A Terraform module for provisioning the DevSecOps CI, CD, and CC toolchains.
The Terraform CLI is a command line application from HashiCorp that runs the different Terraform commands.
Install the Terraform CLI for your platform.

Homebrew (macOS): install the HashiCorp tap, then Terraform.

```shell
brew tap hashicorp/tap
brew install hashicorp/tap/terraform
```

yum (RHEL-based distributions): install `yum-utils`, add the HashiCorp repository, then install Terraform. `$release` stands for your distribution name in the HashiCorp RPM repository path.

```shell
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/$release/hashicorp.repo
yum install terraform
```

apt (Debian-based distributions): import the HashiCorp signing key into a dedicated keyring, check its fingerprint, register the repository pinned to that keyring with `signed-by=`, then install Terraform.

```shell
sudo apt-get update && sudo apt-get install -y gnupg software-properties-common
wget -O- https://apt.releases.hashicorp.com/gpg | \
  gpg --dearmor | \
  sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg
gpg --no-default-keyring \
  --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg \
  --fingerprint
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] \
  https://apt.releases.hashicorp.com $(lsb_release -cs) main" | \
  sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update
sudo apt-get install terraform
```

Compare the fingerprint printed by the `gpg --fingerprint` step with the one HashiCorp publishes before you install from the repository; the `signed-by=` option limits that keyring to verifying this one source.

Verify the installation by running `terraform -help`. For additional platforms, see Install Terraform.
The Terraform commands used in this guide:

- `terraform init` initialises the working directory containing the Terraform configuration files.
- `terraform plan` provides a preview of the actions that Terraform will perform on your infrastructure.
- `terraform apply` performs the infrastructure modifications outlined by the `plan` command.
- `terraform destroy` deletes all the resources managed by the Terraform project.
- `terraform help` lists and describes Terraform CLI commands.
Before you run the module, complete the following prerequisites:

1. Set up an IBM Cloud account. Depending on your IBM Cloud account type, access to certain resources might be limited. Depending on your account plan limits, certain capabilities that are required by some DevSecOps toolchains might not be available. For more information, see Setting up your IBM Cloud account and Upgrading your account.
2. Ensure that all of the secret values that you need are stored in a secrets management vault. Managing IBM Cloud secrets can help you to choose from various secrets management and data protection offerings. If you don't already have an instance of the secrets management vault provider of your choice, create one. For information about IBM Cloud® Secrets Manager, see Getting started with Secrets Manager.
3. Create a Kubernetes cluster. While you are evaluating the service, you can use the Free pricing plan. The cluster might take some time to provision. As the cluster is created, it progresses through these stages: Deploying, Pending, and Ready. For more information, see Getting started with Container Registry.
4. Create an IBM Cloud® Container Registry namespace. IBM Cloud Container Registry provides a multi-tenant private image registry that you can use to store and share your container images with users in your IBM Cloud account. Select the location for your namespace, and click Create. For more information, see Getting started with Container Registry.
5. Create an image signing key with the proper encoding to sign your application Docker images.
6. Create an IBM Cloud API key. Save the API key value by copying it, downloading it, or adding it to your vault.
7. Create an IBM Cloud Object Storage instance and bucket. For more information, see Configuring IBM Cloud Object Storage for storing evidence and What is IBM Cloud Object Storage?.

See also Required IAM access policies.
The following steps create the out-of-the-box setup for the CI, CD and CC toolchains. Read through the example tfvars for a quick setup, and see the inputs for all modifiable settings. Variables prefixed with `ci_`, `cd_` and `cc_` belong to the corresponding toolchain. The non-prefixed general variables at the end of the list apply across all three toolchains; a prefixed variable takes precedence over its general counterpart.
1. Clone terraform-ibm-devsecops-alm to a local directory and `cd` into the cloned directory.
2. Run `terraform init` to download the required modules and plugins.
3. Supply a `terraform.tfvars` file with the required variables. See `variables.tfvars.example` in the `examples` directory and rename `variables.tfvars.example` to `variables.tfvars`. The following snippet shows the minimum required details to set up the CI, CD, and CC toolchains; read the notes in the sample tfvars file for more details.

   ```hcl
   ibmcloud_api_key = "{set your ibmcloud apikey}"
   toolchain_region = "us-south"
   ci_toolchain_name = "DevSecOps CI Toolchain - Terraform"
   cd_toolchain_name = "DevSecOps CD Toolchain - Terraform"
   cc_toolchain_name = "DevSecOps CC Toolchain - Terraform"
   toolchain_resource_group = "Default"
   ci_registry_namespace = "my-namespace"
   ci_registry_region = "ibm:yp:us-south"
   ci_cluster_name = "mycluster-free"
   ci_cluster_namespace = "prod"
   ci_dev_region = "ibm:yp:us-south"
   ci_dev_resource_group = "Default"
   cd_cluster_name = "mycluster-free"
   cd_cluster_namespace = "prod"
   sm_name = "sm-compliance-secrets"
   sm_location = "eu-gb"
   sm_resource_group = "Default"
   sm_secret_group = "Default"
   ```

4. Run `terraform plan -var-file 'path-to-variables.tfvars'` to generate a plan and check for potential problems (the Terraform CLI flag is `-var-file`, singular).
5. Run `terraform apply -var-file 'path-to-variables.tfvars'` to execute the Terraform commands.

After a successful Terraform run, log in to IBM Cloud and look at the Toolchains section to find your newly created DevSecOps toolchains.
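To make the precedence rule and the minimal tfvars concrete, here is an added Python example; it is not part of this module's code. It parses the `name = value` lines of a tfvars file, resolves the effective region, resource group and name for each toolchain by letting a `ci_`/`cd_`/`cc_`-prefixed value override the general one, and flags an `ibmcloud_api_key` that still holds the README placeholder instead of a value from your vault. The sample input is constructed from the snippet above, and the example assumes that an empty prefixed value (`""`, the table default for `cc_toolchain_region` and friends) counts as unset and falls back to the general variable.

```python
"""Resolve per-toolchain settings from a tfvars file and lint the secrets it carries.

Added illustration of the precedence rule in this README (a ci_/cd_/cc_-prefixed
variable overrides the general, non-prefixed one). This is not the module's own
code, and it assumes an empty prefixed value ("") means "unset, fall back".
"""
import re

# Constructed sample modelled on the README's minimal tfvars; the cd_ region
# override and the untouched API key placeholder are there on purpose.
SAMPLE_TFVARS = """
ibmcloud_api_key = "{set your ibmcloud apikey}"
toolchain_region = "us-south"
toolchain_resource_group = "Default"
ci_toolchain_name = "DevSecOps CI Toolchain - Terraform"
cd_toolchain_name = "DevSecOps CD Toolchain - Terraform"
cc_toolchain_name = "DevSecOps CC Toolchain - Terraform"
ci_registry_namespace = "my-namespace"
ci_cluster_name = "mycluster-free"
cd_cluster_name = "mycluster-free"
cd_toolchain_region = "eu-de"  # prefixed override: applies to the CD toolchain only
cc_toolchain_region = ""       # empty: falls back to toolchain_region
sm_name = "sm-compliance-secrets"
sm_location = "eu-gb"
sm_resource_group = "Default"
sm_secret_group = "Default"
"""

TOOLCHAINS = ("ci", "cd", "cc")
# General variables the README's minimal snippet supplies; treated as required here (assumption).
REQUIRED_GENERAL = ("ibmcloud_api_key", "toolchain_region", "toolchain_resource_group")
# One `name = value` assignment per line; the value is a quoted string or a bare token.
# Lists, maps and heredocs are out of scope for this illustration.
_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?:"([^"]*)"|([^\s#]+))')


def parse_tfvars(text):
    """Return {name: value}; quoted strings stay strings, true/false become bools."""
    values = {}
    for line in text.splitlines():
        match = _ASSIGN.match(line)
        if not match:
            continue  # blank line, comment, or unsupported syntax
        name, quoted, bare = match.groups()
        if quoted is not None:
            values[name] = quoted
        elif bare in ("true", "false"):
            values[name] = bare == "true"
        else:
            values[name] = bare
    return values


def resolve(values, toolchain, setting):
    """README rule: `<toolchain>_<setting>` wins over `<setting>` when set and non-empty."""
    prefixed = values.get(f"{toolchain}_{setting}")
    if prefixed not in (None, ""):
        return prefixed
    return values.get(setting)


def effective_settings(values, settings=("toolchain_region",
                                         "toolchain_resource_group",
                                         "toolchain_name")):
    """Effective value of each setting for each of the three toolchains."""
    return {tc: {s: resolve(values, tc, s) for s in settings} for tc in TOOLCHAINS}


def lint(values):
    """Problems to fix before `terraform plan`: missing general variables, and an
    API key that is still the README placeholder rather than a value from the vault."""
    problems = [f"missing required variable: {k}" for k in REQUIRED_GENERAL if not values.get(k)]
    api_key = str(values.get("ibmcloud_api_key", ""))
    if api_key.startswith("{") or "set your" in api_key:
        problems.append("ibmcloud_api_key is still the placeholder; take the real key from your vault")
    return problems


if __name__ == "__main__":
    parsed = parse_tfvars(SAMPLE_TFVARS)
    for toolchain, settings in effective_settings(parsed).items():
        print(toolchain, settings)
    for problem in lint(parsed):
        print("WARNING:", problem)
```

Run it against your own file by replacing `SAMPLE_TFVARS` with the file contents; the CD toolchain resolves to `eu-de` while CI and CC inherit `us-south`, and the lint step reports the placeholder API key, which is exactly the value you do not want committed alongside the tfvars.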
You need the following permissions to run this module.

- Account Management
- IAM Services

| Platform Roles | Description of actions |
|---|---|
| Viewer | View toolchains and delivery pipelines. |
| Operator | Run toolchains and delivery pipelines. |
| Editor | Manage the toolchains, which includes creating and deleting toolchains along with performing all platform actions except managing the account and assigning access policies. |
| Administrator | Perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users. |

| Service Roles | Description of actions |
|---|---|
| Administrator, Writer | The IBM Cloud Object Storage service in your team's resource group. |
| Administrator, Writer | The IBM Cloud® Continuous Delivery service in your team's resource group. |
| Administrator | The toolchain service in your team's resource group. |
| Viewer, Reader, Writer | The IBM Cloud® Kubernetes Service. |
| Viewer, ReaderPlus | The Key Protect service in your team's resource group. |
| Viewer, SecretsReader | The Secrets Manager service in your team's resource group. |
## Requirements

| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| ibm | >= 1.51.0 |

## Modules

| Name | Source | Version |
|---|---|---|
| devsecops_cc_toolchain | Git: https://github.ibm.com/open-toolchain/terraform-ibm-devsecops-cc-toolchain.git | update-params |
| devsecops_cd_toolchain | Git: https://github.ibm.com/open-toolchain/terraform-ibm-devsecops-cd-toolchain.git | update-params |
| devsecops_ci_toolchain | Git: https://github.ibm.com/open-toolchain/terraform-ibm-devsecops-ci-toolchain.git | update-params |

## Resources

No resources.
Name | Description | Type | Default | Required |
---|---|---|---|---|
cc_app_group | Specify user/group for app repo | string |
"" |
no |
cc_app_repo_auth_type | Select the method of authentication that will be used to access the git provider. 'oauth' or 'pat' | string |
"oauth" |
no |
cc_app_branch | The default branch of the app repo | string |
master |
no |
cc_app_repo_git_id | The Git Id of the repository | string |
hostedgit |
no |
cc_app_repo_git_provider | The type of the Git provider | string |
hostedgit |
no |
cc_app_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"git-token" |
no |
cc_authorization_policy_creation | Disable Toolchain service to Secrets Manager Service authorization policy creation. | string |
"" |
no |
cc_compliance_base_image | Pipeline baseimage to run most of the built-in pipeline code. | string |
"" |
no |
cc_compliance_pipeline_group | Specify user/group for compliance pipline repo. | string |
"" |
no |
cc_compliance_pipeline_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string |
"oauth" |
no |
cc_compliance_pipeline_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"git-token" |
no |
cc_cos_api_key_secret_name | Name of the COS API key secret in the secret provider. | string |
"cos-api-key" |
no |
cc_cos_bucket_name | COS bucket name. | string |
"" |
no |
cc_cos_endpoint | COS endpoint name. | string |
"" |
no |
cc_doi_environment | DevOpsInsights environment for DevSecOps CD deployment. | string |
"" |
no |
cc_doi_toolchain_id | DevOpsInsights toolchain ID to link to. | string |
"" |
no |
cc_enable_key_protect | Enable the Key Protect integration. | bool |
false |
no |
cc_enable_secrets_manager | Enable the Secrets Manager integration. | bool |
true |
no |
cc_enable_slack | Default: false. Set to true to create the integration. | bool |
false |
no |
cc_environment_tag | Tag name that represents the target environment in the inventory. Example: prod_latest. | string |
"prod_latest" |
no |
cc_evidence_group | Specify Git group for evidence repository. | string |
"" |
no |
cc_evidence_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string |
"oauth" |
no |
cc_evidence_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"git-token" |
no |
cc_inventory_group | Specify Git group for inventory repository | string |
"" |
no |
cc_inventory_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string |
"oauth" |
no |
cc_inventory_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"git-token" |
no |
cc_issues_group | Specify Git group for issues repository. | string |
"" |
no |
cc_issues_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string |
"oauth" |
no |
cc_issues_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"git-token" |
no |
cc_kp_location | IBM Cloud location/region containing the Key Protect instance. | string |
"" |
no |
cc_kp_name | Name of the Key Protect instance where the secrets are stored. | string |
"" |
no |
cc_kp_resource_group | The resource group containing the Key Protect instance for your secrets. | string |
"" |
no |
cc_link_to_doi_toolchain | Enable a link to a DevOpsInsights instance in another toolchain, true or false. | bool |
false |
no |
cc_opt_in_auto_close | Enable auto-closing of issues coming from vulnerabilities, once the vulnerability is no longer detected by the CC pipeline run. | string |
"1" |
no |
cc_opt_in_dynamic_api_scan | Enable the OWASP Zap API scan. '1' enable or '0' disable. | string |
"" |
no |
cc_opt_in_dynamic_scan | Enable the OWASP Zap scan. '1' enable or '0' disable. | string |
"" |
no |
cc_opt_in_dynamic_ui_scan | Enable the OWASP Zap UI scan. '1' enable or '0' disable. | string |
"" |
no |
cc_pipeline_config_group | Specify user/group for pipeline config repo. | string |
"" |
no |
cc_pipeline_config_path | The name and path of the pipeline-config.yaml file within the pipeline-config repo. | string |
".pipeline-config.yaml" |
no |
cc_pipeline_config_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string |
"oauth" |
no |
cc_pipeline_config_repo_branch | Specify the branch containing the custom pipeline-config.yaml file. | string |
"" |
no |
cc_pipeline_config_repo_clone_from_url | Specify a repository containing a custom pipeline-config.yaml file. | string |
"" |
no |
cc_pipeline_config_repo_existing_url | Specify a repository containing a custom pipeline-config.yaml file. | string |
"" |
no |
cc_pipeline_config_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"git-token" |
no |
cc_pipeline_debug | '0' by default. Set to '1' to enable debug logging. | string |
"0" |
no |
cc_pipeline_ibmcloud_api_key_secret_name | Name of the Cloud API key secret in the secret provider. | string |
"ibmcloud-api-key" |
no |
cc_repositories_prefix | The prefix for the compliance repositories. | string |
"compliance-tf" |
no |
cc_scc_enable_scc | Enable the SCC integration | bool |
false |
no |
cc_scc_evidence_namespace | The kind of evidence to be displayed, cc or cd. | string |
"cc" |
no |
cc_scc_ibmcloud_api_key_secret_name | Name of the Cloud API key secret in the secret provider. | string |
"ibmcloud-api-key" |
no |
cc_scc_integration_name | The name of the SCC integration name. | string |
"Security and Compliance" |
no |
cc_scc_profile | Security and Compliance Profile. | string |
"compliance-profile" |
no |
cc_scc_scope | Security and Compliance Scope. | string |
"compliance-scope" |
no |
cc_scc_trigger_scan | Can be set to 'enabled'. Note each scan may incur a charge. | string |
"disabled" |
no |
cc_slack_channel_name | The Slack channel that notifications are posted to. | string |
"my-channel" |
no |
cc_slack_notifications | The switch to turn the Slack integration on or off. | string |
"0" |
no |
cc_slack_pipeline_fail | Generate pipeline failed notifications. | bool |
true |
no |
cc_slack_pipeline_start | Generate pipeline start notifications. | bool |
true |
no |
cc_slack_pipeline_success | Generate pipeline succeeded notifications. | bool |
true |
no |
cc_slack_team_name | The Slack team name, which is the word or phrase before .slack.com in the team URL. | string |
"my-team" |
no |
cc_slack_toolchain_bind | Generate tool added to toolchain notifications. | bool |
true |
no |
cc_slack_toolchain_unbind | Generate tool removed from toolchain notifications. | bool |
true |
no |
cc_slack_webhook_secret_name | Name of the webhook secret in the secret provider. | string |
"slack-webhook" |
no |
cc_sm_location | IBM Cloud location/region containing the Secrets Manager instance. | string |
"" |
no |
cc_sm_name | Name of the Secrets Manager instance where the secrets are stored. | string |
"" |
no |
cc_sm_resource_group | The resource group containing the Secrets Manager instance for your secrets. | string |
"" |
no |
cc_sm_secret_group | The Secrets Manager secret group containing your secrets. | string |
"Default" |
no |
cc_sonarqube_config | Runs a SonarQube scan in an isolated Docker-in-Docker container (default configuration) or in an existing Kubernetes cluster (custom configuration). Options: default or custom. Default is default. | string |
"default" |
no |
cc_toolchain_description | Description for the toolchain. | string |
"Toolchain created with terraform template for DevSecOps CC Best Practices" |
no |
cc_toolchain_name | Name of the toolchain. | string |
"DevSecOps CC Toolchain - Terraform" |
no |
cc_toolchain_region | The region containing the CI toolchain. | string |
"" |
no |
cc_toolchain_resource_group | Resource group within which toolchain is created. | string |
"Default" |
no |
cd_app_version | The version of the app to deploy. | string |
"v1" |
no |
cd_authorization_policy_creation | Disable Toolchain Service to Secrets Manager Service auhorization policy creation. | string |
"" |
no |
cd_change_management_group | Specify group for change management repository. | string |
"" |
no |
cd_change_management_repo | This repository holds the change management requests created for the deployments. | string |
"" |
no |
cd_change_management_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string |
"oauth" |
no |
cd_change_management_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"git-token" |
no |
cd_change_repo_clone_from_url | Override the default management repo , which is cloned into the app repo. Note, using clone_if_not_exists mode, so if the app repo already exists the repo contents are unchanged. | string |
"" |
no |
cd_change_request_id | The ID of an open change request. If this parameter is set to 'notAvailable' by default, a change request is automatically created by the continuous deployment pipeline. | string |
"notAvailable" |
no |
cd_cluster_name | Name of the Kubernetes cluster where the application is deployed. | string |
"mycluster-free" |
no |
cd_cluster_namespace | Name of the Kubernetes cluster namespace where the application is deployed. | string |
"prod" |
no |
cd_cluster_region | Region of the Kubernetes cluster where the application is deployed. | string |
"ibm:yp:us-south" |
no |
cd_compliance_base_image | Pipeline baseimage to run most of the built-in pipeline code. | string |
"" |
no |
cd_compliance_pipeline_group | Specify user/group for compliance pipline repo. | string |
"" |
no |
cd_compliance_pipeline_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string |
"oauth" |
no |
cd_compliance_pipeline_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"git-token" |
no |
cd_cos_api_key_secret_name | Name of the COS API key secret in the secret provider. | string |
"cos-api-key" |
no |
cd_cos_bucket_name | COS bucket name. | string |
"" |
no |
cd_cos_endpoint | COS endpoint name. | string |
"" |
no |
cd_customer_impact | Custom impact of the change request. | string |
"no_impact" |
no |
cd_deployment_group | Specify group for deployment. | string |
"" |
no |
cd_deployment_repo | This repository contains scripts to perform deployment of a docker container for simple Node.js microservice using reference DevSecOps toolchain templates. | string |
"" |
no |
cd_deployment_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string |
"oauth" |
no |
cd_deployment_repo_clone_from_branch | Used when deployment_repo_clone_from_url is provided, the default branch that is used by the CD build, usually either main or master. | string |
"" |
no |
cd_deployment_repo_clone_from_url | Override the default sample app by providing your own sample deployment URL, which is cloned into the app repo. Note, using clone_if_not_exists mode, so if the app repo already exists the repo contents are unchanged. | string |
"" |
no |
cd_deployment_repo_clone_to_git_id | By default absent, else custom server GUID, or other options for 'git_id' field in the browser UI. | string |
"" |
no |
cd_deployment_repo_clone_to_git_provider | By default 'hostedgit', else use 'githubconsolidated' or 'gitlab'. | string |
"" |
no |
cd_deployment_repo_existing_branch | Used when deployment_repo_existing_url is provided, the default branch that is used by the CD build, usually either main or master. | string |
"" |
no |
cd_deployment_repo_existing_git_id | By default absent, else custom server GUID, or other options for 'git_id' field in the browser UI. | string |
"" |
no |
cd_deployment_repo_existing_git_provider | By default 'hostedgit', else use 'githubconsolidated' or 'gitlab'. | string |
"hostedgit" |
no |
cd_deployment_repo_existing_url | Override to bring your own existing deployment repository URL, which is used directly instead of cloning the default deployment sample. | string |
"" |
no |
cd_deployment_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"git-token" |
no |
cd_doi_environment | DevOpsInsights environment for DevSecOps CD deployment. | string |
"" |
no |
cd_doi_toolchain_id | DevOpsInsights toolchain ID to link to. | string |
"" |
no |
cd_emergency_label | Identifies the pull request as an emergency. | string |
"EMERGENCY" |
no |
cd_enable_key_protect | Use the Key Protect integration. | bool |
false |
no |
cd_enable_secrets_manager | Use the Secrets Manager integration. | bool |
true |
no |
cd_enable_slack | Default: false. Set to true to create the integration. | bool |
false |
no |
cd_evidence_group | Specify Git group for evidence repository. | string |
"" |
no |
cd_evidence_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string |
"oauth" |
no |
cd_evidence_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"git-token" |
no |
cd_inventory_group | Specify Git group for inventory repository | string |
"" |
no |
cd_inventory_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string |
"oauth" |
no |
cd_inventory_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"git-token" |
no |
cd_issues_group | Specify Git group for issues repository. | string |
"" |
no |
cd_issues_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string |
"oauth" |
no |
cd_issues_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"git-token" |
no |
cd_kp_location | IBM Cloud location/region containing the Key Protect instance. | string |
"" |
no |
cd_kp_name | Name of the Key Protect instance where the secrets are stored. | string |
"" |
no |
cd_kp_resource_group | The resource group containing the Key Protect instance for your secrets. | string |
"" |
no |
cd_link_to_doi_toolchain | Enable a link to a DevOpsInsights instance in another toolchain, true or false. | bool |
false |
no |
cd_merge_cra_sbom | Merge the SBOM. | string |
"1" |
no |
cd_opt_out_v1_evidence | Opt out of evidence v1. | string |
"1" |
no |
cd_pipeline_config_group | Specify user/group for pipeline config repo. | string |
"" |
no |
cd_pipeline_config_path | The name and path of the pipeline-config.yaml file within the pipeline-config repo. | string |
".pipeline-config.yaml" |
no |
cd_pipeline_config_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string |
"oauth" |
no |
cd_pipeline_config_repo_branch | Specify the branch containing the custom pipeline-config.yaml file. | string |
"" |
no |
cd_pipeline_config_repo_clone_from_url | Specify a repository containing a custom pipeline-config.yaml file. | string |
"" |
no |
cd_pipeline_config_repo_existing_url | Specify a repository containing a custom pipeline-config.yaml file. | string |
"" |
no |
cd_pipeline_config_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"git-token" |
no |
cd_pipeline_debug | '0' by default. Set to '1' to enable debug logging. | string |
"0" |
no |
cd_pipeline_ibmcloud_api_key_secret_name | Name of the Cloud API key secret in the secret provider. | string |
"ibmcloud-api-key" |
no |
cd_region | The target region where the app is deployed. | string |
"" |
no |
cd_repositories_prefix | Prefix name for the cloned compliance repos. | string |
"compliance-tf" |
no |
cd_satellite_cluster_group | The Satellite cluster group. | string |
"" |
no |
cd_scc_enable_scc | Enable the SCC integration | bool |
false |
no |
cd_scc_evidence_namespace | The kind of evidence to be displayed, cc or cd. | string |
"cd" |
no |
cd_scc_ibmcloud_api_key_secret_name | Name of the Cloud API key secret in the secret provider. | string |
"ibmcloud-api-key" |
no |
cd_scc_integration_name | The name of the SCC integration name. | string |
"Security and Compliance" |
no |
cd_scc_profile | Security and Compliance Profile. | string |
"compliance-profile" |
no |
cd_scc_scope | Security and Compliance Scope. | string |
"compliance-scope" |
no |
cd_scc_trigger_scan | Can be set to 'enabled'. Note each scan may incur a charge. | string |
"disabled" |
no |
cd_slack_channel_name | The Slack channel that notifications is posted to. | string |
"my-channel" |
no |
cd_slack_notifications | The switch that turns the Slack integration on or off. | string |
"0" |
no |
cd_slack_pipeline_fail | Generate pipeline failed notifications. | bool |
true |
no |
cd_slack_pipeline_start | Generate pipeline start notifications. | bool |
true |
no |
cd_slack_pipeline_success | Generate pipeline succeeded notifications. | bool |
true |
no |
cd_slack_team_name | The Slack team name, which is the word or phrase before .slack.com in the team URL. | string |
"my-team" |
no |
cd_slack_toolchain_bind | Generate tool added to toolchain notifications. | bool |
true |
no |
cd_slack_toolchain_unbind | Generate tool removed from toolchain notifications. | bool |
true |
no |
cd_slack_webhook_secret_name | Name of the webhook secret in the secret provider. | string |
"slack-webhook" |
no |
cd_sm_location | IBM Cloud location/region containing the Secrets Manager instance. | string |
"" |
no |
cd_sm_name | Name of the Secrets Manager instance where the secrets are stored. | string |
"" |
no |
cd_sm_resource_group | The resource group containing the Secrets Manager instance for your secrets. | string |
"" |
no |
cd_sm_secret_group | The Secrets Manager secret group containing your secrets. | string |
"Default" |
no |
cd_source_environment | The source environment that the app is promoted from. | string |
"master" |
no |
cd_target_environment | The target environment that the app is deployed to. | string |
"prod" |
no |
cd_target_environment_detail | Details of the environment being updated. | string |
"" |
no |
cd_target_environment_purpose | Purpose of the environment being updated. | string |
"production" |
no |
cd_toolchain_description | Description for the toolchain. | string |
"Toolchain created with terraform template for DevSecOps CD Best Practices" |
no |
cd_toolchain_name | Name of the toolchain. | string |
"DevSecOps CD Toolchain - Terraform" |
no |
cd_toolchain_region | The region containing the CI toolchain. | string |
"" |
no |
cd_toolchain_resource_group | Resource group within which toolchain is created. | string |
"Default" |
no |
ci_app_group | Specify Git group for your application. | string |
"" |
no |
ci_app_name | Name of the application image and inventory entry. | string |
"hello-compliance-app" |
no |
ci_app_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string |
"oauth" |
no |
ci_app_repo_clone_from_branch | Used when app_repo_clone_from_url is provided, the default branch that is used by the CI build, usually either main or master. | string |
"" |
no |
ci_app_repo_clone_from_url | Override the default sample app by providing your own sample app URL, which is cloned into the app repo. Note, using clone_if_not_exists mode, so if the app repo already exists the repo contents are unchanged. | string |
"" |
no |
ci_app_repo_clone_to_git_id | By default absent, else custom server GUID, or other options for 'git_id' field in the browser UI. | string |
"" |
no |
ci_app_repo_clone_to_git_provider | By default 'hostedgit', else use 'githubconsolidated' or 'gitlab'. | string |
"" |
no |
ci_app_repo_existing_branch | Used when app_repo_existing_url is provided, the default branch that is used by the CI build, usually either main or master. | string |
"" |
no |
ci_app_repo_existing_git_id | By default absent, else custom server GUID, or other options for 'git_id' field in the browser UI. | string |
"" |
no |
ci_app_repo_existing_git_provider | By default 'hostedgit', else use 'githubconsolidated' or 'gitlab'. | string |
"" |
no |
ci_app_repo_existing_url | Override to bring your own existing application repository URL, which is used directly instead of cloning the default sample. | string |
"" |
no |
ci_app_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"git-token" |
no |
ci_app_version | The version of the app to deploy. | string |
"v1" |
no |
ci_authorization_policy_creation | Disable Toolchain Service to Secrets Manager Service auhorization policy creation. | string |
"" |
no |
ci_cluster_name | Name of the Kubernetes cluster where the application is deployed. | string |
"mycluster-free" |
no |
ci_cluster_namespace | Name of the Kubernetes cluster namespace where the application is deployed. | string |
"default" |
no |
ci_code_engine_build_strategy | The build strategy for the Code Engine entity. Default strategy is 'dockerfile'. Set as 'buildpacks' for 'buildpacks' build. | string |
"" |
no |
ci_code_engine_entity_type | Type of Code Engine entity to create/update as part of deployment. Default type is 'application'. Set as 'job' for 'job' type. | string |
"" |
no |
ci_code_engine_project | The name of the Code Engine project to use (or create). | string |
"DevSecOps_CE" |
no |
ci_code_engine_region | The region to create/lookup for the Code Engine project. | string |
"ibm:yp:us-south" |
no |
ci_code_engine_resource_group | The resource group of the Code Engine project. | string |
"Default" |
no |
ci_code_engine_source | The path to the location of code to build in the repository. | string |
"" |
no |
ci_compliance_base_image | Pipeline baseimage to run most of the built-in pipeline code. | string |
"" |
no |
ci_compliance_pipeline_group | Specify user/group for compliance pipline repo. | string |
"" |
no |
ci_compliance_pipeline_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string |
"oauth" |
no |
ci_compliance_pipeline_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"git-token" |
no |
ci_cos_api_key_secret_name | Name of the COS API key secret in the secret provider. | string |
"cos-api-key" |
no |
ci_cos_bucket_name | COS bucket name. | string |
"" |
no |
ci_cos_endpoint | COS endpoint name. | string |
"" |
no |
ci_cra_generate_cyclonedx_format | If set to 1, CRA also generates the BOM in cyclonedx format (defaults to 1). | string |
"1" |
no |
ci_custom_image_tag | The custom tag for the image in a comma-separated list. | string |
"" |
no |
ci_deployment_target | The deployment target, cluster or code-engine. | string |
"cluster" |
no |
ci_dev_region | Region of the Kubernetes cluster where the application is deployed. | string | "ibm:yp:us-south" | no |
ci_dev_resource_group | The cluster resource group. | string | "Default" | no |
ci_doi_environment | The DevOps Insights target environment. | string | "" | no |
ci_doi_toolchain_id | DevOpsInsights toolchain ID to link to. | string | "" | no |
ci_doi_toolchain_id_pipeline_property | The DevOps Insights instance toolchain ID. | string | "" | no |
ci_enable_key_protect | Set to enable Key Protect Integration. | bool | false | no |
ci_enable_secrets_manager | Set to enable Secrets Manager Integration. | bool | true | no |
ci_enable_slack | Default: false. Set to true to create the integration. | bool | false | no |
ci_evidence_group | Specify the Git group for the evidence repository. | string | "" | no |
ci_evidence_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "oauth" | no |
ci_evidence_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "git-token" | no |
ci_inventory_group | Specify the Git group for the inventory repository. | string | "" | no |
ci_inventory_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "oauth" | no |
ci_inventory_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "git-token" | no |
ci_issues_group | Specify the Git group for the issues repository. | string | "" | no |
ci_issues_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "oauth" | no |
ci_issues_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "git-token" | no |
ci_kp_location | IBM Cloud location/region containing the Key Protect instance. | string | "" | no |
ci_kp_name | Name of the Key Protect instance where the secrets are stored. | string | "" | no |
ci_kp_resource_group | The resource group containing the Key Protect instance. | string | "" | no |
ci_link_to_doi_toolchain | Enable a link to a DevOpsInsights instance in another toolchain, true or false. | bool | false | no |
ci_opt_in_dynamic_api_scan | To enable the OWASP Zap API scan. '1' enable or '0' disable. | string | "1" | no |
ci_opt_in_dynamic_scan | To enable the OWASP Zap scan. '1' enable or '0' disable. | string | "1" | no |
ci_opt_in_dynamic_ui_scan | To enable the OWASP Zap UI scan. '1' enable or '0' disable. | string | "1" | no |
ci_opt_in_sonar | Opt in for SonarQube. | string | "1" | no |
ci_opt_out_v1_evidence | Opt out of Evidence v1. | string | "1" | no |
ci_pipeline_config_group | Specify the user/group for the pipeline config repo. | string | "" | no |
ci_pipeline_config_path | The name and path of the pipeline-config.yaml file within the pipeline-config repo. | string | ".pipeline-config.yaml" | no |
ci_pipeline_config_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "oauth" | no |
ci_pipeline_config_repo_branch | Specify the branch containing the custom pipeline-config.yaml file. | string | "" | no |
ci_pipeline_config_repo_clone_from_url | Specify a repository to clone that contains a custom pipeline-config.yaml file. | string | "" | no |
ci_pipeline_config_repo_existing_url | Specify an existing repository containing a custom pipeline-config.yaml file. | string | "" | no |
ci_pipeline_config_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "git-token" | no |
ci_pipeline_debug | '0' by default. Set to '1' to enable debug logging. | string | "0" | no |
ci_pipeline_ibmcloud_api_key_secret_name | Name of the Cloud API key secret in the secret provider. | string | "ibmcloud-api-key" | no |
ci_registry_namespace | Unique namespace within the IBM Cloud Container Registry where the application image is stored. | string | "devsecops-ci-registry" | no |
ci_registry_region | IBM Cloud region where the IBM Cloud Container Registry namespace is to be created. | string | "ibm:yp:us-south" | no |
ci_repositories_prefix | Prefix name for the cloned compliance repos. | string | "compliance-tf" | no |
ci_signing_key_secret_name | Name of the signing key secret in the secret provider. | string | "signing_key" | no |
ci_slack_channel_name | The Slack channel that notifications are posted to. | string | "my-channel" | no |
ci_slack_notifications | The switch that turns the Slack integration on or off. | string | "0" | no |
ci_slack_pipeline_fail | Generate pipeline failed notifications. | bool | true | no |
ci_slack_pipeline_start | Generate pipeline start notifications. | bool | true | no |
ci_slack_pipeline_success | Generate pipeline succeeded notifications. | bool | true | no |
ci_slack_team_name | The Slack team name, which is the word or phrase before .slack.com in the team URL. | string | "my-team" | no |
ci_slack_toolchain_bind | Generate tool added to toolchain notifications. | bool | true | no |
ci_slack_toolchain_unbind | Generate tool removed from toolchain notifications. | bool | true | no |
ci_slack_webhook_secret_name | Name of the webhook secret in the secret provider. | string | "slack-webhook" | no |
ci_sm_location | IBM Cloud location/region containing the Secrets Manager instance. | string | "" | no |
ci_sm_name | Name of the Secrets Manager instance where the secrets are stored. | string | "" | no |
ci_sm_resource_group | The resource group containing the Secrets Manager instance. | string | "" | no |
ci_sm_secret_group | The Secrets Manager secret group containing your secrets. | string | "Default" | no |
ci_sonarqube_config | Runs a SonarQube scan in an isolated Docker-in-Docker container (default configuration) or in an existing Kubernetes cluster (custom configuration). Options: default or custom. Default is default. | string | "default" | no |
ci_toolchain_description | Description for the toolchain. | string | "Toolchain created with terraform template for DevSecOps CI Best Practices" | no |
ci_toolchain_name | The name of the toolchain. | string | "DevSecOps CI Toolchain - Terraform" | no |
ci_toolchain_region | The region containing the CI toolchain. | string | "" | no |
ci_toolchain_resource_group | The resource group within which the toolchain is created. | string | "Default" | no |
create_cc_toolchain | Boolean flag which determines if the DevSecOps CC toolchain is created. | bool | true | no |
create_cd_toolchain | Boolean flag which determines if the DevSecOps CD toolchain is created. | bool | true | no |
create_ci_toolchain | Flag which determines if the DevSecOps CI toolchain is created. If this toolchain is not created, values must be set for the following variables: evidence_repo_url, issues_repo_url and inventory_repo_url. | bool | true | no |
deployment_repo_url | This is the repository to clone deployment for the DevSecOps toolchain template. | string | "" | no |
evidence_repo_url | This is a template repository to clone compliance-evidence-locker for reference DevSecOps toolchain templates. | string | "" | no |
ibmcloud_api | IBM Cloud API Endpoint. | string | "https://cloud.ibm.com" | no |
ibmcloud_api_key | IBM Cloud API key used to fetch/post cloud resources in Terraform. Not used in the pipeline, where a secret reference is used instead. | string | n/a | yes |
inventory_repo_url | This is a template repository to clone compliance-inventory for reference DevSecOps toolchain templates. | string | "" | no |
issues_repo_url | This is a template repository to clone compliance-issues for reference DevSecOps toolchain templates. | string | "" | no |
kp_location | IBM Cloud location/region containing the Key Protect instance. | string | "us-south" | no |
kp_name | Name of the Key Protect instance where the secrets are stored. | string | "kp-compliance-secrets" | no |
kp_resource_group | The resource group containing the Key Protect instance for your secrets. | string | "Default" | no |
sm_location | The region location of the Secrets Manager instance. | string | "us-south" | no |
sm_name | The name of the Secrets Manager instance. | string | "sm-instance" | no |
sm_resource_group | The resource group containing the Secrets Manager instance. | string | "Default" | no |
sm_secret_group | The secret group in Secrets Manager that contains your secrets. | string | "Default" | no |
toolchain_region | IBM Cloud region where your toolchain is created. | string | "us-south" | no |
toolchain_resource_group | The resource group within which the toolchain will be created. | string | "Default" | no |
CI toolchain outputs:

Variables | Description |
---|---|
toolchain_id | The id of the created toolchain |
secrets_manager_instance_id | The id of the Secrets Manager instance, if one is used |
key_protect_instance_id | The id of the Key Protect instance, if one is used |
ci_pipeline_id | The id of the CI pipeline |
pr_pipeline_id | The id of the PR pipeline |
secret_tool | Returns part of the references that point to the secret tool integration |
inventory_repo_url | The URL of the Inventory repository |
evidence_repo_url | The URL of the Evidence repository |
issues_repo_url | The URL of the Issues repository |
pipeline_repo_url | The URL of the Compliance Pipeline repository |
app_repo_url | The URL of the App repository |
app_repo_git_provider | The Git provider of the App repository |
app_repo_git_id | The App repository Git Id |

CD toolchain outputs:

Variables | Description |
---|---|
toolchain_id | The id of the created toolchain |
secrets_manager_instance_id | The id of the Secrets Manager instance, if one is used |
key_protect_instance_id | The id of the Key Protect instance, if one is used |
cd_pipeline_id | The id of the CD pipeline |
secret_tool | Returns part of the references that point to the secret tool integration |
pipeline_repo_url | The URL of the Compliance Pipeline repository |
deployment_repo_url | The URL of the Deployment repository |
change_management_repo_url | The URL of the Change Management repository |

CC toolchain outputs:

Variables | Description |
---|---|
toolchain_id | The id of the created toolchain |
secrets_manager_instance_id | The id of the Secrets Manager instance, if one is used |
key_protect_instance_id | The id of the Key Protect instance, if one is used |
cc_pipeline_id | The id of the CC pipeline |
secret_tool | Returns part of the references that point to the secret tool integration |
pipeline_repo_url | The URL of the Compliance Pipeline repository |
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.