Feature/jenkins

examples/guardrails/folder-factory/Jenkinsfile

@@ -0,0 +1,81 @@
+pipeline {  
+    agent any
+     environment {
+    BUCKET_PATH                         = credentials('backend-path')
+    REPO_FULL_NAME                      = credentials('bucket-repo')
+    PROJECT_NAME                        = credentials('project-name')
+    GCP_PROJECT_NUMBER                  = credentials('project-id')
+    workload_identity_pool_id           = credentials('wif_pool_id')
+    workload_identity_pool_provider_id  = credentials('wif_pool_provider_id')
+    SERVICE_ACCOUNT_NAME                = credentials('sa-name')
+    policy_file_path                    = credentials('policy_file_path')
+  }
+    options {
+    skipDefaultCheckout(true)
+  }
+    stages {
+      stage('clean workspace') {
+      steps {
+        cleanWs()
+      }
+    }
+        stage('WIF') {
+      steps {
+          withCredentials([file(variable: 'ID_TOKEN_FILE', credentialsId: 'gcp')]) {
+          writeFile file: "$WORKSPACE_TMP/creds.json", text: """
+    {
+      "type": "external_account",
+      "audience": "//iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${workload_identity_pool_id}/providers/${workload_identity_pool_provider_id}",
+      "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
+      "token_url": "https://sts.googleapis.com/v1/token",
+      "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${SERVICE_ACCOUNT_NAME}@${PROJECT_NAME}.iam.gserviceaccount.com:generateAccessToken",
+      "credential_source": {
+        "file": "$ID_TOKEN_FILE",
+        "format": {
+          "type": "text"
+        }
+      }
+    }
+  """
+  sh '''
+    gcloud auth login --brief --cred-file=$WORKSPACE_TMP/creds.json
+  '''
+}    
+      }
+    }
+       stage('checkout') {
+      steps {
+        checkout scm
+      }
+    }
+        stage('Terraform Plan') {
+            steps {
+
+               sh '''
+                 cd guardrails/folder-factory
+                terraform init -backend-config="bucket=${BUCKET_PATH}" -backend-config="prefix=${REPO_FULL_NAME}" 
+                terraform plan -input=false -out ffjenkins.tfplan    
+              ''' 
+            }
+        }
+       stage('Terraform Validate') {
+            steps {
+               sh '''
+                 cd guardrails/folder-factory
+                 terraform show -json "ffjenkins.tfplan" > "ffjenkins.json" 
+                gcloud source repos clone gcp-policies "${policy_file_path}" --project="${GCP_PROJECT_NUMBER}" 
+                gcloud beta terraform vet "ffjenkins.json" --policy-library="${policy_file_path}" --project="${GCP_PROJECT_NUMBER}" 
+                '''          
+            }
+        }
+       stage('Terraform Apply') {
+            steps {           
+               sh '''
+                 cd guardrails/folder-factory
+                terraform apply -auto-approve
+                '''             
+            }
+        }
+    }   
+}
+

examples/guardrails/folder-factory/README.md

@@ -57,3 +57,44 @@ iam:
 ```
 
 Every folder is defined with its own yaml file located in the following [Folder](data/folder).
+
+## How to run this stage
+### Prerequisites
+
+Workload Identity setup between the folder factory gitlab repositories and the GCP Identity provider configured with a service account containing required permissions to create folders and their organizational policies. There is a sample code provided in “folder.yaml.sample” to create a folder and for terraform to create a folder minimum below permissions are required. 
+“Folder Creator” or “Folder Admin” at org level
+“Organization Policy Admin” at org level
+
+
+### Installation Steps
+
+Step 1: Create a bucket for terraform backend on the GCP environment.
+Step 2: Create Jenkins Pipeline on Jenkins.
+Step 3: Configure the below variables on Jenkins Credentials.
+
+### Terraform config validator
+The pipeline has an option to utilise the integrated config validator (gcloud terraform vet) to impose constraints on your terraform configuration. You have to provide the policy-library repo URL to $POLICY_LIBRARY_REPO variable. See the below for details on the Variables to be set on the CI/CD pipeline.
+
+
+| Variable                      |                                                                                                                                                        | Example Value                                 |
+| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------- |
+| PROJECT_NAME                  | The project containing the service account that has permission to communicate with the WIF provider. Should be created as part of Project Factory.     | jenkins-connect-prj                         |
+| GCP_PROJECT_NUMBER            | Project number for the project that hosts the WIF provider                                                                                             | 107999111999                                  |
+| SERVICE_ACCOUNT_NAME          | The name of the service account that will be used to deploy. Must be hosted in PROJECT_NAME.                                                           | jenkins-sa                               |
+| BUCKET_PATH                   | A state bucket that will hold the terraform state. This bucket must previously exist and the service account must have permission to read/write to it. | jenkins-gcs-state-bucket-name                         |
+| policy_file_path          | https://github.com/GoogleCloudPlatform/policy-library                                                                                                  | The public repo where the policies are hosted |
+| workload_identity_pool_id     |                                                                                                                                                        | jenkins-test-pool                           |
+| workload_identity_provider_id |                                                                                                                                                        | jenkins-test-provider                       |                                                                                                |
+
+* Once the prerequisites are set up, any commit to the remote main branch with changes to  *.tf, *.tfvars, data/*, modules/* files should trigger the pipeline.  
+
+
+### Pipeline Workflow Overview
+The complete workflow comprises of 6 stages and 2 before-script jobs
+  * Stages:
+    * Clean workspace : This step cleans the previous packages from Jenkins workspace
+    * WIF : Execute the Workload Identity Federation script and generate credential file.
+    * Terraform plan: Runs terraform plan and saves the plan and json version of the plan as artifacts, this depends on the branch
+    * Terraform validate: Runs gcloud terraform vet against the terraform code with the constraints in the specified repository.
+    * apply: This is executed for specified list of branches, currently main/master
+

examples/guardrails/project-factory/Jenkinsfile

@@ -0,0 +1,49 @@
+pipeline {
+    agent any
+     environment {
+      BUCKET_PATH       = credentials('backend-path')
+      policy_file_path  = credentials('policy_file_path')
+  }
+    options {
+    skipDefaultCheckout(true)
+  }
+    stages {
+      stage('clean workspace') {
+      steps {
+        cleanWs()
+      }
+    }
+      stage('checkout') {
+      steps {
+        checkout scm
+      }
+    }
+        stage('Terraform Plan') {
+            steps {             
+                sh '''
+                 cd guardrails/project-factory
+                terraform init -backend-config="bucket=${BUCKET_PATH}" -backend-config="prefix=project-factory-staging-tfstate" -var-file="staging.tfvars"
+                terraform plan -var-file="staging.tfvars"  -out pfjenkins.tfplan                                 
+              '''            
+            }
+        }
+       stage('Terraform Validate') {
+            steps {           
+               sh '''
+                 cd guardrails/project-factory
+                 terraform show -json "pfjenkins.tfplan" > "ffjenkins.json" 
+                gcloud source repos clone gcp-policies "${policy_file_path}" --project="${GCP_PROJECT_NUMBER}" 
+                gcloud beta terraform vet "pfjenkins.json" --policy-library="${policy_file_path}" --project="${GCP_PROJECT_NUMBER}" 
+                '''            
+            }
+        }
+       stage('Terraform Apply') {
+            steps {          
+               sh '''
+                 cd guardrails/project-factory
+                 terraform apply -var-file="staging.tfvars"  -auto-approve 
+                '''             
+            }
+        }
+    }
+}

examples/guardrails/project-factory/README.md

@@ -73,3 +73,45 @@ repo_branch: dev
 ```
 
 Every project is defined with its own file located in the [Project Folder](data/projects).
+
+## How to run this stage
+### Prerequisites
+
+Workload Identity setup between the folder factory gitlab repositories and the GCP Identity provider configured with a service account containing required permissions to create folders and their organizational policies. There is a sample code provided in “folder.yaml.sample” to create a folder and for terraform to create a folder minimum below permissions are required. 
+“Folder Creator” or “Folder Admin” at org level
+“Organization Policy Admin” at org level
+
+
+### Installation Steps
+
+Step 1: Create a bucket for terraform backend on the GCP environment.
+Step 2: Create Jenkins Pipeline on Jenkins.
+Step 3: Configure the below variables on Jenkins Credentials.
+
+### Terraform config validator
+The pipeline has an option to utilise the integrated config validator (gcloud terraform vet) to impose constraints on your terraform configuration. You have to provide the policy-library repo URL to $POLICY_LIBRARY_REPO variable. See the below for details on the Variables to be set on the CI/CD pipeline.
+
+
+| Variable                      |                                                                                                                                                        | Example Value                                 |
+| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------- |
+| PROJECT_NAME                  | The project containing the service account that has permission to communicate with the WIF provider. Should be created as part of Project Factory.     | jenkins-connect-prj                         |
+| GCP_PROJECT_NUMBER            | Project number for the project that hosts the WIF provider                                                                                             | 107999111999                                  |
+| SERVICE_ACCOUNT_NAME          | The name of the service account that will be used to deploy. Must be hosted in PROJECT_NAME.                                                           | jenkins-sa                               |
+| BUCKET_PATH                   | A state bucket that will hold the terraform state. This bucket must previously exist and the service account must have permission to read/write to it. | jenkins-gcs-state-bucket-name                         |
+| policy_file_path          | https://github.com/GoogleCloudPlatform/policy-library                                                                                                  | The public repo where the policies are hosted |
+| workload_identity_pool_id     |                                                                                                                                                        | jenkins-test-pool                           |
+| workload_identity_provider_id |                                                                                                                                                        | jenkins-test-provider                       |                                                                                                |
+
+* Once the prerequisites are set up, any commit to the remote main branch with changes to  *.tf, *.tfvars, data/*, modules/* files should trigger the pipeline.  
+
+
+### Pipeline Workflow Overview
+The complete workflow comprises of 6 stages and 2 before-script jobs
+  * Stages:
+    * Clean workspace : This step cleans the previous packages from Jenkins workspace
+    * WIF : Execute the Workload Identity Federation script and generate credential file.
+    * Terraform plan: Runs terraform plan and saves the plan and json version of the plan as artifacts, this depends on the branch
+    * Terraform validate: Runs gcloud terraform vet against the terraform code with the constraints in the specified repository.
+    * apply: This is executed for specified list of branches, currently main/master
+
+

examples/guardrails/project-factory/main.tf

@@ -25,11 +25,12 @@ module "project" {
   source          = "./modules/project_plus"
   for_each        = local.projects
   team            = each.key
-  repo_sub        = "${each.value.repo_provider == "gitlab" ? "project_path:${each.value.repo_name}:ref_type:branch:ref:${each.value.repo_branch}" : "repo:${each.value.repo_name}:ref:refs/heads/${each.value.repo_branch}"}" 
+  repo_sub        = each.value.repo_branch
   repo_provider   = each.value.repo_provider
   billing_account = each.value.billing_account_id
   folder          = var.folder
   roles           = try(each.value.roles, [])
-  wif-pool        = "${each.value.repo_provider == "gitlab" ? google_iam_workload_identity_pool.wif-pool-gitlab.name : google_iam_workload_identity_pool.wif-pool-github.name}"
-  depends_on      = [google_iam_workload_identity_pool.wif-pool-github,google_iam_workload_identity_pool.wif-pool-gitlab]
+  wif-pool        = google_iam_workload_identity_pool.wif-pool-jenkins.name
+  depends_on      = [google_iam_workload_identity_pool.wif-pool-jenkins]
 }
+

examples/guardrails/project-factory/modules/project_plus/main.tf

@@ -34,7 +34,7 @@ resource "google_service_account" "sa" {
 resource "google_service_account_iam_member" "sa-iam" {
   service_account_id = google_service_account.sa.name
   role               = "roles/iam.workloadIdentityUser"
-  member             = "principalSet://iam.googleapis.com/${var.wif-pool}/attribute.sub/${var.repo_sub}"
+  member             = "principalSet://iam.googleapis.com/${var.wif-pool}/attribute.branch_name/${var.repo_sub}"
 }
 
 resource "google_project_iam_member" "sa-project" {

examples/guardrails/project-factory/variables.tf

@@ -17,3 +17,11 @@
 variable "folder" {
 
 }
+variable "billing_account" {
+}
+variable "issuer_uri" {
+}
+
+variable "allowed_audiences" {
+  type = list
+}

examples/guardrails/project-factory/wif.tf

@@ -22,46 +22,30 @@ module "wif-project" {
   source          = "./modules/project"
   name            = "wif-prj-${random_id.rand.hex}"
   parent          = var.folder
-  billing_account = "01B3B2-962224-4EEC67"
+  billing_account = var.billing_account
 }
 
-resource "google_iam_workload_identity_pool" "wif-pool-gitlab" {
+resource "google_iam_workload_identity_pool" "wif-pool-jenkins" {
   provider                  = google-beta
-  workload_identity_pool_id = "gitlab-pool-${random_id.rand.hex}"
+  workload_identity_pool_id = "jenkins-pool1-${random_id.rand.hex}"
   project                   = module.wif-project.project_id
 }
 
-resource "google_iam_workload_identity_pool_provider" "wif-provider-gitlab" {
+resource "google_iam_workload_identity_pool_provider" "wif-provider-jenkins" {
   provider                           = google-beta
-  workload_identity_pool_id          = google_iam_workload_identity_pool.wif-pool-gitlab.workload_identity_pool_id
-  workload_identity_pool_provider_id = "gitlab-provider-${random_id.rand.hex}"
+  workload_identity_pool_id          = google_iam_workload_identity_pool.wif-pool-jenkins.workload_identity_pool_id
+  workload_identity_pool_provider_id = "jenkins-provider-${random_id.rand.hex}"
   project                            = module.wif-project.project_id
   attribute_mapping                  = {
     "google.subject" = "assertion.sub"
     "attribute.sub" = "assertion.sub"
+    "attribute.branch_name" = "assertion.branchName"
   }
   oidc {
-    issuer_uri        = "https://gitlab.com"
-  }
-}
-
-resource "google_iam_workload_identity_pool" "wif-pool-github" {
-  provider                  = google-beta
-  workload_identity_pool_id = "github-pool-${random_id.rand.hex}"
-  project                   = module.wif-project.project_id
-}
-
-resource "google_iam_workload_identity_pool_provider" "wif-provider-github" {
-  provider                           = google-beta
-  workload_identity_pool_id          = google_iam_workload_identity_pool.wif-pool-github.workload_identity_pool_id
-  workload_identity_pool_provider_id = "github-provider-${random_id.rand.hex}"
-  project                            = module.wif-project.project_id
-  attribute_mapping                  = {
-    "google.subject" = "assertion.sub"
-    "attribute.sub" = "assertion.sub"
-    "attribute.actor" = "assertion.actor"
-  }
-  oidc {
-    issuer_uri        = "https://token.actions.githubusercontent.com"
+    issuer_uri        = var.issuer_uri
+    allowed_audiences = var.allowed_audiences
   }
+    depends_on = [
+    google_iam_workload_identity_pool.wif-pool-jenkins
+  ]
 }