From 6cbf00eed293e9913cbec65e075d7ecf82f9cb17 Mon Sep 17 00:00:00 2001
From: huayuenh <48723418+huayuenh@users.noreply.github.com>
Date: Tue, 12 Nov 2024 09:35:29 +0000
Subject: [PATCH] fix: optionally include compliance pipeline repo in group
repo settings (#509)
---
README.md | 4 +++
ibm_catalog.json | 56 ++++++++++++++++++++++++++++++
main.tf | 44 ++++++++++++-----------
prereqs/main.tf | 43 ++++++++++++++---------
solutions/code-engine/README.md | 4 +++
solutions/code-engine/main.tf | 4 +++
solutions/code-engine/variables.tf | 24 +++++++++++++
solutions/kubernetes/README.md | 4 +++
solutions/kubernetes/main.tf | 4 +++
solutions/kubernetes/variables.tf | 24 +++++++++++++
variables.tf | 24 +++++++++++++
11 files changed, 197 insertions(+), 38 deletions(-)
diff --git a/README.md b/README.md
index 8c68a9f..ebaf3e3 100644
--- a/README.md
+++ b/README.md
@@ -468,11 +468,15 @@ statement instead the previous block.
| [compliance\_pipeline\_existing\_repo\_url](#input\_compliance\_pipeline\_existing\_repo\_url) | The URL of an existing compliance pipelines repository. | `string` | `""` | no |
| [compliance\_pipeline\_group](#input\_compliance\_pipeline\_group) | Specify user or group for compliance pipline repository. | `string` | `""` | no |
| [compliance\_pipeline\_repo\_auth\_type](#input\_compliance\_pipeline\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
+| [compliance\_pipeline\_repo\_blind\_connection](#input\_compliance\_pipeline\_repo\_blind\_connection) | Setting this value to `true` means the server is not addressable on the public internet. IBM Cloud will not be able to validate the connection details you provide. Certain functionality that requires API access to the git server will be disabled. Delivery pipeline will only work using a private worker that has network access to the git server. | `string` | `""` | no |
| [compliance\_pipeline\_repo\_git\_id](#input\_compliance\_pipeline\_repo\_git\_id) | Set this value to `github` for github.com, or to the ID of a custom GitHub Enterprise server. | `string` | `""` | no |
| [compliance\_pipeline\_repo\_git\_provider](#input\_compliance\_pipeline\_repo\_git\_provider) | Git provider for compliance pipeline repo. If not set will default to `hostedgit`. | `string` | `""` | no |
| [compliance\_pipeline\_repo\_git\_token\_secret\_crn](#input\_compliance\_pipeline\_repo\_git\_token\_secret\_crn) | The CRN of the Git token used for accessing the sample application repository. | `string` | `""` | no |
| [compliance\_pipeline\_repo\_git\_token\_secret\_name](#input\_compliance\_pipeline\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider used for accessing the compliance pipelines repository. | `string` | `""` | no |
+| [compliance\_pipeline\_repo\_root\_url](#input\_compliance\_pipeline\_repo\_root\_url) | (Optional) The Root URL of the server. e.g. https://git.example.com. | `string` | `""` | no |
| [compliance\_pipeline\_repo\_secret\_group](#input\_compliance\_pipeline\_repo\_secret\_group) | Secret group for the Compliance Pipeline repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
+| [compliance\_pipeline\_repo\_title](#input\_compliance\_pipeline\_repo\_title) | (Optional) The title of the server. e.g. My Git Enterprise Server. | `string` | `""` | no |
+| [compliance\_pipeline\_repo\_use\_group\_settings](#input\_compliance\_pipeline\_repo\_use\_group\_settings) | Set to `true` to apply group level repository settings to the compliance pipeline repository. See `repo_git_provider` as an example. | `bool` | `false` | no |
| [compliance\_pipeline\_source\_repo\_url](#input\_compliance\_pipeline\_source\_repo\_url) | The URL of a compliance pipelines repository to clone. | `string` | `""` | no |
| [continuous\_delivery\_service\_name](#input\_continuous\_delivery\_service\_name) | The name of the Continuous Delivery service instance. | `string` | `"cd-devsecops"` | no |
| [cos\_api\_key\_secret\_crn](#input\_cos\_api\_key\_secret\_crn) | The CRN of the Cloud Object Storage apikey. Applies to the CI, CD and CC toolchains. Can beset independently using `ci_cos_api_key_secret_crn`,`cd_cos_api_key_secret_crn`,`cc_cos_api_key_secret_crn`. | `string` | `""` | no |
diff --git a/ibm_catalog.json b/ibm_catalog.json
index a2f9694..83a4ea0 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -397,6 +397,34 @@
"description": "Set to use an existing issues repository.",
"required": false
},
+ {
+ "key": "compliance_pipeline_repo_use_group_settings",
+ "type": "boolean",
+ "default_value": true,
+ "description": "Set to `true` to apply group level repository settings to the compliance pipeline repository. See `repo_git_provider` as an example.",
+ "required": false
+ },
+ {
+ "key": "compliance_pipeline_repo_title",
+ "type": "string",
+ "default_value": "",
+ "description": "(Optional) The title of the server. e.g. My Git Enterprise Server.",
+ "required": false
+ },
+ {
+ "key": "compliance_pipeline_repo_root_url",
+ "type": "string",
+ "default_value": "",
+ "description": "(Optional) The Root URL of the server. e.g. https://git.example.com.",
+ "required": false
+ },
+ {
+ "key": "compliance_pipeline_repo_blind_connection",
+ "type": "string",
+ "default_value": "false",
+ "description": "Setting this value to `true` means the server is not addressable on the public internet. IBM Cloud will not be able to validate the connection details you provide. Certain functionality that requires API access to the git server will be disabled. Delivery pipeline will only work using a private worker that has network access to the git server.",
+ "required": false
+ },
{
"key": "compliance_pipeline_repo_git_provider",
"type": "string",
@@ -2312,6 +2340,34 @@
"description": "Set to use an existing issues repository.",
"required": false
},
+ {
+ "key": "compliance_pipeline_repo_use_group_settings",
+ "type": "boolean",
+ "default_value": true,
+ "description": "Set to `true` to apply group level repository settings to the compliance pipeline repository. See `repo_git_provider` as an example.",
+ "required": false
+ },
+ {
+ "key": "compliance_pipeline_repo_title",
+ "type": "string",
+ "default_value": "",
+ "description": "(Optional) The title of the server. e.g. My Git Enterprise Server.",
+ "required": false
+ },
+ {
+ "key": "compliance_pipeline_repo_root_url",
+ "type": "string",
+ "default_value": "",
+ "description": "(Optional) The Root URL of the server. e.g. https://git.example.com.",
+ "required": false
+ },
+ {
+ "key": "compliance_pipeline_repo_blind_connection",
+ "type": "string",
+ "default_value": "false",
+ "description": "Setting this value to `true` means the server is not addressable on the public internet. IBM Cloud will not be able to validate the connection details you provide. Certain functionality that requires API access to the git server will be disabled. Delivery pipeline will only work using a private worker that has network access to the git server.",
+ "required": false
+ },
{
"key": "compliance_pipeline_repo_git_provider",
"type": "string",
diff --git a/main.tf b/main.tf
index dd211f7..c69a4fb 100644
--- a/main.tf
+++ b/main.tf
@@ -54,7 +54,7 @@ locals {
cd_repositories_prefix = (var.cd_repositories_prefix == "") ? var.repositories_prefix : var.cd_repositories_prefix
cc_repositories_prefix = (var.cc_repositories_prefix == "") ? var.repositories_prefix : var.cc_repositories_prefix
- enable_prereqs = ((var.create_secret_group == true) || (var.create_ibmcloud_api_key == true) || (var.create_cos_api_key == true) || (var.create_signing_key == true)) ? true : false
+ enable_prereqs = ((var.create_secret_group == true) || (var.create_ibmcloud_api_key == true) || (var.create_cos_api_key == true) || (var.create_signing_key == true)) || (var.create_git_token == true) ? true : false
registry_namespace_suffix = (var.add_container_name_suffix) ? format("%s-%s", var.registry_namespace, random_string.resource_suffix[0].result) : var.registry_namespace
registry_namespace = (var.prefix == "") ? local.registry_namespace_suffix : format("%s-%s", var.prefix, local.registry_namespace_suffix)
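Review bot: The new `create_git_token` term is appended outside the parenthesised group and the whole expression is still wrapped in `? true : false`, which is redundant for a boolean and makes the precedence look significant when it is not (`||` binds tighter than `?:` in HCL, so the result is the same either way). `enable_prereqs = var.create_secret_group || var.create_ibmcloud_api_key || var.create_cos_api_key || var.create_signing_key || var.create_git_token` says the same thing without the `== true` comparisons or the trailing conditional. The `locals` block continues outside this hunk.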
@@ -79,6 +79,7 @@ locals {
cc_compliance_pipeline_group = (var.cc_compliance_pipeline_group == "") ? var.compliance_pipeline_group : var.cc_compliance_pipeline_group
compliance_pipeline_repo_existing_git_provider = (
(var.compliance_pipeline_repo_git_provider != "") ? var.compliance_pipeline_repo_git_provider :
+ (var.compliance_pipeline_repo_use_group_settings == false) ? "hostedgit" :
(var.repo_git_provider != "") ? var.repo_git_provider : "hostedgit"
)
@@ -372,7 +373,7 @@ module "devsecops_ci_toolchain" {
issues_repo_auth_type = (local.ci_issues_repo_auth_type == "") ? local.repo_auth_type : local.ci_issues_repo_auth_type
evidence_repo_auth_type = (local.ci_evidence_repo_auth_type == "") ? local.repo_auth_type : local.ci_evidence_repo_auth_type
app_repo_auth_type = (local.ci_app_repo_auth_type == "") ? local.repo_auth_type : local.ci_app_repo_auth_type
- compliance_pipeline_repo_auth_type = (local.ci_compliance_pipeline_repo_auth_type == "") ? local.repo_auth_type : local.ci_compliance_pipeline_repo_auth_type
+ compliance_pipeline_repo_auth_type = (var.compliance_pipeline_repo_use_group_settings) ? local.repo_auth_type : local.ci_compliance_pipeline_repo_auth_type
#GROUPS/USERS FOR REPOS
app_group = (local.ci_app_group == "") ? var.repo_group : local.ci_app_group
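Review bot: With `compliance_pipeline_repo_use_group_settings` true, an explicitly set `ci_compliance_pipeline_repo_auth_type` (or the shared value it falls back to) is now silently ignored in favour of `local.repo_auth_type`, whereas the line it replaces and the `compliance_pipeline_repo_existing_git_provider` local earlier in this file both give the explicit per-repo value precedence. Since this picks between `oauth` and `pat` for the repository that holds the pipeline definitions, a caller who deliberately configured a PAT-backed auth for that repo gets the group setting instead with no warning. Suggest `(var.compliance_pipeline_repo_use_group_settings && local.ci_compliance_pipeline_repo_auth_type == "") ? local.repo_auth_type : local.ci_compliance_pipeline_repo_auth_type`, which keeps the flag as a fallback rather than an override; whether the downstream module tolerates an empty auth type when the flag is false is not visible here. The module block continues outside this hunk.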
@@ -380,7 +381,7 @@ module "devsecops_ci_toolchain" {
inventory_group = (local.ci_inventory_group == "") ? var.repo_group : local.ci_inventory_group
evidence_group = (local.ci_evidence_group == "") ? var.repo_group : local.ci_evidence_group
pipeline_config_group = (local.ci_pipeline_config_group == "") ? var.repo_group : local.ci_pipeline_config_group
- compliance_pipeline_group = (local.ci_compliance_pipeline_group == "") ? var.repo_group : local.ci_compliance_pipeline_group
+ compliance_pipeline_group = (var.compliance_pipeline_repo_use_group_settings) ? var.repo_group : local.ci_compliance_pipeline_group
#APP REPO
app_repo_clone_from_url = (local.ci_app_repo_clone_from_url == "") ? local.app_source_repo_url : local.ci_app_repo_clone_from_url
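Review bot: `compliance_pipeline_group` now takes `var.repo_group` whenever the flag is true even if `local.ci_compliance_pipeline_group` was set, so the compliance pipeline repository can be created under a different user or organisation than the one the caller explicitly asked for, and when the flag is false an unset value passes `""` through to the module. Every other group line in this hunk keeps the `== ""` fallback; the same shape here, `(var.compliance_pipeline_repo_use_group_settings && local.ci_compliance_pipeline_group == "") ? var.repo_group : local.ci_compliance_pipeline_group`, would preserve the explicit value and stay consistent with its neighbours. The module block continues outside this hunk.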
@@ -395,11 +396,11 @@ module "devsecops_ci_toolchain" {
app_repo_title = var.repo_title
#COMPLIANCE PIPELINE REPO
- compliance_pipelines_repo_blind_connection = var.repo_blind_connection
- compliance_pipelines_repo_root_url = var.repo_root_url
- compliance_pipelines_repo_title = var.repo_title
+ compliance_pipelines_repo_blind_connection = (var.compliance_pipeline_repo_use_group_settings) ? var.repo_blind_connection : var.compliance_pipeline_repo_blind_connection
+ compliance_pipelines_repo_root_url = (var.compliance_pipeline_repo_use_group_settings) ? var.repo_root_url : var.compliance_pipeline_repo_root_url
+ compliance_pipelines_repo_title = (var.compliance_pipeline_repo_use_group_settings) ? var.repo_title : var.compliance_pipeline_repo_title
compliance_pipeline_repo_git_provider = local.compliance_pipeline_repo_existing_git_provider
- compliance_pipelines_repo_git_id = var.compliance_pipeline_repo_git_id
+ compliance_pipelines_repo_git_id = (var.compliance_pipeline_repo_use_group_settings) ? var.repo_git_id : var.compliance_pipeline_repo_git_id
compliance_pipeline_existing_repo_url = var.compliance_pipeline_existing_repo_url
compliance_pipeline_source_repo_url = var.compliance_pipeline_source_repo_url
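Review bot: The four new conditionals choose `var.repo_*` or `var.compliance_pipeline_repo_*` purely on the flag, so when the flag is false and a per-repo value is left at its `""` default the module receives an empty `blind_connection`, `root_url`, `title` and `git_id` rather than any fallback; for `blind_connection` in particular, which decides whether IBM Cloud validates the git server at all, an empty string is neither `true` nor `false` and the downstream module's handling of it is not visible here. Consider resolving each of these once in `locals` with an explicit empty-string fallback, as `compliance_pipeline_repo_existing_git_provider` already does, and referencing the locals from the CI, CD and CC module blocks; that would also remove the triplicated expression. The module block continues outside this hunk.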
@@ -608,7 +609,7 @@ module "devsecops_cd_toolchain" {
issues_repo_auth_type = (local.cd_issues_repo_auth_type == "") ? local.repo_auth_type : local.cd_issues_repo_auth_type
evidence_repo_auth_type = (local.cd_evidence_repo_auth_type == "") ? local.repo_auth_type : local.cd_evidence_repo_auth_type
deployment_repo_auth_type = (var.cd_deployment_repo_auth_type == "") ? local.repo_auth_type : var.cd_deployment_repo_auth_type
- compliance_pipeline_repo_auth_type = (local.cd_compliance_pipeline_repo_auth_type == "") ? local.repo_auth_type : local.cd_compliance_pipeline_repo_auth_type
+ compliance_pipeline_repo_auth_type = (var.compliance_pipeline_repo_use_group_settings) ? local.repo_auth_type : local.cd_compliance_pipeline_repo_auth_type
change_management_repo_auth_type = (var.cd_change_management_repo_auth_type == "") ? local.repo_auth_type : var.cd_change_management_repo_auth_type
#GROUPS/USERS FOR REPOS
@@ -616,16 +617,16 @@ module "devsecops_cd_toolchain" {
inventory_group = (local.cd_inventory_group == "") ? var.repo_group : local.cd_inventory_group
evidence_group = (local.cd_evidence_group == "") ? var.repo_group : local.cd_evidence_group
pipeline_config_group = (local.cd_pipeline_config_group == "") ? var.repo_group : local.cd_pipeline_config_group
- compliance_pipeline_group = (local.cd_compliance_pipeline_group == "") ? var.repo_group : local.cd_compliance_pipeline_group
+ compliance_pipeline_group = (var.compliance_pipeline_repo_use_group_settings) ? var.repo_group : local.cd_compliance_pipeline_group
deployment_group = (var.cd_deployment_group == "") ? var.repo_group : var.cd_deployment_group
change_management_group = (var.cd_change_management_group == "") ? var.repo_group : var.cd_change_management_group
#COMPLIANCE PIPELINE REPO
- compliance_pipelines_repo_blind_connection = var.repo_blind_connection
- compliance_pipelines_repo_root_url = var.repo_root_url
- compliance_pipelines_repo_title = var.repo_title
+ compliance_pipelines_repo_blind_connection = (var.compliance_pipeline_repo_use_group_settings) ? var.repo_blind_connection : var.compliance_pipeline_repo_blind_connection
+ compliance_pipelines_repo_root_url = (var.compliance_pipeline_repo_use_group_settings) ? var.repo_root_url : var.compliance_pipeline_repo_root_url
+ compliance_pipelines_repo_title = (var.compliance_pipeline_repo_use_group_settings) ? var.repo_title : var.compliance_pipeline_repo_title
compliance_pipeline_repo_git_provider = local.compliance_pipeline_repo_existing_git_provider
- compliance_pipelines_repo_git_id = var.compliance_pipeline_repo_git_id
+ compliance_pipelines_repo_git_id = (var.compliance_pipeline_repo_use_group_settings) ? var.repo_git_id : var.compliance_pipeline_repo_git_id
compliance_pipeline_existing_repo_url = var.compliance_pipeline_existing_repo_url
compliance_pipeline_source_repo_url = var.compliance_pipeline_source_repo_url
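Review bot: This repeats the same four flag-driven conditionals as the CI module block, and the CC block further down repeats them a third time; the copies differ only in the module they sit in, so a later correction to one (for example an empty-string fallback) will not reach the others unless every copy is edited. Computing `compliance_pipelines_repo_blind_connection`, `_root_url`, `_title` and `_git_id` once in `locals` next to `compliance_pipeline_repo_existing_git_provider` and referencing those locals here would keep the three toolchains in step. The module block continues outside this hunk.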
@@ -853,24 +854,24 @@ module "devsecops_cc_toolchain" {
issues_repo_auth_type = (local.cc_issues_repo_auth_type == "") ? local.repo_auth_type : local.cc_issues_repo_auth_type
evidence_repo_auth_type = (local.cc_evidence_repo_auth_type == "") ? local.repo_auth_type : local.cc_evidence_repo_auth_type
app_repo_auth_type = (local.cc_app_repo_auth_type == "") ? local.repo_auth_type : local.cc_app_repo_auth_type
- compliance_pipeline_repo_auth_type = (local.cc_compliance_pipeline_repo_auth_type == "") ? local.repo_auth_type : local.cc_compliance_pipeline_repo_auth_type
+ compliance_pipeline_repo_auth_type = (var.compliance_pipeline_repo_use_group_settings) ? local.repo_auth_type : local.cc_compliance_pipeline_repo_auth_type
#GROUPS/USERS FOR REPOS
issues_group = (local.cc_issues_group == "") ? var.repo_group : local.cc_issues_group
inventory_group = (local.cc_inventory_group == "") ? var.repo_group : local.cc_inventory_group
evidence_group = (local.cc_evidence_group == "") ? var.repo_group : local.cc_evidence_group
pipeline_config_group = (local.cc_pipeline_config_group == "") ? var.repo_group : local.cc_pipeline_config_group
- compliance_pipeline_group = (local.cc_compliance_pipeline_group == "") ? var.repo_group : local.cc_compliance_pipeline_group
+ compliance_pipeline_group = (var.compliance_pipeline_repo_use_group_settings) ? var.repo_group : local.cc_compliance_pipeline_group
app_group = (local.cc_app_group == "") ? var.repo_group : local.cc_app_group
link_to_doi_toolchain = var.cc_link_to_doi_toolchain
#COMPLIANCE PIPELINE REPO
- compliance_pipelines_repo_blind_connection = var.repo_blind_connection
- compliance_pipelines_repo_root_url = var.repo_root_url
- compliance_pipelines_repo_title = var.repo_title
+ compliance_pipelines_repo_blind_connection = (var.compliance_pipeline_repo_use_group_settings) ? var.repo_blind_connection : var.compliance_pipeline_repo_blind_connection
+ compliance_pipelines_repo_root_url = (var.compliance_pipeline_repo_use_group_settings) ? var.repo_root_url : var.compliance_pipeline_repo_root_url
+ compliance_pipelines_repo_title = (var.compliance_pipeline_repo_use_group_settings) ? var.repo_title : var.compliance_pipeline_repo_title
compliance_pipeline_repo_git_provider = local.compliance_pipeline_repo_existing_git_provider
- compliance_pipelines_repo_git_id = var.compliance_pipeline_repo_git_id
+ compliance_pipelines_repo_git_id = (var.compliance_pipeline_repo_use_group_settings) ? var.repo_git_id : var.compliance_pipeline_repo_git_id
compliance_pipeline_existing_repo_url = var.compliance_pipeline_existing_repo_url
compliance_pipeline_source_repo_url = var.compliance_pipeline_source_repo_url
@@ -992,6 +993,7 @@ module "devsecops_cc_toolchain" {
# Random string for webhook token
resource "random_string" "webhook_secret" {
+ count = (var.autostart) ? 1 : 0
depends_on = [module.devsecops_ci_toolchain[0].ci_pipeline_id, module.devsecops_ci_toolchain[0].app_repo_url]
length = 48
special = false
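Review bot: `random_string` does not mark its `result` as sensitive, so the webhook token that is written into the pipeline trigger is printed in plan/apply output and stored unredacted in state; `random_password` takes the same `length` and `special` arguments and marks the value sensitive, so switching the resource type (and the two references later in this file) would be a small change, though it recreates the token and the trigger on the next apply. Separately, the new `count` keys on `var.autostart` while `depends_on` references `module.devsecops_ci_toolchain[0]`; if the CI toolchain can be disabled independently of `autostart` this fails at plan time, but that condition is not visible in this hunk. The resource block continues outside this hunk.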
@@ -1010,7 +1012,7 @@ resource "ibm_cd_tekton_pipeline_trigger" "ci_pipeline_webhook" {
type = "token_matches"
source = "payload"
key_name = "webhook-token"
- value = random_string.webhook_secret.result
+ value = random_string.webhook_secret[0].result
}
}
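Review bot: The token reference is now indexed `[0]`, but the trigger resource it sits in is itself created under a `count` (it is addressed as `ci_pipeline_webhook[0]` in the provisioner later in this file) whose condition is outside this hunk; if that condition is anything other than `var.autostart`, the trigger can exist while `random_string.webhook_secret` has zero instances and the index fails at plan time. Driving both `count` expressions from one shared local would make the coupling explicit and keep them from drifting apart. The resource block starts outside this hunk.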
@@ -1060,7 +1062,7 @@ resource "null_resource" "ci_pipeline_run" {
}
provisioner "local-exec" {
- command = "${path.root}/../../scripts/ci_start.sh \"${ibm_cd_tekton_pipeline_trigger.ci_pipeline_webhook[0].webhook_url}\" \"${random_string.webhook_secret.result}\""
+ command = "${path.root}/../../scripts/ci_start.sh \"${ibm_cd_tekton_pipeline_trigger.ci_pipeline_webhook[0].webhook_url}\" \"${random_string.webhook_secret[0].result}\""
interpreter = ["/bin/bash", "-c"]
quiet = true
}
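Review bot: The webhook token is still passed as a command-line argument to `ci_start.sh`, where it is visible to any local user through the process list for the duration of the call; `quiet = true` only stops Terraform from echoing the command. The `local-exec` provisioner accepts an `environment` map, so `environment = { WEBHOOK_TOKEN = random_string.webhook_secret[0].result }` with the token dropped from `command` keeps it out of argv, at the cost of updating `scripts/ci_start.sh` (outside this diff) to read the variable instead of `$2`. The `null_resource` block starts outside this hunk.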
diff --git a/prereqs/main.tf b/prereqs/main.tf
index f929936..9bb58f2 100644
--- a/prereqs/main.tf
+++ b/prereqs/main.tf
@@ -31,25 +31,30 @@ resource "time_static" "timestamp" {
####### SECRET GROUP ########################
resource "ibm_iam_service_id" "pipeline_service_id" {
- name = var.service_name_pipeline
+ count = (local.create_pipeline_api_key) ? 1 : 0
+ name = var.service_name_pipeline
}
resource "ibm_iam_service_id" "cos_service_id" {
- name = var.service_name_cos
+ count = (local.create_cos_api_key) ? 1 : 0
+ name = var.service_name_cos
}
data "ibm_iam_service_id" "pipeline_service_id" {
+ count = (local.create_pipeline_api_key) ? 1 : 0
depends_on = [ibm_iam_service_id.pipeline_service_id]
name = var.service_name_pipeline
}
data "ibm_iam_service_id" "cos_service_id" {
+ count = (local.create_cos_api_key) ? 1 : 0
depends_on = [ibm_iam_service_id.cos_service_id]
name = var.service_name_cos
}
resource "ibm_iam_service_policy" "cos_policy" {
- iam_service_id = ibm_iam_service_id.cos_service_id.id
+ count = (local.create_cos_api_key) ? 1 : 0
+ iam_service_id = ibm_iam_service_id.cos_service_id[0].id
roles = ["Reader", "Object Writer"]
resources {
@@ -59,7 +64,8 @@ resource "ibm_iam_service_policy" "cos_policy" {
}
resource "ibm_iam_service_policy" "pipeline_policy" {
- iam_service_id = ibm_iam_service_id.pipeline_service_id.id
+ count = (local.create_pipeline_api_key) ? 1 : 0
+ iam_service_id = ibm_iam_service_id.pipeline_service_id[0].id
roles = ["Editor"]
resources {
@@ -69,7 +75,8 @@ resource "ibm_iam_service_policy" "pipeline_policy" {
}
resource "ibm_iam_service_policy" "toolchain_policy" {
- iam_service_id = ibm_iam_service_id.pipeline_service_id.id
+ count = (local.create_pipeline_api_key) ? 1 : 0
+ iam_service_id = ibm_iam_service_id.pipeline_service_id[0].id
roles = ["Viewer", "Operator"]
resources {
service = "toolchain"
@@ -78,7 +85,8 @@ resource "ibm_iam_service_policy" "toolchain_policy" {
}
resource "ibm_iam_service_policy" "cr_policy" {
- iam_service_id = ibm_iam_service_id.pipeline_service_id.id
+ count = (local.create_pipeline_api_key) ? 1 : 0
+ iam_service_id = ibm_iam_service_id.pipeline_service_id[0].id
roles = ["Manager"]
resources {
service = "container-registry"
@@ -86,7 +94,8 @@ resource "ibm_iam_service_policy" "cr_policy" {
}
resource "ibm_iam_service_policy" "cd_policy" {
- iam_service_id = ibm_iam_service_id.pipeline_service_id.id
+ count = (local.create_pipeline_api_key) ? 1 : 0
+ iam_service_id = ibm_iam_service_id.pipeline_service_id[0].id
roles = ["Writer"]
resources {
service = "continuous-delivery"
@@ -95,8 +104,8 @@ resource "ibm_iam_service_policy" "cd_policy" {
}
resource "ibm_iam_service_policy" "kube_policy" {
- count = (var.create_kubernetes_access_policy) ? 1 : 0
- iam_service_id = ibm_iam_service_id.pipeline_service_id.id
+ count = ((var.create_kubernetes_access_policy == true) && (local.create_pipeline_api_key == true)) ? 1 : 0
+ iam_service_id = ibm_iam_service_id.pipeline_service_id[0].id
roles = ["Editor"]
resources {
service = "kubernetes"
@@ -105,8 +114,8 @@ resource "ibm_iam_service_policy" "kube_policy" {
}
resource "ibm_iam_service_policy" "ce_policy" {
- count = (var.create_code_engine_access_policy) ? 1 : 0
- iam_service_id = ibm_iam_service_id.pipeline_service_id.id
+ count = ((var.create_code_engine_access_policy) && (local.create_pipeline_api_key == true)) ? 1 : 0
+ iam_service_id = ibm_iam_service_id.pipeline_service_id[0].id
roles = ["Editor"]
resources {
service = "code-engine"
@@ -224,7 +233,7 @@ resource "ibm_sm_iam_credentials_configuration" "iam_credentials_configuration"
resource "ibm_sm_iam_credentials_secret" "iam_pipeline_apikey_credentials_secret" {
count = (local.create_pipeline_api_key) ? 1 : 0
- depends_on = [ibm_sm_secret_group.sm_secret_group, ibm_sm_iam_credentials_configuration.iam_credentials_configuration]
+ depends_on = [ibm_sm_secret_group.sm_secret_group, data.ibm_sm_secret_group.existing_sm_secret_group, ibm_sm_iam_credentials_configuration.iam_credentials_configuration]
instance_id = data.ibm_resource_instance.sm_instance[0].guid
region = var.sm_location
name = var.iam_api_key_secret_name
@@ -234,14 +243,14 @@ resource "ibm_sm_iam_credentials_secret" "iam_pipeline_apikey_credentials_secret
interval = var.rotation_period
unit = "day"
}
- secret_group_id = ibm_sm_secret_group.sm_secret_group[0].secret_group_id
- service_id = data.ibm_iam_service_id.pipeline_service_id.service_ids[0].id
+ secret_group_id = (var.create_secret_group) ? ibm_sm_secret_group.sm_secret_group[0].secret_group_id : data.ibm_sm_secret_group.existing_sm_secret_group[0].secret_group_id
+ service_id = data.ibm_iam_service_id.pipeline_service_id[0].service_ids[0].id
ttl = "7776000"
}
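Review bot: `service_id` is resolved through `data.ibm_iam_service_id.pipeline_service_id[0].service_ids[0].id`, a lookup by name that returns a list and takes its first element; IAM service ID names are not unique within an account, so if a service ID named `var.service_name_pipeline` already exists the rotating API key can be bound to that pre-existing identity rather than the one created at the top of this file. Because `ibm_iam_service_id.pipeline_service_id[0]` is managed in this same module, referencing it directly (`service_id = ibm_iam_service_id.pipeline_service_id[0].id`, assuming the secret accepts that identifier form) removes the ambiguity and the `depends_on` on the data source; the same applies to the COS secret below. The `secret_group_id` fallback to the existing group is consistent with the new `depends_on` entry.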
resource "ibm_sm_iam_credentials_secret" "iam_cos_apikey_credentials_secret" {
count = (local.create_cos_api_key) ? 1 : 0
- depends_on = [ibm_sm_secret_group.sm_secret_group, ibm_sm_iam_credentials_configuration.iam_credentials_configuration]
+ depends_on = [ibm_sm_secret_group.sm_secret_group, data.ibm_sm_secret_group.existing_sm_secret_group, ibm_sm_iam_credentials_configuration.iam_credentials_configuration]
instance_id = data.ibm_resource_instance.sm_instance[0].guid
region = var.sm_location
name = var.cos_api_key_secret_name
@@ -251,7 +260,7 @@ resource "ibm_sm_iam_credentials_secret" "iam_cos_apikey_credentials_secret" {
interval = var.rotation_period
unit = "day"
}
- secret_group_id = ibm_sm_secret_group.sm_secret_group[0].secret_group_id
- service_id = data.ibm_iam_service_id.cos_service_id.service_ids[0].id
+ secret_group_id = (var.create_secret_group) ? ibm_sm_secret_group.sm_secret_group[0].secret_group_id : data.ibm_sm_secret_group.existing_sm_secret_group[0].secret_group_id
+ service_id = data.ibm_iam_service_id.cos_service_id[0].service_ids[0].id
ttl = "7776000"
}
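Review bot: `ttl = "7776000"` pins the generated API key to a 90-day lifetime while the rotation interval is `var.rotation_period` days, and nothing checks that the two agree; if a caller sets a rotation period longer than 90 days and the key stops working at TTL expiry, as the field name suggests, the credential dies before Secrets Manager rotates it. A `validation` block on `rotation_period`, or deriving the lifetime from it with `ttl = tostring(var.rotation_period * 86400)`, would make the relationship explicit; the variable's declaration is outside this diff, so its current bounds cannot be confirmed here. The pipeline secret above uses the same constant.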
diff --git a/solutions/code-engine/README.md b/solutions/code-engine/README.md
index ff6dc70..01e8b8a 100644
--- a/solutions/code-engine/README.md
+++ b/solutions/code-engine/README.md
@@ -452,11 +452,15 @@ No resources.
| [compliance\_pipeline\_existing\_repo\_url](#input\_compliance\_pipeline\_existing\_repo\_url) | The URL of an existing compliance pipelines repository. | `string` | `""` | no |
| [compliance\_pipeline\_group](#input\_compliance\_pipeline\_group) | Specify user or group for compliance pipline repository. | `string` | `""` | no |
| [compliance\_pipeline\_repo\_auth\_type](#input\_compliance\_pipeline\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
+| [compliance\_pipeline\_repo\_blind\_connection](#input\_compliance\_pipeline\_repo\_blind\_connection) | Setting this value to `true` means the server is not addressable on the public internet. IBM Cloud will not be able to validate the connection details you provide. Certain functionality that requires API access to the git server will be disabled. Delivery pipeline will only work using a private worker that has network access to the git server. | `string` | `""` | no |
| [compliance\_pipeline\_repo\_git\_id](#input\_compliance\_pipeline\_repo\_git\_id) | Set this value to `github` for github.com, or to the ID of a custom GitHub Enterprise server. | `string` | `""` | no |
| [compliance\_pipeline\_repo\_git\_provider](#input\_compliance\_pipeline\_repo\_git\_provider) | Git provider for pipeline repo | `string` | `""` | no |
| [compliance\_pipeline\_repo\_git\_token\_secret\_crn](#input\_compliance\_pipeline\_repo\_git\_token\_secret\_crn) | The CRN of the Git token used for accessing the sample application repository. | `string` | `""` | no |
| [compliance\_pipeline\_repo\_git\_token\_secret\_name](#input\_compliance\_pipeline\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider used for accessing the compliance pipelines repository. | `string` | `""` | no |
+| [compliance\_pipeline\_repo\_root\_url](#input\_compliance\_pipeline\_repo\_root\_url) | (Optional) The Root URL of the server. e.g. https://git.example.com. | `string` | `""` | no |
| [compliance\_pipeline\_repo\_secret\_group](#input\_compliance\_pipeline\_repo\_secret\_group) | Secret group for the Compliance Pipeline repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
+| [compliance\_pipeline\_repo\_title](#input\_compliance\_pipeline\_repo\_title) | (Optional) The title of the server. e.g. My Git Enterprise Server. | `string` | `""` | no |
+| [compliance\_pipeline\_repo\_use\_group\_settings](#input\_compliance\_pipeline\_repo\_use\_group\_settings) | Set to `true` to apply group level repository settings to the compliance pipeline repository. See `repo_git_provider` as an example. | `bool` | `true` | no |
| [compliance\_pipeline\_source\_repo\_url](#input\_compliance\_pipeline\_source\_repo\_url) | The URL of a compliance pipelines repository to clone. | `string` | `""` | no |
| [continuous\_delivery\_service\_name](#input\_continuous\_delivery\_service\_name) | The name of the CD instance. | `string` | `"cd-devsecops"` | no |
| [cos\_api\_key\_secret\_crn](#input\_cos\_api\_key\_secret\_crn) | The CRN of the Cloud Object Storage apikey. Applies to the CI, CD and CC toolchains. Can beset independently using `ci_cos_api_key_secret_crn`,`cd_cos_api_key_secret_crn`,`cc_cos_api_key_secret_crn`. | `string` | `""` | no |
diff --git a/solutions/code-engine/main.tf b/solutions/code-engine/main.tf
index 37e72ee..2171324 100644
--- a/solutions/code-engine/main.tf
+++ b/solutions/code-engine/main.tf
@@ -26,11 +26,15 @@ module "devsecops_da" {
compliance_pipeline_existing_repo_url = var.compliance_pipeline_existing_repo_url
compliance_pipeline_group = var.compliance_pipeline_group
compliance_pipeline_repo_auth_type = var.compliance_pipeline_repo_auth_type
+ compliance_pipeline_repo_blind_connection = var.compliance_pipeline_repo_blind_connection
compliance_pipeline_repo_git_id = var.compliance_pipeline_repo_git_id
compliance_pipeline_repo_git_provider = var.compliance_pipeline_repo_git_provider
compliance_pipeline_repo_git_token_secret_crn = var.compliance_pipeline_repo_git_token_secret_crn
compliance_pipeline_repo_git_token_secret_name = var.compliance_pipeline_repo_git_token_secret_name
+ compliance_pipeline_repo_root_url = var.compliance_pipeline_repo_root_url
+ compliance_pipeline_repo_use_group_settings = var.compliance_pipeline_repo_use_group_settings
compliance_pipeline_repo_secret_group = var.compliance_pipeline_repo_secret_group
+ compliance_pipeline_repo_title = var.compliance_pipeline_repo_title
compliance_pipeline_source_repo_url = var.compliance_pipeline_source_repo_url
cos_api_key_secret_crn = var.cos_api_key_secret_crn
cos_api_key_secret_group = var.cos_api_key_secret_group
diff --git a/solutions/code-engine/variables.tf b/solutions/code-engine/variables.tf
index e1f60f6..7f76454 100644
--- a/solutions/code-engine/variables.tf
+++ b/solutions/code-engine/variables.tf
@@ -147,6 +147,30 @@ variable "compliance_pipeline_repo_git_id" {
default = ""
}
+variable "compliance_pipeline_repo_blind_connection" {
+ type = string
+ description = "Setting this value to `true` means the server is not addressable on the public internet. IBM Cloud will not be able to validate the connection details you provide. Certain functionality that requires API access to the git server will be disabled. Delivery pipeline will only work using a private worker that has network access to the git server."
+ default = ""
+}
+
+variable "compliance_pipeline_repo_root_url" {
+ type = string
+ description = "(Optional) The Root URL of the server. e.g. https://git.example.com."
+ default = ""
+}
+
+variable "compliance_pipeline_repo_use_group_settings" {
+ type = bool
+ description = "Set to `true` to apply group level repository settings to the compliance pipeline repository. See `repo_git_provider` as an example."
+ default = true
+}
+
+variable "compliance_pipeline_repo_title" {
+ type = string
+ description = "(Optional) The title of the server. e.g. My Git Enterprise Server."
+ default = ""
+}
+
variable "compliance_pipeline_repo_git_provider" {
type = string
default = ""
diff --git a/solutions/kubernetes/README.md b/solutions/kubernetes/README.md
index d3a23af..1573cb7 100644
--- a/solutions/kubernetes/README.md
+++ b/solutions/kubernetes/README.md
@@ -452,11 +452,15 @@ No resources.
| [compliance\_pipeline\_existing\_repo\_url](#input\_compliance\_pipeline\_existing\_repo\_url) | The URL of an existing compliance pipelines repository. | `string` | `""` | no |
| [compliance\_pipeline\_group](#input\_compliance\_pipeline\_group) | Specify user or group for compliance pipline repository. | `string` | `""` | no |
| [compliance\_pipeline\_repo\_auth\_type](#input\_compliance\_pipeline\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
+| [compliance\_pipeline\_repo\_blind\_connection](#input\_compliance\_pipeline\_repo\_blind\_connection) | Setting this value to `true` means the server is not addressable on the public internet. IBM Cloud will not be able to validate the connection details you provide. Certain functionality that requires API access to the git server will be disabled. Delivery pipeline will only work using a private worker that has network access to the git server. | `string` | `""` | no |
| [compliance\_pipeline\_repo\_git\_id](#input\_compliance\_pipeline\_repo\_git\_id) | Set this value to `github` for github.com, or to the ID of a custom GitHub Enterprise server. | `string` | `""` | no |
| [compliance\_pipeline\_repo\_git\_provider](#input\_compliance\_pipeline\_repo\_git\_provider) | Git provider for pipeline repo | `string` | `""` | no |
| [compliance\_pipeline\_repo\_git\_token\_secret\_crn](#input\_compliance\_pipeline\_repo\_git\_token\_secret\_crn) | The CRN of the Git token used for accessing the sample application repository. | `string` | `""` | no |
| [compliance\_pipeline\_repo\_git\_token\_secret\_name](#input\_compliance\_pipeline\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider used for accessing the compliance pipelines repository. | `string` | `""` | no |
+| [compliance\_pipeline\_repo\_root\_url](#input\_compliance\_pipeline\_repo\_root\_url) | (Optional) The Root URL of the server. e.g. https://git.example.com. | `string` | `""` | no |
| [compliance\_pipeline\_repo\_secret\_group](#input\_compliance\_pipeline\_repo\_secret\_group) | Secret group for the Compliance Pipeline repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
+| [compliance\_pipeline\_repo\_title](#input\_compliance\_pipeline\_repo\_title) | (Optional) The title of the server. e.g. My Git Enterprise Server. | `string` | `""` | no |
+| [compliance\_pipeline\_repo\_use\_group\_settings](#input\_compliance\_pipeline\_repo\_use\_group\_settings) | Set to `true` to apply group level repository settings to the compliance pipeline repository. See `repo_git_provider` as an example. | `bool` | `true` | no |
| [compliance\_pipeline\_source\_repo\_url](#input\_compliance\_pipeline\_source\_repo\_url) | The URL of a compliance pipelines repository to clone. | `string` | `""` | no |
| [continuous\_delivery\_service\_name](#input\_continuous\_delivery\_service\_name) | The name of the CD instance. | `string` | `"cd-devsecops"` | no |
| [cos\_api\_key\_secret\_crn](#input\_cos\_api\_key\_secret\_crn) | The CRN of the Cloud Object Storage apikey. Applies to the CI, CD and CC toolchains. Can beset independently using `ci_cos_api_key_secret_crn`,`cd_cos_api_key_secret_crn`,`cc_cos_api_key_secret_crn`. | `string` | `""` | no |
diff --git a/solutions/kubernetes/main.tf b/solutions/kubernetes/main.tf
index cf0fb83..2fb712f 100644
--- a/solutions/kubernetes/main.tf
+++ b/solutions/kubernetes/main.tf
@@ -26,11 +26,15 @@ module "devsecops_da" {
compliance_pipeline_existing_repo_url = var.compliance_pipeline_existing_repo_url
compliance_pipeline_group = var.compliance_pipeline_group
compliance_pipeline_repo_auth_type = var.compliance_pipeline_repo_auth_type
+ compliance_pipeline_repo_blind_connection = var.compliance_pipeline_repo_blind_connection
compliance_pipeline_repo_git_id = var.compliance_pipeline_repo_git_id
compliance_pipeline_repo_git_provider = var.compliance_pipeline_repo_git_provider
compliance_pipeline_repo_git_token_secret_crn = var.compliance_pipeline_repo_git_token_secret_crn
compliance_pipeline_repo_git_token_secret_name = var.compliance_pipeline_repo_git_token_secret_name
+ compliance_pipeline_repo_root_url = var.compliance_pipeline_repo_root_url
+ compliance_pipeline_repo_use_group_settings = var.compliance_pipeline_repo_use_group_settings
compliance_pipeline_repo_secret_group = var.compliance_pipeline_repo_secret_group
+ compliance_pipeline_repo_title = var.compliance_pipeline_repo_title
compliance_pipeline_source_repo_url = var.compliance_pipeline_source_repo_url
cos_api_key_secret_crn = var.cos_api_key_secret_crn
cos_api_key_secret_group = var.cos_api_key_secret_group
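Review bot: The new `compliance_pipeline_repo_use_group_settings = ...` line is inserted between `repo_root_url` and `repo_secret_group`, which breaks the alphabetical ordering the rest of this argument list follows; it belongs after `compliance_pipeline_repo_title`. The enclosing `module "devsecops_da"` block starts before this hunk, so I cannot see whether the same ordering convention holds elsewhere in it.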
diff --git a/solutions/kubernetes/variables.tf b/solutions/kubernetes/variables.tf
index 2460071..8697e75 100644
--- a/solutions/kubernetes/variables.tf
+++ b/solutions/kubernetes/variables.tf
@@ -147,6 +147,30 @@ variable "compliance_pipeline_repo_git_id" {
default = ""
}
+variable "compliance_pipeline_repo_blind_connection" {
+ type = string
+ description = "Setting this value to `true` means the server is not addressable on the public internet. IBM Cloud will not be able to validate the connection details you provide. Certain functionality that requires API access to the git server will be disabled. Delivery pipeline will only work using a private worker that has network access to the git server."
+ default = ""
+}
+
+variable "compliance_pipeline_repo_root_url" {
+ type = string
+ description = "(Optional) The Root URL of the server. e.g. https://git.example.com."
+ default = ""
+}
+
+variable "compliance_pipeline_repo_use_group_settings" {
+ type = bool
+ description = "Set to `true` to apply group level repository settings to the compliance pipeline repository. See `repo_git_provider` as an example."
+ default = true
+}
+
+variable "compliance_pipeline_repo_title" {
+ type = string
+ description = "(Optional) The title of the server. e.g. My Git Enterprise Server."
+ default = ""
+}
+
variable "compliance_pipeline_repo_git_provider" {
type = string
default = ""
diff --git a/variables.tf b/variables.tf
index 3e3b5fd..39fa768 100644
--- a/variables.tf
+++ b/variables.tf
@@ -145,6 +145,30 @@ variable "compliance_pipeline_repo_auth_type" {
default = ""
}
+variable "compliance_pipeline_repo_blind_connection" {
+ type = string
+ description = "Setting this value to `true` means the server is not addressable on the public internet. IBM Cloud will not be able to validate the connection details you provide. Certain functionality that requires API access to the git server will be disabled. Delivery pipeline will only work using a private worker that has network access to the git server."
+ default = ""
+}
+
+variable "compliance_pipeline_repo_root_url" {
+ type = string
+ description = "(Optional) The Root URL of the server. e.g. https://git.example.com."
+ default = ""
+}
+
+variable "compliance_pipeline_repo_use_group_settings" {
+ type = bool
+ description = "Set to `true` to apply group level repository settings to the compliance pipeline repository. See `repo_git_provider` as an example."
+ default = false
+}
+
+variable "compliance_pipeline_repo_title" {
+ type = string
+ description = "(Optional) The title of the server. e.g. My Git Enterprise Server."
+ default = ""
+}
+
variable "compliance_pipeline_repo_git_provider" {
type = string
default = ""
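Review bot: `compliance_pipeline_repo_use_group_settings` defaults to `false` here in the root module but to `true` in both `solutions/code-engine/variables.tf` and `solutions/kubernetes/variables.tf` in this same patch, and nothing in the descriptions explains the split. If the intent is to keep the root module backward-compatible while the deployable solutions opt in, the description should say so, e.g. `description = "Set to \`true\` to apply group level repository settings to the compliance pipeline repository. Defaults to \`false\` in the root module; the solutions default it to \`true\`."`; if it is unintentional, one of the defaults is wrong. The trailing "See `repo_git_provider` as an example." is also unclear about what it is an example of and would read better as a pointer to the specific group-level variable it mirrors.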