
Commit

fix: split out ICR handling (#450)
huayuenh authored Jul 25, 2024
1 parent 665b7c9 commit 02b7c53
Showing 12 changed files with 112 additions and 126 deletions.
5 changes: 4 additions & 1 deletion README.md
Expand Up @@ -81,8 +81,10 @@ statement instead the previous block.
| [ibm_cd_tekton_pipeline_trigger_property.ci_pipeline_webhook_branch_property](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cd_tekton_pipeline_trigger_property) | resource |
| [ibm_cd_tekton_pipeline_trigger_property.ci_pipeline_webhook_name_property](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cd_tekton_pipeline_trigger_property) | resource |
| [ibm_cd_tekton_pipeline_trigger_property.ci_pipeline_webhook_repo_url_property](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cd_tekton_pipeline_trigger_property) | resource |
| [ibm_cr_namespace.cr_namespace](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cr_namespace) | resource |
| [ibm_resource_instance.cd_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource |
| [null_resource.ci_pipeline_run](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [random_string.resource_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
| [random_string.webhook_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
| [ibm_resource_group.resource_group](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/resource_group) | data source |

Expand Down Expand Up @@ -547,7 +549,7 @@ statement instead the previous block.
| <a name="input_create_ci_toolchain"></a> [create\_ci\_toolchain](#input\_create\_ci\_toolchain) | Flag which determines if the DevSecOps CI toolchain is created. If this toolchain is not created then values must be set for the following variables, evidence\_repo\_url, issues\_repo\_url and inventory\_repo\_url. | `bool` | `true` | no |
| <a name="input_create_cos_api_key"></a> [create\_cos\_api\_key](#input\_create\_cos\_api\_key) | Set to `true` to create and add a `cos-api-key` to the Secrets Provider. | `bool` | `false` | no |
| <a name="input_create_ibmcloud_api_key"></a> [create\_ibmcloud\_api\_key](#input\_create\_ibmcloud\_api\_key) | Set to `true` to create and add an `ibmcloud-api-key` to the Secrets Provider. | `bool` | `false` | no |
| <a name="input_create_icr_namespace"></a> [create\_icr\_namespace](#input\_create\_icr\_namespace) | Set to `true` to create the namespace. | `bool` | `false` | no |
| <a name="input_create_icr_namespace"></a> [create\_icr\_namespace](#input\_create\_icr\_namespace) | Set to `true` to have Terraform create the registry namespace. Setting to `false` will have the CI pipeline create the namespace if it does not already exist. Note: If a Terraform destroy is used, the ICR namespace along with all images will be removed. | `bool` | `false` | no |
| <a name="input_create_secret_group"></a> [create\_secret\_group](#input\_create\_secret\_group) | Set to `true` to create the specified Secrets Manager secret group. | `bool` | `false` | no |
| <a name="input_create_signing_certificate"></a> [create\_signing\_certificate](#input\_create\_signing\_certificate) | Set to `true` to create and add the `signing-certificate` to the Secrets Provider. | `bool` | `false` | no |
| <a name="input_create_signing_key"></a> [create\_signing\_key](#input\_create\_signing\_key) | Set to `true` to create and add a `signing_key`to the Secrets Provider. | `bool` | `false` | no |
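Review bot: the destroy warning added to the `create_icr_namespace` description deserves a matching guard in code. `ibm_cr_namespace.cr_namespace` is now a root-module resource whose `name` is computed from `var.prefix`, `var.registry_namespace` and the random suffix (see main.tf in this commit), so not only `terraform destroy` but any change to those inputs will most likely force replacement of the namespace and delete every image in it. Consider `lifecycle { prevent_destroy = true }` on the resource, or at least extend this description to say that changing the prefix or toggling `add_container_name_suffix` also replaces the namespace.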
Expand Down Expand Up @@ -646,6 +648,7 @@ statement instead the previous block.
| <a name="output_compliance_ci_toolchain_id"></a> [compliance\_ci\_toolchain\_id](#output\_compliance\_ci\_toolchain\_id) | The ID of the Compliance CI Toolchain |
| <a name="output_compliance_ci_toolchain_url"></a> [compliance\_ci\_toolchain\_url](#output\_compliance\_ci\_toolchain\_url) | The Compliance CI Toolchain URL |
| <a name="output_evidence_repo_url"></a> [evidence\_repo\_url](#output\_evidence\_repo\_url) | The Evidence Repo URL |
| <a name="output_icr_namespace_name"></a> [icr\_namespace\_name](#output\_icr\_namespace\_name) | The name of the targets ICR namespace. |
| <a name="output_inventory_repo_url"></a> [inventory\_repo\_url](#output\_inventory\_repo\_url) | The Inventory Repo URL |
| <a name="output_issues_repo_url"></a> [issues\_repo\_url](#output\_issues\_repo\_url) | The Issues Repo URL |
| <a name="output_key_protect_instance_id"></a> [key\_protect\_instance\_id](#output\_key\_protect\_instance\_id) | The Key Protect Instance ID |
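Review bot: typo in the new `icr_namespace_name` output description: "The name of the targets ICR namespace." should read "The name of the target ICR namespace." The same string is introduced in outputs.tf and code-engine/outputs.tf in this commit, so fix it there and regenerate the README rather than editing the table by hand.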
30 changes: 22 additions & 8 deletions code-engine/main.tf
Expand Up @@ -62,14 +62,33 @@ locals {
cd_repositories_prefix = (var.cd_repositories_prefix == "") ? var.repositories_prefix : var.cd_repositories_prefix
cc_repositories_prefix = (var.cc_repositories_prefix == "") ? var.repositories_prefix : var.cc_repositories_prefix

enable_prereqs = ((var.create_icr_namespace == true) || (var.create_signing_certificate == true) || (var.create_secret_group == true) ||
enable_prereqs = ((var.create_signing_certificate == true) || (var.create_secret_group == true) ||
(var.create_ibmcloud_api_key == true) || (var.create_cos_api_key == true) || (var.create_signing_key == true)) ? true : false

registry_namespace_suffix = (var.add_container_name_suffix) ? format("%s-%s", var.registry_namespace, random_string.resource_suffix[0].result) : var.registry_namespace
registry_namespace = (var.prefix == "") ? local.registry_namespace_suffix : format("%s-%s", var.prefix, local.registry_namespace_suffix)
}

data "ibm_resource_group" "resource_group" {
name = var.toolchain_resource_group
}

#################### ICR ###########################

resource "random_string" "resource_suffix" {
count = (var.add_container_name_suffix) ? 1 : 0
length = 4
special = false
upper = false
}

resource "ibm_cr_namespace" "cr_namespace" {
count = ((var.registry_namespace != "") && (var.create_icr_namespace == true)) ? 1 : 0
name = local.registry_namespace
resource_group_id = data.ibm_resource_group.resource_group.id
}

################ Experimental #####################
resource "ibm_resource_instance" "cd_instance" {
count = (var.create_cd_instance) ? 1 : 0
name = (var.prefix == "") ? var.cd_instance_name : format("${var.prefix}-%s", var.cd_instance_name)
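Review bot: `ibm_cr_namespace.cr_namespace` is skipped without any error when `var.registry_namespace` is empty even if `create_icr_namespace` is true (the `count` condition requires both), and in that case `local.registry_namespace` still evaluates to `""` or `"<prefix>-"` and is handed to the CI toolchain further down. Add a `precondition` on the resource (or a `validation` block on `registry_namespace`) that rejects an empty namespace when `create_icr_namespace` is true. Two smaller points: `enable_prereqs = (...) ? true : false` can simply be `enable_prereqs = var.create_signing_certificate || var.create_secret_group || ...` since the operands are already booleans, and the concatenated `<prefix>-<namespace>-<suffix>` string should be checked against the registry's namespace naming rules (length and allowed characters), which an arbitrary prefix plus the 4-character suffix can easily exceed.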
Expand All @@ -82,25 +101,20 @@ resource "ibm_resource_instance" "cd_instance" {
module "prereqs" {
count = (local.enable_prereqs) ? 1 : 0
source = "../prereqs"
depends_on = [data.ibm_resource_group.resource_group]
create_icr_namespace = var.create_icr_namespace
create_ibmcloud_api_key = var.create_ibmcloud_api_key
create_cos_api_key = var.create_cos_api_key
create_signing_key = var.create_signing_key
create_signing_certificate = var.create_signing_certificate
add_container_name_suffix = var.add_container_name_suffix
sm_name = var.sm_name
sm_location = var.sm_location
sm_secret_group_name = var.sm_secret_group
registry_namespace = var.registry_namespace
resource_group_id = data.ibm_resource_group.resource_group.id
sm_resource_group = var.sm_resource_group
create_secret_group = var.create_secret_group
cos_api_key_secret_name = var.cos_api_key_secret_name
iam_api_key_secret_name = var.pipeline_ibmcloud_api_key_secret_name
signing_key_secret_name = var.ci_signing_key_secret_name
signing_certifcate_secret_name = var.cd_code_signing_cert_secret_name
sm_exists = var.enable_secrets_manager
prefix = var.prefix
}

module "devsecops_ci_toolchain" {
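Review bot: dropping `create_icr_namespace`, `add_container_name_suffix`, `registry_namespace`, `resource_group_id` and `prefix` from the `prereqs` module call only validates if those variables were also removed from `prereqs/variables.tf` (or given defaults) in this commit; the summary says 12 files changed but only seven are rendered here, so please confirm, otherwise `terraform validate` fails with missing required arguments. Removing `depends_on = [data.ibm_resource_group.resource_group]` is consistent with no longer passing `resource_group_id`, but double-check that the module does not still resolve the resource group by name internally through `sm_resource_group`.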
Expand All @@ -112,7 +126,7 @@ module "devsecops_ci_toolchain" {
toolchain_region = (var.ci_toolchain_region == "") ? var.toolchain_region : replace(replace(var.ci_toolchain_region, "ibm:yp:", ""), "ibm:ys1:", "")
toolchain_resource_group = (var.ci_toolchain_resource_group == "") ? var.toolchain_resource_group : var.ci_toolchain_resource_group
toolchain_description = var.ci_toolchain_description
registry_namespace = (local.enable_prereqs) ? module.prereqs[0].registry_namespace : var.registry_namespace
registry_namespace = local.registry_namespace
ibmcloud_api = var.ibmcloud_api
compliance_base_image = (var.ci_compliance_base_image == "") ? var.compliance_base_image : var.ci_compliance_base_image
ci_pipeline_branch = (var.ci_compliance_pipeline_branch == "") ? var.compliance_pipeline_branch : var.ci_compliance_pipeline_branch
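Review bot: this line changes behaviour on the `create_icr_namespace = false` path. Previously the toolchain received the name built by the `prereqs` module only when that module was enabled and plain `var.registry_namespace` otherwise; now `local.registry_namespace` always applies the prefix and, when `add_container_name_suffix` is set, a random 4-character suffix, so the CI pipeline will create a namespace with a random suffix that Terraform does not manage. If that is intended, say so in the `add_container_name_suffix` description; if not, gate the suffix on `create_icr_namespace` as well.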
6 changes: 6 additions & 0 deletions code-engine/outputs.tf
Expand Up @@ -86,4 +86,10 @@ output "pr_pipeline_id" {
description = "The PR pipeline Id"
value = try(module.devsecops_ci_toolchain[0].pr_pipeline_id, "")
}

output "icr_namespace_name" {
description = "The name of the targets ICR namespace."
value = (var.prefix == "") ? local.registry_namespace_suffix : local.registry_namespace
}

#############################################################################
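Review bot: the ternary in `icr_namespace_name` is redundant. `local.registry_namespace` (added to main.tf in this commit) already returns `local.registry_namespace_suffix` when `var.prefix == ""`, so both branches produce the same value; `value = local.registry_namespace` is equivalent and is exactly what the `devsecops_ci_toolchain` module receives. Also "targets" should be "target" in the description.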
2 changes: 1 addition & 1 deletion code-engine/variables.tf
Expand Up @@ -3922,7 +3922,7 @@ variable "create_signing_certificate" {

variable "create_icr_namespace" {
type = bool
description = "Set to `true` to create the namespace."
description = "Set to `true` to have Terraform create the registry namespace. Setting to `false` will have the CI pipeline create the namespace if it does not already exist. Note: If a Terraform destroy is used, the ICR namespace along with all images will be removed."
default = false
}
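Review bot: the description should also say that the namespace is created only when `registry_namespace` is non-empty, which is the `count` condition on `ibm_cr_namespace.cr_namespace` in main.tf; with `create_icr_namespace = true` and the default empty namespace the user gets nothing and no error. A `precondition` on the resource that checks `var.registry_namespace != ""` whenever this flag is true would turn that silent skip into a plan-time failure.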

81 changes: 41 additions & 40 deletions ibm_catalog.json
Expand Up @@ -32,66 +32,66 @@
{
"profile": {
"name": "IBM Cloud Framework for Financial Services",
"version": "1.5.0"
"version": "1.6.0"
},
"names": [
"CM-2(0)",
"CM-2",
"CM-2(1)(a)",
"CM-2(1)(b)",
"CM-2(1)(c)",
"CM-2(2)(0)",
"CM-2(3)(0)",
"CM-2(2)",
"CM-2(3)",
"CM-3(a)",
"CM-3(b)",
"CM-3(c)",
"CM-3(d)",
"CM-3(e)",
"CM-3(f)",
"CM-3(g)",
"CM-3(2)(0)",
"CM-4(0)",
"CM-4(1)(0)",
"CM-5(0)",
"CM-3(2)",
"CM-4",
"CM-4(1)",
"CM-5",
"CM-6(a)",
"CM-6(b)",
"CM-6(c)",
"CM-6(d)",
"CM-6(1)(0)",
"CM-6(1)",
"CM-7(b)",
"CM-7(1)(a)",
"CM-8(a)",
"CM-8(b)",
"CM-8(1)(0)",
"CM-8(2)(0)",
"CM-8(1)",
"CM-8(2)",
"CM-9(a)",
"CM-9(b)",
"CM-9(c)",
"CM-9(d)",
"CM-10(1)(0)",
"CM-10(1)",
"RA-5(a)",
"RA-5(b)",
"RA-5(c)",
"RA-5(d)",
"RA-5(1)(0)",
"RA-5(2)(0)",
"RA-5(3)(0)",
"RA-5(1)",
"RA-5(2)",
"RA-5(3)",
"SA-3(a)",
"SA-3(d)",
"SA-8(0)",
"SA-8",
"SA-10(a)",
"SA-10(b)",
"SA-10(c)",
"SA-10(d)",
"SA-10(e)",
"SA-10(1)(0)",
"SA-10(1)",
"SA-15(a)",
"SI-2(a)",
"SI-2(b)",
"SI-2(c)",
"SI-2(d)",
"SI-2(2)(0)",
"SI-7(0)",
"SI-10(0)"
"SI-2(2)",
"SI-7",
"SI-10"
]
}
]
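Review bot: the control identifiers lose their trailing `(0)` suffix (`CM-2(0)` becomes `CM-2`, `SI-10(0)` becomes `SI-10`, and so on) together with the profile bump from 1.5.0 to 1.6.0; if the catalog validates these names against the named profile version, please confirm each entry matches the 1.6.0 naming exactly. Note also that the second `names` list further down in this file adds `SA-4(3)` while this one does not, so either this list is missing it or the two blocks intentionally differ.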
Expand Down Expand Up @@ -3953,66 +3953,67 @@
{
"profile": {
"name": "IBM Cloud Framework for Financial Services",
"version": "1.5.0"
"version": "1.6.0"
},
"names": [
"CM-2(0)",
"CM-2",
"CM-2(1)(a)",
"CM-2(1)(b)",
"CM-2(1)(c)",
"CM-2(2)(0)",
"CM-2(3)(0)",
"CM-2(2)",
"CM-2(3)",
"CM-3(a)",
"CM-3(b)",
"CM-3(c)",
"CM-3(d)",
"CM-3(e)",
"CM-3(f)",
"CM-3(g)",
"CM-3(2)(0)",
"CM-4(0)",
"CM-4(1)(0)",
"CM-5(0)",
"CM-3(2)",
"CM-4",
"CM-4(1)",
"SA-4(3)",
"CM-5",
"CM-6(a)",
"CM-6(b)",
"CM-6(c)",
"CM-6(d)",
"CM-6(1)(0)",
"CM-6(1)",
"CM-7(b)",
"CM-7(1)(a)",
"CM-8(a)",
"CM-8(b)",
"CM-8(1)(0)",
"CM-8(2)(0)",
"CM-8(1)",
"CM-8(2)",
"CM-9(a)",
"CM-9(b)",
"CM-9(c)",
"CM-9(d)",
"CM-10(1)(0)",
"CM-10(1)",
"RA-5(a)",
"RA-5(b)",
"RA-5(c)",
"RA-5(d)",
"RA-5(1)(0)",
"RA-5(2)(0)",
"RA-5(3)(0)",
"RA-5(1)",
"RA-5(2)",
"RA-5(3)",
"SA-3(a)",
"SA-3(d)",
"SA-8(0)",
"SA-8",
"SA-10(a)",
"SA-10(b)",
"SA-10(c)",
"SA-10(d)",
"SA-10(e)",
"SA-10(1)(0)",
"SA-10(1)",
"SA-15(a)",
"SI-2(a)",
"SI-2(b)",
"SI-2(c)",
"SI-2(d)",
"SI-2(2)(0)",
"SI-7(0)",
"SI-10(0)"
"SI-2(2)",
"SI-7",
"SI-10"
]
}
]
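Review bot: `SA-4(3)` is inserted between `CM-4(1)` and `CM-5`, which breaks the otherwise family-ordered list, and it does not appear in the first `names` list earlier in this file. Move it next to the other `SA-*` entries (after `SA-3(d)`) and confirm whether the first block should carry it as well.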
30 changes: 22 additions & 8 deletions main.tf
Expand Up @@ -45,8 +45,11 @@ locals {
cd_repositories_prefix = (var.cd_repositories_prefix == "") ? var.repositories_prefix : var.cd_repositories_prefix
cc_repositories_prefix = (var.cc_repositories_prefix == "") ? var.repositories_prefix : var.cc_repositories_prefix

enable_prereqs = ((var.create_icr_namespace == true) || (var.create_signing_certificate == true) || (var.create_secret_group == true) ||
enable_prereqs = ((var.create_signing_certificate == true) || (var.create_secret_group == true) ||
(var.create_ibmcloud_api_key == true) || (var.create_cos_api_key == true) || (var.create_signing_key == true)) ? true : false

registry_namespace_suffix = (var.add_container_name_suffix) ? format("%s-%s", var.registry_namespace, random_string.resource_suffix[0].result) : var.registry_namespace
registry_namespace = (var.prefix == "") ? local.registry_namespace_suffix : format("%s-%s", var.prefix, local.registry_namespace_suffix)
}
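Review bot: these locals are a verbatim copy of the block added to code-engine/main.tf in the same commit, as are the ICR resources and the `prereqs` call changes below; duplicated naming logic drifts easily, so consider moving suffix generation and `ibm_cr_namespace` into a small shared module called from both roots. Style: `(...) ? true : false` on an already boolean expression can be dropped, and the `== true` comparisons are redundant on `bool` variables.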


Expand All @@ -63,28 +66,39 @@ resource "ibm_resource_instance" "cd_instance" {
resource_group_id = data.ibm_resource_group.resource_group.id
}

#################### ICR ###########################

resource "random_string" "resource_suffix" {
count = (var.add_container_name_suffix) ? 1 : 0
length = 4
special = false
upper = false
}

resource "ibm_cr_namespace" "cr_namespace" {
count = ((var.registry_namespace != "") && (var.create_icr_namespace == true)) ? 1 : 0
name = local.registry_namespace
resource_group_id = data.ibm_resource_group.resource_group.id
}

################ Experimental #####################
module "prereqs" {
count = (local.enable_prereqs) ? 1 : 0
source = "./prereqs"
depends_on = [data.ibm_resource_group.resource_group]
create_icr_namespace = var.create_icr_namespace
create_ibmcloud_api_key = var.create_ibmcloud_api_key
create_cos_api_key = var.create_cos_api_key
create_signing_key = var.create_signing_key
create_signing_certificate = var.create_signing_certificate
add_container_name_suffix = var.add_container_name_suffix
sm_name = var.sm_name
sm_location = var.sm_location
sm_secret_group_name = var.sm_secret_group
registry_namespace = var.registry_namespace
resource_group_id = data.ibm_resource_group.resource_group.id
sm_resource_group = var.sm_resource_group
create_secret_group = var.create_secret_group
cos_api_key_secret_name = var.cos_api_key_secret_name
iam_api_key_secret_name = var.pipeline_ibmcloud_api_key_secret_name
signing_key_secret_name = var.ci_signing_key_secret_name
signing_certifcate_secret_name = var.cd_code_signing_cert_secret_name
sm_exists = var.enable_secrets_manager
prefix = var.prefix
}

module "devsecops_ci_toolchain" {
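Review bot: `local.registry_namespace_suffix` indexes `random_string.resource_suffix[0]`, which is only safe because the resource's `count` uses the same `var.add_container_name_suffix` condition; if either side is changed independently later, the plan fails with an index error. Either keep the two tied to one local (for example `local.use_suffix`) or reference the result through `one(random_string.resource_suffix[*].result)` with an explicit null check. Separately, the inputs removed from the `prereqs` call (`create_icr_namespace`, `add_container_name_suffix`, `registry_namespace`, `resource_group_id`, `prefix`) must also be removed from `prereqs/variables.tf` or given defaults; that file is not among the rendered changes, so please confirm.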
Expand All @@ -96,7 +110,7 @@ module "devsecops_ci_toolchain" {
toolchain_region = (var.ci_toolchain_region == "") ? var.toolchain_region : replace(replace(var.ci_toolchain_region, "ibm:yp:", ""), "ibm:ys1:", "")
toolchain_resource_group = (var.ci_toolchain_resource_group == "") ? var.toolchain_resource_group : var.ci_toolchain_resource_group
toolchain_description = var.ci_toolchain_description
registry_namespace = (local.enable_prereqs) ? module.prereqs[0].registry_namespace : var.registry_namespace
registry_namespace = local.registry_namespace
ibmcloud_api = var.ibmcloud_api
compliance_base_image = (var.ci_compliance_base_image == "") ? var.compliance_base_image : var.ci_compliance_base_image
ci_pipeline_branch = (var.ci_compliance_pipeline_branch == "") ? var.compliance_pipeline_branch : var.ci_compliance_pipeline_branch
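Review bot: with `registry_namespace = local.registry_namespace` the `prereqs` module's `registry_namespace` output is no longer consumed by this root. If `prereqs/outputs.tf` still declares it, or if prereqs still creates its own `random_string` and `ibm_cr_namespace` (neither file is rendered here), remove them in this commit, otherwise a configuration that enables prereqs can end up generating a second suffix or a second namespace that nothing references.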
6 changes: 6 additions & 0 deletions outputs.tf
Expand Up @@ -86,4 +86,10 @@ output "pr_pipeline_id" {
description = "The PR pipeline Id"
value = try(module.devsecops_ci_toolchain[0].pr_pipeline_id, "")
}

output "icr_namespace_name" {
description = "The name of the targets ICR namespace."
value = (var.prefix == "") ? local.registry_namespace_suffix : local.registry_namespace
}

#############################################################################
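Review bot: `(var.prefix == "") ? local.registry_namespace_suffix : local.registry_namespace` always equals `local.registry_namespace`, because that local already returns `local.registry_namespace_suffix` for an empty prefix (see the locals block in main.tf in this commit); simplify to `value = local.registry_namespace` so the output and the value passed to the toolchain cannot diverge. Description typo: "targets" should be "target".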