# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: blueprints.cloud.google.com/v1alpha1 kind: BlueprintMetadata metadata: name: terraform-google-secure-cicd annotations: config.kubernetes.io/local-config: "true" spec: info: title: Secure CI/CD pipeline source: repo: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd.git sourceType: git description: tagline: Create a CI/CD pipeline that follows security best practices. detailed: |- Set up a secure CI/CD pipeline that follows best practices for building, scanning, storing, and deploying containers to GKE. You can choose whether to deploy your solution through the console directly or download as Terraform from GitHub to deploy later. architecture: - A developer pushes code for a container-based application to the App Source Code repository in Cloud Source Repositories. This repository must include a skaffold.yaml configuration file, a cloudbuild-ci.yaml configuration file, and templated Kubernetes manifests for the respective Kubernetes deployments, services and other objects. - Changes to the App Source Code repo will trigger a build of the containers as defined in the skaffold.yaml configuration. - Metadata about the built containers is stored in the build artifacts Cloud Storage bucket. - The resulting built containers will be scanned for container structure and CVE’s based on a customer-configurable security policy and stored in an Artifact Registry repository. - Upon passing all scans, the containers are signed by the Binary Authorization build attestor. - At the end of the build process, the pipeline creates a new Cloud Deploy release to rollout the newly built container images to the Dev environment. - After successful deployment, the Cloud Deploy operations Pub/Sub topic receives a confirmation message that triggers the post-deployment checks on the live application via Cloud Build. - Upon passing the post-deployment application security tests, the containers are signed by the security attestor. - The Cloud Deploy release is promoted, triggering a rollout to the QA environment. Steps 7-8 repeat, but the containers receive the quality attestor after passing through the QA environment. - The release is promoted for the final time, creating a rollout to the Prod environment. - The GKE clusters validate deployed containers based on the respective Binary Authorization policy, requiring additional attestors from the pipeline at each higher environment. - All Cloud Build and Cloud Deploy processes will run in a private Cloud Build worker pool hosted in a customer-managed VPC. content: documentation: - title: Architecture Diagram url: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd/blob/main/assets/secure_cicd_pipeline_v2.svg subBlueprints: - name: cloudbuild-private-pool location: modules/cloudbuild-private-pool - name: secure-cd location: modules/secure-cd - name: secure-ci location: modules/secure-ci - name: workerpool-gke-ha-vpn location: modules/workerpool-gke-ha-vpn examples: - name: app_cicd location: examples/app_cicd - name: cloudbuild_private_pool location: examples/cloudbuild_private_pool - name: private_cluster_cicd location: examples/private_cluster_cicd - name: standalone_single_project location: examples/standalone_single_project requirements: roles: - level: Project roles: - roles/compute.networkAdmin - roles/container.admin - roles/binaryauthorization.policyEditor - roles/resourcemanager.projectIamAdmin - roles/iam.serviceAccountAdmin - roles/serviceusage.serviceUsageViewer - roles/iam.serviceAccountUser - level: Project roles: - roles/artifactregistry.admin - roles/binaryauthorization.attestorsAdmin - roles/cloudbuild.builds.builder - roles/cloudbuild.workerPoolOwner - roles/clouddeploy.admin - roles/cloudkms.admin - roles/cloudkms.publicKeyViewer - roles/containeranalysis.notes.editor - roles/compute.networkAdmin - roles/gkehub.editor - roles/iam.serviceAccountAdmin - roles/iam.serviceAccountUser - roles/pubsub.editor - roles/serviceusage.serviceUsageAdmin - roles/source.admin - roles/storage.admin - roles/resourcemanager.projectIamAdmin - roles/viewer services: - cloudresourcemanager.googleapis.com - cloudbilling.googleapis.com - clouddeploy.googleapis.com - storage-api.googleapis.com - serviceusage.googleapis.com - cloudbuild.googleapis.com - containerregistry.googleapis.com - iamcredentials.googleapis.com - secretmanager.googleapis.com - sourcerepo.googleapis.com - artifactregistry.googleapis.com - containeranalysis.googleapis.com - cloudkms.googleapis.com - binaryauthorization.googleapis.com - containerscanning.googleapis.com - servicenetworking.googleapis.com - pubsub.googleapis.com