Giter Club home page Giter Club logo

devsecops-alm's Introduction

DevSecOps Application Lifecycle Management

[![Implemented (No quality checks)](Stable (With quality checks) ](https://terraform-ibm-modules.github.io/documentation/#/badge-status) Build status pre-commit latest release Renovate enabled semantic-release

A Terraform module for provisioning the DevSecOps CI, CD, and CC toolchains.

Reference architectures

Architecture diagram for 'DevSecOps CI, CD, CC toolchains'.

Usage

ibmcloud_api_key          = "" #Set your API key
ci_toolchain_name         = "DevSecOps CI Toolchain - Terraform"
cd_toolchain_name         = "DevSecOps CD Toolchain - Terraform"
cc_toolchain_name         = "DevSecOps CC Toolchain - Terraform"
toolchain_resource_group  = "Default"
toolchain_region          = "jp-tok" #Region short name only
registry_namespace        = "tektonhh"
ci_registry_region        = "ibm:yp:jp-tok"
sm_name                   = "sm-compliance-secrets" #Secrets Manager instance name
sm_location               = "eu-gb"
sm_resource_group         = "Default"
sm_secret_group           = "Default"
ci_cluster_name           = "mycluster-free"
ci_cluster_namespace      = "dev"
ci_dev_region             = "ibm:yp:jp-tok"
ci_dev_resource_group     = "Default"
cd_cluster_name           = "mycluster-free"
cd_cluster_namespace      = "prod"

Required IAM access policies

Examples

Requirements

Name Version
terraform >= 1.0.0
ibm >=1.51.0

Modules

Name Source Version
devsecops_cc_toolchain git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-cc-toolchain v1.0.5
devsecops_cd_toolchain git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-cd-toolchain v1.0.5
devsecops_ci_toolchain git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-ci-toolchain v1.0.5

Resources

No resources.

Inputs

Name Description Type Default Required
authorization_policy_creation Disable Toolchain Service to Secrets Manager Service authorization policy creation. To disable set the value to disabled. This applies to the CI, CD, and CC toolchains. To set separately, see ci_authorization_policy_creation, cd_authorization_policy_creation, and cc_authorization_policy_creation. string "" no
cc_app_group Specify user or group for app repo. string "" no
cc_app_repo_auth_type Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. string "" no
cc_app_repo_branch The default branch of the app repo. string "master" no
cc_app_repo_git_id The Git Id of the repository. string "" no
cc_app_repo_git_provider The type of the Git provider. string "hostedgit" no
cc_app_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "git-token" no
cc_app_repo_url This Git URL for the application repository. string "" no
cc_authorization_policy_creation Disable Toolchain service to Secrets Manager Service authorization policy creation. string "" no
cc_compliance_base_image Pipeline baseimage to run most of the built-in pipeline code. string "" no
cc_compliance_pipeline_group Specify user or group for compliance pipline repo. string "" no
cc_compliance_pipeline_repo_auth_type Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. string "oauth" no
cc_compliance_pipeline_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "git-token" no
cc_cos_api_key_secret_name Name of the COS API key secret in the secret provider. string "" no
cc_cos_bucket_name COS bucket name. string "" no
cc_cos_endpoint COS endpoint name. string "" no
cc_doi_environment DevOps Insights environment for DevSecOps CD deployment. string "" no
cc_doi_toolchain_id DevOps Insights toolchain ID to link to. string "" no
cc_enable_key_protect Enable the Key Protect integration. bool false no
cc_enable_pipeline_dockerconfigjson Enable to add the pipeline-dockerconfigjson property to the pipeline properties. bool false no
cc_enable_secrets_manager Enable the Secrets Manager integration. bool false no
cc_enable_slack Set to true to create the integration. bool false no
cc_environment_tag Tag name that represents the target environment in the inventory. Example: prod_latest. string "prod_latest" no
cc_evidence_group Specify Git user or group for evidence repository. string "" no
cc_evidence_repo_auth_type Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat' string "" no
cc_evidence_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
cc_inventory_group Specify Git user or group for inventory repository. string "" no
cc_inventory_repo_auth_type Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. string "" no
cc_inventory_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
cc_issues_group Specify Git user or group for issues repository. string "" no
cc_issues_repo_auth_type Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. string "" no
cc_issues_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
cc_kp_location IBM Cloud location/region containing the Key Protect instance. string "" no
cc_kp_name Name of the Key Protect instance where the secrets are stored. string "" no
cc_kp_resource_group The resource group containing the Key Protect instance for your secrets. string "" no
cc_link_to_doi_toolchain Enable a link to a DevOps Insights instance in another toolchain, true or false. bool true no
cc_opt_in_auto_close Enables auto-closing of issues coming from vulnerabilities, once the vulnerability is no longer detected by the CC pipeline run. string "1" no
cc_opt_in_dynamic_api_scan To enable the OWASP Zap API scan. '1' enable or '0' disable. string "" no
cc_opt_in_dynamic_scan To enable the OWASP Zap scan. '1' enable or '0' disable. string "" no
cc_opt_in_dynamic_ui_scan To enable the OWASP Zap UI scan. '1' enable or '0' disable. string "" no
cc_pipeline_config_group Specify user or group for pipeline config repo. string "" no
cc_pipeline_config_path The name and path of the pipeline-config.yaml file within the pipeline-config repo. string ".pipeline-config.yaml" no
cc_pipeline_config_repo_auth_type Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. string "" no
cc_pipeline_config_repo_branch Specify the branch containing the custom pipeline-config.yaml file. string "" no
cc_pipeline_config_repo_clone_from_url Specify a repository containing a custom pipeline-config.yaml file. string "" no
cc_pipeline_config_repo_existing_url Specify a repository containing a custom pipeline-config.yaml file. string "" no
cc_pipeline_config_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "git-token" no
cc_pipeline_debug '0' by default. Set to '1' to enable debug logging. string "0" no
cc_pipeline_dockerconfigjson_secret_name Name of the pipeline docker config JSON secret in the secret provider. string "pipeline_dockerconfigjson_secret_name" no
cc_pipeline_ibmcloud_api_key_secret_name Name of the Cloud API key secret in the secret provider. string "ibmcloud-api-key" no
cc_repositories_prefix The prefix for the compliance repositories. string "" no
cc_scc_enable_scc Enable the SCC integration bool true no
cc_scc_integration_name The name of the SCC integration. string "Security and Compliance" no
cc_slack_channel_name The Slack channel that notifications are posted to. string "my-channel" no
cc_slack_notifications The switch that turns the Slack notification on (1) or off (0). string "" no
cc_slack_pipeline_fail Generate pipeline failed notifications. bool true no
cc_slack_pipeline_start Generate pipeline start notifications. bool true no
cc_slack_pipeline_success Generate pipeline succeeded notifications. bool true no
cc_slack_team_name The Slack team name, which is the word or phrase before .slack.com in the team URL. string "my-team" no
cc_slack_toolchain_bind Generate tool added to toolchain notifications. bool true no
cc_slack_toolchain_unbind Generate tool removed from toolchain notifications. bool true no
cc_slack_webhook_secret_name Name of the webhook secret in the secret provider. string "" no
cc_sm_location IBM Cloud location/region containing the Secrets Manager instance. string "" no
cc_sm_name Name of the Secrets Manager instance where the secrets are stored. string "" no
cc_sm_resource_group The resource group containing the Secrets Manager instance for your secrets. string "" no
cc_sm_secret_group Group in Secrets Manager for organizing/grouping secrets. string "" no
cc_sonarqube_config Runs a SonarQube scan in an isolated Docker-in-Docker container (default configuration) or in an existing Kubernetes cluster (custom configuration). Options: default or custom. Default is default. string "default" no
cc_toolchain_description Description for the CC Toolchain. string "Toolchain created with terraform template for DevSecOps CC Best Practices." no
cc_toolchain_name The name of the CC Toolchain. string "" no
cc_toolchain_region The region containing the CI toolchain. Use the short form of the regions. For example us-south. string "" no
cc_toolchain_resource_group Resource group within which the toolchain is created. string "" no
cd_app_version The version of the app to deploy. string "v1" no
cd_authorization_policy_creation Disable Toolchain service to Secrets Manager Service authorization policy creation. string "" no
cd_change_management_group Specify group for change management repository string "" no
cd_change_management_repo This repository holds the change management requests created for the deployments. string "" no
cd_change_management_repo_auth_type Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. string "" no
cd_change_management_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
cd_change_repo_clone_from_url Override the default management repo, which is cloned into the app repo. Note, using clone_if_not_exists mode, so if the app repo already exists the repo contents are unchanged. string "" no
cd_change_request_id The ID of an open change request. If this parameter is set to 'notAvailable' by default, a change request is automatically created by the continuous deployment pipeline. string "notAvailable" no
cd_cluster_name Name of the Kubernetes cluster where the application is deployed. string "" no
cd_cluster_namespace Name of the Kubernetes cluster namespace where the application is deployed. string "prod" no
cd_cluster_region Region of the Kubernetes cluster where the application is deployed. Use the short form of the regions. For example us-south. string "" no
cd_code_signing_cert_secret_name Name of the code signing certificate secret in the secret provider. string "code-signing-cert" no
cd_compliance_base_image Pipeline baseimage to run most of the built-in pipeline code. string "" no
cd_compliance_pipeline_group Specify user or group for compliance pipline repo. string "" no
cd_compliance_pipeline_repo_auth_type Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. string "oauth" no
cd_compliance_pipeline_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "git-token" no
cd_cos_api_key_secret_name Name of the COS API key secret in the secret provider. string "" no
cd_cos_bucket_name COS bucket name. string "" no
cd_cos_endpoint COS endpoint name. string "" no
cd_customer_impact Custom impact of the change request. string "no_impact" no
cd_deployment_group Specify group for deployment. string "" no
cd_deployment_repo_auth_type Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. string "" no
cd_deployment_repo_clone_from_branch Used when deployment_repo_clone_from_url is provided, the default branch that is used by the CD build, usually either main or master. string "" no
cd_deployment_repo_clone_from_url Override the default sample app by providing your own sample deployment URL, which is cloned into the app repo. Note, using clone_if_not_exists mode, so if the app repo already exists the repo contents are unchanged. string "" no
cd_deployment_repo_clone_to_git_id By default absent, else custom server GUID, or other options for 'git_id' field in the browser UI. string "" no
cd_deployment_repo_clone_to_git_provider By default 'hostedgit', else use 'githubconsolidated' or 'gitlab'. string "" no
cd_deployment_repo_existing_branch Used when deployment_repo_existing_url is provided, the default branch that is by the CD build, usually either main or master. string "" no
cd_deployment_repo_existing_git_id By default absent, else custom server GUID, or other options for 'git_id' field in the browser UI. string "" no
cd_deployment_repo_existing_git_provider By default 'hostedgit', else use 'githubconsolidated' or 'gitlab'. string "hostedgit" no
cd_deployment_repo_existing_url Override to bring your own existing deployment repository URL, which is used directly instead of cloning the default deployment sample. string "" no
cd_deployment_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
cd_doi_environment DevOps Insights environment for DevSecOps CD deployment. string "" no
cd_doi_toolchain_id DevOps Insights toolchain ID to link to. string "" no
cd_emergency_label Identifies the pull request as an emergency. string "EMERGENCY" no
cd_enable_key_protect Use the Key Protect integration. bool false no
cd_enable_secrets_manager Use the Secrets Manager integration. bool false no
cd_enable_signing_validation Enable to add the code-signing-certificate property to the pipeline properties. bool false no
cd_enable_slack Default: false. Set to true to create the integration. bool false no
cd_evidence_group Specify Git user or group for evidence repository. string "" no
cd_evidence_repo_auth_type Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. string "" no
cd_evidence_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
cd_inventory_group Specify Git user or group for inventory repository. string "" no
cd_inventory_repo_auth_type Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. string "" no
cd_inventory_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
cd_issues_group Specify Git user or group for issues repository. string "" no
cd_issues_repo_auth_type Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. string "" no
cd_issues_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
cd_kp_location IBM Cloud location/region containing the Key Protect instance. string "" no
cd_kp_name Name of the Key Protect instance where the secrets are stored. string "" no
cd_kp_resource_group The resource group containing the Key Protect instance for your secrets. string "" no
cd_link_to_doi_toolchain Enable a link to a DevOps Insights instance in another toolchain, true or false. bool true no
cd_merge_cra_sbom Merge the SBOM string "1" no
cd_opt_out_v1_evidence Opt out of evidence v1. string "1" no
cd_pipeline_config_group Specify user or group for pipeline config repo. string "" no
cd_pipeline_config_path The name and path of the pipeline-config.yaml file within the pipeline-config repo. string ".pipeline-config.yaml" no
cd_pipeline_config_repo_auth_type Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. string "" no
cd_pipeline_config_repo_branch Specify the branch containing the custom pipeline-config.yaml file. string "" no
cd_pipeline_config_repo_clone_from_url Specify a repository containing a custom pipeline-config.yaml file. string "" no
cd_pipeline_config_repo_existing_url Specify a repository containing a custom pipeline-config.yaml file. string "" no
cd_pipeline_config_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
cd_pipeline_debug '0' by default. Set to '1' to enable debug logging. string "0" no
cd_pipeline_ibmcloud_api_key_secret_name Name of the Cloud API key secret in the secret provider. string "ibmcloud-api-key" no
cd_repositories_prefix Prefix name for the cloned compliance repos. string "" no
cd_satellite_cluster_group The Satellite cluster group string "" no
cd_scc_enable_scc Enable the SCC integration. bool true no
cd_scc_integration_name The name of the SCC integration. string "Security and Compliance" no
cd_slack_channel_name The Slack channel that notifications are posted to. string "my-channel" no
cd_slack_notifications The switch that turns the Slack notification on (1) or off (0). string "" no
cd_slack_pipeline_fail Generate pipeline failed notifications. bool true no
cd_slack_pipeline_start Generate pipeline start notifications. bool true no
cd_slack_pipeline_success Generate pipeline succeeded notifications. bool true no
cd_slack_team_name The Slack team name, which is the word or phrase before .slack.com in the team URL. string "my-team" no
cd_slack_toolchain_bind Generate tool added to toolchain notifications. bool true no
cd_slack_toolchain_unbind Generate tool removed from toolchain notifications. bool true no
cd_slack_webhook_secret_name Name of the webhook secret in the secret provider. string "" no
cd_sm_location IBM Cloud location/region containing the Secrets Manager instance. string "" no
cd_sm_name Name of the Secrets Manager instance where the secrets are stored. string "" no
cd_sm_resource_group The resource group containing the Secrets Manager instance for your secrets. string "" no
cd_sm_secret_group Group in Secrets Manager for organizing/grouping secrets. string "" no
cd_source_environment The source environment that the app is promoted from. string "master" no
cd_target_environment The target environment that the app is deployed to. string "prod" no
cd_target_environment_detail Details of the environment being updated. string "Production target environment" no
cd_target_environment_purpose Purpose of the environment being updated. string "production" no
cd_toolchain_description Description for the CD toolchain. string "Toolchain created with terraform template for DevSecOps CD Best Practices." no
cd_toolchain_name The name of the CD Toolchain. string "" no
cd_toolchain_region The region containing the CI toolchain. Use the short form of the regions. For example us-south. string "" no
cd_toolchain_resource_group Resource group within which toolchain is created. string "" no
ci_app_group Specify Git user or group for your application. string "" no
ci_app_name Name of the application image and inventory entry. string "hello-compliance-app" no
ci_app_repo_auth_type Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. string "" no
ci_app_repo_clone_from_branch Used when app_repo_clone_from_url is provided, the default branch that is used by the CI build, usually either main or master. string "" no
ci_app_repo_clone_from_url Override the default sample app by providing your own sample app URL, which is cloned into the app repo. Note, using clone_if_not_exists mode, so if the app repo already exists the repo contents are unchanged. string "" no
ci_app_repo_clone_to_git_id By default absent, otherwise use custom server GUID, or other options for git_id field in the browser UI. string "" no
ci_app_repo_clone_to_git_provider By default 'hostedgit', else use 'githubconsolidated' or 'gitlab'. string "" no
ci_app_repo_existing_branch Used when app_repo_existing_url is provided, the default branch that is used by the CI build, usually either main or master. string "" no
ci_app_repo_existing_git_id By default absent, otherwise use custom server GUID, or other options for git_id field in the browser UI. string "" no
ci_app_repo_existing_git_provider By default 'hostedgit', else use 'githubconsolidated' or 'gitlab'. string "" no
ci_app_repo_existing_url Override to bring your own existing application repository URL, which is used directly instead of cloning the default sample. string "" no
ci_app_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
ci_app_version The version of the app to deploy. string "v1" no
ci_authorization_policy_creation Disable Toolchain Service to Secrets Manager Service authorization policy creation. string "" no
ci_cluster_name Name of the Kubernetes cluster where the application is deployed. (can be the same cluster used for prod) string "" no
ci_cluster_namespace Name of the Kubernetes cluster namespace where the application is deployed. string "dev" no
ci_cluster_region Region of the Kubernetes cluster where the application is deployed. Use the short form of the regions. For example us-south. string "" no
ci_cluster_resource_group The cluster resource group. string "" no
ci_code_engine_build_strategy The build strategy for the Code Engine entity. Default strategy is 'dockerfile'. Set as 'buildpacks' for 'buildpacks' build. string "" no
ci_code_engine_entity_type Type of Code Engine entity to create/update as part of deployment. Default type is 'application'. Set as 'job' for 'job' type. string "" no
ci_code_engine_project The name of the Code Engine project to use (or create). string "DevSecOps_CE" no
ci_code_engine_region The region to create/lookup for the Code Engine project. string "ibm:yp:us-south" no
ci_code_engine_resource_group The resource group of the Code Engine project. string "Default" no
ci_code_engine_source The path to the location of code to build in the repository. string "" no
ci_compliance_base_image Pipeline baseimage to run most of the built-in pipeline code. string "" no
ci_compliance_pipeline_group Specify user or group for compliance pipline repo. string "" no
ci_compliance_pipeline_repo_auth_type Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. string "oauth" no
ci_compliance_pipeline_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "git-token" no
ci_cos_api_key_secret_name Name of the COS API key secret in the secret provider. string "" no
ci_cos_bucket_name COS bucket name. string "" no
ci_cos_endpoint COS endpoint name. string "" no
ci_cra_generate_cyclonedx_format If set to 1, CRA also generates the BOM in cyclonedx format (defaults to 1). string "1" no
ci_custom_image_tag The custom tag for the image in a comma-separated list. string "" no
ci_deployment_target The deployment target, cluster or code-engine. string "cluster" no
ci_dev_region (Deprecated. Use ci_cluster_region) Region of the Kubernetes cluster where the application is deployed. Use the short form of the regions. For example us-south string "" no
ci_dev_resource_group (Deprecated. Use ci_cluster_resource_group) The cluster resource group. string "" no
ci_doi_environment The DevOps Insights target environment. string "" no
ci_doi_toolchain_id DevOps Insights toolchain ID to link to. string "" no
ci_doi_toolchain_id_pipeline_property The DevOps Insights instance toolchain ID. string "" no
ci_enable_key_protect Set to enable Key Protect Integration. bool false no
ci_enable_pipeline_dockerconfigjson Enable to add the pipeline-dockerconfigjson property to the pipeline properties. bool false no
ci_enable_secrets_manager Set to enable Secrets Manager Integration. bool false no
ci_enable_slack Default: false. Set to true to create the integration. bool false no
ci_evidence_group Specify Git user or group for evidence repository. string "" no
ci_evidence_repo_auth_type Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. string "" no
ci_evidence_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
ci_inventory_group Specify Git user or group for inventory repository. string "" no
ci_inventory_repo_auth_type Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. string "" no
ci_inventory_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
ci_issues_group Specify Git user or group for issues repository. string "" no
ci_issues_repo_auth_type Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. string "" no
ci_issues_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
ci_kp_location IBM Cloud location/region containing the Key Protect instance. string "" no
ci_kp_name Name of the Key Protect instance where the secrets are stored. string "" no
ci_kp_resource_group The resource group containing the Key Protect instance. string "" no
ci_link_to_doi_toolchain Enable a link to a DevOps Insights instance in another toolchain. bool false no
ci_opt_in_dynamic_api_scan To enable the OWASP Zap API scan. '1' enable or '0' disable. string "1" no
ci_opt_in_dynamic_scan To enable the OWASP Zap scan. '1' enable or '0' disable. string "1" no
ci_opt_in_dynamic_ui_scan To enable the OWASP Zap UI scan. '1' enable or '0' disable. string "1" no
ci_opt_in_sonar Opt in for Sonarqube string "1" no
ci_opt_out_v1_evidence Opt out of Evidence v1 string "1" no
ci_pipeline_config_group Specify user or group for pipeline config repo. string "" no
ci_pipeline_config_path The name and path of the pipeline-config.yaml file within the pipeline-config repo. string ".pipeline-config.yaml" no
ci_pipeline_config_repo_auth_type Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. string "" no
ci_pipeline_config_repo_branch Specify the branch containing the custom pipeline-config.yaml file. string "" no
ci_pipeline_config_repo_clone_from_url Specify a repository containing a custom pipeline-config.yaml file. string "" no
ci_pipeline_config_repo_existing_url Specify a repository containing a custom pipeline-config.yaml file. string "" no
ci_pipeline_config_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
ci_pipeline_debug '0' by default. Set to '1' to enable debug logging. string "0" no
ci_pipeline_dockerconfigjson_secret_name Name of the pipeline docker config JSON secret in the secret provider. string "pipeline_dockerconfigjson_secret_name" no
ci_pipeline_ibmcloud_api_key_secret_name Name of the Cloud API key secret in the secret provider. string "ibmcloud-api-key" no
ci_registry_namespace A unique namespace within the IBM Cloud Container Registry region where the application image is stored. string "" no
ci_registry_region The IBM Cloud Region where the IBM Cloud Container Registry namespace is to be created. Use the short form of the regions. For example us-south. string "" no
ci_repositories_prefix Prefix name for the cloned compliance repos. string "" no
ci_signing_key_secret_name Name of the signing key secret in the secret provider. string "signing_key" no
ci_slack_channel_name The Slack channel that notifications are posted to. string "my-channel" no
ci_slack_notifications The switch that turns the Slack notification on (1) or off (0). string "" no
ci_slack_pipeline_fail Generate pipeline failed notifications. bool true no
ci_slack_pipeline_start Generate pipeline start notifications. bool true no
ci_slack_pipeline_success Generate pipeline succeeded notifications. bool true no
ci_slack_team_name The Slack team name, which is the word or phrase before .slack.com in the team URL. string "my-team" no
ci_slack_toolchain_bind Generate tool added to toolchain notifications. bool true no
ci_slack_toolchain_unbind Generate tool removed from toolchain notifications. bool true no
ci_slack_webhook_secret_name Name of the webhook secret in the secret provider. string "" no
ci_sm_location IBM Cloud location/region containing the Secrets Manager instance. string "" no
ci_sm_name Name of the Secrets Manager instance where the secrets are stored. string "" no
ci_sm_resource_group The resource group containing the Secrets Manager instance. string "" no
ci_sm_secret_group Group in Secrets Manager for organizing/grouping secrets. string "" no
ci_sonarqube_config Runs a SonarQube scan in an isolated Docker-in-Docker container (default configuration) or in an existing Kubernetes cluster (custom configuration). Options: default or custom. Default is default. string "default" no
ci_toolchain_description Description for the CI Toolchain. string "Toolchain created with terraform template for DevSecOps CI Best Practices." no
ci_toolchain_name The name of the CI Toolchain. string "" no
ci_toolchain_region The region containing the CI toolchain. Use the short form of the regions. For example us-south. string "" no
ci_toolchain_resource_group The resource group within which the toolchain is created. string "" no
cluster_name Name of the Kubernetes cluster where the application is deployed. This sets the same cluster for both CI and CD toolchains. See ci_cluster_name and cd_cluster_name to set different clusters. By default , the cluster namespace for CI will be set to dev and CD to prod. These can be changed using ci_cluster_namespace and cd_cluster_namespace. string "mycluster-free" no
compliance_base_image Pipeline baseimage to run most of the built-in pipeline code. string "" no
cos_api_key_secret_name To enable the use of COS, a secret name to a COS API key secret in the secret provider is required. In addition cos_endpoint and cos_bucket_name must be set. This setting sets the same API key for the COS settings in the CI, CD, and CC toolchains. See ci_cos_api_key_secret_name, cd_cos_api_key_secret_name, and cc_cos_api_key_secret_name to set separately. string "cos-api-key" no
cos_bucket_name Set the name of your COS bucket. This applies the same COS bucket name for the CI, CD, and CC toolchains. See ci_cos_bucket_name, cd_cos_bucket_name, and cc_cos_bucket_name to set separately. string "" no
cos_endpoint Set the Cloud Object Storage endpoint for accessing your COS bucket. This setting sets the same endpoint for COS in the CI, CD, and CC toolchains. See ci_cos_endpoint, cd_cos_endpoint, and cc_cos_endpoint to set the endpoints separately. string "" no
create_cc_toolchain Boolean flag which determines if the DevSecOps CC toolchain is created. bool true no
create_cd_toolchain Boolean flag which determines if the DevSecOps CD toolchain is created. bool true no
create_ci_toolchain Flag which determines if the DevSecOps CI toolchain is created. If this toolchain is not created then values must be set for the following variables, evidence_repo_url, issues_repo_url and inventory_repo_url. bool true no
deployment_repo_url This is the repository to clone deployment for DevSecOps toolchain template. string "" no
enable_key_protect Set to enable Key Protect Integrations. bool false no
enable_secrets_manager Enable the Secrets Manager integrations. bool true no
enable_slack Set to true to create the integration. This requires a valid slack_channel_name, slack_team_name, and a valid webhook (see slack_webhook_secret_name). This setting applies for CI, CD, and CC toolchains. To enable Slack separately, see ci_enable_slack, cd_enable_slack, and cc_enable_slack. bool false no
environment_prefix By default ibm:yp:. This will be set as the prefix to regions automatically where required. For example ibm:yp:us-south. string "ibm:yp:" no
evidence_repo_url This is a template repository to clone compliance-evidence-locker for reference DevSecOps toolchain templates. string "" no
ibmcloud_api IBM Cloud API Endpoint. string "https://cloud.ibm.com" no
ibmcloud_api_key API key used to create the toolchains. (See deployment guide.) string n/a yes
inventory_repo_url This is a template repository to clone compliance-inventory for reference DevSecOps toolchain templates. string "" no
issues_repo_url This is a template repository to clone compliance-issues for reference DevSecOps toolchain templates. string "" no
kp_location The region location of the Key Protect instance. This applies to the CI, CD and CC Key Protect integrations. See ci_kp_location, cd_kp_location, and cc_kp_location to set separately. string "us-south" no
kp_name Name of the Key Protect instance where the secrets are stored. This applies to the CI, CD and CC Key Protect integrations. See ci_kp_name, cd_kp_name, and cc_kp_name to set separately. string "kp-compliance-secrets" no
kp_resource_group The resource group containing the Key Protect instance. This applies to the CI, CD and CC Key Protect integrations. See ci_kp_resource_group, cd_kp_resource_group, and cc_kp_resource_group to set separately. string "Default" no
repo_git_token_secret_name Name of the Git token secret in the secret provider. Specifying a secret name for the Git Token automatically sets the authentication type to pat. string "" no
repo_group Specify Git user or group for your application. This must be set if the repository authentication type is pat (personal access token). string "" no
repositories_prefix Prefix name for the cloned compliance repos. string "compliance" no
slack_channel_name The Slack channel that notifications are posted to. This applies to the CI, CD, and CC toolchains. To set separately see ci_slack_channel_name, cd_slack_channel_name, and cc_slack_channel_name string "my-channel" no
slack_notifications This is enabled automatically when a Slack integration is created. The switch overrides the Slack notifications. Set 1 for on and 0 for off. This applies to the CI, CD, and CC toolchains. To set separately, see ci_slack_notifications, cd_slack_notifications, and cc_slack_notifications. string "" no
slack_team_name The Slack team name, which is the word or phrase before .slack.com in the team URL. This applies to the CI, CD, and CC toolchains. To set separately, see ci_slack_team_name, cd_slack_team_name, and cc_slack_team_name. string "my-team" no
slack_webhook_secret_name Name of the webhook secret for Slack in the secret provider. This applies to the CI, CD, and CC toolchains. To set separately, see ci_slack_webhook_secret_name, cd_slack_webhook_secret_name, and cc_slack_webhook_secret_name string "slack-webhook" no
sm_location The region location of the Secrets Manager instance. This applies to the CI, CD and CC Secret Manager integrations. See ci_sm_location, cd_sm_location, and cc_sm_location to set separately. string "us-south" no
sm_name The name of the Secret Managers instance. This applies to the CI, CD and CC Secret Manager integrations. See ci_sm_name, cd_sm_name, and cc_sm_name to set separately. string "sm-instance" no
sm_resource_group The resource group containing the Secrets Manager instance. This applies to the CI, CD and CC Secret Manager integrations. See ci_sm_resource_group, cd_sm_resource_group, and cc_sm_resource_group to set separately. string "Default" no
sm_secret_group Group in Secrets Manager for organizing/grouping secrets. This applies to the CI, CD and CC Secret Manager integrations. See ci_sm_secret_group, cd_sm_secret_group, and cc_sm_secret_group to set separately. string "Default" no
toolchain_name Common element of the toolchain name. The toolchain names will be appended with CI Toolchain or CD Toolchain or CC Toolchain followed by a timestamp. Can explicitly be set using ci_toolchain_name, cd_toolchain_name, and cc_toolchain_name. string "DevSecOps" no
toolchain_region The region identifier that will be used, by default, for all resource creation and service instance lookup. This can be overridden on a per resource/service basis. See ci_toolchain_region,cd_toolchain_region,cc_toolchain_region, ci_cluster_region, cd_cluster_region, ci_registry_region. string "us-south" no
toolchain_resource_group The resource group that will be used, by default, for all resource creation and service instance lookups. This can be overridden on a per resource/service basis. See ci_toolchain_resource_group,cd_toolchain_resource_group,cc_toolchain_resource_group, ci_cluster_resource_group. string "Default" no

Outputs

Name Description
app_repo_url The App Repo URL
compliance_cc_toolchain_id The ID of the Compliance CC Toolchain
compliance_cd_toolchain_id The ID of the Compliance CD Toolchain
compliance_ci_toolchain_id The ID of the Compliance CI Toolchain
evidence_repo_url The Evidence Repo URL
inventory_repo_url The Inventory Repo URL
issues_repo_url The Issues Repo URL

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.

devsecops-alm's People

Contributors

terraform-ibm-modules-ops avatar huayuenh avatar padraic-edwards avatar ocofaigh avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.