fix: pass through labels (#38)

* fix: pass through labels
* fix: add artifact storage to CD target
* fix: update devtools
* fix: tflint fixes
* fix: docs
* fix: bump GKE module version
* fix: specify autoscaling location_policy value

Makefile

@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.4
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 

build/int.cloudbuild.yaml

@@ -122,4 +122,4 @@ tags:
 - 'deployment'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.4'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1'

build/lint.cloudbuild.yaml

@@ -21,4 +21,4 @@ tags:
 - 'lint'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.4'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1'

examples/app_cicd/README.md

@@ -133,7 +133,7 @@ done
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | deploy\_branch\_clusters | mapping of branch names to cluster deployments | <pre>map(object({<br>    cluster               = string<br>    project_id            = string<br>    location              = string<br>    required_attestations = list(string)<br>    env_attestation       = string<br>    next_env              = string<br>  }))</pre> | `{}` | no |
-| primary\_location | Region used for key-ring | `string` | n/a | yes |
+| primary\_location | Region used for key-ring | `string` | `"us-central1"` | no |
 | project\_id | Project ID for CICD Pipeline Project | `string` | n/a | yes |
 
 ## Outputs

examples/app_cicd/main.tf

@@ -24,7 +24,7 @@ module "ci_pipeline" {
   app_source_repo           = "app-source"
   cloudbuild_cd_repo        = "cloudbuild-cd-config"
   gar_repo_name_suffix      = "app-image-repo"
-  primary_location          = "us-central1"
+  primary_location          = var.primary_location
   attestor_names_prefix     = ["build", "security", "quality"]
   cache_bucket_name         = "app-cloudbuild"
   app_build_trigger_yaml    = "cloudbuild-ci.yaml"
@@ -37,7 +37,7 @@ module "ci_pipeline" {
 module "cd_pipeline" {
   source           = "../../modules/secure-cd"
   project_id       = var.project_id
-  primary_location = "us-central1"
+  primary_location = var.primary_location
 
   gar_repo_name             = module.ci_pipeline.app_artifact_repo
   cloudbuild_cd_repo        = "cloudbuild-cd-config"

examples/app_cicd/variables.tf

@@ -22,8 +22,10 @@ variable "project_id" {
 variable "primary_location" {
   type        = string
   description = "Region used for key-ring"
+  default     = "us-central1"
 }
 
+
 variable "deploy_branch_clusters" {
   type = map(object({
     cluster               = string

examples/standalone_single_project/cicd.tf

@@ -51,7 +51,7 @@ locals {
 # Secure-CI
 module "ci_pipeline" {
   source  = "GoogleCloudPlatform/secure-cicd/google//modules/secure-ci"
-  version = "0.2.0"
+  version = "~> 0.2"
 
   project_id                = var.project_id
   app_source_repo           = "${var.app_name}-source"
@@ -66,12 +66,13 @@ module "ci_pipeline" {
   cloudbuild_private_pool   = module.cloudbuild_private_pool.workerpool_id
   clouddeploy_pipeline_name = local.clouddeploy_pipeline_name
   skip_provisioners         = true
+  labels                    = var.labels
 }
 
 # Secure-CD
 module "cd_pipeline" {
   source  = "GoogleCloudPlatform/secure-cicd/google//modules/secure-cd"
-  version = "0.2.0"
+  version = "~> 0.2"
 
   project_id       = var.project_id
   primary_location = var.region
@@ -83,6 +84,7 @@ module "cd_pipeline" {
   cache_bucket_name         = module.ci_pipeline.cache_bucket_name
   cloudbuild_private_pool   = module.cloudbuild_private_pool.workerpool_id
   clouddeploy_pipeline_name = local.clouddeploy_pipeline_name
+  labels                    = var.labels
   depends_on = [
     module.ci_pipeline
   ]
@@ -91,7 +93,7 @@ module "cd_pipeline" {
 # Cloud Build Private Pool
 module "cloudbuild_private_pool" {
   source  = "GoogleCloudPlatform/secure-cicd/google//modules/cloudbuild-private-pool"
-  version = "0.2.0"
+  version = "~> 0.2"
 
   project_id                = var.project_id
   network_project_id        = var.project_id
@@ -103,4 +105,6 @@ module "cloudbuild_private_pool" {
 
   worker_address    = "10.39.0.0"
   worker_range_name = "cloudbuild-worker-range"
+
+  labels = var.labels
 }

examples/standalone_single_project/gke.tf

@@ -17,17 +17,17 @@
 locals {
   envs = [var.env1_name, var.env2_name, var.env3_name]
   ip_increment = {
-    "${var.env1_name}" = 1,
-    "${var.env2_name}" = 2,
-    "${var.env3_name}" = 3
+    (var.env1_name) = 1,
+    (var.env2_name) = 2,
+    (var.env3_name) = 3
   }
 }
 
 # Private GKE Clusters
 module "gke_cluster" {
   for_each = toset(local.envs)
   source   = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
-  version  = "~> 23.0.0"
+  version  = "~> 24.1.0"
 
   project_id                  = var.project_id
   name                        = "${var.app_name}-cluster-${each.value}"
@@ -64,6 +64,18 @@ module "gke_cluster" {
     }
   ]
 
+  node_pools = [
+    {
+      name            = "default-node-pool"
+      location_policy = "BALANCED"
+    }
+  ]
+
+  node_pools_labels = {
+    all = var.labels
+  }
+  cluster_resource_labels = var.labels
+
   depends_on = [
     module.vpc
   ]

examples/standalone_single_project/network.tf

@@ -64,7 +64,7 @@ resource "google_compute_network_peering_routes_config" "gke_peering_routes_conf
 # Cloud Build Workerpool <-> GKE HA VPNs
 module "gke_cloudbuild_vpn" {
   source  = "GoogleCloudPlatform/secure-cicd/google//modules/workerpool-gke-ha-vpn"
-  version = "0.2.0"
+  version = "~> 0.2"
 
   project_id = var.project_id
   location   = var.region
@@ -73,9 +73,9 @@ module "gke_cloudbuild_vpn" {
   gke_network  = module.vpc.network_name
   gke_location = var.region
   gke_control_plane_cidrs = {
-    "${module.gke_cluster[var.env1_name].master_ipv4_cidr_block}" = "GKE ${var.env1_name} control plane"
-    "${module.gke_cluster[var.env2_name].master_ipv4_cidr_block}" = "GKE ${var.env2_name} control plane",
-    "${module.gke_cluster[var.env3_name].master_ipv4_cidr_block}" = "GKE ${var.env3_name} control plane",
+    (module.gke_cluster[var.env1_name].master_ipv4_cidr_block) = "GKE ${var.env1_name} control plane"
+    (module.gke_cluster[var.env2_name].master_ipv4_cidr_block) = "GKE ${var.env2_name} control plane",
+    (module.gke_cluster[var.env3_name].master_ipv4_cidr_block) = "GKE ${var.env3_name} control plane",
   }
 
   workerpool_network = module.cloudbuild_private_pool.workerpool_network
@@ -84,4 +84,6 @@ module "gke_cloudbuild_vpn" {
   gateway_2_asn      = 65002
   bgp_range_1        = "169.254.1.0/30"
   bgp_range_2        = "169.254.2.0/30"
+
+  labels = var.labels
 }

modules/cloudbuild-private-pool/README.md

@@ -59,8 +59,8 @@ module "cloudbuild_private_pool" {
 
 | Name | Description |
 |------|-------------|
-| workerpool\_id | n/a |
-| workerpool\_network | n/a |
-| workerpool\_range | n/a |
+| workerpool\_id | Cloud Build worker pool ID |
+| workerpool\_network | Self Link for Cloud Build workerpool VPC network |
+| workerpool\_range | IP Address range for Cloud Build worker pool |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/cloudbuild-private-pool/outputs.tf

@@ -15,13 +15,16 @@
  */
 
 output "workerpool_id" {
-  value = google_cloudbuild_worker_pool.pool.id
+  value       = google_cloudbuild_worker_pool.pool.id
+  description = "Cloud Build worker pool ID"
 }
 
 output "workerpool_range" {
-  value = "${google_compute_global_address.worker_range.address}/${google_compute_global_address.worker_range.prefix_length}"
+  value       = "${google_compute_global_address.worker_range.address}/${google_compute_global_address.worker_range.prefix_length}"
+  description = "IP Address range for Cloud Build worker pool"
 }
 
 output "workerpool_network" {
-  value = var.create_cloudbuild_network ? google_compute_network.private_pool_vpc[0].self_link : data.google_compute_network.workerpool_vpc[0].self_link
+  value       = var.create_cloudbuild_network ? google_compute_network.private_pool_vpc[0].self_link : data.google_compute_network.workerpool_vpc[0].self_link
+  description = "Self Link for Cloud Build workerpool VPC network"
 }

modules/cloudbuild-private-pool/versions.tf

@@ -15,11 +15,16 @@
  */
 
 terraform {
+  required_version = ">= 0.13.0"
   required_providers {
     google = {
       source  = "hashicorp/google"
       version = ">= 4.3.0" # google_cloudbuild_worker_pool in GA requires >= 4.3.0
     }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = ">= 4.3.0"
+    }
   }
 
   provider_meta "google" {

modules/secure-cd/main.tf

@@ -42,9 +42,10 @@ resource "google_clouddeploy_target" "deploy_target" {
   }
 
   execution_configs {
-    usages          = ["RENDER", "DEPLOY"]
-    worker_pool     = var.cloudbuild_private_pool
-    service_account = google_service_account.clouddeploy_execution_sa.email
+    usages           = ["RENDER", "DEPLOY"]
+    worker_pool      = var.cloudbuild_private_pool
+    artifact_storage = "gs://${var.cache_bucket_name}/clouddeploy-artifacts"
+    service_account  = google_service_account.clouddeploy_execution_sa.email
   }
 
   depends_on = [

modules/secure-ci/main.tf

@@ -102,10 +102,6 @@ resource "google_artifact_registry_repository" "image_repo" {
   labels        = var.labels
 }
 
-data "google_project" "app_cicd_project" {
-  project_id = var.project_id
-}
-
 resource "google_artifact_registry_repository_iam_member" "terraform-image-iam" {
   provider   = google-beta
   project    = var.project_id

modules/secure-ci/versions.tf

@@ -25,6 +25,10 @@ terraform {
       source  = "hashicorp/google-beta"
       version = ">= 3.45"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.3.2"
+    }
   }
 
   provider_meta "google" {

modules/workerpool-gke-ha-vpn/README.md

@@ -195,11 +195,11 @@ resource "google_compute_network_peering_routes_config" "gke_peering_routes_conf
 
 | Name | Description |
 |------|-------------|
-| vpn\_gateway\_cloudbuild | n/a |
-| vpn\_gateway\_gke | n/a |
-| vpn\_router\_cloudbuild\_names | n/a |
-| vpn\_router\_gke\_names | n/a |
-| vpn\_tunnel\_cloudbuild\_names | n/a |
-| vpn\_tunnel\_gke\_names | n/a |
+| vpn\_gateway\_cloudbuild | Name of HA VPN gateway on Cloud Build VPC |
+| vpn\_gateway\_gke | Name of HA VPN gateway on GKE VPC |
+| vpn\_router\_cloudbuild\_names | Names of HA VPN router on Cloud Build VPC |
+| vpn\_router\_gke\_names | Names of HA VPN router on GKE VPC |
+| vpn\_tunnel\_cloudbuild\_names | Names of HA VPN tunnels on Cloud Build VPC |
+| vpn\_tunnel\_gke\_names | Names of HA VPN tunnels on GKE VPC |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/workerpool-gke-ha-vpn/outputs.tf

@@ -15,25 +15,31 @@
  */
 
 output "vpn_gateway_cloudbuild" {
-  value = module.vpn_ha_1.name
+  value       = module.vpn_ha_1.name
+  description = "Name of HA VPN gateway on Cloud Build VPC"
 }
 
 output "vpn_gateway_gke" {
-  value = module.vpn_ha_2.name
+  value       = module.vpn_ha_2.name
+  description = "Name of HA VPN gateway on GKE VPC"
 }
 
 output "vpn_tunnel_cloudbuild_names" {
-  value = module.vpn_ha_1.tunnel_names
+  value       = module.vpn_ha_1.tunnel_names
+  description = "Names of HA VPN tunnels on Cloud Build VPC"
 }
 
 output "vpn_tunnel_gke_names" {
-  value = module.vpn_ha_2.tunnel_names
+  value       = module.vpn_ha_2.tunnel_names
+  description = "Names of HA VPN tunnels on GKE VPC"
 }
 
 output "vpn_router_cloudbuild_names" {
-  value = module.vpn_ha_1.router_name
+  value       = module.vpn_ha_1.router_name
+  description = "Names of HA VPN router on Cloud Build VPC"
 }
 
 output "vpn_router_gke_names" {
-  value = module.vpn_ha_2.router_name
+  value       = module.vpn_ha_2.router_name
+  description = "Names of HA VPN router on GKE VPC"
 }