metadata.yaml
115 lines (114 loc) · 5.57 KB
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: blueprints.cloud.google.com/v1alpha1
kind: BlueprintMetadata
metadata:
  name: terraform-google-secure-cicd
  annotations:
    config.kubernetes.io/local-config: "true"
spec:
  info:
    title: Secure CI/CD pipeline
    source:
      repo: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd.git
      sourceType: git
    description:
      tagline: Create a CI/CD pipeline that follows security best practices.
      detailed: |-
        Set up a secure CI/CD pipeline that follows best practices for building, scanning, storing, and deploying containers to GKE.
        You can choose whether to deploy your solution through the console directly or download it as Terraform from GitHub to deploy later.
      architecture:
        - A developer pushes code for a container-based application to the App Source Code repository in Cloud Source Repositories. This repository must include a skaffold.yaml configuration file, a cloudbuild-ci.yaml configuration file, and templated Kubernetes manifests for the respective Kubernetes deployments, services, and other objects.
        - Changes to the App Source Code repo trigger a build of the containers as defined in the skaffold.yaml configuration.
        - Metadata about the built containers is stored in the build artifacts Cloud Storage bucket.
        - The resulting built containers are scanned for container structure and CVEs based on a customer-configurable security policy and stored in an Artifact Registry repository.
        - Upon passing all scans, the containers are signed by the Binary Authorization build attestor.
        - At the end of the build process, the pipeline creates a new Cloud Deploy release to roll out the newly built container images to the Dev environment.
        - After successful deployment, the Cloud Deploy operations Pub/Sub topic receives a confirmation message that triggers the post-deployment checks on the live application via Cloud Build.
        - Upon passing the post-deployment application security tests, the containers are signed by the security attestor.
        - The Cloud Deploy release is promoted, triggering a rollout to the QA environment. Steps 7-8 repeat, but the containers receive the quality attestor after passing through the QA environment.
        - The release is promoted for the final time, creating a rollout to the Prod environment.
        - The GKE clusters validate deployed containers based on the respective Binary Authorization policy, requiring additional attestors from the pipeline at each higher environment.
        - All Cloud Build and Cloud Deploy processes run in a private Cloud Build worker pool hosted in a customer-managed VPC.
  content:
    documentation:
      - title: Architecture Diagram
        url: https://github.com/GoogleCloudPlatform/terraform-google-secure-cicd/blob/main/assets/secure_cicd_pipeline_v2.svg
    subBlueprints:
      - name: cloudbuild-private-pool
        location: modules/cloudbuild-private-pool
      - name: secure-cd
        location: modules/secure-cd
      - name: secure-ci
        location: modules/secure-ci
      - name: workerpool-gke-ha-vpn
        location: modules/workerpool-gke-ha-vpn
    examples:
      - name: app_cicd
        location: examples/app_cicd
      - name: cloudbuild_private_pool
        location: examples/cloudbuild_private_pool
      - name: private_cluster_cicd
        location: examples/private_cluster_cicd
      - name: standalone_single_project
        location: examples/standalone_single_project
  requirements:
    roles:
      - level: Project
        roles:
          - roles/compute.networkAdmin
          - roles/container.admin
          - roles/binaryauthorization.policyEditor
          - roles/resourcemanager.projectIamAdmin
          - roles/iam.serviceAccountAdmin
          - roles/serviceusage.serviceUsageViewer
          - roles/iam.serviceAccountUser
      - level: Project
        roles:
          - roles/artifactregistry.admin
          - roles/binaryauthorization.attestorsAdmin
          - roles/cloudbuild.builds.builder
          - roles/cloudbuild.workerPoolOwner
          - roles/clouddeploy.admin
          - roles/cloudkms.admin
          - roles/cloudkms.publicKeyViewer
          - roles/containeranalysis.notes.editor
          - roles/compute.networkAdmin
          - roles/gkehub.editor
          - roles/iam.serviceAccountAdmin
          - roles/iam.serviceAccountUser
          - roles/pubsub.editor
          - roles/serviceusage.serviceUsageAdmin
          - roles/source.admin
          - roles/storage.admin
          - roles/resourcemanager.projectIamAdmin
          - roles/viewer
    services:
      - cloudresourcemanager.googleapis.com
      - cloudbilling.googleapis.com
      - clouddeploy.googleapis.com
      - storage-api.googleapis.com
      - serviceusage.googleapis.com
      - cloudbuild.googleapis.com
      - containerregistry.googleapis.com
      - iamcredentials.googleapis.com
      - secretmanager.googleapis.com
      - sourcerepo.googleapis.com
      - artifactregistry.googleapis.com
      - containeranalysis.googleapis.com
      - cloudkms.googleapis.com
      - binaryauthorization.googleapis.com
      - containerscanning.googleapis.com
      - servicenetworking.googleapis.com
      - pubsub.googleapis.com