cloudbuild

Overview

Usage

Basic usage of this module is as follows:

module "bootstrap" {
  source  = "terraform-google-modules/bootstrap/google//modules/cloudbuild"
  version = "~> 7.2"

  org_id         = "<ORGANIZATION_ID>"
  billing_account         = "<BILLING_ACCOUNT_ID>"
  group_org_admins        = "[email protected]"
  default_region          = "australia-southeast1"
  sa_enable_impersonation = true
  terraform_sa_email      = "<SERVICE_ACCOUNT_EMAIL>"
  terraform_sa_name       = "<SERVICE_ACCOUNT_NAME>"
  terraform_state_bucket  = "<GCS_STATE_BUCKET_NAME>"
}

Functional examples and sample Cloud Build definitions are included in the examples directory.

Features

1. Create a new GCP cloud build project using project_prefix
2. Enable APIs in the cloud build project using activate_apis
3. Build a Terraform docker image for Cloud Build, including terraform-validator.
4. Create a GCS bucket for Cloud Build Artifacts using project_prefix
5. Create Cloud Source Repos for pipelines using list of repos in cloud_source_repos
   1. Create Cloud Build trigger for terraform apply on master branch
   2. Create Cloud Build trigger for terrafor plan on all other branches
6. Create KMS Keyring and key for encryption
   1. Grant access to decrypt to Cloud Build service account and terraform_sa_email
   2. Grant access to encrypt to group_org_admins
7. Optionally give Cloud Build service account permissions to impersonate terraform service account using sa_enable_impersonation and supplied value for terraform_sa_name

Resources created

• KMS Keyring and key for secrets, including IAM for Cloudbuild, Org Admins and Terraform service acocunt
• (optional) Cloudbuild impersonation permissions for a service account
• (optional) Cloud Source Repos, with triggers for terraform plan (all other branches) & terraform apply (master)

Inputs

Name	Description	Type	Default	Required
activate_apis	List of APIs to enable in the Cloudbuild project.	list(string)	[ "serviceusage.googleapis.com", "servicenetworking.googleapis.com", "compute.googleapis.com", "logging.googleapis.com", "bigquery.googleapis.com", "cloudresourcemanager.googleapis.com", "cloudbilling.googleapis.com", "iam.googleapis.com", "admin.googleapis.com", "appengine.googleapis.com", "storage-api.googleapis.com" ]	no
billing_account	The ID of the billing account to associate projects with.	string	n/a	yes
cloud_source_repos	List of Cloud Source Repos to create with CloudBuild triggers.	list(string)	[ "gcp-org", "gcp-networks", "gcp-projects" ]	no
cloudbuild_apply_filename	Path and name of Cloud Build YAML definition used for terraform apply.	string	"cloudbuild-tf-apply.yaml"	no
cloudbuild_plan_filename	Path and name of Cloud Build YAML definition used for terraform plan.	string	"cloudbuild-tf-plan.yaml"	no
create_cloud_source_repos	If shared Cloud Source Repos should be created.	bool	true	no
default_region	Default region to create resources where applicable.	string	"us-central1"	no
folder_id	The ID of a folder to host this project	string	""	no
gar_repo_name	Custom name to use for GAR repo.	string	""	no
gcloud_version	Default gcloud image version.	string	"388.0.0-slim"	no
group_org_admins	Google Group for GCP Organization Administrators	string	n/a	yes
impersonate_service_account	The service account to impersonate while running the gcloud builds submit command.	string	""	no
org_id	GCP Organization ID	string	n/a	yes
project_id	Custom project ID to use for project created.	string	""	no
project_labels	Labels to apply to the project.	map(string)	{}	no
project_prefix	Name prefix to use for projects created.	string	"cft"	no
random_suffix	Appends a 4 character random suffix to project ID and GCS bucket name.	bool	true	no
sa_enable_impersonation	Allow org_admins group to impersonate service account & enable APIs required.	bool	false	no
storage_bucket_labels	Labels to apply to the storage bucket.	map(string)	{}	no
terraform_apply_branches	List of git branches configured to run terraform apply Cloud Build trigger. All other branches will run plan by default.	list(string)	[ "main" ]	no
terraform_sa_email	Email for terraform service account.	string	n/a	yes
terraform_sa_name	Fully-qualified name of the terraform service account.	string	n/a	yes
terraform_state_bucket	Default state bucket, used in Cloud Build substitutions.	string	n/a	yes
terraform_version	Default terraform version.	string	"1.0.2"	no
terraform_version_sha256sum	sha256sum for default terraform version.	string	"7329f887cc5a5bda4bedaec59c439a4af7ea0465f83e3c1b0f4d04951e1181f4"	no

Outputs

Name	Description
cloudbuild_project_id	Project where CloudBuild configuration and terraform container image will reside.
csr_repos	List of Cloud Source Repos created by the module, linked to Cloud Build triggers.
gcs_bucket_cloudbuild_artifacts	Bucket used to store Cloud/Build artifacts in CloudBuild project.
gcs_bucket_cloudbuild_logs	Bucket used to store Cloud/Build logs in CloudBuild project.
tf_runner_artifact_repo	GAR Repo created to store runner images

Requirements

Software

• gcloud sdk >= 206.0.0
• Terraform >= 0.13.0
• [terraform-provider-google] plugin 3.50.x

Permissions

• roles/billing.user on supplied billing account
• roles/resourcemanager.organizationAdmin on GCP Organization
• roles/resourcemanager.projectCreator on GCP Organization or folder

APIs

A project with the following APIs enabled must be used to host the resources of this module:

• Google Cloud Resource Manager API: cloudresourcemanager.googleapis.com
• Google Cloud Billing API: cloudbilling.googleapis.com
• Google Cloud IAM API: iam.googleapis.com
• Google Cloud Storage API storage-api.googleapis.com
• Google Cloud Service Usage API: serviceusage.googleapis.com
• Google Cloud Build API: cloudbuild.googleapis.com
• Google Cloud Source Repo API: sourcerepo.googleapis.com
• Google Cloud KMS API: cloudkms.googleapis.com

This API can be enabled in the default project created during establishing an organization.

Contributing

Refer to the contribution guidelines for information on contributing to this module.