Basic usage of this module is as follows:
module "bootstrap" {
source = "terraform-google-modules/bootstrap/google//modules/cloudbuild"
version = "~> 11.0"
org_id = "<ORGANIZATION_ID>"
billing_account = "<BILLING_ACCOUNT_ID>"
group_org_admins = "[email protected]"
default_region = "australia-southeast1"
sa_enable_impersonation = true
terraform_sa_email = "<SERVICE_ACCOUNT_EMAIL>"
terraform_sa_name = "<SERVICE_ACCOUNT_NAME>"
terraform_state_bucket = "<GCS_STATE_BUCKET_NAME>"
}
Functional examples and sample Cloud Build definitions are included in the examples directory.
- Create a new GCP cloud build project using
project_prefix
- Enable APIs in the cloud build project using
activate_apis
- Build a Terraform docker image for Cloud Build, including terraform-validator.
- Create a GCS bucket for Cloud Build Artifacts using
project_prefix
- Create Cloud Source Repos for pipelines using list of repos in
cloud_source_repos
- Create Cloud Build trigger for terraform apply on master branch
- Create Cloud Build trigger for terrafor plan on all other branches
- Create KMS Keyring and key for encryption
- Grant access to decrypt to Cloud Build service account and
terraform_sa_email
- Grant access to encrypt to
group_org_admins
- Grant access to decrypt to Cloud Build service account and
- Optionally give Cloud Build service account permissions to impersonate terraform service account using
sa_enable_impersonation
and supplied value forterraform_sa_name
- KMS Keyring and key for secrets, including IAM for Cloudbuild, Org Admins and Terraform service acocunt
- (optional) Cloudbuild impersonation permissions for a service account
- (optional) Cloud Source Repos, with triggers for terraform plan (all other branches) & terraform apply (master)
Name | Description | Type | Default | Required |
---|---|---|---|---|
activate_apis | List of APIs to enable in the Cloudbuild project. | list(string) |
[ |
no |
billing_account | The ID of the billing account to associate projects with. | string |
n/a | yes |
cloud_source_repos | List of Cloud Source Repos to create with CloudBuild triggers. | list(string) |
[ |
no |
cloudbuild_apply_filename | Path and name of Cloud Build YAML definition used for terraform apply. | string |
"cloudbuild-tf-apply.yaml" |
no |
cloudbuild_plan_filename | Path and name of Cloud Build YAML definition used for terraform plan. | string |
"cloudbuild-tf-plan.yaml" |
no |
create_cloud_source_repos | If shared Cloud Source Repos should be created. | bool |
true |
no |
default_region | Default region to create resources where applicable. | string |
"us-central1" |
no |
folder_id | The ID of a folder to host this project | string |
"" |
no |
force_destroy | If supplied, the logs and artifacts buckets will be deleted even while containing objects. | bool |
false |
no |
gar_repo_name | Custom name to use for GAR repo. | string |
"" |
no |
gcloud_version | Default gcloud image version. | string |
"504.0.0-slim" |
no |
group_org_admins | Google Group for GCP Organization Administrators | string |
n/a | yes |
impersonate_service_account | The service account to impersonate while running the gcloud builds submit command. | string |
"" |
no |
org_id | GCP Organization ID | string |
n/a | yes |
project_auto_create_network | Create the default network for the project created. | bool |
false |
no |
project_deletion_policy | The deletion policy for the project created. | string |
"PREVENT" |
no |
project_id | Custom project ID to use for project created. | string |
"" |
no |
project_labels | Labels to apply to the project. | map(string) |
{} |
no |
project_prefix | Name prefix to use for projects created. | string |
"cft" |
no |
random_suffix | Appends a 4 character random suffix to project ID and GCS bucket name. | bool |
true |
no |
sa_enable_impersonation | Allow org_admins group to impersonate service account & enable APIs required. | bool |
false |
no |
storage_bucket_labels | Labels to apply to the storage bucket. | map(string) |
{} |
no |
terraform_apply_branches | List of git branches configured to run terraform apply Cloud Build trigger. All other branches will run plan by default. | list(string) |
[ |
no |
terraform_sa_email | Email for terraform service account. | string |
n/a | yes |
terraform_sa_name | Fully-qualified name of the terraform service account. | string |
n/a | yes |
terraform_state_bucket | Default state bucket, used in Cloud Build substitutions. | string |
n/a | yes |
terraform_version | Default terraform version. | string |
"1.0.2" |
no |
terraform_version_sha256sum | sha256sum for default terraform version. | string |
"7329f887cc5a5bda4bedaec59c439a4af7ea0465f83e3c1b0f4d04951e1181f4" |
no |
Name | Description |
---|---|
cloudbuild_project_id | Project where CloudBuild configuration and terraform container image will reside. |
csr_repos | List of Cloud Source Repos created by the module, linked to Cloud Build triggers. |
gcs_bucket_cloudbuild_artifacts | Bucket used to store Cloud/Build artifacts in CloudBuild project. |
gcs_bucket_cloudbuild_logs | Bucket used to store Cloud/Build logs in CloudBuild project. |
tf_runner_artifact_repo | GAR Repo created to store runner images |
- gcloud sdk >= 206.0.0
- Terraform >= 1.3
- [terraform-provider-google] plugin 3.50.x
roles/billing.user
on supplied billing accountroles/resourcemanager.organizationAdmin
on GCP Organizationroles/resourcemanager.projectCreator
on GCP Organization or folder
A project with the following APIs enabled must be used to host the resources of this module:
- Google Cloud Resource Manager API:
cloudresourcemanager.googleapis.com
- Google Cloud Billing API:
cloudbilling.googleapis.com
- Google Cloud IAM API:
iam.googleapis.com
- Google Cloud Storage API
storage-api.googleapis.com
- Google Cloud Service Usage API:
serviceusage.googleapis.com
- Google Cloud Build API:
cloudbuild.googleapis.com
- Google Cloud KMS API:
cloudkms.googleapis.com
If using Cloud Source Repositories, Google Cloud Source Repo API: sourcerepo.googleapis.com
must also be enabled.
This API can be enabled in the default project created during establishing an organization.
Refer to the contribution guidelines for information on contributing to this module.