Remove support for source repositories from FAST CI/CD (GoogleCloudPl…

…atform#2352)

* stage 0

* stage 1

* stage 1 mt

* remove unused locals from resman

* remove unused locals from resman

* tfdoc

fast/stages/0-bootstrap/automation.tf

@@ -145,7 +145,6 @@ module "automation-project" {
       "pubsub.googleapis.com",
       "servicenetworking.googleapis.com",
       "serviceusage.googleapis.com",
-      "sourcerepo.googleapis.com",
       "stackdriver.googleapis.com",
       "storage-component.googleapis.com",
       "storage.googleapis.com",

fast/stages/0-bootstrap/cicd.tf

@@ -36,13 +36,9 @@ locals {
     if(
       v != null
       &&
-      (
-        try(v.type, null) == "sourcerepo"
-        ||
-        contains(
-          keys(local.workload_identity_providers),
-          coalesce(try(v.identity_provider, null), ":")
-        )
+      contains(
+        keys(local.workload_identity_providers),
+        coalesce(try(v.identity_provider, null), ":")
       )
       &&
       fileexists(
@@ -71,44 +67,6 @@ locals {
   }
 }
 
-# source repository
-
-module "automation-tf-cicd-repo" {
-  source = "../../../modules/source-repository"
-  for_each = {
-    for k, v in local.cicd_repositories : k => v if v.type == "sourcerepo"
-  }
-  project_id = module.automation-project.project_id
-  name       = each.value.name
-  iam = {
-    "roles/source.admin" = [
-      each.key == "bootstrap"
-      ? module.automation-tf-bootstrap-sa.iam_email
-      : module.automation-tf-resman-sa.iam_email
-    ]
-    "roles/source.reader" = concat(
-      [module.automation-tf-cicd-sa[each.key].iam_email],
-      each.key == "bootstrap"
-      ? [module.automation-tf-bootstrap-r-sa.iam_email]
-      : [module.automation-tf-resman-r-sa.iam_email]
-    )
-  }
-  triggers = {
-    "fast-0-${each.key}" = {
-      filename        = ".cloudbuild/workflow.yaml"
-      included_files  = ["**/*tf", ".cloudbuild/workflow.yaml"]
-      service_account = module.automation-tf-cicd-sa[each.key].id
-      substitutions   = {}
-      template = {
-        project_id  = null
-        branch_name = each.value.branch
-        repo_name   = each.value.name
-        tag_name    = null
-      }
-    }
-  }
-}
-
 # SAs used by CI/CD workflows to impersonate automation SAs
 
 module "automation-tf-cicd-sa" {
@@ -118,28 +76,22 @@ module "automation-tf-cicd-sa" {
   name         = "${each.key}-1"
   display_name = "Terraform CI/CD ${each.key} service account."
   prefix       = local.prefix
-  iam = (
-    each.value.type == "sourcerepo"
-    # used directly from the cloud build trigger for source repos
-    ? {}
-    # impersonated via workload identity federation for external repos
-    : {
-      "roles/iam.workloadIdentityUser" = [
-        each.value.branch == null
-        ? format(
-          local.workload_identity_providers_defs[each.value.type].principal_repo,
-          google_iam_workload_identity_pool.default[0].name,
-          each.value.name
-        )
-        : format(
-          local.workload_identity_providers_defs[each.value.type].principal_branch,
-          google_iam_workload_identity_pool.default[0].name,
-          each.value.name,
-          each.value.branch
-        )
-      ]
-    }
-  )
+  iam = {
+    "roles/iam.workloadIdentityUser" = [
+      each.value.branch == null
+      ? format(
+        local.workload_identity_providers_defs[each.value.type].principal_repo,
+        google_iam_workload_identity_pool.default[0].name,
+        each.value.name
+      )
+      : format(
+        local.workload_identity_providers_defs[each.value.type].principal_branch,
+        google_iam_workload_identity_pool.default[0].name,
+        each.value.name,
+        each.value.branch
+      )
+    ]
+  }
   iam_project_roles = {
     (module.automation-project.project_id) = ["roles/logging.logWriter"]
   }
@@ -155,21 +107,15 @@ module "automation-tf-cicd-r-sa" {
   name         = "${each.key}-1r"
   display_name = "Terraform CI/CD ${each.key} service account (read-only)."
   prefix       = local.prefix
-  iam = (
-    each.value.type == "sourcerepo"
-    # build trigger for read-only SA is optionally defined by users
-    ? {}
-    # impersonated via workload identity federation for external repos
-    : {
-      "roles/iam.workloadIdentityUser" = [
-        format(
-          local.workload_identity_providers_defs[each.value.type].principal_repo,
-          google_iam_workload_identity_pool.default[0].name,
-          each.value.name
-        )
-      ]
-    }
-  )
+  iam = {
+    "roles/iam.workloadIdentityUser" = [
+      format(
+        local.workload_identity_providers_defs[each.value.type].principal_repo,
+        google_iam_workload_identity_pool.default[0].name,
+        each.value.name
+      )
+    ]
+  }
   iam_project_roles = {
     (module.automation-project.project_id) = ["roles/logging.logWriter"]
   }

fast/stages/0-bootstrap/variables.tf

@@ -63,22 +63,18 @@ variable "cicd_repositories" {
   validation {
     condition = alltrue([
       for k, v in coalesce(var.cicd_repositories, {}) :
-      v == null || (
-        try(v.identity_provider, null) != null
-        ||
-        try(v.type, null) == "sourcerepo"
-      )
+      v == null || try(v.identity_provider, null) != null
     ])
-    error_message = "Non-null repositories need a non-null provider unless type is 'sourcerepo'."
+    error_message = "Non-null repositories need a non-null provider."
   }
   validation {
     condition = alltrue([
       for k, v in coalesce(var.cicd_repositories, {}) :
       v == null || (
-        contains(["github", "gitlab", "sourcerepo"], coalesce(try(v.type, null), "null"))
+        contains(["github", "gitlab"], coalesce(try(v.type, null), "null"))
       )
     ])
-    error_message = "Invalid repository type, supported types: 'github' 'gitlab' or 'sourcerepo'."
+    error_message = "Invalid repository type, supported types: 'github' or 'gitlab'."
   }
 }