feat: pipeline, repo and trigger from json support (#431)

Author: huayuenh

README.md

@@ -81,7 +81,7 @@ resource "ibm_resource_instance" "cd_instance" {
 module "devsecops_ci_toolchain" {
   count                    = var.create_ci_toolchain ? 1 : 0
   depends_on               = [ibm_resource_instance.cd_instance]
-  source                   = "git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-ci-toolchain?ref=v1.3.0"
+  source                   = "git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-ci-toolchain?ref=v1.4.0"
   ibmcloud_api_key         = var.ibmcloud_api_key
   toolchain_name           = (var.ci_toolchain_name == "") ? format("${var.toolchain_name}%s", "-CI-Toolchain") : var.ci_toolchain_name
   toolchain_region         = (var.ci_toolchain_region == "") ? var.toolchain_region : replace(replace(var.ci_toolchain_region, "ibm:yp:", ""), "ibm:ys1:", "")
@@ -243,6 +243,18 @@ module "devsecops_ci_toolchain" {
   enable_pipeline_dockerconfigjson   = var.ci_enable_pipeline_dockerconfigjson
   peer_review_compliance             = (var.ci_peer_review_compliance == "") ? var.peer_review_compliance : var.ci_peer_review_compliance
   print_code_signing_certificate     = var.ci_print_code_signing_certificate
+  pr_cra_bom_generate                = var.pr_cra_bom_generate
+  pr_cra_vulnerability_scan          = var.pr_cra_vulnerability_scan
+  pr_cra_deploy_analysis             = var.pr_cra_deploy_analysis
+  ci_cra_bom_generate                = var.ci_cra_bom_generate
+  ci_cra_vulnerability_scan          = var.ci_cra_vulnerability_scan
+  ci_cra_deploy_analysis             = var.ci_cra_deploy_analysis
+  enable_pipeline_notifications      = var.ci_enable_pipeline_notifications
+  event_notifications                = var.ci_event_notifications
+  pipeline_properties                = var.ci_pipeline_properties
+  pipeline_properties_filepath       = var.ci_pipeline_properties_filepath
+  repository_properties              = var.ci_repository_properties
+  repository_properties_filepath     = var.ci_repository_properties_filepath
 
   #CODE ENGINE
 
@@ -338,7 +350,7 @@ module "devsecops_ci_toolchain" {
 module "devsecops_cd_toolchain" {
   count            = var.create_cd_toolchain ? 1 : 0
   depends_on       = [ibm_resource_instance.cd_instance]
-  source           = "git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-cd-toolchain?ref=v1.3.0"
+  source           = "git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-cd-toolchain?ref=v1.4.0"
   ibmcloud_api_key = var.ibmcloud_api_key
 
   toolchain_name           = (var.cd_toolchain_name == "") ? format("${var.toolchain_name}%s", "-CD-Toolchain") : var.cd_toolchain_name
@@ -509,6 +521,14 @@ module "devsecops_cd_toolchain" {
   scc_profile_name              = var.scc_profile_name
   scc_profile_version           = var.scc_profile_version
   scc_use_profile_attachment    = (var.cd_scc_use_profile_attachment == "") ? var.scc_use_profile_attachment : var.cd_scc_use_profile_attachment
+  enable_pipeline_notifications = var.cd_enable_pipeline_notifications
+  event_notifications           = var.cd_event_notifications
+  pipeline_properties           = var.cd_pipeline_properties
+  pipeline_properties_filepath  = var.cd_pipeline_properties_filepath
+  pre_prod_evidence_collection  = var.cd_pre_prod_evidence_collection
+
+  repository_properties          = var.cd_repository_properties
+  repository_properties_filepath = var.cd_repository_properties_filepath
 
   #SLACK INTEGRATION
   enable_slack           = (local.use_slack_enable_override) ? local.enable_slack : var.cd_enable_slack
@@ -580,7 +600,7 @@ module "devsecops_cd_toolchain" {
 module "devsecops_cc_toolchain" {
   count                         = var.create_cc_toolchain ? 1 : 0
   depends_on                    = [ibm_resource_instance.cd_instance]
-  source                        = "git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-cc-toolchain?ref=v1.3.0"
+  source                        = "git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-cc-toolchain?ref=v1.4.0"
   ibmcloud_api_key              = var.ibmcloud_api_key
   toolchain_name                = (var.cc_toolchain_name == "") ? format("${var.toolchain_name}%s", "-CC-Toolchain") : var.cc_toolchain_name
   toolchain_description         = var.cc_toolchain_description
@@ -736,6 +756,15 @@ module "devsecops_cc_toolchain" {
   scc_profile_name                 = var.scc_profile_name
   scc_profile_version              = var.scc_profile_version
   scc_use_profile_attachment       = (var.cc_scc_use_profile_attachment == "") ? var.scc_use_profile_attachment : var.cc_scc_use_profile_attachment
+  enable_pipeline_notifications    = var.cc_enable_pipeline_notifications
+  event_notifications              = var.cc_event_notifications
+  cra_bom_generate                 = var.cc_cra_bom_generate
+  cra_vulnerability_scan           = var.cc_cra_vulnerability_scan
+  cra_deploy_analysis              = var.cc_cra_deploy_analysis
+  pipeline_properties              = var.cc_pipeline_properties
+  pipeline_properties_filepath     = var.cc_pipeline_properties_filepath
+  repository_properties            = var.cc_repository_properties
+  repository_properties_filepath   = var.cc_repository_properties_filepath
 
   #SLACK INTEGRATION
   enable_slack           = (local.use_slack_enable_override) ? local.enable_slack : var.cc_enable_slack

code-engine/README.md

@@ -659,12 +659,36 @@ variable "pr_pipeline_git_tag" {
   default     = ""
 }
 
+variable "ci_pipeline_properties" {
+  type        = string
+  description = "Stringified JSON containing the properties for the CI toolchain pipelines."
+  default     = ""
+}
+
+variable "ci_pipeline_properties_filepath" {
+  type        = string
+  description = "The path to the file containing the property JSON. If this is not set, it will by default read the `properties.json` file at the root of the module."
+  default     = ""
+}
+
 variable "ci_print_code_signing_certificate" {
   type        = string
   description = "Set to `1` to enable printing of the public signing certificate in the logs."
   default     = "1"
 }
 
+variable "ci_repository_properties" {
+  type        = string
+  description = "Stringified JSON containing the repositories and triggers that get created in the CI toolchain pipelines."
+  default     = ""
+}
+
+variable "ci_repository_properties_filepath" {
+  type        = string
+  description = "The path to the file containing the repository and triggers JSON. If this is not set, it will by default read the `repositories.json` file at the root of the module."
+  default     = ""
+}
+
 variable "ci_repositories_prefix" {
   type        = string
   description = "Prefix name for the cloned compliance repos. For the repositories_prefix value only a-z, A-Z and 0-9 and the special characters `-_` are allowed. In addition the string must not end with a special character or have two consecutive special characters."
@@ -692,6 +716,84 @@ variable "ci_link_to_doi_toolchain" {
   default     = false
 }
 
+variable "pr_cra_bom_generate" {
+  type        = string
+  description = "Set this flag to `1` to generate cra bom in PR pipeline"
+  default     = "1"
+  validation {
+    condition     = contains(["0", "1"], var.pr_cra_bom_generate)
+    error_message = "Must be either \"0\" or \"1\" ."
+  }
+}
+
+variable "pr_cra_vulnerability_scan" {
+  type        = string
+  description = "Set this flag to `1` and `pr-cra-bom-generate` to `1` for cra vulnerability scan in PR pipeline. If this value is set to `1` and `pr-cra-bom-generate` is set to `0`, the scan will be marked as `failure`"
+  default     = "1"
+  validation {
+    condition     = contains(["0", "1"], var.pr_cra_vulnerability_scan)
+    error_message = "Must be either \"0\" or \"1\" ."
+  }
+
+}
+
+variable "pr_cra_deploy_analysis" {
+  type        = string
+  description = "Set this flag to `1` for cra deployment analysis to be done in PR pipeline."
+  default     = "1"
+  validation {
+    condition     = contains(["0", "1"], var.pr_cra_deploy_analysis)
+    error_message = "Must be either \"0\" or \"1\" ."
+  }
+}
+
+variable "ci_cra_bom_generate" {
+  type        = string
+  description = "Set this flag to `1` to generate cra bom in CI pipeline."
+  default     = "1"
+  validation {
+    condition     = contains(["0", "1"], var.ci_cra_bom_generate)
+    error_message = "Must be either \"0\" or \"1\" ."
+  }
+}
+
+variable "ci_cra_vulnerability_scan" {
+  type        = string
+  description = "Set this flag to `1` and `ci-cra-bom-generate` to `1` for cra vulnerability scan in CI pipeline. If this value is set to 1 and `ci-cra-bom-generate` is set to `0`, the scan will be marked as `failure`"
+  default     = "1"
+  validation {
+    condition     = contains(["0", "1"], var.ci_cra_vulnerability_scan)
+    error_message = "Must be either \"0\" or \"1\" ."
+  }
+
+}
+
+variable "ci_cra_deploy_analysis" {
+  type        = string
+  description = "Set this flag to `1` for cra deployment analysis to be done in CI pipeline."
+  default     = "1"
+  validation {
+    condition     = contains(["0", "1"], var.ci_cra_deploy_analysis)
+    error_message = "Must be either \"0\" or \"1\" ."
+  }
+}
+
+variable "ci_enable_pipeline_notifications" {
+  type        = bool
+  description = "When enabled, pipeline run events will be sent to the Event Notifications and Slack integrations in the enclosing toolchain."
+  default     = false
+}
+
+variable "ci_event_notifications" {
+  type        = string
+  description = "To enable event notification, set event_notifications to 1 "
+  default     = "0"
+  validation {
+    condition     = contains(["0", "1"], var.ci_event_notifications)
+    error_message = "Must be either \"0\" or \"1\" ."
+  }
+}
+
 variable "ci_doi_toolchain_id" {
   type        = string
   description = "DevOps Insights toolchain ID to link to."
@@ -1918,12 +2020,62 @@ variable "cd_enable_key_protect" {
   default     = false
 }
 
+variable "cd_enable_pipeline_notifications" {
+  type        = bool
+  description = "When enabled, pipeline run events will be sent to the Event Notifications and Slack integrations in the enclosing toolchain."
+  default     = false
+}
+
+variable "cd_event_notifications" {
+  type        = string
+  description = "To enable event notification, set event_notifications to 1 "
+  default     = "0"
+  validation {
+    condition     = contains(["0", "1"], var.cd_event_notifications)
+    error_message = "Must be either \"0\" or \"1\" ."
+  }
+}
+
 variable "cd_enable_secrets_manager" {
   description = "Use the Secrets Manager integration."
   type        = bool
   default     = false
 }
 
+variable "cd_pipeline_properties" {
+  type        = string
+  description = "Stringified JSON containing the properties for the CD toolchain pipelines."
+  default     = ""
+}
+
+variable "cd_pipeline_properties_filepath" {
+  type        = string
+  description = "The path to the file containing the property JSON. If this is not set, it will by default read the `properties.json` file at the root of the module."
+  default     = ""
+}
+
+variable "cd_pre_prod_evidence_collection" {
+  type        = string
+  description = "Set this flag to collect the pre-prod evidences and the change requests in the production deployment (target-environment-purpose set to production). Default value is 0."
+  default     = "0"
+  validation {
+    condition     = contains(["0", "1"], var.cd_pre_prod_evidence_collection)
+    error_message = "Must be either \"0\" or \"1\" ."
+  }
+}
+
+variable "cd_repository_properties" {
+  type        = string
+  description = "Stringified JSON containing the repositories and triggers that get created in the CI toolchain pipelines."
+  default     = ""
+}
+
+variable "cd_repository_properties_filepath" {
+  type        = string
+  description = "The path to the file containing the repository and triggers JSON. If this is not set, it will by default read the `repositories.json` file at the root of the module."
+  default     = ""
+}
+
 variable "cd_sm_secret_group" {
   type        = string
   description = "Group in Secrets Manager for organizing/grouping secrets."
@@ -3576,6 +3728,53 @@ variable "cc_compliance_pipeline_branch" {
   default     = ""
 }
 
+variable "cc_cra_bom_generate" {
+  type        = string
+  description = "Set this flag to `1` to generate cra bom"
+  default     = "1"
+  validation {
+    condition     = contains(["0", "1"], var.cc_cra_bom_generate)
+    error_message = "Must be either \"0\" or \"1\" ."
+  }
+}
+
+variable "cc_cra_vulnerability_scan" {
+  type        = string
+  description = "Set this flag to `1` and `cra-bom-generate` to `1` for cra vulnerability scan.  If this value is set to 1 and `cra-bom-generate` is set to 0, the scan will be marked as `failure`"
+  default     = "1"
+  validation {
+    condition     = contains(["0", "1"], var.cc_cra_vulnerability_scan)
+    error_message = "Must be either \"0\" or \"1\" ."
+  }
+
+}
+
+variable "cc_cra_deploy_analysis" {
+  type        = string
+  description = "Set this flag to `1` for cra deployment analysis to be done."
+  default     = "1"
+  validation {
+    condition     = contains(["0", "1"], var.cc_cra_deploy_analysis)
+    error_message = "Must be either \"0\" or \"1\" ."
+  }
+}
+
+variable "cc_enable_pipeline_notifications" {
+  type        = bool
+  description = "When enabled, pipeline run events will be sent to the Event Notifications and Slack integrations in the enclosing toolchain."
+  default     = false
+}
+
+variable "cc_event_notifications" {
+  type        = string
+  description = "To enable event notification, set event_notifications to 1 "
+  default     = "0"
+  validation {
+    condition     = contains(["0", "1"], var.cc_event_notifications)
+    error_message = "Must be either \"0\" or \"1\" ."
+  }
+}
+
 variable "cc_pipeline_git_tag" {
   type        = string
   description = "The GIT tag within the pipeline definitions repository for the Compliance CC Pipeline."
@@ -3588,6 +3787,30 @@ variable "cc_pipeline_debug" {
   default     = "0"
 }
 
+variable "cc_pipeline_properties" {
+  type        = string
+  description = "Stringified JSON containing the properties for the CC toolchain pipelines."
+  default     = ""
+}
+
+variable "cc_pipeline_properties_filepath" {
+  type        = string
+  description = "The path to the file containing the property JSON. If this is not set, it will by default read the `properties.json` file at the root of the module."
+  default     = ""
+}
+
+variable "cc_repository_properties" {
+  type        = string
+  description = "Stringified JSON containing the repositories and triggers that get created in the CI toolchain pipelines."
+  default     = ""
+}
+
+variable "cc_repository_properties_filepath" {
+  type        = string
+  description = "The path to the file containing the repository and triggers JSON. If this is not set, it will by default read the `repositories.json` file at the root of the module."
+  default     = ""
+}
+
 variable "cc_opt_in_dynamic_api_scan" {
   type        = string
   description = "To enable the OWASP Zap API scan. '1' enable or '0' disable."

code-engine/main.tf

@@ -1,5 +1,5 @@
 module "terraform_devsecops_alm" {
-  source                   = "git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-alm?ref=v1.6.1"
+  source                   = "git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-alm?ref=v1.7.0"
   ibmcloud_api_key         = var.ibmcloud_api_key
   toolchain_resource_group = var.toolchain_resource_group
   toolchain_region         = var.toolchain_region

code-engine/variables.tf

@@ -1,5 +1,5 @@
 module "terraform_devsecops_alm" {
-  source                            = "git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-alm?ref=v1.6.1"
+  source                            = "git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-alm?ref=v1.7.0"
   ibmcloud_api_key                  = var.ibmcloud_api_key
   toolchain_resource_group          = var.toolchain_resource_group
   toolchain_region                  = var.toolchain_region

examples/default/main.tf

@@ -1,5 +1,5 @@
 module "terraform_devsecops_alm" {
-  source                   = "git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-alm?ref=v1.6.1"
+  source                   = "git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-alm?ref=v1.7.0"
   ibmcloud_api_key         = var.ibmcloud_api_key
   toolchain_resource_group = var.toolchain_resource_group
   toolchain_region         = var.toolchain_region