admin &#61; &#34;organizationIamAdmin&#34;&#10; service_project_network_admin &#61; &#34;serviceProjectNetworkAdmin&#34;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [federated_identity_providers](variables.tf#L89) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | <code title="map&#40;object&#40;&#123;&#10; attribute_condition &#61; string&#10; issuer &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
| [groups](variables.tf#L99) | Group names to grant organization-level permissions. | <code>map&#40;string&#41;</code> | | <code title="&#123;&#10; gcp-billing-admins &#61; &#34;gcp-billing-admins&#34;,&#10; gcp-devops &#61; &#34;gcp-devops&#34;,&#10; gcp-network-admins &#61; &#34;gcp-network-admins&#34;&#10; gcp-organization-admins &#61; &#34;gcp-organization-admins&#34;&#10; gcp-security-admins &#61; &#34;gcp-security-admins&#34;&#10; gcp-support &#61; &#34;gcp-support&#34;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [iam](variables.tf#L113) | Organization-level custom IAM settings in role => [principal] format. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
| [iam_additive](variables.tf#L119) | Organization-level custom IAM settings in role => [principal] format for non-authoritative bindings. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
| [log_sinks](variables.tf#L127) | Org-level log sinks, in name => {type, filter} format. | <code title="map&#40;object&#40;&#123;&#10; filter &#61; string&#10; type &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; audit-logs &#61; &#123;&#10; filter &#61; &#34;logName:&#92;&#34;&#47;logs&#47;cloudaudit.googleapis.com&#37;2Factivity&#92;&#34; OR logName:&#92;&#34;&#47;logs&#47;cloudaudit.googleapis.com&#37;2Fsystem_event&#92;&#34;&#34;&#10; type &#61; &#34;bigquery&#34;&#10; &#125;&#10; vpc-sc &#61; &#123;&#10; filter &#61; &#34;protoPayload.metadata.&#64;type&#61;&#92;&#34;type.googleapis.com&#47;google.cloud.audit.VpcServiceControlAuditMetadata&#92;&#34;&#34;&#10; type &#61; &#34;bigquery&#34;&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [outputs_location](variables.tf#L161) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | <code>string</code> | | <code>null</code> | |

## Outputs

| name | description | sensitive | consumers |
|---|---|:---:|---|
| [automation](outputs.tf#L93) | Automation resources. | | |
| [billing_dataset](outputs.tf#L98) | BigQuery dataset prepared for billing export. | | |
| [cicd_repositories](outputs.tf#L103) | CI/CD repository configurations. | | |
| [custom_roles](outputs.tf#L115) | Organization-level custom roles. | | |
| [federated_identity](outputs.tf#L120) | Workload Identity Federation pool and providers. | | |
| [outputs_bucket](outputs.tf#L130) | GCS bucket where generated output files are stored. | | |
| [project_ids](outputs.tf#L135) | Projects created by this stage. | | |
| [providers](outputs.tf#L154) | Terraform provider files for this stage and dependent stages. || <code>stage-01</code> |
| [service_accounts](outputs.tf#L144) | Automation service accounts created by this stage. | | |
| [tfvars](outputs.tf#L163) | Terraform variable files for the following stages. || |
| [automation](outputs.tf#L81) | Automation resources. | | |
| [billing_dataset](outputs.tf#L86) | BigQuery dataset prepared for billing export. | | |
| [cicd_repositories](outputs.tf#L91) | CI/CD repository configurations. | | |
| [custom_roles](outputs.tf#L103) | Organization-level custom roles. | | |
| [federated_identity](outputs.tf#L108) | Workload Identity Federation pool and providers. | | |
| [outputs_bucket](outputs.tf#L118) | GCS bucket where generated output files are stored. | | |
| [project_ids](outputs.tf#L123) | Projects created by this stage. | | |
| [providers](outputs.tf#L142) | Terraform provider files for this stage and dependent stages. || <code>stage-01</code> |
| [service_accounts](outputs.tf#L132) | Automation service accounts created by this stage. | | |
| [tfvars](outputs.tf#L151) | Terraform variable files for the following stages. || |

<!-- END TFDOC -->
6 changes: 5 additions & 1 deletion fast/stages/00-bootstrap/automation.tf
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,7 @@ module "automation-project" {
"bigquerystorage.googleapis.com",
"billingbudgets.googleapis.com",
"cloudbilling.googleapis.com",
"cloudbuild.googleapis.com",
"cloudkms.googleapis.com",
"cloudresourcemanager.googleapis.com",
"container.googleapis.com",
Expand All @@ -65,14 +66,15 @@ module "automation-project" {
"pubsub.googleapis.com",
"servicenetworking.googleapis.com",
"serviceusage.googleapis.com",
"sourcerepo.googleapis.com",
"stackdriver.googleapis.com",
"storage-component.googleapis.com",
"storage.googleapis.com",
"sts.googleapis.com"
]
}

# outputt files bucket
# output files bucket

module "automation-tf-output-gcs" {
source = "../../../modules/gcs"
Expand Down Expand Up @@ -100,6 +102,7 @@ module "automation-tf-bootstrap-sa" {
name = "bootstrap-0"
description = "Terraform organization bootstrap service account."
prefix = local.prefix
# allow SA used by CI/CD workflow to impersonate this SA
iam = {
"roles/iam.serviceAccountTokenCreator" = compact([
try(module.automation-tf-cicd-sa["bootstrap"].iam_email, null)
Expand Down Expand Up @@ -130,6 +133,7 @@ module "automation-tf-resman-sa" {
name = "resman-0"
description = "Terraform stage 1 resman service account."
prefix = local.prefix
# allow SA used by CI/CD workflow to impersonate this SA
iam = {
"roles/iam.serviceAccountTokenCreator" = compact([
try(module.automation-tf-cicd-sa["resman"].iam_email, null)
Expand Down
Loading

0 comments on commit 44ae267

Please sign in to comment.