feat: Add GAR in infra pipelines and tests (#395)

* Updating infra pipelines to use GAR * Fixing lint * Switching infra_pipelines to use GAR * Adding tests for artifact register * Adding end to fix loop * Fixing lint * Adding shared.auto.tfvars in README.md * Changed compare section for artifact register test in gcloud_projects.rb * Removed condition to test stderr * adding browser and network folder permissions in infra-pipelines * adding default region fix value * removing default_region variable * enabling artifact register api * adding gcp-policies steps on README * enabling apis in example_based_shared_vpc * Fix code review feedback Co-authored-by: Daniel da Silva Andrade <dandrade@ciandt.com>
terraform-google-modules · Apr 9, 2021 · 2a2e4fe · 2a2e4fe
1 parent 11c05af
commit 2a2e4fe
Show file tree

Hide file tree

Showing 29 changed files with 312 additions and 24 deletions.
diff --git a/4-projects/README.md b/4-projects/README.md
@@ -48,6 +48,7 @@ Change the `BRANCH_NAME` from `development` to `non-production` or `production`
 1. Copy terraform wrapper script `cp ../terraform-example-foundation/build/tf-wrapper.sh . ` to the root of your new repository (modify accordingly based on your current directory).
 1. Ensure wrapper script can be executed `chmod 755 ./tf-wrapper.sh`.
 1. Rename `common.auto.example.tfvars` to `common.auto.tfvars` and update the file with values from your environment and bootstrap.
+1. Rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and update the file with values from your environment and bootstrap.
 1. Rename `development.auto.example.tfvars` to `development.auto.tfvars` and update the file with the `perimeter_name` that starts with `sp_d_shared_restricted`.
 1. Rename `non-production.auto.example.tfvars` to `non-production.auto.tfvars` and update the file with the `perimeter_name` that starts with `sp_n_shared_restricted`.
 1. Rename `production.auto.example.tfvars` to `production.auto.tfvars` and update the file with the `perimeter_name` that starts with `sp_p_shared_restricted`.
@@ -88,6 +89,7 @@ Change the `BRANCH_NAME` from `development` to `non-production` or `production`
 1. Copy terraform wrapper script `cp ../terraform-example-foundation/build/tf-wrapper.sh . ` to the root of your new repository (modify accordingly based on your current directory).
 1. Ensure wrapper script can be executed `chmod 755 ./tf-wrapper.sh`.
 1. Rename `common.auto.example.tfvars` to `common.auto.tfvars` and update the file with values from your environment and bootstrap.
+1. Rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and update the file with values from your environment and bootstrap.
 1. Rename `development.auto.example.tfvars` to `development.auto.tfvars` and update the file with the `perimeter_name` that starts with `sp_d_shared_restricted`.
 1. Rename `non-production.auto.example.tfvars` to `non-production.auto.tfvars` and update the file with the `perimeter_name` that starts with `sp_n_shared_restricted`.
 1. Rename `production.auto.example.tfvars` to `production.auto.tfvars` and update the file with the `perimeter_name` that starts with `sp_p_shared_restricted`.
@@ -111,6 +113,7 @@ Change the `BRANCH_NAME` from `development` to `non-production` or `production`
 1. Run `cp ../build/tf-wrapper.sh .`
 1. Run `chmod 755 ./tf-wrapper.sh`.
 1. Rename `common.auto.example.tfvars` to `common.auto.tfvars` and update the file with values from your environment and bootstrap.
+1. Rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and update the file with values from your environment and bootstrap.
 1. Rename `development.auto.example.tfvars` to `development.auto.tfvars` and update the file with the `perimeter_name` that starts with `sp_d_shared_restricted`.
 1. Rename `non-production.auto.example.tfvars` to `non-production.auto.tfvars` and update the file with the `perimeter_name` that starts with `sp_n_shared_restricted`.
 1. Rename `production.auto.example.tfvars` to `production.auto.tfvars` and update the file with the `perimeter_name` that starts with `sp_p_shared_restricted`.

diff --git a/4-projects/business_unit_1/development/example_base_shared_vpc_project.tf b/4-projects/business_unit_1/development/example_base_shared_vpc_project.tf
@@ -30,6 +30,10 @@ module "base_shared_vpc_project" {
   sa_roles                    = ["roles/editor"]
   enable_cloudbuild_deploy    = true
   cloudbuild_sa               = var.app_infra_pipeline_cloudbuild_sa
+  activate_apis = [
+    "iam.googleapis.com",
+    "cloudresourcemanager.googleapis.com"
+  ]
 
   # Metadata
   project_suffix    = "sample-base"

diff --git a/4-projects/business_unit_1/non-production/example_base_shared_vpc_project.tf b/4-projects/business_unit_1/non-production/example_base_shared_vpc_project.tf
@@ -30,6 +30,10 @@ module "base_shared_vpc_project" {
   sa_roles                    = ["roles/editor"]
   enable_cloudbuild_deploy    = true
   cloudbuild_sa               = var.app_infra_pipeline_cloudbuild_sa
+  activate_apis = [
+    "iam.googleapis.com",
+    "cloudresourcemanager.googleapis.com"
+  ]
 
   # Metadata
   project_suffix    = "sample-base"

diff --git a/4-projects/business_unit_1/production/example_base_shared_vpc_project.tf b/4-projects/business_unit_1/production/example_base_shared_vpc_project.tf
@@ -30,6 +30,10 @@ module "base_shared_vpc_project" {
   sa_roles                    = ["roles/editor"]
   enable_cloudbuild_deploy    = true
   cloudbuild_sa               = var.app_infra_pipeline_cloudbuild_sa
+  activate_apis = [
+    "iam.googleapis.com",
+    "cloudresourcemanager.googleapis.com"
+  ]
 
   # Metadata
   project_suffix    = "sample-base"

diff --git a/4-projects/business_unit_1/shared/README.md b/4-projects/business_unit_1/shared/README.md
@@ -7,6 +7,7 @@
 | alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded | `list(number)` | <pre>[<br>  0.5,<br>  0.75,<br>  0.9,<br>  0.95<br>]</pre> | no |
 | billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes |
 | budget\_amount | The amount to use as the budget | `number` | `1000` | no |
+| default\_region | Default region to create resources where applicable. | `string` | `"us-central1"` | no |
 | folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |
 | org\_id | The organization id for the associated services | `string` | n/a | yes |
 | parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
@@ -21,8 +22,10 @@
 | artifact\_buckets | GCS Buckets to store Cloud Build Artifacts |
 | cloudbuild\_project\_id | n/a |
 | cloudbuild\_sa | Cloud Build service account |
+| default\_region | Default region to create resources where applicable. |
 | plan\_triggers | CB plan triggers |
 | repos | CSRs to store source code |
 | state\_buckets | GCS Buckets to store TF state |
+| tf\_runner\_artifact\_repo | GAR Repo created to store runner images |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/4-projects/business_unit_1/shared/example_infra_pipeline.tf b/4-projects/business_unit_1/shared/example_infra_pipeline.tf
@@ -25,7 +25,14 @@ module "app_infra_cloudbuild_project" {
   alert_pubsub_topic          = var.alert_pubsub_topic
   budget_amount               = var.budget_amount
   project_prefix              = var.project_prefix
-  activate_apis               = ["cloudbuild.googleapis.com", "sourcerepo.googleapis.com", "cloudkms.googleapis.com"]
+  activate_apis = [
+    "cloudbuild.googleapis.com",
+    "sourcerepo.googleapis.com",
+    "cloudkms.googleapis.com",
+    "iam.googleapis.com",
+    "artifactregistry.googleapis.com",
+    "cloudresourcemanager.googleapis.com"
+  ]
 
   # Metadata
   project_suffix    = "infra-pipeline"
@@ -39,7 +46,9 @@ module "app_infra_cloudbuild_project" {
 module "infra_pipelines" {
   source                = "../../modules/infra_pipelines"
   cloudbuild_project_id = module.app_infra_cloudbuild_project.project_id
+  project_prefix        = var.project_prefix
   billing_account       = var.billing_account
+  default_region        = var.default_region
   app_infra_repos       = ["bu1-example-app"]
 }
 
diff --git a/4-projects/business_unit_1/shared/outputs.tf b/4-projects/business_unit_1/shared/outputs.tf
@@ -14,6 +14,16 @@
  * limitations under the License.
  */
 
+output "default_region" {
+  description = "Default region to create resources where applicable."
+  value       = module.infra_pipelines.default_region
+}
+
+output "tf_runner_artifact_repo" {
+  description = "GAR Repo created to store runner images"
+  value       = module.infra_pipelines.tf_runner_artifact_repo
+}
+
 output "cloudbuild_project_id" {
   value = module.app_infra_cloudbuild_project.project_id
 }

diff --git a/4-projects/business_unit_1/shared/shared.auto.tfvars b/4-projects/business_unit_1/shared/shared.auto.tfvars
@@ -0,0 +1 @@
+../../shared.auto.tfvars
diff --git a/4-projects/business_unit_1/shared/variables.tf b/4-projects/business_unit_1/shared/variables.tf
@@ -14,6 +14,12 @@
  * limitations under the License.
  */
 
+variable "default_region" {
+  description = "Default region to create resources where applicable."
+  type        = string
+  default     = "us-central1"
+}
+
 variable "terraform_service_account" {
   description = "Service account email of the account to impersonate to run Terraform"
   type        = string

diff --git a/4-projects/business_unit_2/development/example_base_shared_vpc_project.tf b/4-projects/business_unit_2/development/example_base_shared_vpc_project.tf
@@ -30,6 +30,10 @@ module "base_shared_vpc_project" {
   sa_roles                    = ["roles/editor"]
   enable_cloudbuild_deploy    = true
   cloudbuild_sa               = var.app_infra_pipeline_cloudbuild_sa
+  activate_apis = [
+    "iam.googleapis.com",
+    "cloudresourcemanager.googleapis.com"
+  ]
 
   # Metadata
   project_suffix    = "sample-base"

diff --git a/4-projects/business_unit_2/non-production/example_base_shared_vpc_project.tf b/4-projects/business_unit_2/non-production/example_base_shared_vpc_project.tf
@@ -30,6 +30,10 @@ module "base_shared_vpc_project" {
   sa_roles                    = ["roles/editor"]
   enable_cloudbuild_deploy    = true
   cloudbuild_sa               = var.app_infra_pipeline_cloudbuild_sa
+  activate_apis = [
+    "iam.googleapis.com",
+    "cloudresourcemanager.googleapis.com"
+  ]
 
   # Metadata
   project_suffix    = "sample-base"

diff --git a/4-projects/business_unit_2/production/example_base_shared_vpc_project.tf b/4-projects/business_unit_2/production/example_base_shared_vpc_project.tf
@@ -30,6 +30,10 @@ module "base_shared_vpc_project" {
   sa_roles                    = ["roles/editor"]
   enable_cloudbuild_deploy    = true
   cloudbuild_sa               = var.app_infra_pipeline_cloudbuild_sa
+  activate_apis = [
+    "iam.googleapis.com",
+    "cloudresourcemanager.googleapis.com"
+  ]
 
   # Metadata
   project_suffix    = "sample-base"

diff --git a/4-projects/business_unit_2/shared/README.md b/4-projects/business_unit_2/shared/README.md
@@ -7,6 +7,7 @@
 | alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded | `list(number)` | <pre>[<br>  0.5,<br>  0.75,<br>  0.9,<br>  0.95<br>]</pre> | no |
 | billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes |
 | budget\_amount | The amount to use as the budget | `number` | `1000` | no |
+| default\_region | Default region to create resources where applicable. | `string` | `"us-central1"` | no |
 | folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |
 | org\_id | The organization id for the associated services | `string` | n/a | yes |
 | parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
@@ -21,8 +22,10 @@
 | artifact\_buckets | GCS Buckets to store Cloud Build Artifacts |
 | cloudbuild\_project\_id | n/a |
 | cloudbuild\_sa | Cloud Build service account |
+| default\_region | Default region to create resources where applicable. |
 | plan\_triggers | CB plan triggers |
 | repos | CSRs to store source code |
 | state\_buckets | GCS Buckets to store TF state |
+| tf\_runner\_artifact\_repo | GAR Repo created to store runner images |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/4-projects/business_unit_2/shared/example_infra_pipeline.tf b/4-projects/business_unit_2/shared/example_infra_pipeline.tf
@@ -25,8 +25,14 @@ module "app_infra_cloudbuild_project" {
   alert_pubsub_topic          = var.alert_pubsub_topic
   budget_amount               = var.budget_amount
   project_prefix              = var.project_prefix
-  activate_apis               = ["cloudbuild.googleapis.com", "sourcerepo.googleapis.com", "cloudkms.googleapis.com"]
-
+  activate_apis = [
+    "cloudbuild.googleapis.com",
+    "sourcerepo.googleapis.com",
+    "cloudkms.googleapis.com",
+    "iam.googleapis.com",
+    "artifactregistry.googleapis.com",
+    "cloudresourcemanager.googleapis.com"
+  ]
   # Metadata
   project_suffix    = "infra-pipeline"
   application_name  = "app-infra-pipelines"
@@ -39,7 +45,9 @@ module "app_infra_cloudbuild_project" {
 module "infra_pipelines" {
   source                = "../../modules/infra_pipelines"
   cloudbuild_project_id = module.app_infra_cloudbuild_project.project_id
+  project_prefix        = var.project_prefix
   billing_account       = var.billing_account
+  default_region        = var.default_region
   app_infra_repos       = ["bu2-example-app"]
 }
 
diff --git a/4-projects/business_unit_2/shared/outputs.tf b/4-projects/business_unit_2/shared/outputs.tf
@@ -14,6 +14,16 @@
  * limitations under the License.
  */
 
+output "default_region" {
+  description = "Default region to create resources where applicable."
+  value       = module.infra_pipelines.default_region
+}
+
+output "tf_runner_artifact_repo" {
+  description = "GAR Repo created to store runner images"
+  value       = module.infra_pipelines.tf_runner_artifact_repo
+}
+
 output "cloudbuild_project_id" {
   value = module.app_infra_cloudbuild_project.project_id
 }

diff --git a/4-projects/business_unit_2/shared/shared.auto.tfvars b/4-projects/business_unit_2/shared/shared.auto.tfvars
@@ -0,0 +1 @@
+../../shared.auto.tfvars
diff --git a/4-projects/business_unit_2/shared/variables.tf b/4-projects/business_unit_2/shared/variables.tf
@@ -14,6 +14,12 @@
  * limitations under the License.
  */
 
+variable "default_region" {
+  description = "Default region to create resources where applicable."
+  type        = string
+  default     = "us-central1"
+}
+
 variable "terraform_service_account" {
   description = "Service account email of the account to impersonate to run Terraform"
   type        = string

diff --git a/4-projects/modules/infra_pipelines/README.md b/4-projects/modules/infra_pipelines/README.md
@@ -9,6 +9,9 @@
 | cloudbuild\_apply\_filename | Path and name of Cloud Build YAML definition used for terraform apply. | `string` | `"cloudbuild-tf-apply.yaml"` | no |
 | cloudbuild\_plan\_filename | Path and name of Cloud Build YAML definition used for terraform plan. | `string` | `"cloudbuild-tf-plan.yaml"` | no |
 | cloudbuild\_project\_id | The project id where the pipelines and repos should be created | `string` | n/a | yes |
+| default\_region | Default region to create resources where applicable. | `string` | n/a | yes |
+| gar\_repo\_name | Custom name to use for GAR repo. | `string` | `""` | no |
+| project\_prefix | Name prefix to use for projects created. | `string` | `"prj"` | no |
 | terraform\_apply\_branches | List of git branches configured to run terraform apply Cloud Build trigger. All other branches will run plan by default. | `list(string)` | <pre>[<br>  "development",<br>  "non-production",<br>  "production"<br>]</pre> | no |
 | terraform\_validator\_release | Default terraform-validator release. | `string` | `"2021-03-22"` | no |
 | terraform\_version | Default terraform version. | `string` | `"0.13.6"` | no |
@@ -21,8 +24,11 @@
 | apply\_triggers | CB apply triggers |
 | artifact\_buckets | GCS Buckets to store Cloud Build Artifacts |
 | cloudbuild\_sa | Cloud Build service account |
+| default\_region | Default region to create resources where applicable. |
+| gar\_name | GAR Repo name created to store runner images |
 | plan\_triggers | CB plan triggers |
 | repos | CSRs to store source code |
 | state\_buckets | GCS Buckets to store TF state |
+| tf\_runner\_artifact\_repo | GAR Repo created to store runner images |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/4-projects/modules/infra_pipelines/cloudbuild_builder/cloudbuild.yaml b/4-projects/modules/infra_pipelines/cloudbuild_builder/cloudbuild.yaml
@@ -18,16 +18,16 @@ steps:
 - name: 'gcr.io/cloud-builders/docker'
   args: [
     'build',
-    '--tag=gcr.io/${PROJECT_ID}/terraform',
+    '--tag=${_REGION}-docker.pkg.dev/${PROJECT_ID}/${_REPOSITORY}/terraform',
     '--build-arg=TERRAFORM_VERSION=${_TERRAFORM_VERSION}',
     '--build-arg=TERRAFORM_VERSION_SHA256SUM=${_TERRAFORM_VERSION_SHA256SUM}',
     '--build-arg=TERRAFORM_VALIDATOR_RELEASE=${_TERRAFORM_VALIDATOR_RELEASE}',
     '.'
     ]
-- name: 'gcr.io/${PROJECT_ID}/terraform'
+- name: '${_REGION}-docker.pkg.dev/${PROJECT_ID}/${_REPOSITORY}/terraform'
   args: ['version']
 substitutions:
   _TERRAFORM_VERSION: '0.13.6' # default value
   _TERRAFORM_VERSION_SHA256SUM: '55f2db00b05675026be9c898bdd3e8230ff0c5c78dd12d743ca38032092abfc9' # default value
   _TERRAFORM_VALIDATOR_RELEASE: '2021-03-22'
-images: ['gcr.io/${PROJECT_ID}/terraform']
+images: ['${_REGION}-docker.pkg.dev/${PROJECT_ID}/${_REPOSITORY}/terraform']