fix: Do not create secret versions when using Cloud Build repositores…

… second gen (#324)

Co-authored-by: Andrew Peabody <[email protected]>

README.md

@@ -63,6 +63,7 @@ For the cloudbuild submodule, see the README [cloudbuild](./modules/cloudbuild).
 | org\_id | GCP Organization ID | `string` | n/a | yes |
 | org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | `list(string)` | `[]` | no |
 | parent\_folder | GCP parent folder ID in the form folders/{id} | `string` | `""` | no |
+| project\_auto\_create\_network | Create the default network for the project created. | `bool` | `false` | no |
 | project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no |
 | project\_id | Custom project ID to use for project created. If not supplied, the default id is {project\_prefix}-seed-{random suffix}. | `string` | `""` | no |
 | project\_labels | Labels to apply to the project. | `map(string)` | `{}` | no |

build/int.cloudbuild.yaml

@@ -113,11 +113,6 @@ steps:
       - apply-tfbuilder
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestTFCloudBuildBuilder --stage verify --verbose']
-- id: teardown-tfbuilder
-  waitFor:
-      - verify-tfbuilder
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestTFCloudBuildBuilder --stage teardown --verbose']
 
 - id: apply-tfbuilder-github
   waitFor:
@@ -131,12 +126,6 @@ steps:
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestTFCloudBuildBuilderGitHub --stage verify --verbose']
   secretEnv: ['IM_GITHUB_PAT']
-- id: teardown-tfbuilder-github
-  waitFor:
-      - verify-tfbuilder-github
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestTFCloudBuildBuilderGitHub --stage teardown --verbose']
-  secretEnv: ['IM_GITHUB_PAT']
 
 - id: apply-tfbuilder-gitlab
   waitFor:
@@ -150,8 +139,26 @@ steps:
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestTFCloudBuildBuilderGitLab --stage verify --verbose']
   secretEnv: ['IM_GITLAB_PAT']
+
+- id: teardown-tfbuilder
+  waitFor:
+      - verify-tfbuilder
+      - verify-tfbuilder-github
+      - verify-tfbuilder-gitlab
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestTFCloudBuildBuilder --stage teardown --verbose']
+- id: teardown-tfbuilder-github
+  waitFor:
+      - verify-tfbuilder
+      - verify-tfbuilder-github
+      - verify-tfbuilder-gitlab
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestTFCloudBuildBuilderGitHub --stage teardown --verbose']
+  secretEnv: ['IM_GITHUB_PAT']
 - id: teardown-tfbuilder-gitlab
   waitFor:
+      - verify-tfbuilder
+      - verify-tfbuilder-github
       - verify-tfbuilder-gitlab
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestTFCloudBuildBuilderGitLab --stage teardown --verbose']

examples/cloudbuild_repo_connection_github/README.md

@@ -10,6 +10,8 @@ For GitHub connections you will need:
 
 - Install the [Cloud Build App](https://github.com/apps/google-cloud-build) on Github.
 - Create a [Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) on Github with [scopes](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes) `repo` and `read:user` (or if app is installed in a organization use `read:org`).
+- Create two [Google Secret Manager](https://cloud.google.com/secret-manager/docs/overview) secrets, one for the Cloud Build App and one for the Personal Access Token.
+- Populate the corresponding [secret versions](https://cloud.google.com/secret-manager/docs/add-secret-version) of each one of the secrets.
 
 For more information on this topic refer to the Cloud Build repositories (2nd gen) documentation for
 [Connect to a GitHub repository](https://cloud.google.com/build/docs/automating-builds/github/connect-repo-github?generation=2nd-gen).
@@ -19,8 +21,8 @@ For more information on this topic refer to the Cloud Build repositories (2nd ge
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| github\_app\_id | The application ID for the Cloudbuild GitHub app. | `string` | n/a | yes |
-| github\_pat | The personal access token for authenticating with GitHub. | `string` | n/a | yes |
+| github\_app\_id\_secret\_id | The secret ID for the application ID for the Cloudbuild GitHub app. | `string` | n/a | yes |
+| github\_pat\_secret\_id | The secret ID for the personal access token for authenticating with GitHub. | `string` | n/a | yes |
 | project\_id | The ID of the project in which to provision resources. | `string` | n/a | yes |
 | repository\_name | The name of the test repository. | `string` | n/a | yes |
 | repository\_url | The HTTPS clone URL of the repository, ending with .git. | `string` | n/a | yes |

examples/cloudbuild_repo_connection_github/main.tf

@@ -14,15 +14,15 @@
  * limitations under the License.
  */
 
-module "github_connection" {
+module "git_repo_connection" {
   source  = "terraform-google-modules/bootstrap/google//modules/cloudbuild_repo_connection"
-  version = "~> 9.0"
+  version = "~> 8.0"
 
   project_id = var.project_id
-  credential_config = {
-    credential_type = "GITHUBv2"
-    github_pat      = var.github_pat
-    github_app_id   = var.github_app_id
+  connection_config = {
+    connection_type         = "GITHUBv2"
+    github_secret_id        = var.github_pat_secret_id
+    github_app_id_secret_id = var.github_app_id_secret_id
   }
 
   cloud_build_repositories = {

examples/cloudbuild_repo_connection_github/outputs.tf

@@ -16,11 +16,11 @@
 
 output "cloud_build_repositories_2nd_gen_connection" {
   description = "Cloudbuild connection created."
-  value       = module.github_connection.cloud_build_repositories_2nd_gen_connection
+  value       = module.git_repo_connection.cloud_build_repositories_2nd_gen_connection
 }
 
 output "cloud_build_repositories_2nd_gen_repositories" {
   description = "Created repositories."
-  value       = module.github_connection.cloud_build_repositories_2nd_gen_repositories
+  value       = module.git_repo_connection.cloud_build_repositories_2nd_gen_repositories
 }
 

examples/cloudbuild_repo_connection_github/variables.tf

@@ -19,13 +19,13 @@ variable "project_id" {
   type        = string
 }
 
-variable "github_pat" {
-  description = "The personal access token for authenticating with GitHub."
+variable "github_pat_secret_id" {
+  description = "The secret ID for the personal access token for authenticating with GitHub."
   type        = string
 }
 
-variable "github_app_id" {
-  description = "The application ID for the Cloudbuild GitHub app."
+variable "github_app_id_secret_id" {
+  description = "The secret ID for the application ID for the Cloudbuild GitHub app."
   type        = string
 }
 
@@ -38,4 +38,3 @@ variable "repository_name" {
   description = "The name of the test repository."
   type        = string
 }
-

examples/cloudbuild_repo_connection_gitlab/README.md

@@ -4,7 +4,15 @@ The example will create Cloud Build repositories (2nd gen) using a Gitlab connec
 
 ## Gitlab Requirements for Cloud Build Connection
 
-When using a Cloud Build repositories (2nd gen) GitLab repository, a Cloud Build connection to your repository provider will be needed.
+When using a Cloud Build repositories (2nd gen) GitLab repository, a Cloud Build connection to your repository provider will be created.
+
+For GitLab connections you will need:
+
+- Create a [Personal Access Token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) on GitLab with [scope](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#personal-access-token-scopes) `api`.
+- Create a [Personal Access Token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) on GitLab with [scope](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#personal-access-token-scopes) `read_api`.
+- Create a [webhook](https://docs.gitlab.com/ee/user/project/integrations/webhooks.html)
+- Create three [Google Secret Manager](https://cloud.google.com/secret-manager/docs/overview) secrets, one for the `api` token, one for the `read_api` token, and one for the `webhook`.
+- Populate the corresponding [secret versions](https://cloud.google.com/secret-manager/docs/add-secret-version) of each one of the secrets.
 
 For more information on this topic refer to the Cloud Build repositories (2nd gen) documentation:
 - [Connect to a GitLab host](https://cloud.google.com/build/docs/automating-builds/gitlab/connect-host-gitlab)
@@ -15,8 +23,9 @@ For more information on this topic refer to the Cloud Build repositories (2nd ge
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| gitlab\_authorizer\_credential | Credential for GitLab authorizer | `string` | n/a | yes |
-| gitlab\_read\_authorizer\_credential | Credential for GitLab read authorizer | `string` | n/a | yes |
+| gitlab\_authorizer\_secret\_id | The secret ID for the credential for GitLab authorizer | `string` | n/a | yes |
+| gitlab\_read\_authorizer\_secret\_id | The secret ID for the credential for GitLab read authorizer | `string` | n/a | yes |
+| gitlab\_webhook\_secret\_id | The secret ID for the WebHook for GitLab | `string` | n/a | yes |
 | project\_id | The ID of the project in which to provision resources. | `string` | n/a | yes |
 | repository\_name | The name of the test repository. | `string` | n/a | yes |
 | repository\_url | The HTTPS clone URL of the repository, ending with .git. | `string` | n/a | yes |

examples/cloudbuild_repo_connection_gitlab/main.tf

@@ -14,14 +14,16 @@
  * limitations under the License.
  */
 
-module "gitlab_connection" {
-  source = "../../modules/cloudbuild_repo_connection"
+module "git_repo_connection" {
+  source  = "terraform-google-modules/bootstrap/google//modules/cloudbuild_repo_connection"
+  version = "~> 8.0"
 
   project_id = var.project_id
-  credential_config = {
-    credential_type                   = "GITLABv2"
-    gitlab_authorizer_credential      = var.gitlab_authorizer_credential
-    gitlab_read_authorizer_credential = var.gitlab_read_authorizer_credential
+  connection_config = {
+    connection_type                             = "GITLABv2"
+    gitlab_authorizer_credential_secret_id      = var.gitlab_authorizer_secret_id
+    gitlab_read_authorizer_credential_secret_id = var.gitlab_read_authorizer_secret_id
+    gitlab_webhook_secret_id                    = var.gitlab_webhook_secret_id
   }
 
   cloud_build_repositories = {

examples/cloudbuild_repo_connection_gitlab/outputs.tf

@@ -16,10 +16,10 @@
 
 output "cloud_build_repositories_2nd_gen_connection" {
   description = "Cloudbuild connection created."
-  value       = module.gitlab_connection.cloud_build_repositories_2nd_gen_connection
+  value       = module.git_repo_connection.cloud_build_repositories_2nd_gen_connection
 }
 
 output "cloud_build_repositories_2nd_gen_repositories" {
   description = "Created repositories."
-  value       = module.gitlab_connection.cloud_build_repositories_2nd_gen_repositories
+  value       = module.git_repo_connection.cloud_build_repositories_2nd_gen_repositories
 }

examples/cloudbuild_repo_connection_gitlab/variables.tf

@@ -29,13 +29,17 @@ variable "repository_name" {
   type        = string
 }
 
-variable "gitlab_authorizer_credential" {
-  description = "Credential for GitLab authorizer"
+variable "gitlab_authorizer_secret_id" {
+  description = "The secret ID for the credential for GitLab authorizer"
   type        = string
 }
 
-variable "gitlab_read_authorizer_credential" {
-  description = "Credential for GitLab read authorizer"
+variable "gitlab_read_authorizer_secret_id" {
+  description = "The secret ID for the credential for GitLab read authorizer"
   type        = string
 }
 
+variable "gitlab_webhook_secret_id" {
+  description = "The secret ID for the WebHook for GitLab"
+  type        = string
+}

examples/im_cloudbuild_workspace_github/main.tf

@@ -15,7 +15,8 @@
  */
 
 module "im_workspace" {
-  source = "../../modules/im_cloudbuild_workspace"
+  source  = "terraform-google-modules/bootstrap/google//modules/im_cloudbuild_workspace"
+  version = "~> 8.0"
 
   project_id    = var.project_id
   deployment_id = "im-example-github-deployment"

examples/im_cloudbuild_workspace_gitlab/main.tf

@@ -15,7 +15,8 @@
  */
 
 module "im_workspace" {
-  source = "../../modules/im_cloudbuild_workspace"
+  source  = "terraform-google-modules/bootstrap/google//modules/im_cloudbuild_workspace"
+  version = "~> 8.0"
 
   project_id    = var.project_id
   deployment_id = "im-example-gitlab-deployment"

examples/tf_cloudbuild_builder_simple/main.tf

@@ -22,6 +22,7 @@ module "cloudbuilder" {
   dockerfile_repo_uri = google_sourcerepo_repository.builder_dockerfile_repo.url
   trigger_location    = "us-central1"
   gar_repo_location   = "us-central1"
+  build_timeout       = "1200s"
   # allow logs bucket to be destroyed
   cb_logs_bucket_force_destroy = true
 }
@@ -36,7 +37,9 @@ resource "google_sourcerepo_repository" "builder_dockerfile_repo" {
 module "bootstrap_csr_repo" {
   source  = "terraform-google-modules/gcloud/google"
   version = "~> 3.1"
-  upgrade = false
+
+  upgrade           = false
+  module_depends_on = [module.cloudbuilder]
 
   create_cmd_entrypoint = "${path.module}/scripts/push-to-repo.sh"
   create_cmd_body       = "${module.enabled_google_apis.project_id} ${split("/", google_sourcerepo_repository.builder_dockerfile_repo.id)[3]} ${path.module}/Dockerfile"

examples/tf_cloudbuild_builder_simple_github/README.md

@@ -6,6 +6,8 @@ For GitHub connections you will need:
 
 - Install the [Cloud Build App](https://github.com/apps/google-cloud-build) on Github.
 - Create a [Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) on Github with [scopes](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes) `repo` and `read:user` (or if app is installed in a organization use `read:org`).
+- Create two [Google Secret Manager](https://cloud.google.com/secret-manager/docs/overview) secrets, one for the Cloud Build App and one for the Personal Access Token.
+- Populate the corresponding [secret versions](https://cloud.google.com/secret-manager/docs/add-secret-version) of each one of the secrets.
 
 For more information on this topic refer to the Cloud Build repositories (2nd gen) documentation for
 [Connect to a GitHub repository](https://cloud.google.com/build/docs/automating-builds/github/connect-repo-github?generation=2nd-gen).
@@ -15,7 +17,8 @@ For more information on this topic refer to the Cloud Build repositories (2nd ge
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| github\_pat | GitHub personal access token. | `string` | n/a | yes |
+| github\_app\_id\_secret\_id | The secret ID for the application ID for the Cloudbuild GitHub app. | `string` | n/a | yes |
+| github\_pat\_secret\_id | The secret ID for the personal access token for authenticating with GitHub. | `string` | n/a | yes |
 | project\_id | The ID of the project in which to provision resources. | `string` | n/a | yes |
 | repository\_uri | The URI of the GitHub repository where the Terraform configs are stored. | `string` | n/a | yes |