Cloud Build Connection (V2) Module This module allows to create a Cloud Build v2 connection with associated repositories and triggers linked to each of them. Additionally, it also facilitates the creation of IAM bindings for the connection.
module "project" {
source = " ./fabric/modules/project" billing_account = . billing_account_id
name = " my-project" parent = . folder_id
prefix = . prefix
services = " cloudbuild.googleapis.com" " secretmanager.googleapis.com" iam = " roles/logging.logWriter" = [
module.cb_service_account.iam_email
]
}
}
module "cb_service_account" {
source = " ./fabric/modules/iam-service-account" project_id = . project . id
name = " cloudbuild" module "secret_manager" {
source = " ./fabric/modules/secret-manager" project_id = . project . id
secrets = = {
versions = {
v1 = {
data = " ENTER HERE YOUR SECRET VALUE" = {
write_only_version = 1
}
}
}
iam = {
" roles/secretmanager.secretAccessor" = [module.project.service_agents.cloudbuild.iam_email]
}
}
}
}
module "cb_connection" {
source = " ./fabric/modules/cloud-build-v2-connection" project_id = . project . id
name = " my-connection" location = . region
context = = {
mygroup = " group:${ var . group_email } " connection_config = = {
authorizer_credential_secret_version = module.secret_manager.version_ids[" authorizer-credential/v1" = 1234567
}
}
repositories = = {
remote_uri = " https://github.com/my-user/my-repo.git" = {
my-trigger = {
push = {
branch = " main" = " cloudbuild.yaml" iam = " roles/cloudbuild.connectionViewer" = [" $iam_principals:mygroup" # tftest modules=4 resources=15 inventory=github.yaml skip-tofumodule "project" {
source = " ./fabric/modules/project" billing_account = . billing_account_id
name = " my-project" parent = . folder_id
prefix = . prefix
services = " cloudbuild.googleapis.com" " secretmanager.googleapis.com" iam = " roles/logging.logWriter" = [
module.cb_service_account.iam_email
]
}
}
module "cb_service_account" {
source = " ./fabric/modules/iam-service-account" project_id = . project . id
name = " cloudbuild" module "secret_manager" {
source = " ./fabric/modules/secret-manager" project_id = . project . id
secrets = = {
versions = {
v1 = {
data = " ENTER HERE YOUR SECRET VALUE" = {
write_only_version = 1
}
}
}
iam = {
" roles/secretmanager.secretAccessor" = [module.project.service_agents.cloudbuild.iam_email]
}
}
private-key-secret = {
versions = {
v1 = {
data = " ENTER HERE YOUR SECRET VALUE" = {
write_only_version = 1
}
}
}
iam = {
" roles/secretmanager.secretAccessor" = [module.project.service_agents.cloudbuild.iam_email]
}
}
}
}
module "cb_connection" {
source = " ./fabric/modules/cloud-build-v2-connection" project_id = . project . id
name = " my-connection" location = . region
context = = {
mygroup = " group:${ var . group_email } " connection_config = = {
host_uri = " https://mmy-ghe-server.net." = " 1234567" = " 123456789" = " https://my-ghe-server.net/settings/apps/app-slug" = module.secret_manager.version_ids[" private-key-secret/v1" = module.secret_manager.version_ids[" webhook-secret/v1" repositories = = {
remote_uri = " https://github.com/my-user/my-repo.git" = {
my-trigger = {
push = {
branch = " main" = " cloudbuild.yaml" iam = " roles/cloudbuild.connectionViewer" = [" $iam_principals:mygroup" # tftest modules=4 resources=18 inventory=github-enterprise.yaml skip-tofumodule "project" {
source = " ./fabric/modules/project" billing_account = . billing_account_id
name = " my-project" parent = . folder_id
prefix = . prefix
services = " cloudbuild.googleapis.com" " secretmanager.googleapis.com" iam = " roles/logging.logWriter" = [
module.cb_service_account.iam_email
]
}
}
module "cb_service_account" {
source = " ./fabric/modules/iam-service-account" project_id = . project . id
name = " cloudbuild" module "secret_manager" {
source = " ./fabric/modules/secret-manager" project_id = . project . id
secrets = = {
versions = {
v1 = {
data = " ENTER HERE YOUR SECRET VALUE" = {
write_only_version = 1
}
}
}
iam = {
" roles/secretmanager.secretAccessor" = [module.project.service_agents.cloudbuild.iam_email]
}
}
authorizer-credential = {
versions = {
v1 = {
data = " ENTER HERE YOUR SECRET VALUE" = {
write_only_version = 1
}
}
}
iam = {
" roles/secretmanager.secretAccessor" = [module.project.service_agents.cloudbuild.iam_email]
}
}
read-authorizer-credential = {
versions = {
v1 = {
data = " ENTER HERE YOUR SECRET VALUE" = {
write_only_version = 1
}
}
}
iam = {
" roles/secretmanager.secretAccessor" = [module.project.service_agents.cloudbuild.iam_email]
}
}
}
}
module "cb_connection" {
source = " ./fabric/modules/cloud-build-v2-connection" project_id = . project . id
name = " my-connection" location = . region
context = = {
mygroup = " group:${ var . group_email } " connection_config = = {
workspace = " my-workspace" = module.secret_manager.version_ids[" webhook-secret/v1" = module.secret_manager.version_ids[" authorizer-credential/v1" = module.secret_manager.version_ids[" read-authorizer-credential/v1" = 1234567
}
}
repositories = = {
remote_uri = " https://bitbucket.org/my-workspace/my-repository.git" = {
my-trigger = {
push = {
branch = " main" = " cloudbuild.yaml" iam = " roles/cloudbuild.connectionViewer" = [" $iam_principals:mygroup" # tftest modules=4 resources=21 inventory=bitbucket-cloud.yaml skip-tofumodule "project" {
source = " ./fabric/modules/project" billing_account = . billing_account_id
name = " my-project" parent = . folder_id
prefix = . prefix
services = " cloudbuild.googleapis.com" " secretmanager.googleapis.com" iam = " roles/logging.logWriter" = [
module.cb_service_account.iam_email
]
}
}
module "cb_service_account" {
source = " ./fabric/modules/iam-service-account" project_id = . project . id
name = " cloudbuild" module "secret_manager" {
source = " ./fabric/modules/secret-manager" project_id = . project . id
secrets = = {
versions = {
v1 = {
data = " ENTER HERE YOUR SECRET VALUE" = {
write_only_version = 1
}
}
}
iam = {
" roles/secretmanager.secretAccessor" = [module.project.service_agents.cloudbuild.iam_email]
}
}
authorizer-credential = {
versions = {
v1 = {
data = " ENTER HERE YOUR SECRET VALUE" = {
write_only_version = 1
}
}
}
iam = {
" roles/secretmanager.secretAccessor" = [module.project.service_agents.cloudbuild.iam_email]
}
}
read-authorizer-credential = {
versions = {
v1 = {
data = " ENTER HERE YOUR SECRET VALUE" = {
write_only_version = 1
}
}
}
iam = {
" roles/secretmanager.secretAccessor" = [module.project.service_agents.cloudbuild.iam_email]
}
}
}
}
module "cb_connection" {
source = " ./fabric/modules/cloud-build-v2-connection" project_id = . project . id
name = " my-connection" location = . region
context = = {
mygroup = " group:${ var . group_email } " connection_config = = {
host_uri = " https://bbdc-host.com" = module.secret_manager.version_ids[" webhook-secret/v1" = module.secret_manager.version_ids[" authorizer-credential/v1" = module.secret_manager.version_ids[" read-authorizer-credential/v1" = 1234567
}
}
repositories = = {
remote_uri = " https://bbdc-host.com/scm/my-project/my-repository.git." = {
my-trigger = {
push = {
branch = " main" = " cloudbuild.yaml" iam = " roles/cloudbuild.connectionViewer" = [" $iam_principals:mygroup" # tftest modules=4 resources=21 inventory=bitbucket-data-center.yaml skip-tofumodule "project" {
source = " ./fabric/modules/project" billing_account = . billing_account_id
name = " my-project" parent = . folder_id
prefix = . prefix
services = " cloudbuild.googleapis.com" " secretmanager.googleapis.com" iam = " roles/logging.logWriter" = [
module.cb_service_account.iam_email
]
}
}
module "cb_service_account" {
source = " ./fabric/modules/iam-service-account" project_id = . project . id
name = " cloudbuild" module "secret_manager" {
source = " ./fabric/modules/secret-manager" project_id = . project . id
secrets = = {
versions = {
v1 = {
data = " ENTER HERE YOUR SECRET VALUE" = {
write_only_version = 1
}
}
}
iam = {
" roles/secretmanager.secretAccessor" = [module.project.service_agents.cloudbuild.iam_email]
}
}
read-authorizer-credential = {
versions = {
v1 = {
data = " ENTER HERE YOUR SECRET VALUE" = {
write_only_version = 1
}
}
}
iam = {
" roles/secretmanager.secretAccessor" = [module.project.service_agents.cloudbuild.iam_email]
}
}
authorizer-credential = {
versions = {
v1 = {
data = " ENTER HERE YOUR SECRET VALUE" = {
write_only_version = 1
}
}
}
iam = {
" roles/secretmanager.secretAccessor" = [module.project.service_agents.cloudbuild.iam_email]
}
}
}
}
module "cb_connection" {
source = " ./fabric/modules/cloud-build-v2-connection" project_id = . project . id
name = " my-connection" location = . region
context = = {
mygroup = " group:${ var . group_email } " connection_config = = {
webhook_secret_secret_version = module.secret_manager.version_ids[" webhook-secret/v1" = module.secret_manager.version_ids[" read-authorizer-credential/v1" = module.secret_manager.version_ids[" authorizer-credential/v1" repositories = = {
remote_uri = " https://github.com/my-user/my-repo.git" = {
my-trigger = {
push = {
branch = " main" = " cloudbuild.yaml" iam = " roles/cloudbuild.connectionViewer" = [" $iam_principals:mygroup" # tftest modules=4 resources=21 inventory=gitlab.yaml skip-tofu
name
description
type
required
default
location Location.
string✓
name Name.
string✓
project_id Project ID.
string✓
annotations Annotations.
map(string){}
connection_config Connection configuration.
object({…}){}
connection_create Create connection.
booltrue
context Context-specific interpolations.
object({…}){}
disabled Flag indicating whether the connection is disabled or not.
boolfalse
iam IAM bindings in {ROLE => [MEMBERS]} format.
map(list(string)){}
iam_bindings Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary.
map(object({…})){}
iam_bindings_additive Individual additive IAM bindings. Keys are arbitrary.
map(object({…})){}
iam_by_principals Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the iam variable.
map(list(string)){}
repositories Repositories.
map(object({…})){}