feat(module): add cloudbuild connection module (#312)

Co-authored-by: Daniel Andrade <dandrade@ciandt.com>
Co-authored-by: Andrew Peabody <andrewpeabody@google.com>

Author: 3 people

build/int.cloudbuild.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-timeout: 3600s
+timeout: 4200s
 steps:
 - id: swap-module-refs
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
@@ -249,6 +249,44 @@ steps:
   args: ['/bin/bash', '-c', 'cft test run TestCloudBuildWorkspaceSimpleGitLab --stage teardown --verbose']
   secretEnv: ['IM_GITLAB_PAT']
 
+- id: apply-cloudbuild-connection-github
+  waitFor:
+      - create-all
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestCloudBuildRepoConnectionGithub --stage apply --verbose']
+  secretEnv: ['IM_GITHUB_PAT']
+- id: verify-cloudbuild-connection-github
+  waitFor:
+      - apply-cloudbuild-connection-github
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestCloudBuildRepoConnectionGithub --stage verify --verbose']
+  secretEnv: ['IM_GITHUB_PAT']
+- id: teardown-cloudbuild-connection-github
+  waitFor:
+      - verify-cloudbuild-connection-github
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestCloudBuildRepoConnectionGithub --stage teardown --verbose']
+  secretEnv: ['IM_GITHUB_PAT']
+
+- id: apply-cloudbuild-connection-gitlab
+  waitFor:
+      - create-all
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestCloudBuildRepoConnectionGitLab --stage apply --verbose']
+  secretEnv: ['IM_GITLAB_PAT']
+- id: verify-cloudbuild-connection-gitlab
+  waitFor:
+      - apply-cloudbuild-connection-gitlab
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestCloudBuildRepoConnectionGitLab --stage verify --verbose']
+  secretEnv: ['IM_GITLAB_PAT']
+- id: teardown-cloudbuild-connection-gitlab
+  waitFor:
+      - verify-cloudbuild-connection-gitlab
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestCloudBuildRepoConnectionGitLab --stage teardown --verbose']
+  secretEnv: ['IM_GITLAB_PAT']
+
 availableSecrets:
   secretManager:
   - versionName: $_IM_GITHUB_PAT_SECRET_ID/versions/latest

examples/cloudbuild_repo_connection_github/README.md

@@ -0,0 +1,35 @@
+## Overview
+
+The example will create Cloud Build repositories (2nd gen) using a Github connection.
+
+## Github Requirements for Cloud Build Connection
+
+When using a Cloud Build repositories (2nd gen) GitHub repository, a Cloud Build connection to your repository provider will be created.
+
+For GitHub connections you will need:
+
+- Install the [Cloud Build App](https://github.com/apps/google-cloud-build) on Github.
+- Create a [Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) on Github with [scopes](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes) `repo` and `read:user` (or if app is installed in a organization use `read:org`).
+
+For more information on this topic refer to the Cloud Build repositories (2nd gen) documentation for
+[Connect to a GitHub repository](https://cloud.google.com/build/docs/automating-builds/github/connect-repo-github?generation=2nd-gen).
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| github\_app\_id | The application ID for the Cloudbuild GitHub app. | `string` | n/a | yes |
+| github\_pat | The personal access token for authenticating with GitHub. | `string` | n/a | yes |
+| project\_id | The ID of the project in which to provision resources. | `string` | n/a | yes |
+| repository\_name | The name of the test repository. | `string` | n/a | yes |
+| repository\_url | The HTTPS clone URL of the repository, ending with .git. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| cloud\_build\_repositories\_2nd\_gen\_connection | Cloudbuild connection created. |
+| cloud\_build\_repositories\_2nd\_gen\_repositories | Created repositories. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/cloudbuild_repo_connection_github/main.tf

@@ -0,0 +1,34 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "github_connection" {
+  source = "terraform-google-modules/bootstrap/google//modules/cloudbuild_repo_connection"
+  version = "~> 9.0"
+
+  project_id = var.project_id
+  credential_config = {
+    credential_type = "GITHUBv2"
+    github_pat      = var.github_pat
+    github_app_id   = var.github_app_id
+  }
+
+  cloud_build_repositories = {
+    "test_repo" = {
+      repository_name = var.repository_name
+      repository_url  = var.repository_url
+    },
+  }
+}

examples/cloudbuild_repo_connection_github/outputs.tf

@@ -0,0 +1,26 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "cloud_build_repositories_2nd_gen_connection" {
+  description = "Cloudbuild connection created."
+  value       = module.github_connection.cloud_build_repositories_2nd_gen_connection
+}
+
+output "cloud_build_repositories_2nd_gen_repositories" {
+  description = "Created repositories."
+  value       = module.github_connection.cloud_build_repositories_2nd_gen_repositories
+}
+

examples/cloudbuild_repo_connection_github/variables.tf

@@ -0,0 +1,41 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The ID of the project in which to provision resources."
+  type        = string
+}
+
+variable "github_pat" {
+  description = "The personal access token for authenticating with GitHub."
+  type        = string
+}
+
+variable "github_app_id" {
+  description = "The application ID for the Cloudbuild GitHub app."
+  type        = string
+}
+
+variable "repository_url" {
+  description = "The HTTPS clone URL of the repository, ending with .git."
+  type        = string
+}
+
+variable "repository_name" {
+  description = "The name of the test repository."
+  type        = string
+}
+

examples/cloudbuild_repo_connection_gitlab/README.md

@@ -0,0 +1,31 @@
+## Overview
+
+The example will create Cloud Build repositories (2nd gen) using a Gitlab connection.
+
+## Gitlab Requirements for Cloud Build Connection
+
+When using a Cloud Build repositories (2nd gen) GitLab repository, a Cloud Build connection to your repository provider will be needed.
+
+For more information on this topic refer to the Cloud Build repositories (2nd gen) documentation:
+- [Connect to a GitLab host](https://cloud.google.com/build/docs/automating-builds/gitlab/connect-host-gitlab)
+- [Connect to a GitLab repository](https://cloud.google.com/build/docs/automating-builds/github/connect-repo-github?generation=2nd-gen)
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| gitlab\_authorizer\_credential | Credential for GitLab authorizer | `string` | n/a | yes |
+| gitlab\_read\_authorizer\_credential | Credential for GitLab read authorizer | `string` | n/a | yes |
+| project\_id | The ID of the project in which to provision resources. | `string` | n/a | yes |
+| repository\_name | The name of the test repository. | `string` | n/a | yes |
+| repository\_url | The HTTPS clone URL of the repository, ending with .git. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| cloud\_build\_repositories\_2nd\_gen\_connection | Cloudbuild connection created. |
+| cloud\_build\_repositories\_2nd\_gen\_repositories | Created repositories. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/cloudbuild_repo_connection_gitlab/main.tf

@@ -0,0 +1,33 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "gitlab_connection" {
+  source = "../../modules/cloudbuild_repo_connection"
+
+  project_id = var.project_id
+  credential_config = {
+    credential_type                   = "GITLABv2"
+    gitlab_authorizer_credential      = var.gitlab_authorizer_credential
+    gitlab_read_authorizer_credential = var.gitlab_read_authorizer_credential
+  }
+
+  cloud_build_repositories = {
+    "test_repo" = {
+      repository_name = var.repository_name
+      repository_url  = var.repository_url
+    },
+  }
+}

examples/cloudbuild_repo_connection_gitlab/outputs.tf

@@ -0,0 +1,25 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "cloud_build_repositories_2nd_gen_connection" {
+  description = "Cloudbuild connection created."
+  value       = module.gitlab_connection.cloud_build_repositories_2nd_gen_connection
+}
+
+output "cloud_build_repositories_2nd_gen_repositories" {
+  description = "Created repositories."
+  value       = module.gitlab_connection.cloud_build_repositories_2nd_gen_repositories
+}

examples/cloudbuild_repo_connection_gitlab/variables.tf

@@ -0,0 +1,41 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The ID of the project in which to provision resources."
+  type        = string
+}
+
+variable "repository_url" {
+  description = "The HTTPS clone URL of the repository, ending with .git."
+  type        = string
+}
+
+variable "repository_name" {
+  description = "The name of the test repository."
+  type        = string
+}
+
+variable "gitlab_authorizer_credential" {
+  description = "Credential for GitLab authorizer"
+  type        = string
+}
+
+variable "gitlab_read_authorizer_credential" {
+  description = "Credential for GitLab read authorizer"
+  type        = string
+}
+

modules/cloudbuild_repo_connection/README.md

@@ -0,0 +1,27 @@
+# Overview
+
+This module is designed to establish the corresponding Cloud Build repositories (2nd gen) based on the `cloud_build_repositories` variable, where users can specify the repository names and URLs from their own version control systems.
+
+Additionally, it will create and manage secret versions, as well as configure the necessary permissions for cloud build service agent when utilizing Cloud Build repositories (2nd gen).
+
+Users will provide the required secrets through the `credential_config` variable, indicating their chosen Git provider. Currently, the module supports both GitHub and GitLab.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| cloud\_build\_repositories | Cloud Build repositories configuration:<br>  - repository\_name: The name of the repository to be used in Cloud Build.<br>  - repository\_url: The HTTPS clone URL for the repository. This URL must end with '.git' and be a valid HTTPS URL.<br><br>Each entry in this map must contain both `repository_name` and `repository_url` to properly integrate with the Cloud Build service. | <pre>map(object({<br>    repository_name = string,<br>    repository_url  = string,<br>  }))</pre> | n/a | yes |
+| cloudbuild\_connection\_name | Cloudbuild Connection Name. | `string` | `"generic-cloudbuild-connection"` | no |
+| credential\_config | Credential configuration options:<br>  - credential\_type: Specifies the type of credential being used. Supported types are 'GITHUBv2' and 'GITLABv2'.<br>  - github\_secret\_id: (Optional) The secret ID for GitHub credentials. Default is "cb-github-pat".<br>  - github\_pat: (Optional) The personal access token for GitHub authentication.<br>  - github\_app\_id: (Optional) The application ID for a GitHub App used for authentication. For app installation, follow this link: https://github.com/apps/google-cloud-build<br>  - gitlab\_read\_authorizer\_credential: (Optional) The read authorizer credential for GitLab access.<br>  - gitlab\_read\_authorizer\_credential\_secret\_id: (Optional) The secret ID for the GitLab read authorizer credential. Default is "cb-gitlab-read-api-credential".<br>  - gitlab\_authorizer\_credential: (Optional) The authorizer credential for GitLab access.<br>  - gitlab\_authorizer\_credential\_secret\_id: (Optional) The secret ID for the GitLab authorizer credential. Default is "cb-gitlab-api-credential". | <pre>object({<br>    credential_type                             = string<br>    github_secret_id                            = optional(string, "cb-github-pat")<br>    github_pat                                  = optional(string)<br>    github_app_id                               = optional(string)<br>    gitlab_read_authorizer_credential           = optional(string)<br>    gitlab_read_authorizer_credential_secret_id = optional(string, "cb-gitlab-read-api-credential")<br>    gitlab_authorizer_credential                = optional(string)<br>    gitlab_authorizer_credential_secret_id      = optional(string, "cb-gitlab-api-credential")<br>  })</pre> | n/a | yes |
+| location | Resources location. | `string` | `"us-central1"` | no |
+| project\_id | The project id to create the secret and assign cloudbuild service account permissions. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| cloud\_build\_repositories\_2nd\_gen\_connection | The unique identifier of the Cloud Build connection created within the specified Google Cloud project.<br>  Example format: projects/{{project}}/locations/{{location}}/connections/{{name}} |
+| cloud\_build\_repositories\_2nd\_gen\_repositories | A map of created repositories associated with the Cloud Build connection.<br>Each entry contains the repository's unique identifier and its remote URL.<br>Example format:<br>"key\_name" = {<br>  "id" =  "projects/{{project}}/locations/{{location}}/connections/{{parent\_connection}}/repositories/{{name}}",<br>  "url" = "https://github.com/{{account/org}}/{{repository_name}}.git"<br>} |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->