Skip to content

This is the DevSecOps Application Lifecycle Management Deployable Architecture

License

Notifications You must be signed in to change notification settings

terraform-ibm-modules/terraform-ibm-devsecops-alm

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

DevSecOps Application Lifecycle Management

Stable (With quality checks) pre-commit latest release Renovate enabled semantic-release

A Terraform module for provisioning the DevSecOps CI, CD, and CC toolchains.

Reference architectures

Architecture diagram for 'DevSecOps CI, CD, CC toolchains'.

Usage

module "terraform_devsecops_alm" {
  source                   = "git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-alm?ref=v1.0.4"
  toolchain_region         = var.toolchain_region
  toolchain_resource_group = var.toolchain_resource_group
  registry_namespace       = var.registry_namespace
  cluster_name             = var.cluster_name
  sm_resource_group        = var.sm_resource_group
  sm_name                  = var.sm_name
  sm_location              = var.sm_location
  sm_secret_group          = var.sm_secret_group
}

Required IAM access policies

Examples

Requirements

Name Version
terraform >= 1.0.0
ibm =1.70.0
null = 3.2.2
random = 3.6.2

Modules

Name Source Version
devsecops_cc_toolchain git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-cc-toolchain v2.3.0
devsecops_cd_toolchain git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-cd-toolchain v2.3.0
devsecops_ci_toolchain git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-ci-toolchain v2.3.0
prereqs ./prereqs n/a

Resources

Name Type
ibm_cd_tekton_pipeline_trigger.ci_pipeline_webhook resource
ibm_cd_tekton_pipeline_trigger_property.ci_pipeline_webhook_branch_property resource
ibm_cd_tekton_pipeline_trigger_property.ci_pipeline_webhook_name_property resource
ibm_cd_tekton_pipeline_trigger_property.ci_pipeline_webhook_repo_url_property resource
ibm_cr_namespace.cr_namespace resource
ibm_resource_instance.cd_instance resource
null_resource.ci_pipeline_run resource
random_string.resource_suffix resource
random_string.webhook_secret resource
ibm_resource_group.resource_group data source

Inputs

Name Description Type Default Required
add_code_engine_prefix Set to true to use prefix to add a prefix to the code engine project names. bool true no
add_container_name_suffix Set to true to add a random suffix to the specified ICR name. bool false no
add_pipeline_definitions Set to true to add pipeline definitions. string "true" no
app_group Specify the Git user or group for the application repository. string "" no
app_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
app_repo_branch This is the repository branch used by the default sample application. Alternatively if app_repo_existing_url is provided, then the branch must reflect the default branch for that repository. Typically these branches are main or master. string "master" no
app_repo_clone_from_url Override the default sample app by providing your own sample app URL, which is cloned into the app repository. Note, uses clone_if_not_exists mode, so if the app repository already exists the repository contents are unchanged. string "" no
app_repo_clone_to_git_id Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. string "" no
app_repo_clone_to_git_provider By default this gets set as 'hostedgit', else set to 'githubconsolidated' for GitHub repositories. string "" no
app_repo_existing_git_id Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. string "" no
app_repo_existing_git_provider Git provider for application repo. If not set will default to hostedgit. string "" no
app_repo_existing_url Bring your own existing application repository by providing the URL. This will create an integration for your application repository instead of cloning the default sample. Repositories existing in a different org will require the use of Git token. See app_repo_git_token_secret_name under optional variables. string "__NOTSET__" no
app_repo_git_token_secret_crn The CRN of the Git token used for accessing the sample application repository. string "" no
app_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the sample (or bring your own) application repository. string "" no
app_repo_secret_group Secret group for the App repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
authorization_policy_creation Disable Toolchain Service to Secrets Manager/Key Protect/Notifications Service authorization policy creation. To disable set the value to disabled. This applies to the CI, CD, and CC toolchains. To set independently, see ci_authorization_policy_creation, cd_authorization_policy_creation, and cc_authorization_policy_creation. string "" no
autostart Set to true to auto run the CI pipeline in the CI toolchain after creation. bool false no
cc_app_group Specify user or group for app repository. string "" no
cc_app_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
cc_app_repo_branch The default branch of the app repository. string "" no
cc_app_repo_git_id The Git Id of the repository. string "" no
cc_app_repo_git_provider Git provider for the application repo. If not set will default to hostedgit. string "" no
cc_app_repo_git_token_secret_crn The CRN of the Git token used for accessing the application repository. string "" no
cc_app_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the sample (or bring your own) application repository. string "" no
cc_app_repo_secret_group Secret group for the App repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cc_app_repo_url This Git URL for the application repository. string "" no
cc_artifactory_token_secret_crn The CRN for the Artifactory access secret. string "" no
cc_authorization_policy_creation Disable Toolchain Service to Secrets Manager/Key Protect/Notifications Service authorization policy creation. To disable set the value to disabled. string "" no
cc_compliance_pipeline_branch The CC Pipeline Compliance Pipeline branch. string "" no
cc_compliance_pipeline_group Specify user or group for compliance pipline repository. string "" no
cc_compliance_pipeline_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
cc_compliance_pipeline_repo_git_token_secret_crn The CRN of the Git token used for accessing the Compliance Pipelines repository. string "" no
cc_compliance_pipeline_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the compliance pipelines repository. string "" no
cc_compliance_pipeline_repo_secret_group Secret group for the Compliance Pipeline repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cc_cos_api_key_secret_crn The CRN of the Cloud Object Storage apikey. string "" no
cc_cos_api_key_secret_group Secret group for the COS API key secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cc_cos_api_key_secret_name Name of the Cloud Object Storage API key secret in the secret provider used for accessing the evidence COS bucket. string "" no
cc_cos_bucket_name The name of the Cloud Object Storage bucket used for storing the evidence. string "" no
cc_cos_endpoint The endpoint for the Cloud Object Stroage instance containing the evidence bucket. string "" no
cc_doi_toolchain_id The ID of the toolchain containing the DevOps Insights integration. This variable is used to link the DevOps Insights toolcard to a specific instance. string "" no
cc_enable_key_protect Set to true to the enable Key Protect integrations. string "" no
cc_enable_pipeline_notifications When enabled, pipeline run events will be sent to the Event Notifications and Slack integrations in the enclosing toolchain. string "" no
cc_enable_secrets_manager Set to true to enable the Secrets Manager integrations. string "" no
cc_enable_slack Set to true to create the Slack toolchain integration. string "" no
cc_event_notifications_crn Set the Event Notifications CRN to create an Events Notification integration. string "" no
cc_evidence_group Specify the Git user or group for the evidence repository. string "" no
cc_evidence_repo_auth_type Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat' string "" no
cc_evidence_repo_git_token_secret_crn The CRN of the Git token used for accessing the Evidence repository. string "" no
cc_evidence_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the evidence repository. string "" no
cc_evidence_repo_secret_group Secret group for the Evidence repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cc_inventory_group Specify the Git user or group for the inventory repository. string "" no
cc_inventory_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
cc_inventory_repo_git_token_secret_crn The CRN of the Git token used for acessing the Inventory repository. string "" no
cc_inventory_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the inventory repository. string "" no
cc_inventory_repo_secret_group Secret group for the Inventory repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cc_issues_group Specify the Git user or group for the issues repository. string "" no
cc_issues_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
cc_issues_repo_git_token_secret_crn The CRN of the Git token used for accessing the Issues repository. string "" no
cc_issues_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the issues repository. string "" no
cc_issues_repo_secret_group Secret group for the Issues repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cc_kp_location The region hosting the Key Protect instance. string "" no
cc_kp_name Name of the Key Protect instance where the secrets are stored. string "" no
cc_kp_resource_group The resource group containing the Key Protect instance. string "" no
cc_link_to_doi_toolchain Enable a link to a DevOps Insights instance in another toolchain, true or false. bool true no
cc_pipeline_config_group Specify the Git user or group for the compliance pipeline repository. string "" no
cc_pipeline_config_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
cc_pipeline_config_repo_branch Specify the branch containing the custom pipeline-config.yaml file. string "" no
cc_pipeline_config_repo_clone_from_url Specify a repository containing a custom pipeline-config.yaml file. string "" no
cc_pipeline_config_repo_existing_url Specify a repository containing a custom pipeline-config.yaml file. string "" no
cc_pipeline_config_repo_git_token_secret_crn The CRN of the Git token for accessing the pipeline config repository. string "" no
cc_pipeline_config_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the pipeline config repository. string "" no
cc_pipeline_config_repo_secret_group Secret group for the Pipeline Config repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cc_pipeline_doi_api_key_secret_crn The CRN of the DOI (DevOps Insights) apikey used for accessing a specific toolchain Insights instance. string "" no
cc_pipeline_doi_api_key_secret_group Secret group for the pipeline DOI api key. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cc_pipeline_doi_api_key_secret_name Name of the Cloud API key secret in the secret provider to access the toolchain containing the Devops Insights instance. string "" no
cc_pipeline_git_tag The GIT tag selector for the Compliance Pipelines definitions. string "" no
cc_pipeline_ibmcloud_api_key_secret_crn The CRN of the IBMCloud apikey used for running the pipelines. string "" no
cc_pipeline_ibmcloud_api_key_secret_group Secret group for the pipeline ibmcloud API key secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cc_pipeline_ibmcloud_api_key_secret_name Name of the Cloud API key secret in the secret provider for running the pipelines. string "" no
cc_pipeline_properties This JSON represents the pipeline properties belonging to the CC pipeline in the CC toolchain. Each element in the JSON represents a seperate pipeline property. Three attributes are required to create a property. These are the name field (how the name appears in the pipeline properties), the type (text, secure and enum) and then the value. Do not put secrets directly into JSON for the secure type, instead the value for a secret type should be a CRN to a secret in the configured secrets provider or a secret reference to a secret in the configured secrets provider. string "" no
cc_pipeline_properties_filepath The path to the file containing the property JSON. If this is not set, it will by default read the properties.json file at the root of the module. string "" no
cc_repositories_prefix The prefix for the compliance repositories. For the repositories_prefix value only a-z, A-Z and 0-9 and the special characters -_ are allowed. In addition the string must not end with a special character or have two consecutive special characters. string "" no
cc_repository_properties Stringified JSON containing the repositories and triggers that get created in the CI toolchain pipelines. string "" no
cc_repository_properties_filepath The path to the file containing the repository and triggers JSON. If this is not set, it will by default read the repositories.json file at the root of the module. string "" no
cc_scc_enable_scc Adds the SCC tool integration to the toolchain. string "" no
cc_scc_integration_name The name of the SCC integration. string "Security and Compliance" no
cc_scc_use_profile_attachment Set to enabled to enable use profile with attachment, so that the scripts in the pipeline can interact with the Security and Compliance Center service. When enabled, other parameters become relevant; scc_scc_api_key_secret_name, scc_instance_crn, scc_profile_name, scc_profile_version, scc_attachment_id. string "" no
cc_slack_channel_name The name of the Slack channel where notifications are posted. string "" no
cc_slack_pipeline_fail Set to true to generate pipeline failed notifications. bool true no
cc_slack_pipeline_start Set to true to generate pipeline start notifications. bool true no
cc_slack_pipeline_success Set to true to generate pipeline succeeded notifications. bool true no
cc_slack_team_name The Slack team name, which is the word or phrase before .slack.com in the team URL. string "" no
cc_slack_toolchain_bind Generate tool added to toolchain notifications. bool true no
cc_slack_toolchain_unbind Set to true to generate tool removed from toolchain notifications. bool true no
cc_slack_webhook_secret_crn The CRN of the Slack webhook secret used for accessing the specified Slack channel. string "" no
cc_slack_webhook_secret_group Secret group for the Slack webhook secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cc_slack_webhook_secret_name Name of the webhook secret in the secret provider used for accessing the configured Slack channel. string "" no
cc_sm_instance_crn The CRN of the Secrets Manager instance. string "" no
cc_sm_location The region hosting the Secrets Manager instance. string "" no
cc_sm_name The name of an existing Secrets Manager instance where the secrets are stored. string "" no
cc_sm_resource_group The name of the existing resource group containing the Secrets Manager instance for your secrets. string "" no
cc_sm_secret_group The Secrets Manager secret group containing the secrets for the DevSecOps pipelines. string "" no
cc_sonarqube_integration_name The name of the SonarQube integration. string "" no
cc_sonarqube_is_blind_connection When set to true, instructs IBM Cloud Continuous Delivery to not validate the configuration of this integration. Set this to true if the SonarQube server is not addressable on the public internet. string "" no
cc_sonarqube_secret_crn The CRN of the secret used to access SonarQube. string "" no
cc_sonarqube_secret_group Secret group for the SonarQube secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cc_sonarqube_secret_name The name of the SonarQube secret in the secrets provider. string "" no
cc_sonarqube_server_url The URL to the SonarQube server. string "" no
cc_sonarqube_user The name of the SonarQube user. string "" no
cc_toolchain_description Description for the CC Toolchain. string "Toolchain created with terraform template for DevSecOps CC Best Practices." no
cc_toolchain_name The name of the CC Toolchain. string "" no
cc_toolchain_region The region containing the CI toolchain. Use the short form of the regions. For example us-south. string "" no
cc_toolchain_resource_group Resource group within which the toolchain is created. string "" no
cc_trigger_manual_enable Set to true to enable the CC pipeline Manual trigger. bool true no
cc_trigger_manual_name The name of the CC pipeline Manual trigger. string "CC Manual Trigger" no
cc_trigger_manual_pruner_enable Set to true to enable the manual Pruner trigger. bool true no
cc_trigger_manual_pruner_name The name of the manual Pruner trigger. string "Evidence Pruner Manual Trigger" no
cc_trigger_timed_cron_schedule Only needed for timer triggers. Cron expression that indicates when this trigger will activate. Maximum frequency is every 5 minutes. The string is based on UNIX crontab syntax: minute, hour, day of month, month, day of week. Example: 0 *_/2 * * * - every 2 hours. string "0 4 * * *" no
cc_trigger_timed_enable Set to true to enable the CI pipeline Timed trigger. bool false no
cc_trigger_timed_name The name of the CC pipeline Timed trigger. string "CC Timed Trigger" no
cc_trigger_timed_pruner_enable Set to true to enable the timed Pruner trigger. bool false no
cc_trigger_timed_pruner_name The name of the timed Pruner trigger. string "Evidence Pruner Timed Trigger" no
cd_artifactory_token_secret_crn The CRN for the Artifactory access secret. string "" no
cd_authorization_policy_creation Disable Toolchain Service to Secrets Manager/Key Protect/Notifications Service authorization policy creation. To disable set the value to disabled. string "" no
cd_change_management_group Specify group for change management repository string "" no
cd_change_management_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
cd_change_management_repo_git_provider Git provider for the change management repo. If not set will default to hostedgit. string "" no
cd_change_management_repo_git_token_secret_crn The CRN for the Change Management repository Git Token. string "" no
cd_change_management_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
cd_change_management_repo_secret_group Secret group for the Change Management repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cd_change_repo_clone_from_url Override the default management repository, which is cloned into the application repository. Note, using clone_if_not_exists mode, so if the application repository already exists the repository contents are unchanged. string "" no
cd_cluster_name Name of the cluster where the application is deployed. string "" no
cd_cluster_namespace Name of the cluster namespace where the application is deployed. string "prod" no
cd_cluster_region Region hosting the cluster where the application is deployed. Use the short form of the regions. For example us-south. string "" no
cd_code_engine_project The name of the Code Engine project to use for the CD pipeline promoted code. The project is created if it does not already exist. string "Sample_CD_Project" no
cd_code_engine_region The region to create/lookup for the Code Engine project. string "" no
cd_code_engine_resource_group The resource group of the Code Engine project. string "" no
cd_code_signing_cert_secret_name This is the name of the secret in the secrets provider for storing the code signing certificate. string "signing-certificate" no
cd_compliance_pipeline_branch The CD Pipeline Compliance Pipeline branch. string "" no
cd_compliance_pipeline_group Specify user or group for compliance pipline repository. string "" no
cd_compliance_pipeline_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
cd_compliance_pipeline_repo_git_token_secret_crn The CRN of the Git token used for accessing the Compliance Pipelines repository. string "" no
cd_compliance_pipeline_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the compliance pipelines repository. string "" no
cd_compliance_pipeline_repo_secret_group Secret group for the Compliance Pipeline repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cd_cos_api_key_secret_crn The CRN of the Cloud Object Storage apikey. string "" no
cd_cos_api_key_secret_group Secret group for the COS API key secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cd_cos_api_key_secret_name Name of the Cloud Object Storage API key secret in the secret provider used for accessing the evidence COS bucket. string "" no
cd_cos_bucket_name The name of the Cloud Object Storage bucket used for storing the evidence. string "" no
cd_cos_endpoint The endpoint for the Cloud Object Stroage instance containing the evidence bucket. string "" no
cd_deployment_group Specify group for deployment. string "" no
cd_deployment_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
cd_deployment_repo_clone_from_branch Used when deployment_repo_clone_from_url is provided, the default branch that is used by the CD build, usually either main or master. string "" no
cd_deployment_repo_clone_from_url Override the default sample app by providing your own sample deployment URL, which is cloned into the app repository. Note, using clone_if_not_exists mode, so if the app repository already exists the repository contents are unchanged. string "" no
cd_deployment_repo_clone_to_git_id By default absent, else custom server GUID, or other options for 'git_id' field in the browser UI. string "" no
cd_deployment_repo_clone_to_git_provider By default 'hostedgit', else use 'githubconsolidated' or 'gitlab'. string "" no
cd_deployment_repo_existing_branch Used when deployment_repo_existing_url is provided, the default branch that is by the CD build, usually either main or master. string "" no
cd_deployment_repo_existing_git_id Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. string "" no
cd_deployment_repo_existing_git_provider Git provider for the deployment repo. If not set will default to hostedgit. string "" no
cd_deployment_repo_existing_url Override to bring your own existing deployment repository URL, which is used directly instead of cloning the default deployment sample. string "" no
cd_deployment_repo_git_token_secret_crn The CRN for the Deployment repository Git Token. string "" no
cd_deployment_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
cd_deployment_repo_secret_group Secret group for the Deployment repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cd_doi_toolchain_id The ID of the toolchain containing the DevOps Insights integration. This variable is used to link the DevOps Insights toolcard to a specific instance. string "" no
cd_enable_key_protect Set to true to the enable Key Protect integrations. string "" no
cd_enable_pipeline_notifications When enabled, pipeline run events will be sent to the Event Notifications and Slack integrations in the enclosing toolchain. string "" no
cd_enable_secrets_manager Set to true to enable the Secrets Manager integrations. string "" no
cd_enable_slack Set to true to create the Slack toolchain integration. string "" no
cd_event_notifications_crn Set the Event Notifications CRN to create an Events Notification integration. string "" no
cd_evidence_group Specify the Git user or group for the evidence repository. string "" no
cd_evidence_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
cd_evidence_repo_git_token_secret_crn The CRN of the Git token used for accessing the Evidence repository. string "" no
cd_evidence_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the evidence repository. string "" no
cd_evidence_repo_secret_group Secret group for the Evidence repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cd_inventory_group Specify the Git user or group for the inventory repository. string "" no
cd_inventory_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
cd_inventory_repo_git_token_secret_crn The CRN of the Git token used for acessing the Inventory repository. string "" no
cd_inventory_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the inventory repository. string "" no
cd_inventory_repo_secret_group Secret group for the Inventory repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cd_issues_group Specify the Git user or group for the issues repository. string "" no
cd_issues_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
cd_issues_repo_git_token_secret_crn The CRN of the Git token used for accessing the Issues repository. string "" no
cd_issues_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the issues repository. string "" no
cd_issues_repo_secret_group Secret group for the Issues repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cd_kp_location The region hosting the Key Protect instance. string "" no
cd_kp_name Name of the Key Protect instance where the secrets are stored. string "" no
cd_kp_resource_group The resource group containing the Key Protect instance. string "" no
cd_link_to_doi_toolchain Enable a link to a DevOps Insights instance in another toolchain, true or false. bool true no
cd_pipeline_config_group Specify the Git user or group for the compliance pipeline repository. string "" no
cd_pipeline_config_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
cd_pipeline_config_repo_branch Specify the branch containing the custom pipeline-config.yaml file. string "" no
cd_pipeline_config_repo_clone_from_url Specify a repository containing a custom pipeline-config.yaml file. string "" no
cd_pipeline_config_repo_existing_url Specify a repository containing a custom pipeline-config.yaml file. string "" no
cd_pipeline_config_repo_git_token_secret_crn The CRN of the Git token for accessing the pipeline config repository. string "" no
cd_pipeline_config_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the pipeline config repository. string "" no
cd_pipeline_config_repo_secret_group Secret group for the Pipeline Config repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cd_pipeline_doi_api_key_secret_crn The CRN of the DOI (DevOps Insights) apikey used for accessing a specific toolchain Insights instance. string "" no
cd_pipeline_doi_api_key_secret_group Secret group for the pipeline DOI api key. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cd_pipeline_doi_api_key_secret_name Name of the Cloud API key secret in the secret provider to access the toolchain containing the Devops Insights instance. string "" no
cd_pipeline_git_tag The GIT tag selector for the Compliance Pipelines definitions. string "" no
cd_pipeline_ibmcloud_api_key_secret_crn The CRN of the IBMCloud apikey used for running the pipelines. string "" no
cd_pipeline_ibmcloud_api_key_secret_group Secret group for the pipeline ibmcloud API key secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cd_pipeline_ibmcloud_api_key_secret_name Name of the Cloud API key secret in the secret provider for running the pipelines. string "" no
cd_pipeline_properties This JSON represents the pipeline properties belonging to the CD pipeline in the CD toolchain. Each element in the JSON represents a seperate pipeline property. Three attributes are required to create a property. These are the name field (how the name appears in the pipeline properties), the type (text, secure and enum) and then the value. Do not put secrets directly into JSON for the secure type, instead the value for a secret type should be a CRN to a secret in the configured secrets provider or a secret reference to a secret in the configured secrets provider. string "" no
cd_pipeline_properties_filepath The path to the file containing the property JSON. If this is not set, it will by default read the properties.json file at the root of the module. string "" no
cd_privateworker_credentials_secret_crn The CRN of the private worker service apikey that runs the pipeline tasks. string "" no
cd_region IBM Cloud region used to prefix the prod_latest inventory repository branch. string "" no
cd_repositories_prefix Prefix name for the cloned compliance repos. For the repositories_prefix value only a-z, A-Z and 0-9 and the special characters -_ are allowed. In addition the string must not end with a special character or have two consecutive special characters. string "" no
cd_repository_properties Stringified JSON containing the repositories and triggers that get created in the CI toolchain pipelines. string "" no
cd_repository_properties_filepath The path to the file containing the repository and triggers JSON. If this is not set, it will by default read the repositories.json file at the root of the module. string "" no
cd_scc_enable_scc Adds the SCC tool integration to the toolchain. string "" no
cd_scc_integration_name The name of the SCC integration. string "Security and Compliance" no
cd_scc_use_profile_attachment Set to enabled to enable use profile with attachment, so that the scripts in the pipeline can interact with the Security and Compliance Center service. When enabled, other parameters become relevant; scc_scc_api_key_secret_name, scc_instance_crn, scc_profile_name, scc_profile_version, scc_attachment_id. string "" no
cd_service_plan The Continuous Delivery service plan. Can be lite or professional. string "professional" no
cd_slack_channel_name The name of the Slack channel where notifications are posted. string "" no
cd_slack_pipeline_fail Set to true to generate pipeline failed notifications. bool true no
cd_slack_pipeline_start Set to true to generate pipeline start notifications. bool true no
cd_slack_pipeline_success Set to true to generate pipeline succeeded notifications. bool true no
cd_slack_team_name The Slack team name, which is the word or phrase before .slack.com in the team URL. string "" no
cd_slack_toolchain_bind Set to true to Generate tool added to toolchain notifications. bool true no
cd_slack_toolchain_unbind Set to true to generate tool removed from toolchain notifications. bool true no
cd_slack_webhook_secret_crn The CRN of the Slack webhook secret used for accessing the specified Slack channel. string "" no
cd_slack_webhook_secret_group Secret group for the Slack webhook secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cd_slack_webhook_secret_name Name of the webhook secret in the secret provider used for accessing the configured Slack channel. string "" no
cd_sm_instance_crn The CRN of the Secrets Manager instance. string "" no
cd_sm_location The region hosting the Secrets Manager instance. string "" no
cd_sm_name The name of an existing Secrets Manager instance where the secrets are stored. string "" no
cd_sm_resource_group The name of the existing resource group containing the Secrets Manager instance for your secrets. string "" no
cd_sm_secret_group The Secrets Manager secret group containing the secrets for the DevSecOps pipelines. string "" no
cd_toolchain_description Description for the CD toolchain. string "Toolchain created with terraform template for DevSecOps CD Best Practices." no
cd_toolchain_name The name of the CD Toolchain. string "" no
cd_toolchain_region The region containing the CD toolchain. Use the short form of the regions. For example us-south. string "" no
cd_toolchain_resource_group Resource group within which the toolchain is created. string "" no
cd_trigger_git_enable Set to true to enable the CD pipeline Git trigger. bool false no
cd_trigger_git_name The name of the CD pipeline GIT trigger. string "Git CD Trigger" no
cd_trigger_git_promotion_validation_branch Branch for Git promotion validation listener. string "prod" no
cd_trigger_git_promotion_validation_enable Enable Git promotion validation for Git promotion listener. bool false no
cd_trigger_git_promotion_validation_listener Select a Tekton EventListener to use when Git promotion validation listener trigger is fired. string "promotion-validation-listener-gitlab" no
cd_trigger_git_promotion_validation_name Name of Git Promotion Validation Trigger string "Git Promotion Validation Trigger" no
cd_trigger_manual_enable Set to true to enable the CD pipeline Manual trigger. bool true no
cd_trigger_manual_name The name of the CI pipeline Manual trigger. string "Manual CD Trigger" no
cd_trigger_manual_promotion_enable Set to true to enable the CD pipeline Manual Promotion trigger. bool true no
cd_trigger_manual_promotion_name The name of the CD pipeline Manual Promotion trigger. string "Manual Promotion Trigger" no
cd_trigger_manual_pruner_enable Set to true to enable the manual Pruner trigger. bool true no
cd_trigger_manual_pruner_name The name of the manual Pruner trigger. string "Evidence Pruner Manual Trigger" no
cd_trigger_timed_cron_schedule Only needed for timer triggers. Cron expression that indicates when this trigger will activate. Maximum frequency is every 5 minutes. The string is based on UNIX crontab syntax: minute, hour, day of month, month, day of week. Example: 0 *_/2 * * * - every 2 hours. string "0 4 * * *" no
cd_trigger_timed_enable Set to true to enable the CD pipeline Timed trigger. bool false no
cd_trigger_timed_name The name of the CD pipeline Timed trigger. string "Git CD Timed Trigger" no
cd_trigger_timed_pruner_enable Set to true to enable the timed Pruner trigger. bool false no
cd_trigger_timed_pruner_name The name of the timed Pruner trigger. string "Evidence Pruner Timed Trigger" no
change_management_existing_url The URL for an existing Change Management repository. string "" no
change_management_repo_git_id Set this value to github for github.com, or to the ID of a custom GitHub Enterprise server. string "" no
ci_app_group Specify the Git user or group for the application repository. string "" no
ci_app_name Name of the application image and inventory entry. string "hello-compliance-app" no
ci_app_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
ci_app_repo_branch This is the repository branch used by the default sample application. Alternatively if app_repo_existing_url is provided, then the branch must reflect the default branch for that repository. Typically these branches are main or master. string "" no
ci_app_repo_clone_from_url Override the default sample app by providing your own sample app URL, which is cloned into the app repository. Note, uses clone_if_not_exists mode, so if the app repository already exists the repository contents are unchanged. string "" no
ci_app_repo_clone_to_git_id Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. string "" no
ci_app_repo_clone_to_git_provider By default this gets set as 'hostedgit', else set to 'githubconsolidated' for GitHub repositories. string "" no
ci_app_repo_existing_git_id Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. string "" no
ci_app_repo_existing_git_provider Git provider for application repo. If not set will default to hostedgit. string "" no
ci_app_repo_existing_url Bring your own existing application repository by providing the URL. This will create an integration for your application repository instead of cloning the default sample. Repositories existing in a different org will require the use of Git token. See app_repo_git_token_secret_name under optional variables. string "" no
ci_app_repo_git_token_secret_crn The CRN of the Git token used for accessing the application repository. string "" no
ci_app_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the sample (or bring your own) application repository. string "" no
ci_app_repo_secret_group Secret group for the App repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
ci_artifactory_token_secret_crn The CRN for the Artifactory access secret. string "" no
ci_authorization_policy_creation Disable Toolchain Service to Secrets Manager/Key Protect/Notifications Service authorization policy creation. To disable set the value to disabled. string "" no
ci_cluster_name Name of the cluster where the application is deployed. (can be the same cluster used for prod) string "" no
ci_cluster_namespace Name of the cluster namespace where the application is deployed. string "dev" no
ci_cluster_region Region hosting the cluster where the application is deployed. Use the short form of the regions. For example us-south. string "" no
ci_cluster_resource_group The cluster resource group. string "" no
ci_code_engine_project The name of the Code Engine project to use. string "DevSecOps_CE" no
ci_code_engine_region The region to create/lookup for the Code Engine project. string "" no
ci_code_engine_resource_group The resource group of the Code Engine project. string "" no
ci_compliance_pipeline_branch The CI Pipeline Compliance Pipeline branch. string "" no
ci_compliance_pipeline_group Specify the Git user or group for the compliance pipeline repository. string "" no
ci_compliance_pipeline_pr_branch The PR Pipeline Compliance Pipeline branch. string "" no
ci_compliance_pipeline_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
ci_compliance_pipeline_repo_git_token_secret_crn The CRN of the Git token used for accessing the Compliance Pipelines repository. string "" no
ci_compliance_pipeline_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the compliance pipelines repository. string "" no
ci_compliance_pipeline_repo_secret_group Secret group for the Compliance Pipeline repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
ci_cos_api_key_secret_crn The CRN of the Cloud Object Storage apikey. string "" no
ci_cos_api_key_secret_group Secret group for the COS API key secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
ci_cos_api_key_secret_name Name of the Cloud Object Storage API key secret in the secret provider used for accessing the evidence COS bucket. string "" no
ci_cos_bucket_name The name of the Cloud Object Storage bucket used for storing the evidence. string "" no
ci_cos_endpoint The endpoint for the Cloud Object Stroage instance containing the evidence bucket. string "" no
ci_doi_toolchain_id The ID of the toolchain containing the DevOps Insights integration. This variable is used to link the DevOps Insights toolcard to a specific instance. string "" no
ci_doi_toolchain_id_pipeline_property The pipeline property for the DevOps Insights instance toolchain ID. string "" no
ci_enable_key_protect Set to true to the enable Key Protect integrations. string "" no
ci_enable_pipeline_notifications When enabled, pipeline run events will be sent to the Event Notifications and Slack integrations in the enclosing toolchain. string "" no
ci_enable_secrets_manager Set to true to enable the Secrets Manager integrations. string "" no
ci_enable_slack Set to true to create the Slack toolchain integration. string "" no
ci_event_notifications_crn Set the Event Notifications CRN to create an Events Notification integration. string "" no
ci_evidence_group Specify the Git user or group for the evidence repository. string "" no
ci_evidence_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
ci_evidence_repo_git_token_secret_crn The CRN of the Git token used for accessing the Evidence repository. string "" no
ci_evidence_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the evidence repository. string "" no
ci_evidence_repo_secret_group Secret group for the Evidence repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
ci_inventory_group Specify the Git user or group for the inventory repository. string "" no
ci_inventory_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
ci_inventory_repo_git_token_secret_crn The CRN of the Git token used for acessing the Inventory repository. string "" no
ci_inventory_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the inventory repository. string "" no
ci_inventory_repo_secret_group Secret group for the Inventory repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
ci_issues_group Specify the Git user or group for the issues repository. string "" no
ci_issues_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
ci_issues_repo_git_token_secret_crn The CRN of the Git token used for accessing the Issues repository. string "" no
ci_issues_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the issues repository. string "" no
ci_issues_repo_secret_group Secret group for the Issues repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
ci_kp_location The region hosting the Key Protect instance. string "" no
ci_kp_name Name of the Key Protect instance where the secrets are stored. string "" no
ci_kp_resource_group The resource group containing the Key Protect instance. string "" no
ci_link_to_doi_toolchain Enable a link to a DevOps Insights instance in another toolchain. bool false no
ci_pipeline_config_group Specify the Git user or group for the pipeline config repository. string "" no
ci_pipeline_config_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
ci_pipeline_config_repo_branch Specify the branch containing the custom pipeline-config.yaml file. string "" no
ci_pipeline_config_repo_clone_from_url Specify a repository containing a custom pipeline-config.yaml file. string "" no
ci_pipeline_config_repo_existing_url Specify and link to an existing repository containing a custom pipeline-config.yaml file. string "" no
ci_pipeline_config_repo_git_token_secret_crn The CRN of the Git token for accessing the pipeline config repository. string "" no
ci_pipeline_config_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the pipeline config repository. string "" no
ci_pipeline_config_repo_secret_group Secret group for the Pipeline Config repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
ci_pipeline_doi_api_key_secret_crn The CRN of the DOI (DevOps Insights) apikey used for accessing a specific toolchain Insights instance. string "" no
ci_pipeline_doi_api_key_secret_group Secret group for the pipeline DOI api key. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
ci_pipeline_doi_api_key_secret_name Name of the Cloud API key secret in the secret provider to access the toolchain containing the Devops Insights instance. string "" no
ci_pipeline_git_tag The GIT tag selector for the Compliance Pipelines definitions. string "" no
ci_pipeline_ibmcloud_api_key_secret_crn The CRN of the IBMCloud apikey used for running the pipelines. string "" no
ci_pipeline_ibmcloud_api_key_secret_group Secret group for the pipeline ibmcloud API key secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
ci_pipeline_ibmcloud_api_key_secret_name Name of the Cloud API key secret in the secret provider for running the pipelines. string "" no
ci_pipeline_properties This JSON represents the pipeline properties belonging to the both the CI and PR pipelines in the CI toolchain. Each element in the JSON represents a seperate pipeline property. Three attributes are required to create a property. These are the name field (how the name appears in the pipeline properties), the type (text, secure and enum) and then the value. Do not put secrets directly into JSON for the secure type, instead the value for a secret type should be a CRN to a secret in the configured secrets provider or a secret reference to a secret in the configured secrets provider. string "" no
ci_pipeline_properties_filepath The path to the file containing the properties JSON. If this is not set, it will by default read the properties.json file at the root of the CI module. string "" no
ci_privateworker_credentials_secret_crn The CRN of the private worker service apikey that runs the pipeline tasks. string "" no
ci_registry_region The IBM Cloud Region where the IBM Cloud Container Registry namespace is to be created. Use the short form of the regions. For example us-south. string "" no
ci_repositories_prefix Prefix name for the cloned compliance repos. For the repositories_prefix value only a-z, A-Z and 0-9 and the special characters -_ are allowed. In addition the string must not end with a special character or have two consecutive special characters. string "" no
ci_repository_properties Stringified JSON containing the repositories and triggers that get created in the CI toolchain pipelines. string "" no
ci_repository_properties_filepath The path to a file containing the repository and triggers JSON. If this is not set, it will by default read the repositories.json file at the root of the CI module. string "" no
ci_signing_key_secret_name Name of the signing key secret in the secret provider used for signing images/artifacts. string "signing-key" no
ci_slack_channel_name The name of the Slack channel where notifications are posted. string "" no
ci_slack_pipeline_fail Set to true to generate pipeline failed notifications. bool true no
ci_slack_pipeline_start Set to true to generate pipeline start notifications. bool true no
ci_slack_pipeline_success Set to true to generate pipeline succeeded notifications. bool true no
ci_slack_team_name The Slack team name, which is the word or phrase before .slack.com in the team URL. string "" no
ci_slack_toolchain_bind Set to true to Generate tool added to toolchain notifications. bool true no
ci_slack_toolchain_unbind Set to true to generate tool removed from toolchain notifications. bool true no
ci_slack_webhook_secret_crn The CRN of the Slack webhook secret used for accessing the specified Slack channel. string "" no
ci_slack_webhook_secret_group Secret group for the Slack webhook secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
ci_slack_webhook_secret_name Name of the webhook secret in the secret provider used for accessing the configured Slack channel. string "" no
ci_sm_instance_crn The CRN of the Secrets Manager instance. string "" no
ci_sm_location The region hosting the Secrets Manager instance. string "" no
ci_sm_name The name of an existing Secrets Manager instance where the secrets are stored. string "" no
ci_sm_resource_group The name of the existing resource group containing the Secrets Manager instance for your secrets. string "" no
ci_sm_secret_group The Secrets Manager secret group containing the secrets for the DevSecOps pipelines. string "" no
ci_sonarqube_integration_name The name of the SonarQube integration. string "" no
ci_sonarqube_is_blind_connection When set to true, instructs IBM Cloud Continuous Delivery to not validate the configuration of this integration. Set this to true if the SonarQube server is not addressable on the public internet. string "" no
ci_sonarqube_secret_crn The CRN of the secret used to access SonarQube. string "" no
ci_sonarqube_secret_group Secret group for the SonarQube secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
ci_sonarqube_secret_name The name of the SonarQube secret in the secrets provider. string "" no
ci_sonarqube_server_url The URL to the SonarQube server. string "" no
ci_sonarqube_user The name of the SonarQube user. string "" no
ci_toolchain_description Description for the CI Toolchain. string "Toolchain created with terraform template for DevSecOps CI Best Practices." no
ci_toolchain_name The name of the CI Toolchain. string "" no
ci_toolchain_region The region containing the CI toolchain. Use the short form of the regions. For example us-south. string "" no
ci_toolchain_resource_group The resource group within which the toolchain is created. string "" no
ci_trigger_git_enable Set to true to enable the CI pipeline Git trigger. bool true no
ci_trigger_git_name The name of the CI pipeline GIT trigger. string "Git CI Trigger" no
ci_trigger_manual_enable Set to true to enable the CI pipeline Manual trigger. bool true no
ci_trigger_manual_name The name of the CI pipeline Manual trigger. string "Manual Trigger" no
ci_trigger_manual_pruner_enable Set to true to enable the manual Pruner trigger. bool true no
ci_trigger_manual_pruner_name The name of the manual Pruner trigger. string "Evidence Pruner Manual Trigger" no
ci_trigger_pr_git_enable Set to true to enable the PR pipeline Git trigger. bool true no
ci_trigger_pr_git_name The name of the PR pipeline GIT trigger. string "Git PR Trigger" no
ci_trigger_timed_cron_schedule Only needed for timer triggers. Cron expression that indicates when this trigger will activate. Maximum frequency is every 5 minutes. The string is based on UNIX crontab syntax: minute, hour, day of month, month, day of week. Example: 0 *_/2 * * * - every 2 hours. string "0 4 * * *" no
ci_trigger_timed_enable Set to true to enable the CI pipeline Timed trigger. bool false no
ci_trigger_timed_name The name of the CI pipeline Timed trigger. string "Git CI Timed Trigger" no
ci_trigger_timed_pruner_enable Set to true to enable the timed Pruner trigger. bool false no
ci_trigger_timed_pruner_name The name of the timed Pruner trigger. string "Evidence Pruner Timed Trigger" no
cluster_name Name of the Kubernetes cluster where the application is deployed. This sets the same cluster name for both CI and CD toolchains. See ci_cluster_name and cd_cluster_name to set different cluster names. By default , the cluster namespace for CI will be set to dev and CD to prod. These can be changed using ci_cluster_namespace and cd_cluster_namespace. string "mycluster-free" no
code_engine_project The name of the Code Engine project to use. Created if it does not exist. Applies to both the CI and CD toolchains. To set individually use ci_code_engine_project and cd_code_engine_project. string "" no
compliance_pipeline_branch The Compliance Pipeline definitions branch. See ci_compliance_pipeline_branch, cd_compliance_pipeline_branch and cc_compliance_pipeline_branch to set independently. string "open-v10" no
compliance_pipeline_existing_repo_url The URL of an existing compliance pipelines repository. string "" no
compliance_pipeline_group Specify user or group for compliance pipline repository. string "" no
compliance_pipeline_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
compliance_pipeline_repo_blind_connection Setting this value to true means the server is not addressable on the public internet. IBM Cloud will not be able to validate the connection details you provide. Certain functionality that requires API access to the git server will be disabled. Delivery pipeline will only work using a private worker that has network access to the git server. string "" no
compliance_pipeline_repo_git_id Set this value to github for github.com, or to the ID of a custom GitHub Enterprise server. string "" no
compliance_pipeline_repo_git_provider Git provider for compliance pipeline repo. If not set will default to hostedgit. string "" no
compliance_pipeline_repo_git_token_secret_crn The CRN of the Git token used for accessing the sample application repository. string "" no
compliance_pipeline_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the compliance pipelines repository. string "" no
compliance_pipeline_repo_name Sets the name for the compliance pipelines repository if cloned. The expected behaviour is to link to an existing compliance-pipelines repository. string "" no
compliance_pipeline_repo_root_url (Optional) The Root URL of the server. e.g. https://git.example.com. string "" no
compliance_pipeline_repo_secret_group Secret group for the Compliance Pipeline repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
compliance_pipeline_repo_title (Optional) The title of the server. e.g. My Git Enterprise Server. string "" no
compliance_pipeline_repo_use_group_settings Set to true to apply group level repository settings to the compliance pipeline repository. See repo_git_provider as an example. bool false no
compliance_pipeline_source_repo_url The URL of a compliance pipelines repository to clone. string "" no
continuous_delivery_service_name The name of the Continuous Delivery service instance. string "cd-devsecops" no
cos_api_key_secret_crn The CRN of the Cloud Object Storage apikey. Applies to the CI, CD and CC toolchains. Can beset independently using ci_cos_api_key_secret_crn,cd_cos_api_key_secret_crn,cc_cos_api_key_secret_crn. string "" no
cos_api_key_secret_group Secret group for the COS api key secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
cos_api_key_secret_name Name of the Cloud Object Storage API key secret in the secret provider for accessing the evidence COS bucket. In addition cos_endpoint and cos_bucket_name must be set. This setting sets the same API key for the COS settings in the CI, CD, and CC toolchains. string "" no
cos_bucket_name Set the name of your COS bucket. This applies the same COS bucket name for the CI, CD, and CC toolchains. See ci_cos_bucket_name, cd_cos_bucket_name, and cc_cos_bucket_name to set separately. string "" no
cos_endpoint The endpoint for the Cloud Object Stroage instance containing the evidence bucket. This setting sets the same endpoint for COS in the CI, CD, and CC toolchains. See ci_cos_endpoint, cd_cos_endpoint, and cc_cos_endpoint to set the endpoints independently. string "" no
create_cc_toolchain Boolean flag which determines if the DevSecOps CC toolchain is created. bool true no
create_cd_instance Set to true to create Continuous Delivery Service. bool false no
create_cd_toolchain Boolean flag which determines if the DevSecOps CD toolchain is created. bool true no
create_ci_toolchain Flag which determines if the DevSecOps CI toolchain is created. If this toolchain is not created then values must be set for the following variables, evidence_repo_url, issues_repo_url and inventory_repo_url. bool true no
create_code_engine_access_policy Add a Code Engine access policy to the generated IAM access key. See create_ibmcloud_api_key. bool false no
create_cos_api_key Set to true to create and add a cos-api-key to the Secrets Provider. bool false no
create_git_token Set to true to create and add the specified personal access token secret to the Secrets Provider. Use repo_git_token_secret_value for setting the value. bool false no
create_git_triggers Set to true to create the default Git triggers associated with the compliance repos and sample app. string "true" no
create_ibmcloud_api_key Set to true to create and add an ibmcloud-api-key to the Secrets Provider. bool false no
create_icr_namespace Set to true to have Terraform create the registry namespace. Setting to false will have the CI pipeline create the namespace if it does not already exist. Note: If a Terraform destroy is used, the ICR namespace along with all images will be removed. bool false no
create_kubernetes_access_policy Add a Kubernetes access policy to the generated IAM access key. See create_ibmcloud_api_key. bool false no
create_privateworker_secret Set to true to add a specified private worker service api key to the Secrets Provider. bool false no
create_secret_group Set to true to create the specified Secrets Manager secret group. bool false no
create_signing_key Set to true to create and add a signing-key and the signing-certificate to the Secrets Provider. bool false no
create_triggers Set to true to create the default triggers associated with the compliance repos and sample app. string "true" no
enable_key_protect Set to true to the enable Key Protect integrations. string "false" no
enable_pipeline_notifications When enabled, pipeline run events will be sent to the Event Notifications and Slack integrations in the enclosing toolchain. string "" no
enable_privateworker Set to true to enable private workers for the CI, CD, CC and PR pipelines. A valid service api key must be set in Secrets Manager. The name of this secret can be specified using privateworker_credentials_secret_name. string "false" no
enable_secrets_manager Set to true to enable the Secrets Manager integrations. string "true" no
enable_slack Set to true to create the Slack toolchain integration. This requires a valid slack_channel_name, slack_team_name, and a valid webhook (see slack_webhook_secret_name). This setting applies for CI, CD, and CC toolchains. string "false" no
environment_prefix By default ibm:yp:. This will be set as the prefix to regions automatically where required. For example ibm:yp:us-south. string "ibm:yp:" no
environment_tag Tag name that represents the target environment in the inventory. Example: prod_latest. string "prod_latest" no
event_notifications_crn Set the Event Notifications CRN to create an Events Notification integration. This paramater will apply to the CI, CD and CC toolchains. Can be set independently with ci_event_notifications_crn, cd_event_notifications_crn, cc_event_notifications_crn. string "" no
event_notifications_tool_name The name of the Event Notifications integration. string "Event Notifications" no
evidence_group Specify the Git user or group for the evidence repository. string "" no
evidence_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
evidence_repo_existing_git_id Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. string "" no
evidence_repo_existing_git_provider Git provider for evidence repo. If not set will default to hostedgit. string "" no
evidence_repo_existing_url Set to use an existing evidence repository. string "" no
evidence_repo_git_token_secret_crn The CRN of the Git token used for accessing the Evidence repository. string "" no
evidence_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the evidence repository. string "" no
evidence_repo_integration_owner The name of the repository integration owner. string "" no
evidence_repo_name Set to use a custom name for the Evidence repository. string "" no
evidence_repo_secret_group Secret group for the Evidence repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
ibmcloud_api_key The API key used to create the toolchains. (See deployment guide.) string n/a yes
inventory_group Specify the Git user or group for the inventory repository. string "" no
inventory_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
inventory_repo_existing_git_id Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. string "" no
inventory_repo_existing_git_provider Git provider for the inventory repo. If not set will default to hostedgit. string "" no
inventory_repo_existing_url Set to use an existing inventory repository. string "" no
inventory_repo_git_token_secret_crn The CRN of the Git token used for acessing the Inventory repository. string "" no
inventory_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the inventory repository. string "" no
inventory_repo_integration_owner The name of the repository integration owner. string "" no
inventory_repo_name Set to use a custom name for the Inventory repository. string "" no
inventory_repo_secret_group Secret group for the Inventory repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
issues_group Specify the Git user or group for the issues repository. string "" no
issues_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
issues_repo_existing_git_id Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. string "" no
issues_repo_existing_git_provider Git provider for the issues repo. If not set will default to hostedgit. string "" no
issues_repo_existing_url By default this gets set as 'hostedgit', else set to 'githubconsolidated' for GitHub repositories. string "" no
issues_repo_git_token_secret_crn The CRN of the Git token used for accessing the Issues repository. string "" no
issues_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the issues repository. string "" no
issues_repo_integration_owner The name of the repository integration owner. string "" no
issues_repo_name Set to use a custom name for the Issues repository. string "" no
issues_repo_secret_group Secret group for the Issues repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
kp_integration_name The name of the Key Protect integration. string "kp-compliance-secrets" no
kp_location The region hosting the Key Protect instance. This applies to the CI, CD and CC Key Protect integrations. See ci_kp_location, cd_kp_location, and cc_kp_location to set these values . string "us-south" no
kp_name Name of the Key Protect instance where the secrets are stored. This applies to the CI, CD and CC Key Protect integrations. See ci_kp_name, cd_kp_name, and cc_kp_name to set these values independently. string "kp-compliance-secrets" no
kp_resource_group The resource group containing the Key Protect instance. This applies to the CI, CD and CC Key Protect integrations. See ci_kp_resource_group, cd_kp_resource_group, and cc_kp_resource_group to set these values independently. string "Default" no
pipeline_config_group Specify the Git user or group for the compliance pipeline repository. string "" no
pipeline_config_repo_auth_type Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. string "" no
pipeline_config_repo_branch Specify the branch containing the custom pipeline-config.yaml file. string "" no
pipeline_config_repo_clone_from_url Specify a repository containing a custom pipeline-config.yaml file. string "" no
pipeline_config_repo_existing_url Specify and link to an existing repository containing a custom pipeline-config.yaml file. string "" no
pipeline_config_repo_git_id Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. string "" no
pipeline_config_repo_git_provider Git provider for pipeline repo config string "" no
pipeline_config_repo_git_token_secret_crn The CRN of the Git token for accessing the pipeline config repository. string "" no
pipeline_config_repo_git_token_secret_name Name of the Git token secret in the secret provider used for accessing the pipeline config repository. string "" no
pipeline_config_repo_secret_group Secret group for the Pipeline Config repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
pipeline_doi_api_key_secret_crn The CRN of the DOI (DevOps Insights) apikey used for accessing a specific toolchain Insights instance. Applies to the CI, CD and CC toolchains. string "" no
pipeline_doi_api_key_secret_group Secret group for the pipeline DOI api key. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. Applies to the CI, CD and CC toolchains. string "" no
pipeline_doi_api_key_secret_name Name of the Cloud API key secret in the secret provider to access the toolchain containing the Devops Insights instance. This will apply to the CI, CD and CC toolchains. string "" no
pipeline_git_tag The GIT tag selector for the Compliance Pipelines definitions. string "" no
pipeline_ibmcloud_api_key_secret_crn The CRN of the IBMCloud apikey used for running the pipelines. string "" no
pipeline_ibmcloud_api_key_secret_group Secret group for the pipeline ibmcloud API key secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
pipeline_ibmcloud_api_key_secret_name Name of the Cloud API key secret in the secret provider for running the pipelines. Applies to the CI, CD and CC toolchains. string "ibmcloud-api-key" no
pr_pipeline_git_tag The GIT tag selector for the Compliance Pipelines definitions. string "" no
prefix A prefix that is added to the toolchain resources. string "" no
privateworker_credentials_secret_crn The CRN for the Private Worker secret secret. string "" no
privateworker_credentials_secret_group Secret group prefix for the Private Worker secret. Defaults to using sm_secret_group if not set. Only used with Secrets Manager. string "" no
privateworker_credentials_secret_name Name of the privateworker secret in the secret provider. string "" no
privateworker_name The name of the private worker tool integration. string "private-worker-tool-01" no
privateworker_secret_value The private worker service api key that will be added to the privateworker_credentials_secret_name secret in the secrets provider. string "" no
registry_namespace A unique namespace within the IBM Cloud Container Registry region where the application image is stored. string "" no
repo_blind_connection Setting this value to true means the server is not addressable on the public internet. IBM Cloud will not be able to validate the connection details you provide. Certain functionality that requires API access to the git server will be disabled. Delivery pipeline will only work using a private worker that has network access to the git server. string "" no
repo_git_id The Git ID for the compliance repositories. string "" no
repo_git_provider The Git provider type. string "" no
repo_git_token_secret_crn The CRN for the repositories Git Token. string "" no
repo_git_token_secret_name Name of the Git token secret in the secret provider. Specifying a secret name for the Git Token automatically sets the authentication type to pat. string "" no
repo_git_token_secret_value The personal access token that will be added to the repo_git_token_secret_name secret in the secrets provider. string "" no
repo_group Specify the Git user or group for your application. This must be set if the repository authentication type is pat (personal access token). string "" no
repo_root_url (Optional) The Root URL of the server. e.g. https://git.example.com. string "" no
repo_secret_group Secret group in Secrets Manager that contains the secret for the repository. This variable will set the same secret group for all the repositories. Can be overriden on a per secret group basis. Only applies when using Secrets Manager. string "" no
repo_title (Optional) The title of the server. e.g. My Git Enterprise Server. string "" no
repositories_prefix Prefix name for the cloned compliance repos. For the repositories_prefix value only a-z, A-Z and 0-9 and the special characters -_ are allowed. In addition the string must not end with a special character or have two consecutive special characters. string "compliance" no
rotate_signing_key Set to true to rotate the signing key and signing certificate. It is important to make a back up for the current code signing certificate as pending CD deployments might require image validation against the previous signing key. bool false no
rotation_period The number of days until the ibmcloud-api-key and the cos-api-key are auto rotated. number 90 no
sample_default_application The name of the sample application repository. The repository source URL is automatically computed based on the toolchain region. The other currently supported name is code-engine-compliance-app. Alternatively an integration can be created that can link to or clone from an existing repository. See app_repo_existing_url and app_repo_clone_from_url to override the sample application default behavior. string "hello-compliance-app" no
scc_attachment_id An attachment ID. An attachment is configured under a profile to define how a scan will be run. To find the attachment ID, in the browser, in the attachments list, click on the attachment link, and a panel appears with a button to copy the attachment ID. This parameter is only relevant when the scc_use_profile_attachment parameter is enabled. string "" no
scc_enable_scc Adds the SCC tool integration to the toolchain. string "true" no
scc_instance_crn The Security and Compliance Center service instance CRN (Cloud Resource Name). This parameter is only relevant when the scc_use_profile_attachment parameter is enabled. string "" no
scc_profile_name The name of a Security and Compliance Center profile. Use the IBM Cloud Framework for Financial Services profile, which contains the DevSecOps Toolchain rules. Or use a user-authored customized profile that has been configured to contain those rules. This parameter is only relevant when the scc_use_profile_attachment parameter is enabled. string "" no
scc_profile_version The version of a Security and Compliance Center profile, in SemVer format, like 0.0.0. This parameter is only relevant when the scc_use_profile_attachment parameter is enabled. string "" no
scc_scc_api_key_secret_crn The CRN for the SCC apikey. string "" no
scc_scc_api_key_secret_group Secret group for the Security and Compliance tool secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
scc_scc_api_key_secret_name The name of the Security and Compliance Center api-key secret in the secret provider. string "scc-api-key" no
scc_use_profile_attachment Set to enabled to enable use profile with attachment, so that the scripts in the pipeline can interact with the Security and Compliance Center service. When enabled, other parameters become relevant; scc_scc_api_key_secret_name, scc_instance_crn, scc_profile_name, scc_profile_version, scc_attachment_id. Can individually be enabled and disabled in the CD and CC toolchains using cd_scc_use_profile_attachment and cc_scc_use_profile_attachment. string "disabled" no
service_name_cos The name of the Service ID for COS access. string "cos-service-id" no
service_name_pipeline The name of the Service ID for pipeline and toolchain access. string "toolchain-pipeline-service-id" no
slack_channel_name The name of the Slack channel where notifications are posted. This applies to the CI, CD, and CC toolchains. To set independently see ci_slack_channel_name, cd_slack_channel_name, and cc_slack_channel_name. string "" no
slack_integration_name The name of the Slack integration. string "slack-compliance" no
slack_team_name The Slack team name, which is the word or phrase before .slack.com in the team URL. This applies to the CI, CD, and CC toolchains. To set independently, see ci_slack_team_name, cd_slack_team_name, and cc_slack_team_name. string "" no
slack_webhook_secret_crn The CRN of the Slack webhook secret used for accessing the specified Slack channel. string "" no
slack_webhook_secret_group Secret group for the Slack webhook secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
slack_webhook_secret_name Name of the webhook secret in the secret provider used for accessing the configured Slack channel. This applies to the CI, CD, and CC toolchains. To set independently, see ci_slack_webhook_secret_name, cd_slack_webhook_secret_name, and cc_slack_webhook_secret_name. string "slack-webhook" no
sm_endpoint_type The types of service endpoints to target for Secrets Manager. Valid values are private and public. string "private" no
sm_instance_crn The CRN of the Secrets Manager instance. Will apply to CI, CD and CC toolchains unless set individually. Setting up the Secrets Manager integration using a CRN takes precendence over the non CRN setup. string "" no
sm_integration_name The name of the Secrets Manager integration. string "sm-compliance-secrets" no
sm_location The region hosting the Secrets Manager instance. This applies to the CI, CD and CC Secret Manager integrations. string "us-south" no
sm_name The name of an existing Secret Managers instance. This applies to the CI, CD and CC Secret Manager integrations. string "sm-instance" no
sm_resource_group The name of the existing resource group containing the Secrets Manager instance for your secrets.. This applies to the CI, CD and CC Secret Manager integrations. See ci_sm_resource_group, cd_sm_resource_group, and cc_sm_resource_group to set these values independently. string "Default" no
sm_secret_expiration_period The number of days until the secrets expire. Leave empty to not set an expiration for the created secrets. string "" no
sm_secret_group The Secrets Manager secret group containing the secrets for the DevSecOps pipelines. This applies to the CI, CD and CC Secret Manager integrations. See ci_sm_secret_group, cd_sm_secret_group, and cc_sm_secret_group to set these values independently. string "Default" no
sonarqube_integration_name The name of the SonarQube integration. string "SonarQube" no
sonarqube_is_blind_connection When set to true, instructs IBM Cloud Continuous Delivery to not validate the configuration of this integration. Set this to true if the SonarQube server is not addressable on the public internet. string "true" no
sonarqube_secret_crn The CRN of the secret used to access SonarQube. string "" no
sonarqube_secret_group Secret group for the SonarQube secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. string "" no
sonarqube_secret_name The name of the SonarQube secret in the secrets provider. string "sonarqube-secret" no
sonarqube_server_url The URL to the SonarQube server. string "" no
sonarqube_user The name of the SonarQube user. string "" no
toolchain_name This variable specifies the root name for the CI, CD and CC toolchain names. A fixed suffix will automatically be appended. Setting DevSecOps will generate toolchains with the names DevSecOps-CI-Toolchain, DevSecOps-CD-Toolchain and DevSecOps-CC-Toolchain. The full name of each toolchain can be set independently using ci_toolchain_name, cd_toolchain_name, and cc_toolchain_name. string "DevSecOps" no
toolchain_region The region identifier that will be used, by default, for all resource creation and service instance lookup. string "us-south" no
toolchain_resource_group The resource group that will be used, by default, for all resource creation and service instance lookups. This can be overridden on a per resource/service basis. string "Default" no
use_app_repo_for_cd_deploy Set to true to use the CI sample application repository as the deployment repository in the CD pipeline. This will be set in the pipeline config integration. bool false no
worker_id The identifier for the pipeline worker. Applies to the CI, CD and CC pipelines. string "public" no

Outputs

Name Description
app_repo_url The App Repo URL
cc_pipeline_id The CC pipeline Id
cd_pipeline_id The CD pipeline Id
change_management_repo_url The Change Management Repo URL.
ci_pipeline_id The CI pipeline Id
compliance_cc_toolchain_id The ID of the Compliance CC Toolchain
compliance_cc_toolchain_url The Compliance CC Toolchain URL
compliance_cd_toolchain_id The ID of the Compliance CD Toolchain
compliance_cd_toolchain_url The Compliance CD Toolchain URL
compliance_ci_toolchain_id The ID of the Compliance CI Toolchain
compliance_ci_toolchain_url The Compliance CI Toolchain URL
evidence_repo_url The Evidence Repo URL
icr_namespace_name The name of the targets ICR namespace.
inventory_repo_url The Inventory Repo URL
issues_repo_url The Issues Repo URL
key_protect_instance_id The Key Protect Instance ID
pr_pipeline_id The PR pipeline Id
secrets_manager_instance_id The Secrets Manage Instance ID

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.