[Implemented (No quality checks)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
A Terraform module for provisioning the DevSecOps CI, CD, and CC toolchains.
```hcl
ibmcloud_api_key = "" # Set your API key (leave empty in a committed file and export TF_VAR_ibmcloud_api_key instead)
ci_toolchain_name = "DevSecOps CI Toolchain - Terraform"
cd_toolchain_name = "DevSecOps CD Toolchain - Terraform"
cc_toolchain_name = "DevSecOps CC Toolchain - Terraform"
toolchain_resource_group = "Default"
toolchain_region = "jp-tok" # Region short name only
registry_namespace = "tektonhh"
ci_registry_region = "ibm:yp:jp-tok"
sm_name = "sm-compliance-secrets" # Secrets Manager instance name
sm_location = "eu-gb"
sm_resource_group = "Default"
sm_secret_group = "Default"
ci_cluster_name = "mycluster-free"
ci_cluster_namespace = "dev"
ci_dev_region = "ibm:yp:jp-tok" # Deprecated, see ci_cluster_region
ci_dev_resource_group = "Default" # Deprecated, see ci_cluster_resource_group
cd_cluster_name = "mycluster-free"
cd_cluster_namespace = "prod"
```
Name | Version |
---|---|
terraform | >= 1.0.0 |
ibm | >=1.51.0 |
No resources.
Name | Description | Type | Default | Required |
---|---|---|---|---|
authorization_policy_creation | Disable Toolchain Service to Secrets Manager Service authorization policy creation. To disable, set the value to `disabled`. This applies to the CI, CD, and CC toolchains. To set separately, see `ci_authorization_policy_creation`, `cd_authorization_policy_creation`, and `cc_authorization_policy_creation`. | string | "" | no |
cc_app_group | Specify user or group for app repo. | string | "" | no |
cc_app_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "" | no |
cc_app_repo_branch | The default branch of the app repo. | string | "master" | no |
cc_app_repo_git_id | The Git Id of the repository. | string | "" | no |
cc_app_repo_git_provider | The type of the Git provider. | string | "hostedgit" | no |
cc_app_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "git-token" | no |
cc_app_repo_url | The Git URL for the application repository. | string | "" | no |
cc_authorization_policy_creation | Disable Toolchain service to Secrets Manager Service authorization policy creation. | string | "" | no |
cc_compliance_base_image | Pipeline base image to run most of the built-in pipeline code. | string | "" | no |
cc_compliance_pipeline_group | Specify user or group for compliance pipeline repo. | string | "" | no |
cc_compliance_pipeline_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "oauth" | no |
cc_compliance_pipeline_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "git-token" | no |
cc_cos_api_key_secret_name | Name of the COS API key secret in the secret provider. | string | "" | no |
cc_cos_bucket_name | COS bucket name. | string | "" | no |
cc_cos_endpoint | COS endpoint name. | string | "" | no |
cc_doi_environment | DevOps Insights environment for DevSecOps CD deployment. | string | "" | no |
cc_doi_toolchain_id | DevOps Insights toolchain ID to link to. | string | "" | no |
cc_enable_key_protect | Enable the Key Protect integration. | bool | false | no |
cc_enable_pipeline_dockerconfigjson | Enable to add the pipeline-dockerconfigjson property to the pipeline properties. | bool | false | no |
cc_enable_secrets_manager | Enable the Secrets Manager integration. | bool | false | no |
cc_enable_slack | Set to true to create the integration. | bool | false | no |
cc_environment_tag | Tag name that represents the target environment in the inventory. Example: prod_latest. | string | "prod_latest" | no |
cc_evidence_group | Specify Git user or group for evidence repository. | string | "" | no |
cc_evidence_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "" | no |
cc_evidence_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "" | no |
cc_inventory_group | Specify Git user or group for inventory repository. | string | "" | no |
cc_inventory_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "" | no |
cc_inventory_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "" | no |
cc_issues_group | Specify Git user or group for issues repository. | string | "" | no |
cc_issues_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "" | no |
cc_issues_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "" | no |
cc_kp_location | IBM Cloud location/region containing the Key Protect instance. | string | "" | no |
cc_kp_name | Name of the Key Protect instance where the secrets are stored. | string | "" | no |
cc_kp_resource_group | The resource group containing the Key Protect instance for your secrets. | string | "" | no |
cc_link_to_doi_toolchain | Enable a link to a DevOps Insights instance in another toolchain, true or false. | bool | true | no |
cc_opt_in_auto_close | Enables auto-closing of issues coming from vulnerabilities, once the vulnerability is no longer detected by the CC pipeline run. | string | "1" | no |
cc_opt_in_dynamic_api_scan | To enable the OWASP Zap API scan. '1' enable or '0' disable. | string | "" | no |
cc_opt_in_dynamic_scan | To enable the OWASP Zap scan. '1' enable or '0' disable. | string | "" | no |
cc_opt_in_dynamic_ui_scan | To enable the OWASP Zap UI scan. '1' enable or '0' disable. | string | "" | no |
cc_pipeline_config_group | Specify user or group for pipeline config repo. | string | "" | no |
cc_pipeline_config_path | The name and path of the pipeline-config.yaml file within the pipeline-config repo. | string | ".pipeline-config.yaml" | no |
cc_pipeline_config_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "" | no |
cc_pipeline_config_repo_branch | Specify the branch containing the custom pipeline-config.yaml file. | string | "" | no |
cc_pipeline_config_repo_clone_from_url | Specify a repository containing a custom pipeline-config.yaml file. | string | "" | no |
cc_pipeline_config_repo_existing_url | Specify a repository containing a custom pipeline-config.yaml file. | string | "" | no |
cc_pipeline_config_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "git-token" | no |
cc_pipeline_debug | '0' by default. Set to '1' to enable debug logging. | string | "0" | no |
cc_pipeline_dockerconfigjson_secret_name | Name of the pipeline docker config JSON secret in the secret provider. | string | "pipeline_dockerconfigjson_secret_name" | no |
cc_pipeline_ibmcloud_api_key_secret_name | Name of the Cloud API key secret in the secret provider. | string | "ibmcloud-api-key" | no |
cc_repositories_prefix | The prefix for the compliance repositories. | string | "" | no |
cc_scc_enable_scc | Enable the SCC integration. | bool | true | no |
cc_scc_integration_name | The name of the SCC integration. | string | "Security and Compliance" | no |
cc_slack_channel_name | The Slack channel that notifications are posted to. | string | "my-channel" | no |
cc_slack_notifications | The switch that turns the Slack notification on (`1`) or off (`0`). | string | "" | no |
cc_slack_pipeline_fail | Generate pipeline failed notifications. | bool | true | no |
cc_slack_pipeline_start | Generate pipeline start notifications. | bool | true | no |
cc_slack_pipeline_success | Generate pipeline succeeded notifications. | bool | true | no |
cc_slack_team_name | The Slack team name, which is the word or phrase before .slack.com in the team URL. | string | "my-team" | no |
cc_slack_toolchain_bind | Generate tool added to toolchain notifications. | bool | true | no |
cc_slack_toolchain_unbind | Generate tool removed from toolchain notifications. | bool | true | no |
cc_slack_webhook_secret_name | Name of the webhook secret in the secret provider. | string | "" | no |
cc_sm_location | IBM Cloud location/region containing the Secrets Manager instance. | string | "" | no |
cc_sm_name | Name of the Secrets Manager instance where the secrets are stored. | string | "" | no |
cc_sm_resource_group | The resource group containing the Secrets Manager instance for your secrets. | string | "" | no |
cc_sm_secret_group | Group in Secrets Manager for organizing/grouping secrets. | string | "" | no |
cc_sonarqube_config | Runs a SonarQube scan in an isolated Docker-in-Docker container (default configuration) or in an existing Kubernetes cluster (custom configuration). Options: default or custom. Default is default. | string | "default" | no |
cc_toolchain_description | Description for the CC Toolchain. | string | "Toolchain created with terraform template for DevSecOps CC Best Practices." | no |
cc_toolchain_name | The name of the CC Toolchain. | string | "" | no |
cc_toolchain_region | The region containing the CC toolchain. Use the short form of the regions. For example `us-south`. | string | "" | no |
cc_toolchain_resource_group | Resource group within which the toolchain is created. | string | "" | no |
cd_app_version | The version of the app to deploy. | string | "v1" | no |
cd_authorization_policy_creation | Disable Toolchain service to Secrets Manager Service authorization policy creation. | string | "" | no |
cd_change_management_group | Specify group for change management repository. | string | "" | no |
cd_change_management_repo | This repository holds the change management requests created for the deployments. | string | "" | no |
cd_change_management_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "" | no |
cd_change_management_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "" | no |
cd_change_repo_clone_from_url | Override the default management repo, which is cloned into the app repo. Note, using clone_if_not_exists mode, so if the app repo already exists the repo contents are unchanged. | string | "" | no |
cd_change_request_id | The ID of an open change request. If this parameter is set to 'notAvailable' by default, a change request is automatically created by the continuous deployment pipeline. | string | "notAvailable" | no |
cd_cluster_name | Name of the Kubernetes cluster where the application is deployed. | string | "" | no |
cd_cluster_namespace | Name of the Kubernetes cluster namespace where the application is deployed. | string | "prod" | no |
cd_cluster_region | Region of the Kubernetes cluster where the application is deployed. Use the short form of the regions. For example `us-south`. | string | "" | no |
cd_code_signing_cert_secret_name | Name of the code signing certificate secret in the secret provider. | string | "code-signing-cert" | no |
cd_compliance_base_image | Pipeline base image to run most of the built-in pipeline code. | string | "" | no |
cd_compliance_pipeline_group | Specify user or group for compliance pipeline repo. | string | "" | no |
cd_compliance_pipeline_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "oauth" | no |
cd_compliance_pipeline_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "git-token" | no |
cd_cos_api_key_secret_name | Name of the COS API key secret in the secret provider. | string | "" | no |
cd_cos_bucket_name | COS bucket name. | string | "" | no |
cd_cos_endpoint | COS endpoint name. | string | "" | no |
cd_customer_impact | Customer impact of the change request. | string | "no_impact" | no |
cd_deployment_group | Specify group for deployment. | string | "" | no |
cd_deployment_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "" | no |
cd_deployment_repo_clone_from_branch | Used when deployment_repo_clone_from_url is provided, the default branch that is used by the CD build, usually either main or master. | string | "" | no |
cd_deployment_repo_clone_from_url | Override the default sample app by providing your own sample deployment URL, which is cloned into the app repo. Note, using clone_if_not_exists mode, so if the app repo already exists the repo contents are unchanged. | string | "" | no |
cd_deployment_repo_clone_to_git_id | By default absent, else custom server GUID, or other options for 'git_id' field in the browser UI. | string | "" | no |
cd_deployment_repo_clone_to_git_provider | By default 'hostedgit', else use 'githubconsolidated' or 'gitlab'. | string | "" | no |
cd_deployment_repo_existing_branch | Used when deployment_repo_existing_url is provided, the default branch that is used by the CD build, usually either main or master. | string | "" | no |
cd_deployment_repo_existing_git_id | By default absent, else custom server GUID, or other options for 'git_id' field in the browser UI. | string | "" | no |
cd_deployment_repo_existing_git_provider | By default 'hostedgit', else use 'githubconsolidated' or 'gitlab'. | string | "hostedgit" | no |
cd_deployment_repo_existing_url | Override to bring your own existing deployment repository URL, which is used directly instead of cloning the default deployment sample. | string | "" | no |
cd_deployment_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "" | no |
cd_doi_environment | DevOps Insights environment for DevSecOps CD deployment. | string | "" | no |
cd_doi_toolchain_id | DevOps Insights toolchain ID to link to. | string | "" | no |
cd_emergency_label | Identifies the pull request as an emergency. | string | "EMERGENCY" | no |
cd_enable_key_protect | Use the Key Protect integration. | bool | false | no |
cd_enable_secrets_manager | Use the Secrets Manager integration. | bool | false | no |
cd_enable_signing_validation | Enable to add the code-signing-certificate property to the pipeline properties. | bool | false | no |
cd_enable_slack | Default: false. Set to true to create the integration. | bool | false | no |
cd_evidence_group | Specify Git user or group for evidence repository. | string | "" | no |
cd_evidence_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "" | no |
cd_evidence_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "" | no |
cd_inventory_group | Specify Git user or group for inventory repository. | string | "" | no |
cd_inventory_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "" | no |
cd_inventory_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "" | no |
cd_issues_group | Specify Git user or group for issues repository. | string | "" | no |
cd_issues_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "" | no |
cd_issues_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "" | no |
cd_kp_location | IBM Cloud location/region containing the Key Protect instance. | string | "" | no |
cd_kp_name | Name of the Key Protect instance where the secrets are stored. | string | "" | no |
cd_kp_resource_group | The resource group containing the Key Protect instance for your secrets. | string | "" | no |
cd_link_to_doi_toolchain | Enable a link to a DevOps Insights instance in another toolchain, true or false. | bool | true | no |
cd_merge_cra_sbom | Merge the SBOM. | string | "1" | no |
cd_opt_out_v1_evidence | Opt out of evidence v1. | string | "1" | no |
cd_pipeline_config_group | Specify user or group for pipeline config repo. | string | "" | no |
cd_pipeline_config_path | The name and path of the pipeline-config.yaml file within the pipeline-config repo. | string | ".pipeline-config.yaml" | no |
cd_pipeline_config_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "" | no |
cd_pipeline_config_repo_branch | Specify the branch containing the custom pipeline-config.yaml file. | string | "" | no |
cd_pipeline_config_repo_clone_from_url | Specify a repository containing a custom pipeline-config.yaml file. | string | "" | no |
cd_pipeline_config_repo_existing_url | Specify a repository containing a custom pipeline-config.yaml file. | string | "" | no |
cd_pipeline_config_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "" | no |
cd_pipeline_debug | '0' by default. Set to '1' to enable debug logging. | string | "0" | no |
cd_pipeline_ibmcloud_api_key_secret_name | Name of the Cloud API key secret in the secret provider. | string | "ibmcloud-api-key" | no |
cd_repositories_prefix | Prefix name for the cloned compliance repos. | string | "" | no |
cd_satellite_cluster_group | The Satellite cluster group. | string | "" | no |
cd_scc_enable_scc | Enable the SCC integration. | bool | true | no |
cd_scc_integration_name | The name of the SCC integration. | string | "Security and Compliance" | no |
cd_slack_channel_name | The Slack channel that notifications are posted to. | string | "my-channel" | no |
cd_slack_notifications | The switch that turns the Slack notification on (`1`) or off (`0`). | string | "" | no |
cd_slack_pipeline_fail | Generate pipeline failed notifications. | bool | true | no |
cd_slack_pipeline_start | Generate pipeline start notifications. | bool | true | no |
cd_slack_pipeline_success | Generate pipeline succeeded notifications. | bool | true | no |
cd_slack_team_name | The Slack team name, which is the word or phrase before .slack.com in the team URL. | string | "my-team" | no |
cd_slack_toolchain_bind | Generate tool added to toolchain notifications. | bool | true | no |
cd_slack_toolchain_unbind | Generate tool removed from toolchain notifications. | bool | true | no |
cd_slack_webhook_secret_name | Name of the webhook secret in the secret provider. | string | "" | no |
cd_sm_location | IBM Cloud location/region containing the Secrets Manager instance. | string | "" | no |
cd_sm_name | Name of the Secrets Manager instance where the secrets are stored. | string | "" | no |
cd_sm_resource_group | The resource group containing the Secrets Manager instance for your secrets. | string | "" | no |
cd_sm_secret_group | Group in Secrets Manager for organizing/grouping secrets. | string | "" | no |
cd_source_environment | The source environment that the app is promoted from. | string | "master" | no |
cd_target_environment | The target environment that the app is deployed to. | string | "prod" | no |
cd_target_environment_detail | Details of the environment being updated. | string | "Production target environment" | no |
cd_target_environment_purpose | Purpose of the environment being updated. | string | "production" | no |
cd_toolchain_description | Description for the CD toolchain. | string | "Toolchain created with terraform template for DevSecOps CD Best Practices." | no |
cd_toolchain_name | The name of the CD Toolchain. | string | "" | no |
cd_toolchain_region | The region containing the CD toolchain. Use the short form of the regions. For example `us-south`. | string | "" | no |
cd_toolchain_resource_group | Resource group within which the toolchain is created. | string | "" | no |
ci_app_group | Specify Git user or group for your application. | string | "" | no |
ci_app_name | Name of the application image and inventory entry. | string | "hello-compliance-app" | no |
ci_app_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "" | no |
ci_app_repo_clone_from_branch | Used when app_repo_clone_from_url is provided, the default branch that is used by the CI build, usually either main or master. | string | "" | no |
ci_app_repo_clone_from_url | Override the default sample app by providing your own sample app URL, which is cloned into the app repo. Note, using clone_if_not_exists mode, so if the app repo already exists the repo contents are unchanged. | string | "" | no |
ci_app_repo_clone_to_git_id | By default absent, otherwise use custom server GUID, or other options for git_id field in the browser UI. | string | "" | no |
ci_app_repo_clone_to_git_provider | By default 'hostedgit', else use 'githubconsolidated' or 'gitlab'. | string | "" | no |
ci_app_repo_existing_branch | Used when app_repo_existing_url is provided, the default branch that is used by the CI build, usually either main or master. | string | "" | no |
ci_app_repo_existing_git_id | By default absent, otherwise use custom server GUID, or other options for git_id field in the browser UI. | string | "" | no |
ci_app_repo_existing_git_provider | By default 'hostedgit', else use 'githubconsolidated' or 'gitlab'. | string | "" | no |
ci_app_repo_existing_url | Override to bring your own existing application repository URL, which is used directly instead of cloning the default sample. | string | "" | no |
ci_app_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "" | no |
ci_app_version | The version of the app to deploy. | string | "v1" | no |
ci_authorization_policy_creation | Disable Toolchain Service to Secrets Manager Service authorization policy creation. | string | "" | no |
ci_cluster_name | Name of the Kubernetes cluster where the application is deployed (can be the same cluster used for prod). | string | "" | no |
ci_cluster_namespace | Name of the Kubernetes cluster namespace where the application is deployed. | string | "dev" | no |
ci_cluster_region | Region of the Kubernetes cluster where the application is deployed. Use the short form of the regions. For example `us-south`. | string | "" | no |
ci_cluster_resource_group | The cluster resource group. | string | "" | no |
ci_code_engine_build_strategy | The build strategy for the Code Engine entity. Default strategy is 'dockerfile'. Set as 'buildpacks' for 'buildpacks' build. | string | "" | no |
ci_code_engine_entity_type | Type of Code Engine entity to create/update as part of deployment. Default type is 'application'. Set as 'job' for 'job' type. | string | "" | no |
ci_code_engine_project | The name of the Code Engine project to use (or create). | string | "DevSecOps_CE" | no |
ci_code_engine_region | The region to create/lookup for the Code Engine project. | string | "ibm:yp:us-south" | no |
ci_code_engine_resource_group | The resource group of the Code Engine project. | string | "Default" | no |
ci_code_engine_source | The path to the location of code to build in the repository. | string | "" | no |
ci_compliance_base_image | Pipeline base image to run most of the built-in pipeline code. | string | "" | no |
ci_compliance_pipeline_group | Specify user or group for compliance pipeline repo. | string | "" | no |
ci_compliance_pipeline_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "oauth" | no |
ci_compliance_pipeline_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "git-token" | no |
ci_cos_api_key_secret_name | Name of the COS API key secret in the secret provider. | string | "" | no |
ci_cos_bucket_name | COS bucket name. | string | "" | no |
ci_cos_endpoint | COS endpoint name. | string | "" | no |
ci_cra_generate_cyclonedx_format | If set to 1, CRA also generates the BOM in cyclonedx format (defaults to 1). | string | "1" | no |
ci_custom_image_tag | The custom tag for the image in a comma-separated list. | string | "" | no |
ci_deployment_target | The deployment target, cluster or code-engine. | string | "cluster" | no |
ci_dev_region | (Deprecated. Use `ci_cluster_region`.) Region of the Kubernetes cluster where the application is deployed. Use the short form of the regions. For example `us-south`. | string | "" | no |
ci_dev_resource_group | (Deprecated. Use `ci_cluster_resource_group`.) The cluster resource group. | string | "" | no |
ci_doi_environment | The DevOps Insights target environment. | string | "" | no |
ci_doi_toolchain_id | DevOps Insights toolchain ID to link to. | string | "" | no |
ci_doi_toolchain_id_pipeline_property | The DevOps Insights instance toolchain ID. | string | "" | no |
ci_enable_key_protect | Set to enable Key Protect Integration. | bool | false | no |
ci_enable_pipeline_dockerconfigjson | Enable to add the pipeline-dockerconfigjson property to the pipeline properties. | bool | false | no |
ci_enable_secrets_manager | Set to enable Secrets Manager Integration. | bool | false | no |
ci_enable_slack | Default: false. Set to true to create the integration. | bool | false | no |
ci_evidence_group | Specify Git user or group for evidence repository. | string | "" | no |
ci_evidence_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "" | no |
ci_evidence_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "" | no |
ci_inventory_group | Specify Git user or group for inventory repository. | string | "" | no |
ci_inventory_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "" | no |
ci_inventory_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "" | no |
ci_issues_group | Specify Git user or group for issues repository. | string | "" | no |
ci_issues_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "" | no |
ci_issues_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "" | no |
ci_kp_location | IBM Cloud location/region containing the Key Protect instance. | string | "" | no |
ci_kp_name | Name of the Key Protect instance where the secrets are stored. | string | "" | no |
ci_kp_resource_group | The resource group containing the Key Protect instance. | string | "" | no |
ci_link_to_doi_toolchain | Enable a link to a DevOps Insights instance in another toolchain. | bool | false | no |
ci_opt_in_dynamic_api_scan | To enable the OWASP Zap API scan. '1' enable or '0' disable. | string | "1" | no |
ci_opt_in_dynamic_scan | To enable the OWASP Zap scan. '1' enable or '0' disable. | string | "1" | no |
ci_opt_in_dynamic_ui_scan | To enable the OWASP Zap UI scan. '1' enable or '0' disable. | string | "1" | no |
ci_opt_in_sonar | Opt in for SonarQube. | string | "1" | no |
ci_opt_out_v1_evidence | Opt out of Evidence v1. | string | "1" | no |
ci_pipeline_config_group | Specify user or group for pipeline config repo. | string | "" | no |
ci_pipeline_config_path | The name and path of the pipeline-config.yaml file within the pipeline-config repo. | string | ".pipeline-config.yaml" | no |
ci_pipeline_config_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | "" | no |
ci_pipeline_config_repo_branch | Specify the branch containing the custom pipeline-config.yaml file. | string | "" | no |
ci_pipeline_config_repo_clone_from_url | Specify a repository containing a custom pipeline-config.yaml file. | string | "" | no |
ci_pipeline_config_repo_existing_url | Specify a repository containing a custom pipeline-config.yaml file. | string | "" | no |
ci_pipeline_config_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | "" | no |
ci_pipeline_debug | '0' by default. Set to '1' to enable debug logging. | string | "0" | no |
ci_pipeline_dockerconfigjson_secret_name | Name of the pipeline docker config JSON secret in the secret provider. | string | "pipeline_dockerconfigjson_secret_name" | no |
ci_pipeline_ibmcloud_api_key_secret_name | Name of the Cloud API key secret in the secret provider. | string | "ibmcloud-api-key" | no |
ci_registry_namespace | A unique namespace within the IBM Cloud Container Registry region where the application image is stored. | string | "" | no |
ci_registry_region | The IBM Cloud Region where the IBM Cloud Container Registry namespace is to be created. Use the short form of the regions. For example `us-south`. | string | "" | no |
ci_repositories_prefix | Prefix name for the cloned compliance repos. | string | "" | no |
ci_signing_key_secret_name | Name of the signing key secret in the secret provider. | string | "signing_key" | no |
ci_slack_channel_name | The Slack channel that notifications are posted to. | string | "my-channel" | no |
ci_slack_notifications | The switch that turns the Slack notification on (`1`) or off (`0`). | string | "" | no |
ci_slack_pipeline_fail | Generate pipeline failed notifications. | bool | true | no |
ci_slack_pipeline_start | Generate pipeline start notifications. | bool | true | no |
ci_slack_pipeline_success | Generate pipeline succeeded notifications. | bool | true | no |
ci_slack_team_name | The Slack team name, which is the word or phrase before .slack.com in the team URL. | string | "my-team" | no |
ci_slack_toolchain_bind | Generate tool added to toolchain notifications. | bool | true | no |
ci_slack_toolchain_unbind | Generate tool removed from toolchain notifications. | bool | true | no |
ci_slack_webhook_secret_name | Name of the webhook secret in the secret provider. | string | "" | no |
ci_sm_location | IBM Cloud location/region containing the Secrets Manager instance. | string | "" | no |
ci_sm_name | Name of the Secrets Manager instance where the secrets are stored. | string | "" | no |
ci_sm_resource_group | The resource group containing the Secrets Manager instance. | string | "" | no |
ci_sm_secret_group | Group in Secrets Manager for organizing/grouping secrets. | string | "" | no |
ci_sonarqube_config | Runs a SonarQube scan in an isolated Docker-in-Docker container (default configuration) or in an existing Kubernetes cluster (custom configuration). Options: default or custom. Default is default. | string | "default" | no |
ci_toolchain_description | Description for the CI Toolchain. | string | "Toolchain created with terraform template for DevSecOps CI Best Practices." | no |
ci_toolchain_name | The name of the CI Toolchain. | string | "" | no |
ci_toolchain_region | The region containing the CI toolchain. Use the short form of the regions. For example `us-south`. | string | "" | no |
ci_toolchain_resource_group | The resource group within which the toolchain is created. | string | "" | no |
cluster_name | Name of the Kubernetes cluster where the application is deployed. This sets the same cluster for both CI and CD toolchains. See `ci_cluster_name` and `cd_cluster_name` to set different clusters. By default, the cluster namespace for CI will be set to `dev` and CD to `prod`. These can be changed using `ci_cluster_namespace` and `cd_cluster_namespace`. | string | "mycluster-free" | no |
compliance_base_image | Pipeline base image to run most of the built-in pipeline code. | string | "" | no |
cos_api_key_secret_name | To enable the use of COS, a secret name to a COS API key secret in the secret provider is required. In addition `cos_endpoint` and `cos_bucket_name` must be set. This setting sets the same API key for the COS settings in the CI, CD, and CC toolchains. See `ci_cos_api_key_secret_name`, `cd_cos_api_key_secret_name`, and `cc_cos_api_key_secret_name` to set separately. | string | "cos-api-key" | no |
cos_bucket_name | Set the name of your COS bucket. This applies the same COS bucket name for the CI, CD, and CC toolchains. See `ci_cos_bucket_name`, `cd_cos_bucket_name`, and `cc_cos_bucket_name` to set separately. | string | "" | no |
cos_endpoint | Set the Cloud Object Storage endpoint for accessing your COS bucket. This setting sets the same endpoint for COS in the CI, CD, and CC toolchains. See `ci_cos_endpoint`, `cd_cos_endpoint`, and `cc_cos_endpoint` to set the endpoints separately. | string | "" | no |
create_cc_toolchain | Boolean flag which determines if the DevSecOps CC toolchain is created. | bool | true | no |
create_cd_toolchain | Boolean flag which determines if the DevSecOps CD toolchain is created. | bool | true | no |
create_ci_toolchain | Flag which determines if the DevSecOps CI toolchain is created. If this toolchain is not created then values must be set for the following variables: `evidence_repo_url`, `issues_repo_url` and `inventory_repo_url`. | bool | true | no |
deployment_repo_url | This is the repository to clone deployment for DevSecOps toolchain template. | string | "" | no |
enable_key_protect | Set to enable Key Protect Integrations. | bool | false | no |
enable_secrets_manager | Enable the Secrets Manager integrations. | bool | true | no |
enable_slack | Set to true to create the integration. This requires a valid `slack_channel_name`, `slack_team_name`, and a valid webhook (see `slack_webhook_secret_name`). This setting applies for CI, CD, and CC toolchains. To enable Slack separately, see `ci_enable_slack`, `cd_enable_slack`, and `cc_enable_slack`. | bool | false | no |
environment_prefix | By default `ibm:yp:`. This will be set as the prefix to regions automatically where required. For example `ibm:yp:us-south`. | string | "ibm:yp:" | no |
evidence_repo_url | This is a template repository to clone compliance-evidence-locker for reference DevSecOps toolchain templates. | string | "" | no |
ibmcloud_api | IBM Cloud API Endpoint. | string | "https://cloud.ibm.com" | no |
ibmcloud_api_key | API key used to create the toolchains. (See deployment guide.) | string | n/a | yes |
inventory_repo_url | This is a template repository to clone compliance-inventory for reference DevSecOps toolchain templates. | string | "" | no |
issues_repo_url | This is a template repository to clone compliance-issues for reference DevSecOps toolchain templates. | string | "" | no |
kp_location | The region location of the Key Protect instance. This applies to the CI, CD and CC Key Protect integrations. See `ci_kp_location`, `cd_kp_location`, and `cc_kp_location` to set separately. |
string |
"us-south" |
no |
kp_name | Name of the Key Protect instance where the secrets are stored. This applies to the CI, CD and CC Key Protect integrations. See ci_kp_name , cd_kp_name , and cc_kp_name to set separately. |
string |
"kp-compliance-secrets" |
no |
kp_resource_group | The resource group containing the Key Protect instance. This applies to the CI, CD and CC Key Protect integrations. See ci_kp_resource_group , cd_kp_resource_group , and cc_kp_resource_group to set separately. |
string |
"Default" |
no |
repo_git_token_secret_name | Name of the Git token secret in the secret provider. Specifying a secret name for the Git Token automatically sets the authentication type to pat . |
string |
"" |
no |
repo_group | Specify Git user or group for your application. This must be set if the repository authentication type is pat (personal access token). |
string |
"" |
no |
repositories_prefix | Prefix name for the cloned compliance repos. | string |
"compliance" |
no |
slack_channel_name | The Slack channel that notifications are posted to. This applies to the CI, CD, and CC toolchains. To set separately see ci_slack_channel_name , cd_slack_channel_name , and cc_slack_channel_name |
string |
"my-channel" |
no |
slack_notifications | This is enabled automatically when a Slack integration is created. The switch overrides the Slack notifications. Set 1 for on and 0 for off. This applies to the CI, CD, and CC toolchains. To set separately, see ci_slack_notifications , cd_slack_notifications , and cc_slack_notifications . |
string |
"" |
no |
slack_team_name | The Slack team name, which is the word or phrase before .slack.com in the team URL. This applies to the CI, CD, and CC toolchains. To set separately, see ci_slack_team_name , cd_slack_team_name , and cc_slack_team_name . |
string |
"my-team" |
no |
slack_webhook_secret_name | Name of the webhook secret for Slack in the secret provider. This applies to the CI, CD, and CC toolchains. To set separately, see ci_slack_webhook_secret_name , cd_slack_webhook_secret_name , and cc_slack_webhook_secret_name |
string |
"slack-webhook" |
no |
sm_location | The region location of the Secrets Manager instance. This applies to the CI, CD and CC Secret Manager integrations. See ci_sm_location , cd_sm_location , and cc_sm_location to set separately. |
string |
"us-south" |
no |
sm_name | The name of the Secret Managers instance. This applies to the CI, CD and CC Secret Manager integrations. See ci_sm_name , cd_sm_name , and cc_sm_name to set separately. |
string |
"sm-instance" |
no |
sm_resource_group | The resource group containing the Secrets Manager instance. This applies to the CI, CD and CC Secret Manager integrations. See ci_sm_resource_group , cd_sm_resource_group , and cc_sm_resource_group to set separately. |
string |
"Default" |
no |
sm_secret_group | Group in Secrets Manager for organizing/grouping secrets. This applies to the CI, CD and CC Secret Manager integrations. See ci_sm_secret_group , cd_sm_secret_group , and cc_sm_secret_group to set separately. |
string |
"Default" |
no |
toolchain_name | Common element of the toolchain name. The toolchain names will be appended with CI Toolchain or CD Toolchain or CC Toolchain followed by a timestamp. Can explicitly be set using ci_toolchain_name , cd_toolchain_name , and cc_toolchain_name . |
string |
"DevSecOps" |
no |
toolchain_region | The region identifier that will be used, by default, for all resource creation and service instance lookup. This can be overridden on a per resource/service basis. See ci_toolchain_region ,cd_toolchain_region ,cc_toolchain_region , ci_cluster_region , cd_cluster_region , ci_registry_region . |
string |
"us-south" |
no |
toolchain_resource_group | The resource group that will be used, by default, for all resource creation and service instance lookups. This can be overridden on a per resource/service basis. See ci_toolchain_resource_group ,cd_toolchain_resource_group ,cc_toolchain_resource_group , ci_cluster_resource_group . |
string |
"Default" |
no |
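A root configuration that exercises the dependency rules in the table above (CI skipped, so the three compliance repo URLs become mandatory; a Git token secret, so `repo_group` is needed; Slack on, so channel, team and webhook secret must be given). This is an added example, not one of the module's own examples; the module `source` path, the `ibmcloud_api_key` variable declaration and the repo URL placeholders are assumptions.

```hcl
# Added example: calling this module from a root configuration.
# Assumption: the module is checked out one directory up; replace `source`
# with the registry address if you consume it that way.
variable "ibmcloud_api_key" {
  type      = string
  sensitive = true   # supply via TF_VAR_ibmcloud_api_key, not a tfvars file committed to Git
}

module "devsecops_toolchains" {
  source = "../"   # assumption: this file lives in an examples/ subdirectory

  ibmcloud_api_key         = var.ibmcloud_api_key
  toolchain_name           = "DevSecOps"
  toolchain_region         = "us-south"   # short form; environment_prefix adds "ibm:yp:" where required
  toolchain_resource_group = "Default"

  # Secrets Manager is the active secret provider; Key Protect stays off.
  enable_secrets_manager = true
  enable_key_protect     = false
  sm_name                = "sm-compliance-secrets"
  sm_location            = "us-south"
  sm_resource_group      = "Default"
  sm_secret_group        = "Default"

  # Naming a Git token secret switches repo auth to `pat`, which requires repo_group.
  repo_git_token_secret_name = "git-token"
  repo_group                 = "my-git-org"   # constructed value

  # With the CI toolchain not created, the three compliance repos must be given.
  create_ci_toolchain = false
  create_cd_toolchain = true
  create_cc_toolchain = true
  evidence_repo_url   = "https://<git-host>/<org>/compliance-evidence-locker"   # placeholder
  issues_repo_url     = "https://<git-host>/<org>/compliance-issues"            # placeholder
  inventory_repo_url  = "https://<git-host>/<org>/compliance-inventory"         # placeholder

  # CD deploys to the default cluster; its namespace defaults to `prod`.
  cluster_name = "mycluster-free"

  # enable_slack requires a channel, a team name, and a webhook secret name.
  enable_slack              = true
  slack_channel_name        = "devsecops-alerts"   # constructed value
  slack_team_name           = "my-team"
  slack_webhook_secret_name = "slack-webhook"
}
```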
Name | Description |
---|---|
app_repo_url | The App Repo URL |
compliance_cc_toolchain_id | The ID of the Compliance CC Toolchain |
compliance_cd_toolchain_id | The ID of the Compliance CD Toolchain |
compliance_ci_toolchain_id | The ID of the Compliance CI Toolchain |
evidence_repo_url | The Evidence Repo URL |
inventory_repo_url | The Inventory Repo URL |
issues_repo_url | The Issues Repo URL |
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.