A Terraform module for provisioning the DevSecOps CC toolchains.

Name | Version |
---|---|
terraform | >= 1.0.0 |
ibm | >= 1.67.0, < 2.0.0 |

Name | Source | Version |
---|---|---|
app_repo | ./customizations/repositories | n/a |
compliance_pipelines_repo | ./customizations/repositories | n/a |
evidence_repo | ./customizations/repositories | n/a |
integrations | ./integrations | n/a |
inventory_repo | ./customizations/repositories | n/a |
issues_repo | ./customizations/repositories | n/a |
pipeline_cc | ./pipeline-cc | n/a |
pipeline_config_repo | ./customizations/repositories | n/a |
pipeline_properties | ./customizations/pipeline-property-adder | n/a |
repository_properties | ./customizations/repository-adder | n/a |
services | ./services | n/a |

Name | Type |
---|---|
ibm_cd_toolchain.toolchain_instance | resource |
ibm_cd_toolchain_tool_pipeline.cc_pipeline | resource |
ibm_resource_group.resource_group | data source |

Name | Description | Type | Default | Required |
---|---|---|---|---|
app_group | Specify the Git user/group for the app repo. | string | "" | no |
app_repo_auth_type | Select the method of authentication that will be used to access the Git provider: `oauth` or `pat`. | string | "oauth" | no |
app_repo_branch | The default branch of the app repo. | string | "master" | no |
app_repo_clone_to_git_id | Custom server GUID, or other options for the `git_id` field in the browser UI. | string | "" | no |
app_repo_clone_to_git_provider | By default `hostedgit`, else use `githubconsolidated` or `gitlab`. | string | "" | no |
app_repo_git_id | The Git ID of the repository. | string | "" | no |
app_repo_git_provider | By default `hostedgit`, else use `githubconsolidated` or `gitlab`. | string | "hostedgit" | no |
app_repo_git_token_secret_crn | The CRN for the app repository Git token. | string | "" | no |
app_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "git-token" | no |
app_repo_initialization_type | The initialization type for the repo. Can be `new`, `fork`, `clone`, `link`, `new_if_not_exists`, `clone_if_not_exists`, `fork_if_not_exists`. | string | "" | no |
app_repo_integration_owner | The name of the integration owner. | string | "" | no |
app_repo_is_private_repo | Set to true to make the repository private. | bool | true | no |
app_repo_issues_enabled | Set to true to enable issues. | bool | false | no |
app_repo_secret_group | Secret group prefix for the app repo secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | "" | no |
app_repo_traceability_enabled | Set to true to enable traceability. | bool | false | no |
app_repo_url | The Git URL for the application repository. | string | "" | no |
artifactory_dashboard_url | The URL to navigate to when you click the Artifactory integration tile. | string | "" | no |
artifactory_integration_name | The name of the Artifactory tool integration. | string | "artifactory-dockerconfigjson" | no |
artifactory_repo_name | The name of the Artifactory repository where your Docker images are located. | string | "wcp-compliance-automation-team-docker-local" | no |
artifactory_repo_url | The URL for your Artifactory release repository. | string | "" | no |
artifactory_token_secret_crn | The CRN for the Artifactory secret. | string | "" | no |
artifactory_token_secret_group | Secret group prefix for the Artifactory token secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | "" | no |
artifactory_token_secret_name | Name of the Artifactory token secret in the secret provider. | string | "artifactory-token" | no |
artifactory_user | The user ID or email for your Artifactory repository. | string | "" | no |
authorization_policy_creation | Set to `disabled` if you do not want this policy auto-created. | string | "" | no |
compliance_pipeline_group | Specify the Git user/group for the compliance pipeline repo. | string | "" | no |
compliance_pipeline_repo_auth_type | Select the method of authentication that will be used to access the Git provider: `oauth` or `pat`. | string | "oauth" | no |
compliance_pipeline_repo_git_provider | Choose the default Git provider for the change management repo. | string | "hostedgit" | no |
compliance_pipeline_repo_git_token_secret_crn | The CRN for the compliance pipeline repository Git token. | string | "" | no |
compliance_pipeline_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "git-token" | no |
compliance_pipeline_repo_integration_owner | The name of the integration owner. | string | "" | no |
compliance_pipeline_repo_issues_enabled | Set to true to enable issues. | bool | false | no |
compliance_pipeline_repo_secret_group | Secret group prefix for the compliance pipeline repo secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | "" | no |
compliance_pipeline_repo_url | URL of the pipeline repo template to be cloned. | string | "" | no |
compliance_pipelines_repo_git_id | Set this value to `github` for github.com, or to the GUID of a custom GitHub Enterprise server. | string | "" | no |
cos_api_key_secret_crn | The CRN for the Cloud Object Storage API key. | string | "" | no |
cos_api_key_secret_group | Secret group prefix for the COS API key secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | "" | no |
cos_api_key_secret_name | Name of the COS API key secret in the secret provider. | string | "cos-api-key" | no |
cos_bucket_name | COS bucket name. | string | "" | no |
cos_dashboard_url | The dashboard URL for the COS tool card. | string | "https://cloud.ibm.com/objectstorage" | no |
cos_description | The COS description on the tool card. | string | "Cloud Object Storage to store evidences within DevSecOps Pipelines" | no |
cos_documentation_url | The documentation URL that appears on the tool card. | string | "https://cloud.ibm.com/objectstorage" | no |
cos_endpoint | COS endpoint name. | string | "" | no |
cos_integration_name | The name of the COS integration. | string | "Evidence Store" | no |
default_git_provider | Choose the default Git provider for the app repo. | string | "hostedgit" | no |
doi_toolchain_id | DevOps Insights toolchain ID to link to. | string | "" | no |
enable_artifactory | Set to true to enable Artifactory for DevSecOps. | bool | false | no |
enable_insights | Set to true to enable the DevOps Insights integration. | bool | true | no |
enable_key_protect | Set to true to enable the Key Protect integration. | bool | false | no |
enable_pipeline_git_token | Enable to add `git-token` to the pipeline properties. | bool | false | no |
enable_pipeline_notifications | When enabled, pipeline run events will be sent to the Event Notifications and Slack integrations in the enclosing toolchain. | bool | false | no |
enable_secrets_manager | Set to true to enable the Secrets Manager integration. | bool | true | no |
enable_slack | Set to true to create the Slack integration. | bool | false | no |
event_notifications_crn | The CRN for the Event Notifications instance. | string | "" | no |
event_notifications_tool_name | The name of the Event Notifications integration. | string | "Event Notifications" | no |
evidence_group | Specify the Git user/group for the evidence repo. | string | "" | no |
evidence_repo_auth_type | Select the method of authentication that will be used to access the Git provider: `oauth` or `pat`. | string | "oauth" | no |
evidence_repo_git_id | Set this value to `github` for github.com, or to the GUID of a custom GitHub Enterprise server. | string | "" | no |
evidence_repo_git_provider | Git provider for the evidence repo. | string | "hostedgit" | no |
evidence_repo_git_token_secret_crn | The CRN for the evidence repository Git token. | string | "" | no |
evidence_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "git-token" | no |
evidence_repo_initialization_type | The initialization type for the repo. Can be `new`, `fork`, `clone`, `link`, `new_if_not_exists`, `clone_if_not_exists`, `fork_if_not_exists`. | string | "" | no |
evidence_repo_integration_owner | The name of the integration owner. | string | "" | no |
evidence_repo_is_private_repo | Set to true to make the repository private. | bool | true | no |
evidence_repo_issues_enabled | Set to true to enable issues. | bool | false | no |
evidence_repo_name | The repository name. | string | "" | no |
evidence_repo_secret_group | Secret group prefix for the evidence repo secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | "" | no |
evidence_repo_traceability_enabled | Set to true to enable traceability. | bool | false | no |
evidence_repo_url | This is a template repository to clone `compliance-evidence-locker` for reference DevSecOps toolchain templates. | string | "" | no |
ibmcloud_api_key | API key used to create the toolchains. | string | n/a | yes |
inventory_group | Specify the Git user/group for the inventory repo. | string | "" | no |
inventory_repo_auth_type | Select the method of authentication that will be used to access the Git provider: `oauth` or `pat`. | string | "oauth" | no |
inventory_repo_git_id | Set this value to `github` for github.com, or to the GUID of a custom GitHub Enterprise server. | string | "" | no |
inventory_repo_git_provider | Git provider for the inventory repo. | string | "hostedgit" | no |
inventory_repo_git_token_secret_crn | The CRN for the inventory repository Git token. | string | "" | no |
inventory_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "git-token" | no |
inventory_repo_initialization_type | The initialization type for the repo. Can be `new`, `fork`, `clone`, `link`, `new_if_not_exists`, `clone_if_not_exists`, `fork_if_not_exists`. | string | "" | no |
inventory_repo_integration_owner | The name of the integration owner. | string | "" | no |
inventory_repo_is_private_repo | Set to true to make the repository private. | bool | true | no |
inventory_repo_issues_enabled | Set to true to enable issues. | bool | false | no |
inventory_repo_name | The repository name. | string | "" | no |
inventory_repo_secret_group | Secret group prefix for the inventory repo secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | "" | no |
inventory_repo_traceability_enabled | Set to true to enable traceability. | bool | false | no |
inventory_repo_url | This is a template repository to clone `compliance-inventory` for reference DevSecOps toolchain templates. | string | "" | no |
issues_group | Specify the Git user/group for the issues repo. | string | "" | no |
issues_repo_auth_type | Select the method of authentication that will be used to access the Git provider: `oauth` or `pat`. | string | "oauth" | no |
issues_repo_git_id | Set this value to `github` for github.com, or to the GUID of a custom GitHub Enterprise server. | string | "" | no |
issues_repo_git_provider | Git provider for the issues repo. | string | "hostedgit" | no |
issues_repo_git_token_secret_crn | The CRN for the issues repository Git token. | string | "" | no |
issues_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "git-token" | no |
issues_repo_initialization_type | The initialization type for the repo. Can be `new`, `fork`, `clone`, `link`, `new_if_not_exists`, `clone_if_not_exists`, `fork_if_not_exists`. | string | "" | no |
issues_repo_integration_owner | The name of the integration owner. | string | "" | no |
issues_repo_is_private_repo | Set to true to make the repository private. | bool | true | no |
issues_repo_issues_enabled | Set to true to enable issues. | bool | true | no |
issues_repo_name | The repository name. | string | "" | no |
issues_repo_secret_group | Secret group prefix for the issues repo secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | "" | no |
issues_repo_traceability_enabled | Set to true to enable traceability. | bool | false | no |
issues_repo_url | This is a template repository to clone `compliance-issues` for reference DevSecOps toolchain templates. | string | "" | no |
kp_integration_name | The name of the Key Protect integration. | string | "kp-compliance-secrets" | no |
kp_location | IBM Cloud location/region containing the Key Protect instance. | string | "us-south" | no |
kp_name | Name of the Key Protect instance where the secrets are stored. | string | "kp-compliance-secrets" | no |
kp_resource_group | The resource group containing the Key Protect instance for your secrets. | string | "Default" | no |
link_to_doi_toolchain | Enable a link to a DevOps Insights instance in another toolchain, true or false. | bool | false | no |
pipeline_branch | The branch within the pipeline definitions repository for the Compliance CC Toolchain. | string | "open-v10" | no |
pipeline_config_group | Specify the Git user/group for the pipeline config repo. | string | "" | no |
pipeline_config_repo_auth_type | Select the method of authentication that will be used to access the Git provider: `oauth` or `pat`. | string | "oauth" | no |
pipeline_config_repo_branch | Specify a branch of a repository to clone that contains a custom `pipeline-config.yaml` file. | string | "" | no |
pipeline_config_repo_clone_from_url | Specify a repository to clone that contains a custom `pipeline-config.yaml` file. | string | "" | no |
pipeline_config_repo_existing_url | Specify an existing repository containing a custom `pipeline-config.yaml` file. | string | "" | no |
pipeline_config_repo_git_id | Set this value to `github` for github.com, or to the GUID of a custom GitHub Enterprise server. | string | "" | no |
pipeline_config_repo_git_provider | Git provider for the pipeline config repo. | string | "hostedgit" | no |
pipeline_config_repo_git_token_secret_crn | The CRN for the pipeline config repository Git token. | string | "" | no |
pipeline_config_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "git-token" | no |
pipeline_config_repo_initialization_type | The initialization type for the repo. Can be `new`, `fork`, `clone`, `link`, `new_if_not_exists`, `clone_if_not_exists`, `fork_if_not_exists`. | string | "" | no |
pipeline_config_repo_integration_owner | The name of the integration owner. | string | "" | no |
pipeline_config_repo_is_private_repo | Set to true to make the repository private. | bool | true | no |
pipeline_config_repo_issues_enabled | Set to true to enable issues. | bool | false | no |
pipeline_config_repo_name | The repository name. | string | "" | no |
pipeline_config_repo_secret_group | Secret group prefix for the pipeline config repo secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | "" | no |
pipeline_config_repo_traceability_enabled | Set to true to enable traceability. | bool | false | no |
pipeline_doi_api_key_secret_crn | The CRN for the pipeline DOI API key. | string | "" | no |
pipeline_doi_api_key_secret_group | Secret group prefix for the pipeline DOI API key. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | "" | no |
pipeline_doi_api_key_secret_name | Name of the Cloud API key secret in the secret provider used to access the toolchain containing the DevOps Insights instance. | string | "" | no |
pipeline_git_tag | The Git tag within the CC pipeline definitions repository for the Compliance CC Toolchain. | string | "" | no |
pipeline_ibmcloud_api_key_secret_crn | The CRN for the IBM Cloud API key. | string | "" | no |
pipeline_ibmcloud_api_key_secret_group | Secret group prefix for the pipeline IBM Cloud API key secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | "" | no |
pipeline_ibmcloud_api_key_secret_name | Name of the Cloud API key secret in the secret provider. | string | "ibmcloud-api-key" | no |
pipeline_properties | Stringified JSON containing the properties. This takes precedence over the properties JSON file. | string | "" | no |
pipeline_properties_filepath | The path to the file containing the property JSON. If this is not set, the `properties.json` file at the root of the module is read by default. | string | "" | no |
repositories_prefix | Prefix name for the cloned compliance repos. | string | "compliance" | no |
repository_properties | Stringified JSON containing the repositories and triggers. This takes precedence over the repositories JSON file. | string | "" | no |
repository_properties_filepath | The path to the file containing the repository and triggers JSON. If this is not set, the `repositories.json` file at the root of the module is read by default. | string | "" | no |
scc_attachment_id | An attachment ID. An attachment is configured under a profile to define how a scan will be run. To find the attachment ID, in the browser, in the attachments list, click on the attachment link, and a panel appears with a button to copy the attachment ID. This parameter is only relevant when the `scc_use_profile_attachment` parameter is enabled. | string | "" | no |
scc_enable_scc | Enable the SCC integration. | bool | true | no |
scc_instance_crn | The Security and Compliance Center service instance CRN (Cloud Resource Name). This parameter is only relevant when the `scc_use_profile_attachment` parameter is enabled. The value must match the regular expression. | string | "" | no |
scc_integration_name | The name of the SCC integration. | string | "Security and Compliance" | no |
scc_profile_name | The name of a Security and Compliance Center profile. Use the IBM Cloud Framework for Financial Services profile, which contains the DevSecOps Toolchain rules, or use a user-authored customized profile that has been configured to contain those rules. This parameter is only relevant when the `scc_use_profile_attachment` parameter is enabled. | string | "" | no |
scc_profile_version | The version of a Security and Compliance Center profile, in SemVer format, like `0.0.0`. This parameter is only relevant when the `scc_use_profile_attachment` parameter is enabled. | string | "" | no |
scc_scc_api_key_secret_crn | The CRN for the SCC API key. | string | "" | no |
scc_scc_api_key_secret_group | Secret group prefix for the Security and Compliance tool secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | "" | no |
scc_scc_api_key_secret_name | The Security and Compliance Center API key secret in the secret provider. | string | "scc-api-key" | no |
scc_use_profile_attachment | Set to `enabled` to use a profile with an attachment, so that the scripts in the pipeline can interact with the Security and Compliance Center service. When enabled, other parameters become relevant: `scc_scc_api_key_secret_name`, `scc_instance_crn`, `scc_profile_name`, `scc_profile_version`, `scc_attachment_id`. | string | "disabled" | no |
slack_channel_name | The Slack channel that notifications will be posted to. | string | "my-channel" | no |
slack_integration_name | The name of the Slack integration. | string | "slack-compliance" | no |
slack_pipeline_fail | Generate pipeline failed notifications. | bool | true | no |
slack_pipeline_start | Generate pipeline start notifications. | bool | true | no |
slack_pipeline_success | Generate pipeline succeeded notifications. | bool | true | no |
slack_team_name | The Slack team name, which is the word or phrase before `.slack.com` in the team URL. | string | "my-team" | no |
slack_toolchain_bind | Generate "tool added to toolchain" notifications. | bool | true | no |
slack_toolchain_unbind | Generate "tool removed from toolchain" notifications. | bool | true | no |
slack_webhook_secret_crn | The CRN for the Slack webhook secret. | string | "" | no |
slack_webhook_secret_group | Secret group prefix for the Slack webhook secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | "" | no |
slack_webhook_secret_name | Name of the webhook secret in the secret provider. | string | "slack-webhook" | no |
sm_instance_crn | The CRN of the Secrets Manager instance. | string | "" | no |
sm_integration_name | The name of the Secrets Manager integration. | string | "sm-compliance-secrets" | no |
sm_location | IBM Cloud location/region containing the Secrets Manager instance. Not required if using a Secrets Manager instance CRN. | string | "us-south" | no |
sm_name | Name of the Secrets Manager instance where the secrets are stored. Not required if using a Secrets Manager instance CRN. | string | "sm-compliance-secrets" | no |
sm_resource_group | The resource group containing the Secrets Manager instance for your secrets. Not required if using a Secrets Manager instance CRN. | string | "Default" | no |
sm_secret_group | Group in Secrets Manager for organizing/grouping secrets. | string | "Default" | no |
sonarqube_integration_name | The name of the SonarQube integration. | string | "SonarQube" | no |
sonarqube_is_blind_connection | When set to `true`, instructs IBM Cloud Continuous Delivery not to validate the configuration of this integration. Set this to `true` if the SonarQube server is not addressable on the public internet. | string | true | no |
sonarqube_secret_crn | The CRN for the SonarQube secret. | string | "" | no |
sonarqube_secret_group | Secret group prefix for the SonarQube secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | "" | no |
sonarqube_secret_name | The name of the SonarQube secret. | string | "sonarqube-secret" | no |
sonarqube_server_url | The URL of the SonarQube server. | string | "" | no |
sonarqube_user | The name of the SonarQube user. | string | "" | no |
toolchain_description | Description for the CC Toolchain. | string | "Toolchain created with terraform template for DevSecOps CC Best Practices" | no |
toolchain_name | Name of the CC Toolchain. | string | "DevSecOps CC Toolchain - Terraform" | no |
toolchain_region | IBM Cloud region where the toolchain is created. | string | "us-south" | no |
toolchain_resource_group | Resource group within which the toolchain is created. | string | "Default" | no |
trigger_manual_enable | Set to true to enable the CC pipeline Manual trigger. | bool | true | no |
trigger_manual_name | The name of the CC pipeline Manual trigger. | string | "CC Manual Trigger" | no |
trigger_manual_pruner_enable | Set to true to enable the manual Pruner trigger. | bool | true | no |
trigger_manual_pruner_name | The name of the manual Pruner trigger. | string | "Evidence Pruner Manual Trigger" | no |
trigger_timed_cron_schedule | Only needed for timer triggers. Cron expression that indicates when this trigger will activate. Maximum frequency is every 5 minutes. The string is based on UNIX crontab syntax: minute, hour, day of month, month, day of week. Example: `0 */2 * * *` - every 2 hours. | string | `"0 4 * * *"` | no |
trigger_timed_enable | Set to true to enable the CI pipeline Timed trigger. | bool | false | no |
trigger_timed_name | The name of the CC pipeline Timed trigger. | string | "CC Timed Trigger" | no |
trigger_timed_pruner_enable | Set to true to enable the timed Pruner trigger. | bool | false | no |
trigger_timed_pruner_name | The name of the timed Pruner trigger. | string | "Evidence Pruner Timed Trigger" | no |
worker_id | The identifier for the Managed Pipeline worker. | string | "public" | no |

Name | Description |
---|---|
app_repo | The Application repo. |
app_repo_url | The app repository instance URL containing an application that can be built and deployed with the reference DevSecOps toolchain templates. |
cc_pipeline_id | The CC pipeline ID. |
evidence_repo | The Evidence repo. |
evidence_repo_url | The evidence repository instance URL, where evidence of the builds and scans is stored, ready for any compliance audit. |
inventory_repo | The Inventory repo. |
inventory_repo_url | The inventory repository instance URL, with details of which artifact has been built and will be deployed. |
issues_repo | The Issues repo. |
issues_repo_url | The incident issues repository instance URL, where issues are created when vulnerabilities and CVEs are detected. |
key_protect_instance_id | The Key Protect instance ID. |
pipeline_repo_url | The URL of the repository containing the Tekton definitions for the compliance pipelines. |
secrets_manager_instance_id | The Secrets Manager instance ID. |
toolchain_id | The CC toolchain ID. |
toolchain_url | The CC toolchain URL. |

- To make a variable locked, provide the `locked` key as `true` for that variable. Example:

```json
{
  "name": "example_variable",
  "type": "text",
  "value": "example_data",
  "locked": "true"
}
```

  The variable `example_variable` is locked by setting `locked` to `true`. If you want to unlock it, set `locked` to `false`.

- Pipeline properties that are locked by default are stored in `default_locked_properties`.
- Overriding of pipeline properties:
  - The code first checks whether the `locked` key provides any value. If it is set, that value is used.
  - If no `locked` value is provided for the variable, it checks whether the variable is in the default set of locked properties, `default_locked_properties`.
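
The precedence described above (an explicit `locked` value wins; otherwise membership in `default_locked_properties` decides) can be checked before the properties JSON is handed to Terraform. The script below is an added example written for this README, not code from the module; it assumes that `pipeline_properties` is a JSON array of objects in the shape of the example above, that `"secure"` is the property type used for credentials, and that the `DEFAULT_LOCKED_PROPERTIES` names are a constructed stand-in for the module's real default list. It also reports any secure property that would end up unlocked, which is the state a reviewer wants to catch, since an unlocked secure property can be overwritten by pipeline users.

```python
import json

# Constructed stand-in for the module's default_locked_properties set.
# These names are assumptions for this example, not the module's real list.
DEFAULT_LOCKED_PROPERTIES = frozenset({"ibmcloud-api-key", "git-token", "cos-api-key"})


def parse_locked(value):
    """Normalise the 'locked' key.

    The README example writes it as the string "true"; a JSON boolean is accepted
    as well. Anything else raises rather than being silently treated as unlocked.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        lowered = value.strip().lower()
        if lowered == "true":
            return True
        if lowered == "false":
            return False
    raise ValueError(f"unsupported value for 'locked': {value!r}")


def resolve_locked(prop, default_locked=DEFAULT_LOCKED_PROPERTIES):
    """Apply the precedence the README describes for one property object.

    1. If the property carries a 'locked' key with a value, that value wins, so an
       explicit "false" unlocks a property that would be locked by default.
    2. Otherwise the property is locked exactly when its name is in default_locked.
    An empty string is treated as "no value provided" (an assumption of this example).
    """
    explicit = prop.get("locked")
    if explicit is not None and explicit != "":
        return parse_locked(explicit)
    return prop["name"] in default_locked


def resolve_all(properties_json, default_locked=DEFAULT_LOCKED_PROPERTIES):
    """Parse the stringified JSON (assumed to be an array of property objects)
    and return {name: is_locked} for every property."""
    return {p["name"]: resolve_locked(p, default_locked) for p in json.loads(properties_json)}


def unlocked_secure_properties(properties_json, default_locked=DEFAULT_LOCKED_PROPERTIES):
    """Review helper: names of 'secure' properties whose resolved state is unlocked.

    'secure' as the credential property type is an assumption of this example.
    """
    props = json.loads(properties_json)
    locked = resolve_all(properties_json, default_locked)
    return sorted(p["name"] for p in props
                  if p.get("type") == "secure" and not locked[p["name"]])


# Constructed input in the shape of the pipeline_properties variable.
SAMPLE_PROPERTIES_JSON = json.dumps([
    {"name": "example_variable", "type": "text", "value": "example_data", "locked": "true"},
    # explicit "false" overrides membership in the default locked set
    {"name": "git-token", "type": "secure", "value": "PLACEHOLDER", "locked": "false"},
    # no 'locked' key at all: the default list decides
    {"name": "ibmcloud-api-key", "type": "secure", "value": "PLACEHOLDER"},
    # neither explicit nor in the default list: unlocked
    {"name": "region", "type": "text", "value": "us-south"},
])

if __name__ == "__main__":
    for name, is_locked in resolve_all(SAMPLE_PROPERTIES_JSON).items():
        print(f"{name}: {'locked' if is_locked else 'unlocked'}")
    print("unlocked secure properties:", unlocked_secure_properties(SAMPLE_PROPERTIES_JSON))
```

Run against the constructed sample, `example_variable` and `ibmcloud-api-key` resolve as locked, `region` as unlocked, and `git-token` as unlocked because its explicit `"false"` takes precedence over the default list; the helper therefore flags `git-token` as a secure property that has been unlocked.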
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.