DevSecOps Application Lifecycle Management
-green){kind=icon}
A Terraform module for provisioning the DevSecOps CI, CD, and CC toolchains.
Reference architectures
Usage
module "terraform_devsecops_alm" {
source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-alm?ref=v1.0.4"
toolchain_region = var.toolchain_region
toolchain_resource_group = var.toolchain_resource_group
registry_namespace = var.registry_namespace
cluster_name = var.cluster_name
sm_resource_group = var.sm_resource_group
sm_name = var.sm_name
sm_location = var.sm_location
sm_secret_group = var.sm_secret_group
}
Required IAM access policies
Examples
| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| ibm | =1.70.0 |
| null | = 3.2.2 |
| random | = 3.6.2 |
Modules
| Name | Source | Version |
|---|---|---|
| devsecops_cc_toolchain | git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-cc-toolchain | v2.1.0 |
| devsecops_cd_toolchain | git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-cd-toolchain | v2.1.0 |
| devsecops_ci_toolchain | git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-ci-toolchain | v2.1.0 |
| prereqs | ./prereqs | n/a |
Resources
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| add_code_engine_prefix | Set to true to use prefix to add a prefix to the code engine project names. |
bool |
true |
no |
| add_container_name_suffix | Set to true to add a random suffix to the specified ICR name. |
bool |
false |
no |
| add_pipeline_definitions | Set to true to add pipeline definitions. |
string |
"true" |
no |
| app_group | Specify the Git user or group for the application repository. | string |
"" |
no |
| app_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| app_repo_branch | This is the repository branch used by the default sample application. Alternatively if app_repo_existing_url is provided, then the branch must reflect the default branch for that repository. Typically these branches are main or master. |
string |
"master" |
no |
| app_repo_clone_from_url | Override the default sample app by providing your own sample app URL, which is cloned into the app repository. Note, uses clone_if_not_exists mode, so if the app repository already exists the repository contents are unchanged. |
string |
"" |
no |
| app_repo_clone_to_git_id | Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. |
string |
"" |
no |
| app_repo_clone_to_git_provider | By default this gets set as 'hostedgit', else set to 'githubconsolidated' for GitHub repositories. | string |
"" |
no |
| app_repo_existing_git_id | Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. |
string |
"" |
no |
| app_repo_existing_git_provider | Git provider for application repo. If not set will default to hostedgit. |
string |
"" |
no |
| app_repo_existing_url | Bring your own existing application repository by providing the URL. This will create an integration for your application repository instead of cloning the default sample. Repositories existing in a different org will require the use of Git token. See app_repo_git_token_secret_name under optional variables. |
string |
"__NOTSET__" |
no |
| app_repo_git_token_secret_crn | The CRN of the Git token used for accessing the sample application repository. | string |
"" |
no |
| app_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the sample (or bring your own) application repository. | string |
"" |
no |
| app_repo_secret_group | Secret group for the App repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| authorization_policy_creation | Disable Toolchain Service to Secrets Manager/Key Protect/Notifications Service authorization policy creation. To disable set the value to disabled. This applies to the CI, CD, and CC toolchains. To set independently, see ci_authorization_policy_creation, cd_authorization_policy_creation, and cc_authorization_policy_creation. |
string |
"" |
no |
| autostart | Set to true to auto run the CI pipeline in the CI toolchain after creation. |
bool |
false |
no |
| cc_app_group | Specify user or group for app repository. | string |
"" |
no |
| cc_app_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| cc_app_repo_branch | The default branch of the app repository. | string |
"" |
no |
| cc_app_repo_git_id | The Git Id of the repository. | string |
"" |
no |
| cc_app_repo_git_provider | Git provider for the application repo. If not set will default to hostedgit. |
string |
"" |
no |
| cc_app_repo_git_token_secret_crn | The CRN of the Git token used for accessing the application repository. | string |
"" |
no |
| cc_app_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the sample (or bring your own) application repository. | string |
"" |
no |
| cc_app_repo_secret_group | Secret group for the App repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cc_app_repo_url | This Git URL for the application repository. | string |
"" |
no |
| cc_artifactory_token_secret_crn | The CRN for the Artifactory access secret. | string |
"" |
no |
| cc_authorization_policy_creation | Disable Toolchain Service to Secrets Manager/Key Protect/Notifications Service authorization policy creation. To disable set the value to disabled. |
string |
"" |
no |
| cc_compliance_pipeline_branch | The CC Pipeline Compliance Pipeline branch. | string |
"" |
no |
| cc_compliance_pipeline_group | Specify user or group for compliance pipline repository. | string |
"" |
no |
| cc_compliance_pipeline_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| cc_compliance_pipeline_repo_git_token_secret_crn | The CRN of the Git token used for accessing the Compliance Pipelines repository. | string |
"" |
no |
| cc_compliance_pipeline_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the compliance pipelines repository. | string |
"" |
no |
| cc_compliance_pipeline_repo_secret_group | Secret group for the Compliance Pipeline repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cc_cos_api_key_secret_crn | The CRN of the Cloud Object Storage apikey. | string |
"" |
no |
| cc_cos_api_key_secret_group | Secret group for the COS API key secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cc_cos_api_key_secret_name | Name of the Cloud Object Storage API key secret in the secret provider used for accessing the evidence COS bucket. | string |
"" |
no |
| cc_cos_bucket_name | The name of the Cloud Object Storage bucket used for storing the evidence. | string |
"" |
no |
| cc_cos_endpoint | The endpoint for the Cloud Object Stroage instance containing the evidence bucket. | string |
"" |
no |
| cc_doi_toolchain_id | The ID of the toolchain containing the DevOps Insights integration. This variable is used to link the DevOps Insights toolcard to a specific instance. | string |
"" |
no |
| cc_enable_key_protect | Set to true to the enable Key Protect integrations. |
string |
"" |
no |
| cc_enable_pipeline_notifications | When enabled, pipeline run events will be sent to the Event Notifications and Slack integrations in the enclosing toolchain. | string |
"" |
no |
| cc_enable_secrets_manager | Set to true to enable the Secrets Manager integrations. |
string |
"" |
no |
| cc_enable_slack | Set to true to create the Slack toolchain integration. |
string |
"" |
no |
| cc_event_notifications_crn | Set the Event Notifications CRN to create an Events Notification integration. | string |
"" |
no |
| cc_evidence_group | Specify the Git user or group for the evidence repository. | string |
"" |
no |
| cc_evidence_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat' | string |
"" |
no |
| cc_evidence_repo_git_token_secret_crn | The CRN of the Git token used for accessing the Evidence repository. | string |
"" |
no |
| cc_evidence_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the evidence repository. | string |
"" |
no |
| cc_evidence_repo_secret_group | Secret group for the Evidence repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cc_inventory_group | Specify the Git user or group for the inventory repository. | string |
"" |
no |
| cc_inventory_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| cc_inventory_repo_git_token_secret_crn | The CRN of the Git token used for acessing the Inventory repository. | string |
"" |
no |
| cc_inventory_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the inventory repository. | string |
"" |
no |
| cc_inventory_repo_secret_group | Secret group for the Inventory repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cc_issues_group | Specify the Git user or group for the issues repository. | string |
"" |
no |
| cc_issues_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| cc_issues_repo_git_token_secret_crn | The CRN of the Git token used for accessing the Issues repository. | string |
"" |
no |
| cc_issues_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the issues repository. | string |
"" |
no |
| cc_issues_repo_secret_group | Secret group for the Issues repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cc_kp_location | The region hosting the Key Protect instance. | string |
"" |
no |
| cc_kp_name | Name of the Key Protect instance where the secrets are stored. | string |
"" |
no |
| cc_kp_resource_group | The resource group containing the Key Protect instance. | string |
"" |
no |
| cc_link_to_doi_toolchain | Enable a link to a DevOps Insights instance in another toolchain, true or false. | bool |
true |
no |
| cc_pipeline_config_group | Specify the Git user or group for the compliance pipeline repository. | string |
"" |
no |
| cc_pipeline_config_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| cc_pipeline_config_repo_branch | Specify the branch containing the custom pipeline-config.yaml file. | string |
"" |
no |
| cc_pipeline_config_repo_clone_from_url | Specify a repository containing a custom pipeline-config.yaml file. | string |
"" |
no |
| cc_pipeline_config_repo_existing_url | Specify a repository containing a custom pipeline-config.yaml file. | string |
"" |
no |
| cc_pipeline_config_repo_git_token_secret_crn | The CRN of the Git token for accessing the pipeline config repository. | string |
"" |
no |
| cc_pipeline_config_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the pipeline config repository. | string |
"" |
no |
| cc_pipeline_config_repo_secret_group | Secret group for the Pipeline Config repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cc_pipeline_doi_api_key_secret_crn | The CRN of the DOI (DevOps Insights) apikey used for accessing a specific toolchain Insights instance. | string |
"" |
no |
| cc_pipeline_doi_api_key_secret_group | Secret group for the pipeline DOI api key. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cc_pipeline_doi_api_key_secret_name | Name of the Cloud API key secret in the secret provider to access the toolchain containing the Devops Insights instance. | string |
"" |
no |
| cc_pipeline_git_tag | The GIT tag selector for the Compliance Pipelines definitions. | string |
"" |
no |
| cc_pipeline_ibmcloud_api_key_secret_crn | The CRN of the IBMCloud apikey used for running the pipelines. | string |
"" |
no |
| cc_pipeline_ibmcloud_api_key_secret_group | Secret group for the pipeline ibmcloud API key secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cc_pipeline_ibmcloud_api_key_secret_name | Name of the Cloud API key secret in the secret provider for running the pipelines. | string |
"" |
no |
| cc_pipeline_properties | This JSON represents the pipeline properties belonging to the CC pipeline in the CC toolchain. Each element in the JSON represents a seperate pipeline property. Three attributes are required to create a property. These are the name field (how the name appears in the pipeline properties), the type (text, secure and enum) and then the value. Do not put secrets directly into JSON for the secure type, instead the value for a secret type should be a CRN to a secret in the configured secrets provider or a secret reference to a secret in the configured secrets provider. |
string |
"" |
no |
| cc_pipeline_properties_filepath | The path to the file containing the property JSON. If this is not set, it will by default read the properties.json file at the root of the module. |
string |
"" |
no |
| cc_repositories_prefix | The prefix for the compliance repositories. For the repositories_prefix value only a-z, A-Z and 0-9 and the special characters -_ are allowed. In addition the string must not end with a special character or have two consecutive special characters. |
string |
"" |
no |
| cc_repository_properties | Stringified JSON containing the repositories and triggers that get created in the CI toolchain pipelines. | string |
"" |
no |
| cc_repository_properties_filepath | The path to the file containing the repository and triggers JSON. If this is not set, it will by default read the repositories.json file at the root of the module. |
string |
"" |
no |
| cc_scc_enable_scc | Adds the SCC tool integration to the toolchain. | string |
"" |
no |
| cc_scc_integration_name | The name of the SCC integration. | string |
"Security and Compliance" |
no |
| cc_scc_use_profile_attachment | Set to enabled to enable use profile with attachment, so that the scripts in the pipeline can interact with the Security and Compliance Center service. When enabled, other parameters become relevant; scc_scc_api_key_secret_name, scc_instance_crn, scc_profile_name, scc_profile_version, scc_attachment_id. |
string |
"" |
no |
| cc_slack_channel_name | The name of the Slack channel where notifications are posted. | string |
"" |
no |
| cc_slack_pipeline_fail | Set to true to generate pipeline failed notifications. |
bool |
true |
no |
| cc_slack_pipeline_start | Set to true to generate pipeline start notifications. |
bool |
true |
no |
| cc_slack_pipeline_success | Set to true to generate pipeline succeeded notifications. |
bool |
true |
no |
| cc_slack_team_name | The Slack team name, which is the word or phrase before .slack.com in the team URL. | string |
"" |
no |
| cc_slack_toolchain_bind | Generate tool added to toolchain notifications. | bool |
true |
no |
| cc_slack_toolchain_unbind | Set to true to generate tool removed from toolchain notifications. |
bool |
true |
no |
| cc_slack_webhook_secret_crn | The CRN of the Slack webhook secret used for accessing the specified Slack channel. | string |
"" |
no |
| cc_slack_webhook_secret_group | Secret group for the Slack webhook secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cc_slack_webhook_secret_name | Name of the webhook secret in the secret provider used for accessing the configured Slack channel. | string |
"" |
no |
| cc_sm_instance_crn | The CRN of the Secrets Manager instance. | string |
"" |
no |
| cc_sm_location | The region hosting the Secrets Manager instance. | string |
"" |
no |
| cc_sm_name | The name of an existing Secrets Manager instance where the secrets are stored. | string |
"" |
no |
| cc_sm_resource_group | The name of the existing resource group containing the Secrets Manager instance for your secrets. | string |
"" |
no |
| cc_sm_secret_group | The Secrets Manager secret group containing the secrets for the DevSecOps pipelines. | string |
"" |
no |
| cc_sonarqube_integration_name | The name of the SonarQube integration. | string |
"" |
no |
| cc_sonarqube_is_blind_connection | When set to true, instructs IBM Cloud Continuous Delivery to not validate the configuration of this integration. Set this to true if the SonarQube server is not addressable on the public internet. |
string |
"" |
no |
| cc_sonarqube_secret_crn | The CRN of the secret used to access SonarQube. | string |
"" |
no |
| cc_sonarqube_secret_group | Secret group for the SonarQube secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cc_sonarqube_secret_name | The name of the SonarQube secret in the secrets provider. | string |
"" |
no |
| cc_sonarqube_server_url | The URL to the SonarQube server. | string |
"" |
no |
| cc_sonarqube_user | The name of the SonarQube user. | string |
"" |
no |
| cc_toolchain_description | Description for the CC Toolchain. | string |
"Toolchain created with terraform template for DevSecOps CC Best Practices." |
no |
| cc_toolchain_name | The name of the CC Toolchain. | string |
"" |
no |
| cc_toolchain_region | The region containing the CI toolchain. Use the short form of the regions. For example us-south. |
string |
"" |
no |
| cc_toolchain_resource_group | Resource group within which the toolchain is created. | string |
"" |
no |
| cc_trigger_manual_enable | Set to true to enable the CC pipeline Manual trigger. |
bool |
true |
no |
| cc_trigger_manual_name | The name of the CC pipeline Manual trigger. | string |
"CC Manual Trigger" |
no |
| cc_trigger_manual_pruner_enable | Set to true to enable the manual Pruner trigger. |
bool |
true |
no |
| cc_trigger_manual_pruner_name | The name of the manual Pruner trigger. | string |
"Evidence Pruner Manual Trigger" |
no |
| cc_trigger_timed_cron_schedule | Only needed for timer triggers. Cron expression that indicates when this trigger will activate. Maximum frequency is every 5 minutes. The string is based on UNIX crontab syntax: minute, hour, day of month, month, day of week. Example: 0 _/2 - every 2 hours. | string |
"0 4 * * *" |
no |
| cc_trigger_timed_enable | Set to true to enable the CI pipeline Timed trigger. |
bool |
false |
no |
| cc_trigger_timed_name | The name of the CC pipeline Timed trigger. | string |
"CC Timed Trigger" |
no |
| cc_trigger_timed_pruner_enable | Set to true to enable the timed Pruner trigger. |
bool |
false |
no |
| cc_trigger_timed_pruner_name | The name of the timed Pruner trigger. | string |
"Evidence Pruner Timed Trigger" |
no |
| cd_artifactory_token_secret_crn | The CRN for the Artifactory access secret. | string |
"" |
no |
| cd_authorization_policy_creation | Disable Toolchain Service to Secrets Manager/Key Protect/Notifications Service authorization policy creation. To disable set the value to disabled. |
string |
"" |
no |
| cd_change_management_group | Specify group for change management repository | string |
"" |
no |
| cd_change_management_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| cd_change_management_repo_git_provider | Git provider for the change management repo. If not set will default to hostedgit. |
string |
"" |
no |
| cd_change_management_repo_git_token_secret_crn | The CRN for the Change Management repository Git Token. | string |
"" |
no |
| cd_change_management_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"" |
no |
| cd_change_management_repo_secret_group | Secret group for the Change Management repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cd_change_repo_clone_from_url | Override the default management repository, which is cloned into the application repository. Note, using clone_if_not_exists mode, so if the application repository already exists the repository contents are unchanged. | string |
"" |
no |
| cd_cluster_name | Name of the cluster where the application is deployed. | string |
"" |
no |
| cd_cluster_namespace | Name of the cluster namespace where the application is deployed. | string |
"prod" |
no |
| cd_cluster_region | Region hosting the cluster where the application is deployed. Use the short form of the regions. For example us-south. |
string |
"" |
no |
| cd_code_engine_project | The name of the Code Engine project to use for the CD pipeline promoted code. The project is created if it does not already exist. | string |
"Sample_CD_Project" |
no |
| cd_code_engine_region | The region to create/lookup for the Code Engine project. | string |
"" |
no |
| cd_code_engine_resource_group | The resource group of the Code Engine project. | string |
"" |
no |
| cd_code_signing_cert_secret_name | This is the name of the secret in the secrets provider for storing the code signing certificate. | string |
"signing-certificate" |
no |
| cd_compliance_pipeline_branch | The CD Pipeline Compliance Pipeline branch. | string |
"" |
no |
| cd_compliance_pipeline_group | Specify user or group for compliance pipline repository. | string |
"" |
no |
| cd_compliance_pipeline_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| cd_compliance_pipeline_repo_git_token_secret_crn | The CRN of the Git token used for accessing the Compliance Pipelines repository. | string |
"" |
no |
| cd_compliance_pipeline_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the compliance pipelines repository. | string |
"" |
no |
| cd_compliance_pipeline_repo_secret_group | Secret group for the Compliance Pipeline repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cd_cos_api_key_secret_crn | The CRN of the Cloud Object Storage apikey. | string |
"" |
no |
| cd_cos_api_key_secret_group | Secret group for the COS API key secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cd_cos_api_key_secret_name | Name of the Cloud Object Storage API key secret in the secret provider used for accessing the evidence COS bucket. | string |
"" |
no |
| cd_cos_bucket_name | The name of the Cloud Object Storage bucket used for storing the evidence. | string |
"" |
no |
| cd_cos_endpoint | The endpoint for the Cloud Object Stroage instance containing the evidence bucket. | string |
"" |
no |
| cd_deployment_group | Specify group for deployment. | string |
"" |
no |
| cd_deployment_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| cd_deployment_repo_clone_from_branch | Used when deployment_repo_clone_from_url is provided, the default branch that is used by the CD build, usually either main or master. | string |
"" |
no |
| cd_deployment_repo_clone_from_url | Override the default sample app by providing your own sample deployment URL, which is cloned into the app repository. Note, using clone_if_not_exists mode, so if the app repository already exists the repository contents are unchanged. | string |
"" |
no |
| cd_deployment_repo_clone_to_git_id | By default absent, else custom server GUID, or other options for 'git_id' field in the browser UI. | string |
"" |
no |
| cd_deployment_repo_clone_to_git_provider | By default 'hostedgit', else use 'githubconsolidated' or 'gitlab'. | string |
"" |
no |
| cd_deployment_repo_existing_branch | Used when deployment_repo_existing_url is provided, the default branch that is by the CD build, usually either main or master. | string |
"" |
no |
| cd_deployment_repo_existing_git_id | Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. |
string |
"" |
no |
| cd_deployment_repo_existing_git_provider | Git provider for the deployment repo. If not set will default to hostedgit. |
string |
"" |
no |
| cd_deployment_repo_existing_url | Override to bring your own existing deployment repository URL, which is used directly instead of cloning the default deployment sample. | string |
"" |
no |
| cd_deployment_repo_git_token_secret_crn | The CRN for the Deployment repository Git Token. | string |
"" |
no |
| cd_deployment_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"" |
no |
| cd_deployment_repo_secret_group | Secret group for the Deployment repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cd_doi_toolchain_id | The ID of the toolchain containing the DevOps Insights integration. This variable is used to link the DevOps Insights toolcard to a specific instance. | string |
"" |
no |
| cd_enable_key_protect | Set to true to the enable Key Protect integrations. |
string |
"" |
no |
| cd_enable_pipeline_notifications | When enabled, pipeline run events will be sent to the Event Notifications and Slack integrations in the enclosing toolchain. | string |
"" |
no |
| cd_enable_secrets_manager | Set to true to enable the Secrets Manager integrations. |
string |
"" |
no |
| cd_enable_slack | Set to true to create the Slack toolchain integration. |
string |
"" |
no |
| cd_event_notifications_crn | Set the Event Notifications CRN to create an Events Notification integration. | string |
"" |
no |
| cd_evidence_group | Specify the Git user or group for the evidence repository. | string |
"" |
no |
| cd_evidence_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| cd_evidence_repo_git_token_secret_crn | The CRN of the Git token used for accessing the Evidence repository. | string |
"" |
no |
| cd_evidence_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the evidence repository. | string |
"" |
no |
| cd_evidence_repo_secret_group | Secret group for the Evidence repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cd_inventory_group | Specify the Git user or group for the inventory repository. | string |
"" |
no |
| cd_inventory_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| cd_inventory_repo_git_token_secret_crn | The CRN of the Git token used for acessing the Inventory repository. | string |
"" |
no |
| cd_inventory_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the inventory repository. | string |
"" |
no |
| cd_inventory_repo_secret_group | Secret group for the Inventory repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cd_issues_group | Specify the Git user or group for the issues repository. | string |
"" |
no |
| cd_issues_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| cd_issues_repo_git_token_secret_crn | The CRN of the Git token used for accessing the Issues repository. | string |
"" |
no |
| cd_issues_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the issues repository. | string |
"" |
no |
| cd_issues_repo_secret_group | Secret group for the Issues repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cd_kp_location | The region hosting the Key Protect instance. | string |
"" |
no |
| cd_kp_name | Name of the Key Protect instance where the secrets are stored. | string |
"" |
no |
| cd_kp_resource_group | The resource group containing the Key Protect instance. | string |
"" |
no |
| cd_link_to_doi_toolchain | Enable a link to a DevOps Insights instance in another toolchain, true or false. | bool |
true |
no |
| cd_pipeline_config_group | Specify the Git user or group for the compliance pipeline repository. | string |
"" |
no |
| cd_pipeline_config_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| cd_pipeline_config_repo_branch | Specify the branch containing the custom pipeline-config.yaml file. | string |
"" |
no |
| cd_pipeline_config_repo_clone_from_url | Specify a repository containing a custom pipeline-config.yaml file. | string |
"" |
no |
| cd_pipeline_config_repo_existing_url | Specify a repository containing a custom pipeline-config.yaml file. | string |
"" |
no |
| cd_pipeline_config_repo_git_token_secret_crn | The CRN of the Git token for accessing the pipeline config repository. | string |
"" |
no |
| cd_pipeline_config_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the pipeline config repository. | string |
"" |
no |
| cd_pipeline_config_repo_secret_group | Secret group for the Pipeline Config repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cd_pipeline_doi_api_key_secret_crn | The CRN of the DOI (DevOps Insights) apikey used for accessing a specific toolchain Insights instance. | string |
"" |
no |
| cd_pipeline_doi_api_key_secret_group | Secret group for the pipeline DOI api key. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cd_pipeline_doi_api_key_secret_name | Name of the Cloud API key secret in the secret provider to access the toolchain containing the Devops Insights instance. | string |
"" |
no |
| cd_pipeline_git_tag | The GIT tag selector for the Compliance Pipelines definitions. | string |
"" |
no |
| cd_pipeline_ibmcloud_api_key_secret_crn | The CRN of the IBMCloud apikey used for running the pipelines. | string |
"" |
no |
| cd_pipeline_ibmcloud_api_key_secret_group | Secret group for the pipeline ibmcloud API key secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cd_pipeline_ibmcloud_api_key_secret_name | Name of the Cloud API key secret in the secret provider for running the pipelines. | string |
"" |
no |
| cd_pipeline_properties | This JSON represents the pipeline properties belonging to the CD pipeline in the CD toolchain. Each element in the JSON represents a seperate pipeline property. Three attributes are required to create a property. These are the name field (how the name appears in the pipeline properties), the type (text, secure and enum) and then the value. Do not put secrets directly into JSON for the secure type, instead the value for a secret type should be a CRN to a secret in the configured secrets provider or a secret reference to a secret in the configured secrets provider. |
string |
"" |
no |
| cd_pipeline_properties_filepath | The path to the file containing the property JSON. If this is not set, it will by default read the properties.json file at the root of the module. |
string |
"" |
no |
| cd_privateworker_credentials_secret_crn | The CRN of the private worker service apikey that runs the pipeline tasks. | string |
"" |
no |
| cd_region | IBM Cloud region used to prefix the prod_latest inventory repository branch. |
string |
"" |
no |
| cd_repositories_prefix | Prefix name for the cloned compliance repos. For the repositories_prefix value only a-z, A-Z and 0-9 and the special characters -_ are allowed. In addition the string must not end with a special character or have two consecutive special characters. |
string |
"" |
no |
| cd_repository_properties | Stringified JSON containing the repositories and triggers that get created in the CI toolchain pipelines. | string |
"" |
no |
| cd_repository_properties_filepath | The path to the file containing the repository and triggers JSON. If this is not set, it will by default read the repositories.json file at the root of the module. |
string |
"" |
no |
| cd_scc_enable_scc | Adds the SCC tool integration to the toolchain. | string |
"" |
no |
| cd_scc_integration_name | The name of the SCC integration. | string |
"Security and Compliance" |
no |
| cd_scc_use_profile_attachment | Set to enabled to enable use profile with attachment, so that the scripts in the pipeline can interact with the Security and Compliance Center service. When enabled, other parameters become relevant; scc_scc_api_key_secret_name, scc_instance_crn, scc_profile_name, scc_profile_version, scc_attachment_id. |
string |
"" |
no |
| cd_service_plan | The Continuous Delivery service plan. Can be lite or professional. |
string |
"professional" |
no |
| cd_slack_channel_name | The name of the Slack channel where notifications are posted. | string |
"" |
no |
| cd_slack_pipeline_fail | Set to true to generate pipeline failed notifications. |
bool |
true |
no |
| cd_slack_pipeline_start | Set to true to generate pipeline start notifications. |
bool |
true |
no |
| cd_slack_pipeline_success | Set to true to generate pipeline succeeded notifications. |
bool |
true |
no |
| cd_slack_team_name | The Slack team name, which is the word or phrase before .slack.com in the team URL. | string |
"" |
no |
| cd_slack_toolchain_bind | Set to true to Generate tool added to toolchain notifications. |
bool |
true |
no |
| cd_slack_toolchain_unbind | Set to true to generate tool removed from toolchain notifications. |
bool |
true |
no |
| cd_slack_webhook_secret_crn | The CRN of the Slack webhook secret used for accessing the specified Slack channel. | string |
"" |
no |
| cd_slack_webhook_secret_group | Secret group for the Slack webhook secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cd_slack_webhook_secret_name | Name of the webhook secret in the secret provider used for accessing the configured Slack channel. | string |
"" |
no |
| cd_sm_instance_crn | The CRN of the Secrets Manager instance. | string |
"" |
no |
| cd_sm_location | The region hosting the Secrets Manager instance. | string |
"" |
no |
| cd_sm_name | The name of an existing Secrets Manager instance where the secrets are stored. | string |
"" |
no |
| cd_sm_resource_group | The name of the existing resource group containing the Secrets Manager instance for your secrets. | string |
"" |
no |
| cd_sm_secret_group | The Secrets Manager secret group containing the secrets for the DevSecOps pipelines. | string |
"" |
no |
| cd_toolchain_description | Description for the CD toolchain. | string |
"Toolchain created with terraform template for DevSecOps CD Best Practices." |
no |
| cd_toolchain_name | The name of the CD Toolchain. | string |
"" |
no |
| cd_toolchain_region | The region containing the CD toolchain. Use the short form of the regions. For example us-south. |
string |
"" |
no |
| cd_toolchain_resource_group | Resource group within which the toolchain is created. | string |
"" |
no |
| cd_trigger_git_enable | Set to true to enable the CD pipeline Git trigger. |
bool |
false |
no |
| cd_trigger_git_name | The name of the CD pipeline GIT trigger. | string |
"Git CD Trigger" |
no |
| cd_trigger_git_promotion_validation_branch | Branch for Git promotion validation listener. | string |
"prod" |
no |
| cd_trigger_git_promotion_validation_enable | Enable Git promotion validation for Git promotion listener. | bool |
false |
no |
| cd_trigger_git_promotion_validation_listener | Select a Tekton EventListener to use when Git promotion validation listener trigger is fired. | string |
"promotion-validation-listener-gitlab" |
no |
| cd_trigger_git_promotion_validation_name | Name of Git Promotion Validation Trigger | string |
"Git Promotion Validation Trigger" |
no |
| cd_trigger_manual_enable | Set to true to enable the CD pipeline Manual trigger. |
bool |
true |
no |
| cd_trigger_manual_name | The name of the CI pipeline Manual trigger. | string |
"Manual CD Trigger" |
no |
| cd_trigger_manual_promotion_enable | Set to true to enable the CD pipeline Manual Promotion trigger. |
bool |
true |
no |
| cd_trigger_manual_promotion_name | The name of the CD pipeline Manual Promotion trigger. | string |
"Manual Promotion Trigger" |
no |
| cd_trigger_manual_pruner_enable | Set to true to enable the manual Pruner trigger. |
bool |
true |
no |
| cd_trigger_manual_pruner_name | The name of the manual Pruner trigger. | string |
"Evidence Pruner Manual Trigger" |
no |
| cd_trigger_timed_cron_schedule | Only needed for timer triggers. Cron expression that indicates when this trigger will activate. Maximum frequency is every 5 minutes. The string is based on UNIX crontab syntax: minute, hour, day of month, month, day of week. Example: 0 _/2 - every 2 hours. | string |
"0 4 * * *" |
no |
| cd_trigger_timed_enable | Set to true to enable the CD pipeline Timed trigger. |
bool |
false |
no |
| cd_trigger_timed_name | The name of the CD pipeline Timed trigger. | string |
"Git CD Timed Trigger" |
no |
| cd_trigger_timed_pruner_enable | Set to true to enable the timed Pruner trigger. |
bool |
false |
no |
| cd_trigger_timed_pruner_name | The name of the timed Pruner trigger. | string |
"Evidence Pruner Timed Trigger" |
no |
| change_management_existing_url | The URL for an existing Change Management repository. | string |
"" |
no |
| change_management_repo_git_id | Set this value to github for github.com, or to the ID of a custom GitHub Enterprise server. |
string |
"" |
no |
| ci_app_group | Specify the Git user or group for the application repository. | string |
"" |
no |
| ci_app_name | Name of the application image and inventory entry. | string |
"hello-compliance-app" |
no |
| ci_app_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| ci_app_repo_branch | This is the repository branch used by the default sample application. Alternatively if app_repo_existing_url is provided, then the branch must reflect the default branch for that repository. Typically these branches are main or master. |
string |
"" |
no |
| ci_app_repo_clone_from_url | Override the default sample app by providing your own sample app URL, which is cloned into the app repository. Note, uses clone_if_not_exists mode, so if the app repository already exists the repository contents are unchanged. |
string |
"" |
no |
| ci_app_repo_clone_to_git_id | Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. |
string |
"" |
no |
| ci_app_repo_clone_to_git_provider | By default this gets set as 'hostedgit', else set to 'githubconsolidated' for GitHub repositories. | string |
"" |
no |
| ci_app_repo_existing_git_id | Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. |
string |
"" |
no |
| ci_app_repo_existing_git_provider | Git provider for application repo. If not set will default to hostedgit. |
string |
"" |
no |
| ci_app_repo_existing_url | Bring your own existing application repository by providing the URL. This will create an integration for your application repository instead of cloning the default sample. Repositories existing in a different org will require the use of Git token. See app_repo_git_token_secret_name under optional variables. |
string |
"" |
no |
| ci_app_repo_git_token_secret_crn | The CRN of the Git token used for accessing the application repository. | string |
"" |
no |
| ci_app_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the sample (or bring your own) application repository. | string |
"" |
no |
| ci_app_repo_secret_group | Secret group for the App repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| ci_artifactory_token_secret_crn | The CRN for the Artifactory access secret. | string |
"" |
no |
| ci_authorization_policy_creation | Disable Toolchain Service to Secrets Manager/Key Protect/Notifications Service authorization policy creation. To disable set the value to disabled. |
string |
"" |
no |
| ci_cluster_name | Name of the cluster where the application is deployed. (can be the same cluster used for prod) | string |
"" |
no |
| ci_cluster_namespace | Name of the cluster namespace where the application is deployed. | string |
"dev" |
no |
| ci_cluster_region | Region hosting the cluster where the application is deployed. Use the short form of the regions. For example us-south. |
string |
"" |
no |
| ci_cluster_resource_group | The cluster resource group. | string |
"" |
no |
| ci_code_engine_project | The name of the Code Engine project to use. | string |
"DevSecOps_CE" |
no |
| ci_code_engine_region | The region to create/lookup for the Code Engine project. | string |
"" |
no |
| ci_code_engine_resource_group | The resource group of the Code Engine project. | string |
"" |
no |
| ci_compliance_pipeline_branch | The CI Pipeline Compliance Pipeline branch. | string |
"" |
no |
| ci_compliance_pipeline_group | Specify the Git user or group for the compliance pipeline repository. | string |
"" |
no |
| ci_compliance_pipeline_pr_branch | The PR Pipeline Compliance Pipeline branch. | string |
"" |
no |
| ci_compliance_pipeline_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| ci_compliance_pipeline_repo_git_token_secret_crn | The CRN of the Git token used for accessing the Compliance Pipelines repository. | string |
"" |
no |
| ci_compliance_pipeline_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the compliance pipelines repository. | string |
"" |
no |
| ci_compliance_pipeline_repo_secret_group | Secret group for the Compliance Pipeline repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| ci_cos_api_key_secret_crn | The CRN of the Cloud Object Storage apikey. | string |
"" |
no |
| ci_cos_api_key_secret_group | Secret group for the COS API key secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| ci_cos_api_key_secret_name | Name of the Cloud Object Storage API key secret in the secret provider used for accessing the evidence COS bucket. | string |
"" |
no |
| ci_cos_bucket_name | The name of the Cloud Object Storage bucket used for storing the evidence. | string |
"" |
no |
| ci_cos_endpoint | The endpoint for the Cloud Object Stroage instance containing the evidence bucket. | string |
"" |
no |
| ci_doi_toolchain_id | The ID of the toolchain containing the DevOps Insights integration. This variable is used to link the DevOps Insights toolcard to a specific instance. | string |
"" |
no |
| ci_doi_toolchain_id_pipeline_property | The pipeline property for the DevOps Insights instance toolchain ID. | string |
"" |
no |
| ci_enable_key_protect | Set to true to the enable Key Protect integrations. |
string |
"" |
no |
| ci_enable_pipeline_notifications | When enabled, pipeline run events will be sent to the Event Notifications and Slack integrations in the enclosing toolchain. | string |
"" |
no |
| ci_enable_secrets_manager | Set to true to enable the Secrets Manager integrations. |
string |
"" |
no |
| ci_enable_slack | Set to true to create the Slack toolchain integration. |
string |
"" |
no |
| ci_event_notifications_crn | Set the Event Notifications CRN to create an Events Notification integration. | string |
"" |
no |
| ci_evidence_group | Specify the Git user or group for the evidence repository. | string |
"" |
no |
| ci_evidence_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| ci_evidence_repo_git_token_secret_crn | The CRN of the Git token used for accessing the Evidence repository. | string |
"" |
no |
| ci_evidence_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the evidence repository. | string |
"" |
no |
| ci_evidence_repo_secret_group | Secret group for the Evidence repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| ci_inventory_group | Specify the Git user or group for the inventory repository. | string |
"" |
no |
| ci_inventory_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| ci_inventory_repo_git_token_secret_crn | The CRN of the Git token used for acessing the Inventory repository. | string |
"" |
no |
| ci_inventory_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the inventory repository. | string |
"" |
no |
| ci_inventory_repo_secret_group | Secret group for the Inventory repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| ci_issues_group | Specify the Git user or group for the issues repository. | string |
"" |
no |
| ci_issues_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| ci_issues_repo_git_token_secret_crn | The CRN of the Git token used for accessing the Issues repository. | string |
"" |
no |
| ci_issues_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the issues repository. | string |
"" |
no |
| ci_issues_repo_secret_group | Secret group for the Issues repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| ci_kp_location | The region hosting the Key Protect instance. | string |
"" |
no |
| ci_kp_name | Name of the Key Protect instance where the secrets are stored. | string |
"" |
no |
| ci_kp_resource_group | The resource group containing the Key Protect instance. | string |
"" |
no |
| ci_link_to_doi_toolchain | Enable a link to a DevOps Insights instance in another toolchain. | bool |
false |
no |
| ci_pipeline_config_group | Specify the Git user or group for the pipeline config repository. | string |
"" |
no |
| ci_pipeline_config_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| ci_pipeline_config_repo_branch | Specify the branch containing the custom pipeline-config.yaml file. | string |
"" |
no |
| ci_pipeline_config_repo_clone_from_url | Specify a repository containing a custom pipeline-config.yaml file. | string |
"" |
no |
| ci_pipeline_config_repo_existing_url | Specify and link to an existing repository containing a custom pipeline-config.yaml file. | string |
"" |
no |
| ci_pipeline_config_repo_git_token_secret_crn | The CRN of the Git token for accessing the pipeline config repository. | string |
"" |
no |
| ci_pipeline_config_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the pipeline config repository. | string |
"" |
no |
| ci_pipeline_config_repo_secret_group | Secret group for the Pipeline Config repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| ci_pipeline_doi_api_key_secret_crn | The CRN of the DOI (DevOps Insights) apikey used for accessing a specific toolchain Insights instance. | string |
"" |
no |
| ci_pipeline_doi_api_key_secret_group | Secret group for the pipeline DOI api key. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| ci_pipeline_doi_api_key_secret_name | Name of the Cloud API key secret in the secret provider to access the toolchain containing the Devops Insights instance. | string |
"" |
no |
| ci_pipeline_git_tag | The GIT tag selector for the Compliance Pipelines definitions. | string |
"" |
no |
| ci_pipeline_ibmcloud_api_key_secret_crn | The CRN of the IBMCloud apikey used for running the pipelines. | string |
"" |
no |
| ci_pipeline_ibmcloud_api_key_secret_group | Secret group for the pipeline ibmcloud API key secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| ci_pipeline_ibmcloud_api_key_secret_name | Name of the Cloud API key secret in the secret provider for running the pipelines. | string |
"" |
no |
| ci_pipeline_properties | This JSON represents the pipeline properties belonging to the both the CI and PR pipelines in the CI toolchain. Each element in the JSON represents a seperate pipeline property. Three attributes are required to create a property. These are the name field (how the name appears in the pipeline properties), the type (text, secure and enum) and then the value. Do not put secrets directly into JSON for the secure type, instead the value for a secret type should be a CRN to a secret in the configured secrets provider or a secret reference to a secret in the configured secrets provider. |
string |
"" |
no |
| ci_pipeline_properties_filepath | The path to the file containing the properties JSON. If this is not set, it will by default read the properties.json file at the root of the CI module. |
string |
"" |
no |
| ci_privateworker_credentials_secret_crn | The CRN of the private worker service apikey that runs the pipeline tasks. | string |
"" |
no |
| ci_registry_region | The IBM Cloud Region where the IBM Cloud Container Registry namespace is to be created. Use the short form of the regions. For example us-south. |
string |
"" |
no |
| ci_repositories_prefix | Prefix name for the cloned compliance repos. For the repositories_prefix value only a-z, A-Z and 0-9 and the special characters -_ are allowed. In addition the string must not end with a special character or have two consecutive special characters. |
string |
"" |
no |
| ci_repository_properties | Stringified JSON containing the repositories and triggers that get created in the CI toolchain pipelines. | string |
"" |
no |
| ci_repository_properties_filepath | The path to a file containing the repository and triggers JSON. If this is not set, it will by default read the repositories.json file at the root of the CI module. |
string |
"" |
no |
| ci_signing_key_secret_name | Name of the signing key secret in the secret provider used for signing images/artifacts. | string |
"signing-key" |
no |
| ci_slack_channel_name | The name of the Slack channel where notifications are posted. | string |
"" |
no |
| ci_slack_pipeline_fail | Set to true to generate pipeline failed notifications. |
bool |
true |
no |
| ci_slack_pipeline_start | Set to true to generate pipeline start notifications. |
bool |
true |
no |
| ci_slack_pipeline_success | Set to true to generate pipeline succeeded notifications. |
bool |
true |
no |
| ci_slack_team_name | The Slack team name, which is the word or phrase before .slack.com in the team URL. |
string |
"" |
no |
| ci_slack_toolchain_bind | Set to true to Generate tool added to toolchain notifications. |
bool |
true |
no |
| ci_slack_toolchain_unbind | Set to true to generate tool removed from toolchain notifications. |
bool |
true |
no |
| ci_slack_webhook_secret_crn | The CRN of the Slack webhook secret used for accessing the specified Slack channel. | string |
"" |
no |
| ci_slack_webhook_secret_group | Secret group for the Slack webhook secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| ci_slack_webhook_secret_name | Name of the webhook secret in the secret provider used for accessing the configured Slack channel. | string |
"" |
no |
| ci_sm_instance_crn | The CRN of the Secrets Manager instance. | string |
"" |
no |
| ci_sm_location | The region hosting the Secrets Manager instance. | string |
"" |
no |
| ci_sm_name | The name of an existing Secrets Manager instance where the secrets are stored. | string |
"" |
no |
| ci_sm_resource_group | The name of the existing resource group containing the Secrets Manager instance for your secrets. | string |
"" |
no |
| ci_sm_secret_group | The Secrets Manager secret group containing the secrets for the DevSecOps pipelines. | string |
"" |
no |
| ci_sonarqube_integration_name | The name of the SonarQube integration. | string |
"" |
no |
| ci_sonarqube_is_blind_connection | When set to true, instructs IBM Cloud Continuous Delivery to not validate the configuration of this integration. Set this to true if the SonarQube server is not addressable on the public internet. |
string |
"" |
no |
| ci_sonarqube_secret_crn | The CRN of the secret used to access SonarQube. | string |
"" |
no |
| ci_sonarqube_secret_group | Secret group for the SonarQube secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| ci_sonarqube_secret_name | The name of the SonarQube secret in the secrets provider. | string |
"" |
no |
| ci_sonarqube_server_url | The URL to the SonarQube server. | string |
"" |
no |
| ci_sonarqube_user | The name of the SonarQube user. | string |
"" |
no |
| ci_toolchain_description | Description for the CI Toolchain. | string |
"Toolchain created with terraform template for DevSecOps CI Best Practices." |
no |
| ci_toolchain_name | The name of the CI Toolchain. | string |
"" |
no |
| ci_toolchain_region | The region containing the CI toolchain. Use the short form of the regions. For example us-south. |
string |
"" |
no |
| ci_toolchain_resource_group | The resource group within which the toolchain is created. | string |
"" |
no |
| ci_trigger_git_enable | Set to true to enable the CI pipeline Git trigger. |
bool |
true |
no |
| ci_trigger_git_name | The name of the CI pipeline GIT trigger. | string |
"Git CI Trigger" |
no |
| ci_trigger_manual_enable | Set to true to enable the CI pipeline Manual trigger. |
bool |
true |
no |
| ci_trigger_manual_name | The name of the CI pipeline Manual trigger. | string |
"Manual Trigger" |
no |
| ci_trigger_manual_pruner_enable | Set to true to enable the manual Pruner trigger. |
bool |
true |
no |
| ci_trigger_manual_pruner_name | The name of the manual Pruner trigger. | string |
"Evidence Pruner Manual Trigger" |
no |
| ci_trigger_pr_git_enable | Set to true to enable the PR pipeline Git trigger. |
bool |
true |
no |
| ci_trigger_pr_git_name | The name of the PR pipeline GIT trigger. | string |
"Git PR Trigger" |
no |
| ci_trigger_timed_cron_schedule | Only needed for timer triggers. Cron expression that indicates when this trigger will activate. Maximum frequency is every 5 minutes. The string is based on UNIX crontab syntax: minute, hour, day of month, month, day of week. Example: 0 _/2 - every 2 hours. | string |
"0 4 * * *" |
no |
| ci_trigger_timed_enable | Set to true to enable the CI pipeline Timed trigger. |
bool |
false |
no |
| ci_trigger_timed_name | The name of the CI pipeline Timed trigger. | string |
"Git CI Timed Trigger" |
no |
| ci_trigger_timed_pruner_enable | Set to true to enable the timed Pruner trigger. |
bool |
false |
no |
| ci_trigger_timed_pruner_name | The name of the timed Pruner trigger. | string |
"Evidence Pruner Timed Trigger" |
no |
| cluster_name | Name of the Kubernetes cluster where the application is deployed. This sets the same cluster name for both CI and CD toolchains. See ci_cluster_name and cd_cluster_name to set different cluster names. By default , the cluster namespace for CI will be set to dev and CD to prod. These can be changed using ci_cluster_namespace and cd_cluster_namespace. |
string |
"mycluster-free" |
no |
| code_engine_project | The name of the Code Engine project to use. Created if it does not exist. Applies to both the CI and CD toolchains. To set individually use ci_code_engine_project and cd_code_engine_project. |
string |
"" |
no |
| compliance_pipeline_branch | The Compliance Pipeline definitions branch. See ci_compliance_pipeline_branch, cd_compliance_pipeline_branch and cc_compliance_pipeline_branch to set independently. |
string |
"open-v10" |
no |
| compliance_pipeline_existing_repo_url | The URL of an existing compliance pipelines repository. | string |
"" |
no |
| compliance_pipeline_group | Specify user or group for compliance pipline repository. | string |
"" |
no |
| compliance_pipeline_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| compliance_pipeline_repo_blind_connection | Setting this value to true means the server is not addressable on the public internet. IBM Cloud will not be able to validate the connection details you provide. Certain functionality that requires API access to the git server will be disabled. Delivery pipeline will only work using a private worker that has network access to the git server. |
string |
"" |
no |
| compliance_pipeline_repo_git_id | Set this value to github for github.com, or to the ID of a custom GitHub Enterprise server. |
string |
"" |
no |
| compliance_pipeline_repo_git_provider | Git provider for compliance pipeline repo. If not set will default to hostedgit. |
string |
"" |
no |
| compliance_pipeline_repo_git_token_secret_crn | The CRN of the Git token used for accessing the sample application repository. | string |
"" |
no |
| compliance_pipeline_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the compliance pipelines repository. | string |
"" |
no |
| compliance_pipeline_repo_root_url | (Optional) The Root URL of the server. e.g. https://git.example.com. | string |
"" |
no |
| compliance_pipeline_repo_secret_group | Secret group for the Compliance Pipeline repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| compliance_pipeline_repo_title | (Optional) The title of the server. e.g. My Git Enterprise Server. | string |
"" |
no |
| compliance_pipeline_repo_use_group_settings | Set to true to apply group level repository settings to the compliance pipeline repository. See repo_git_provider as an example. |
bool |
false |
no |
| compliance_pipeline_source_repo_url | The URL of a compliance pipelines repository to clone. | string |
"" |
no |
| continuous_delivery_service_name | The name of the Continuous Delivery service instance. | string |
"cd-devsecops" |
no |
| cos_api_key_secret_crn | The CRN of the Cloud Object Storage apikey. Applies to the CI, CD and CC toolchains. Can beset independently using ci_cos_api_key_secret_crn,cd_cos_api_key_secret_crn,cc_cos_api_key_secret_crn. |
string |
"" |
no |
| cos_api_key_secret_group | Secret group for the COS api key secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| cos_api_key_secret_name | Name of the Cloud Object Storage API key secret in the secret provider for accessing the evidence COS bucket. In addition cos_endpoint and cos_bucket_name must be set. This setting sets the same API key for the COS settings in the CI, CD, and CC toolchains. |
string |
"" |
no |
| cos_bucket_name | Set the name of your COS bucket. This applies the same COS bucket name for the CI, CD, and CC toolchains. See ci_cos_bucket_name, cd_cos_bucket_name, and cc_cos_bucket_name to set separately. |
string |
"" |
no |
| cos_endpoint | The endpoint for the Cloud Object Stroage instance containing the evidence bucket. This setting sets the same endpoint for COS in the CI, CD, and CC toolchains. See ci_cos_endpoint, cd_cos_endpoint, and cc_cos_endpoint to set the endpoints independently. |
string |
"" |
no |
| create_cc_toolchain | Boolean flag which determines if the DevSecOps CC toolchain is created. | bool |
true |
no |
| create_cd_instance | Set to true to create Continuous Delivery Service. |
bool |
false |
no |
| create_cd_toolchain | Boolean flag which determines if the DevSecOps CD toolchain is created. | bool |
true |
no |
| create_ci_toolchain | Flag which determines if the DevSecOps CI toolchain is created. If this toolchain is not created then values must be set for the following variables, evidence_repo_url, issues_repo_url and inventory_repo_url. | bool |
true |
no |
| create_code_engine_access_policy | Add a Code Engine access policy to the generated IAM access key. See create_ibmcloud_api_key. |
bool |
false |
no |
| create_cos_api_key | Set to true to create and add a cos-api-key to the Secrets Provider. |
bool |
false |
no |
| create_git_token | Set to true to create and add the specified personal access token secret to the Secrets Provider. Use repo_git_token_secret_value for setting the value. |
bool |
false |
no |
| create_git_triggers | Set to true to create the default Git triggers associated with the compliance repos and sample app. |
string |
"true" |
no |
| create_ibmcloud_api_key | Set to true to create and add an ibmcloud-api-key to the Secrets Provider. |
bool |
false |
no |
| create_icr_namespace | Set to true to have Terraform create the registry namespace. Setting to false will have the CI pipeline create the namespace if it does not already exist. Note: If a Terraform destroy is used, the ICR namespace along with all images will be removed. |
bool |
false |
no |
| create_kubernetes_access_policy | Add a Kubernetes access policy to the generated IAM access key. See create_ibmcloud_api_key. |
bool |
false |
no |
| create_secret_group | Set to true to create the specified Secrets Manager secret group. |
bool |
false |
no |
| create_signing_key | Set to true to create and add a signing-key and the signing-certificate to the Secrets Provider. |
bool |
false |
no |
| create_triggers | Set to true to create the default triggers associated with the compliance repos and sample app. |
string |
"true" |
no |
| enable_key_protect | Set to true to the enable Key Protect integrations. |
string |
"false" |
no |
| enable_pipeline_notifications | When enabled, pipeline run events will be sent to the Event Notifications and Slack integrations in the enclosing toolchain. | string |
"" |
no |
| enable_secrets_manager | Set to true to enable the Secrets Manager integrations. |
string |
"true" |
no |
| enable_slack | Set to true to create the Slack toolchain integration. This requires a valid slack_channel_name, slack_team_name, and a valid webhook (see slack_webhook_secret_name). This setting applies for CI, CD, and CC toolchains. |
string |
"false" |
no |
| environment_prefix | By default ibm:yp:. This will be set as the prefix to regions automatically where required. For example ibm:yp:us-south. |
string |
"ibm:yp:" |
no |
| environment_tag | Tag name that represents the target environment in the inventory. Example: prod_latest. | string |
"prod_latest" |
no |
| event_notifications_crn | Set the Event Notifications CRN to create an Events Notification integration. This paramater will apply to the CI, CD and CC toolchains. Can be set independently with ci_event_notifications_crn, cd_event_notifications_crn, cc_event_notifications_crn. |
string |
"" |
no |
| event_notifications_tool_name | The name of the Event Notifications integration. | string |
"Event Notifications" |
no |
| evidence_group | Specify the Git user or group for the evidence repository. | string |
"" |
no |
| evidence_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| evidence_repo_existing_git_id | Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. |
string |
"" |
no |
| evidence_repo_existing_git_provider | Git provider for evidence repo. If not set will default to hostedgit. |
string |
"" |
no |
| evidence_repo_existing_url | Set to use an existing evidence repository. | string |
"" |
no |
| evidence_repo_git_token_secret_crn | The CRN of the Git token used for accessing the Evidence repository. | string |
"" |
no |
| evidence_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the evidence repository. | string |
"" |
no |
| evidence_repo_integration_owner | The name of the repository integration owner. | string |
"" |
no |
| evidence_repo_name | Set to use a custom name for the Evidence repository. | string |
"" |
no |
| evidence_repo_secret_group | Secret group for the Evidence repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| ibmcloud_api_key | The API key used to create the toolchains. (See deployment guide.) | string |
n/a | yes |
| inventory_group | Specify the Git user or group for the inventory repository. | string |
"" |
no |
| inventory_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| inventory_repo_existing_git_id | Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. |
string |
"" |
no |
| inventory_repo_existing_git_provider | Git provider for the inventory repo. If not set will default to hostedgit. |
string |
"" |
no |
| inventory_repo_existing_url | Set to use an existing inventory repository. | string |
"" |
no |
| inventory_repo_git_token_secret_crn | The CRN of the Git token used for acessing the Inventory repository. | string |
"" |
no |
| inventory_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the inventory repository. | string |
"" |
no |
| inventory_repo_integration_owner | The name of the repository integration owner. | string |
"" |
no |
| inventory_repo_name | Set to use a custom name for the Inventory repository. | string |
"" |
no |
| inventory_repo_secret_group | Secret group for the Inventory repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| issues_group | Specify the Git user or group for the issues repository. | string |
"" |
no |
| issues_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| issues_repo_existing_git_id | Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. |
string |
"" |
no |
| issues_repo_existing_git_provider | Git provider for the issues repo. If not set will default to hostedgit. |
string |
"" |
no |
| issues_repo_existing_url | By default this gets set as 'hostedgit', else set to 'githubconsolidated' for GitHub repositories. | string |
"" |
no |
| issues_repo_git_token_secret_crn | The CRN of the Git token used for accessing the Issues repository. | string |
"" |
no |
| issues_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the issues repository. | string |
"" |
no |
| issues_repo_integration_owner | The name of the repository integration owner. | string |
"" |
no |
| issues_repo_name | Set to use a custom name for the Issues repository. | string |
"" |
no |
| issues_repo_secret_group | Secret group for the Issues repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| kp_integration_name | The name of the Key Protect integration. | string |
"kp-compliance-secrets" |
no |
| kp_location | The region hosting the Key Protect instance. This applies to the CI, CD and CC Key Protect integrations. See ci_kp_location, cd_kp_location, and cc_kp_location to set these values . |
string |
"us-south" |
no |
| kp_name | Name of the Key Protect instance where the secrets are stored. This applies to the CI, CD and CC Key Protect integrations. See ci_kp_name, cd_kp_name, and cc_kp_name to set these values independently. |
string |
"kp-compliance-secrets" |
no |
| kp_resource_group | The resource group containing the Key Protect instance. This applies to the CI, CD and CC Key Protect integrations. See ci_kp_resource_group, cd_kp_resource_group, and cc_kp_resource_group to set these values independently. |
string |
"Default" |
no |
| pipeline_config_group | Specify the Git user or group for the compliance pipeline repository. | string |
"" |
no |
| pipeline_config_repo_auth_type | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to oauth when unset. pat is a git personal access token. |
string |
"" |
no |
| pipeline_config_repo_branch | Specify the branch containing the custom pipeline-config.yaml file. | string |
"" |
no |
| pipeline_config_repo_clone_from_url | Specify a repository containing a custom pipeline-config.yaml file. | string |
"" |
no |
| pipeline_config_repo_existing_url | Specify and link to an existing repository containing a custom pipeline-config.yaml file. | string |
"" |
no |
| pipeline_config_repo_git_id | Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. |
string |
"" |
no |
| pipeline_config_repo_git_provider | Git provider for pipeline repo config | string |
"" |
no |
| pipeline_config_repo_git_token_secret_crn | The CRN of the Git token for accessing the pipeline config repository. | string |
"" |
no |
| pipeline_config_repo_git_token_secret_name | Name of the Git token secret in the secret provider used for accessing the pipeline config repository. | string |
"" |
no |
| pipeline_config_repo_secret_group | Secret group for the Pipeline Config repository secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| pipeline_doi_api_key_secret_crn | The CRN of the DOI (DevOps Insights) apikey used for accessing a specific toolchain Insights instance. Applies to the CI, CD and CC toolchains. | string |
"" |
no |
| pipeline_doi_api_key_secret_group | Secret group for the pipeline DOI api key. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. Applies to the CI, CD and CC toolchains. |
string |
"" |
no |
| pipeline_doi_api_key_secret_name | Name of the Cloud API key secret in the secret provider to access the toolchain containing the Devops Insights instance. This will apply to the CI, CD and CC toolchains. | string |
"" |
no |
| pipeline_git_tag | The GIT tag selector for the Compliance Pipelines definitions. | string |
"" |
no |
| pipeline_ibmcloud_api_key_secret_crn | The CRN of the IBMCloud apikey used for running the pipelines. | string |
"" |
no |
| pipeline_ibmcloud_api_key_secret_group | Secret group for the pipeline ibmcloud API key secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| pipeline_ibmcloud_api_key_secret_name | Name of the Cloud API key secret in the secret provider for running the pipelines. Applies to the CI, CD and CC toolchains. | string |
"ibmcloud-api-key" |
no |
| pr_pipeline_git_tag | The GIT tag selector for the Compliance Pipelines definitions. | string |
"" |
no |
| prefix | A prefix that is added to the toolchain resources. | string |
"" |
no |
| registry_namespace | A unique namespace within the IBM Cloud Container Registry region where the application image is stored. | string |
"" |
no |
| repo_blind_connection | Setting this value to true means the server is not addressable on the public internet. IBM Cloud will not be able to validate the connection details you provide. Certain functionality that requires API access to the git server will be disabled. Delivery pipeline will only work using a private worker that has network access to the git server. |
string |
"" |
no |
| repo_git_id | The Git ID for the compliance repositories. | string |
"" |
no |
| repo_git_provider | The Git provider type. | string |
"" |
no |
| repo_git_token_secret_crn | The CRN for the repositories Git Token. | string |
"" |
no |
| repo_git_token_secret_name | Name of the Git token secret in the secret provider. Specifying a secret name for the Git Token automatically sets the authentication type to pat. |
string |
"" |
no |
| repo_git_token_secret_value | The personal access token that will be added to the repo_git_token_secret_name secret in the secrets provider. |
string |
"" |
no |
| repo_group | Specify the Git user or group for your application. This must be set if the repository authentication type is pat (personal access token). |
string |
"" |
no |
| repo_root_url | (Optional) The Root URL of the server. e.g. https://git.example.com. | string |
"" |
no |
| repo_secret_group | Secret group in Secrets Manager that contains the secret for the repository. This variable will set the same secret group for all the repositories. Can be overriden on a per secret group basis. Only applies when using Secrets Manager. | string |
"" |
no |
| repo_title | (Optional) The title of the server. e.g. My Git Enterprise Server. | string |
"" |
no |
| repositories_prefix | Prefix name for the cloned compliance repos. For the repositories_prefix value only a-z, A-Z and 0-9 and the special characters -_ are allowed. In addition the string must not end with a special character or have two consecutive special characters. |
string |
"compliance" |
no |
| rotate_signing_key | Set to true to rotate the signing key and signing certificate. It is important to make a back up for the current code signing certificate as pending CD deployments might require image validation against the previous signing key. |
bool |
false |
no |
| rotation_period | The number of days until the ibmcloud-api-key and the cos-api-key are auto rotated. |
number |
90 |
no |
| sample_default_application | The name of the sample application repository. The repository source URL is automatically computed based on the toolchain region. The other currently supported name is code-engine-compliance-app. Alternatively an integration can be created that can link to or clone from an existing repository. See app_repo_existing_url and app_repo_clone_from_url to override the sample application default behavior. |
string |
"hello-compliance-app" |
no |
| scc_attachment_id | An attachment ID. An attachment is configured under a profile to define how a scan will be run. To find the attachment ID, in the browser, in the attachments list, click on the attachment link, and a panel appears with a button to copy the attachment ID. This parameter is only relevant when the scc_use_profile_attachment parameter is enabled. |
string |
"" |
no |
| scc_enable_scc | Adds the SCC tool integration to the toolchain. | string |
"true" |
no |
| scc_instance_crn | The Security and Compliance Center service instance CRN (Cloud Resource Name). This parameter is only relevant when the scc_use_profile_attachment parameter is enabled. |
string |
"" |
no |
| scc_profile_name | The name of a Security and Compliance Center profile. Use the IBM Cloud Framework for Financial Services profile, which contains the DevSecOps Toolchain rules. Or use a user-authored customized profile that has been configured to contain those rules. This parameter is only relevant when the scc_use_profile_attachment parameter is enabled. |
string |
"" |
no |
| scc_profile_version | The version of a Security and Compliance Center profile, in SemVer format, like 0.0.0. This parameter is only relevant when the scc_use_profile_attachment parameter is enabled. |
string |
"" |
no |
| scc_scc_api_key_secret_crn | The CRN for the SCC apikey. | string |
"" |
no |
| scc_scc_api_key_secret_group | Secret group for the Security and Compliance tool secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| scc_scc_api_key_secret_name | The name of the Security and Compliance Center api-key secret in the secret provider. | string |
"scc-api-key" |
no |
| scc_use_profile_attachment | Set to enabled to enable use profile with attachment, so that the scripts in the pipeline can interact with the Security and Compliance Center service. When enabled, other parameters become relevant; scc_scc_api_key_secret_name, scc_instance_crn, scc_profile_name, scc_profile_version, scc_attachment_id. Can individually be enabled and disabled in the CD and CC toolchains using cd_scc_use_profile_attachment and cc_scc_use_profile_attachment. |
string |
"disabled" |
no |
| service_name_cos | The name of the Service ID for COS access. | string |
"cos-service-id" |
no |
| service_name_pipeline | The name of the Service ID for pipeline and toolchain access. | string |
"toolchain-pipeline-service-id" |
no |
| slack_channel_name | The name of the Slack channel where notifications are posted. This applies to the CI, CD, and CC toolchains. To set independently see ci_slack_channel_name, cd_slack_channel_name, and cc_slack_channel_name. |
string |
"" |
no |
| slack_integration_name | The name of the Slack integration. | string |
"slack-compliance" |
no |
| slack_team_name | The Slack team name, which is the word or phrase before .slack.com in the team URL. This applies to the CI, CD, and CC toolchains. To set independently, see ci_slack_team_name, cd_slack_team_name, and cc_slack_team_name. |
string |
"" |
no |
| slack_webhook_secret_crn | The CRN of the Slack webhook secret used for accessing the specified Slack channel. | string |
"" |
no |
| slack_webhook_secret_group | Secret group for the Slack webhook secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| slack_webhook_secret_name | Name of the webhook secret in the secret provider used for accessing the configured Slack channel. This applies to the CI, CD, and CC toolchains. To set independently, see ci_slack_webhook_secret_name, cd_slack_webhook_secret_name, and cc_slack_webhook_secret_name. |
string |
"slack-webhook" |
no |
| sm_endpoint_type | The types of service endpoints to target for Secrets Manager. Valid values are private and public. |
string |
"private" |
no |
| sm_instance_crn | The CRN of the Secrets Manager instance. Will apply to CI, CD and CC toolchains unless set individually. Setting up the Secrets Manager integration using a CRN takes precendence over the non CRN setup. | string |
"" |
no |
| sm_integration_name | The name of the Secrets Manager integration. | string |
"sm-compliance-secrets" |
no |
| sm_location | The region hosting the Secrets Manager instance. This applies to the CI, CD and CC Secret Manager integrations. | string |
"us-south" |
no |
| sm_name | The name of an existing Secret Managers instance. This applies to the CI, CD and CC Secret Manager integrations. | string |
"sm-instance" |
no |
| sm_resource_group | The name of the existing resource group containing the Secrets Manager instance for your secrets.. This applies to the CI, CD and CC Secret Manager integrations. See ci_sm_resource_group, cd_sm_resource_group, and cc_sm_resource_group to set these values independently. |
string |
"Default" |
no |
| sm_secret_expiration_period | The number of days until the secrets expire. Leave empty to not set an expiration for the created secrets. | string |
"" |
no |
| sm_secret_group | The Secrets Manager secret group containing the secrets for the DevSecOps pipelines. This applies to the CI, CD and CC Secret Manager integrations. See ci_sm_secret_group, cd_sm_secret_group, and cc_sm_secret_group to set these values independently. |
string |
"Default" |
no |
| sonarqube_integration_name | The name of the SonarQube integration. | string |
"SonarQube" |
no |
| sonarqube_is_blind_connection | When set to true, instructs IBM Cloud Continuous Delivery to not validate the configuration of this integration. Set this to true if the SonarQube server is not addressable on the public internet. |
string |
"true" |
no |
| sonarqube_secret_crn | The CRN of the secret used to access SonarQube. | string |
"" |
no |
| sonarqube_secret_group | Secret group for the SonarQube secret. Defaults to the value set in sm_secret_group if not set. Only used with Secrets Manager. |
string |
"" |
no |
| sonarqube_secret_name | The name of the SonarQube secret in the secrets provider. | string |
"sonarqube-secret" |
no |
| sonarqube_server_url | The URL to the SonarQube server. | string |
"" |
no |
| sonarqube_user | The name of the SonarQube user. | string |
"" |
no |
| toolchain_name | This variable specifies the root name for the CI, CD and CC toolchain names. A fixed suffix will automatically be appended. Setting DevSecOps will generate toolchains with the names DevSecOps-CI-Toolchain, DevSecOps-CD-Toolchain and DevSecOps-CC-Toolchain. The full name of each toolchain can be set independently using ci_toolchain_name, cd_toolchain_name, and cc_toolchain_name. |
string |
"DevSecOps" |
no |
| toolchain_region | The region identifier that will be used, by default, for all resource creation and service instance lookup. | string |
"us-south" |
no |
| toolchain_resource_group | The resource group that will be used, by default, for all resource creation and service instance lookups. This can be overridden on a per resource/service basis. | string |
"Default" |
no |
| use_app_repo_for_cd_deploy | Set to true to use the CI sample application repository as the deployment repository in the CD pipeline. This will be set in the pipeline config integration. |
bool |
false |
no |
| worker_id | The identifier for the pipeline worker. Applies to the CI, CD and CC pipelines. | string |
"public" |
no |
Outputs
| Name | Description |
|---|---|
| app_repo_url | The App Repo URL |
| cc_pipeline_id | The CC pipeline Id |
| cd_pipeline_id | The CD pipeline Id |
| change_management_repo_url | The Change Management Repo URL. |
| ci_pipeline_id | The CI pipeline Id |
| compliance_cc_toolchain_id | The ID of the Compliance CC Toolchain |
| compliance_cc_toolchain_url | The Compliance CC Toolchain URL |
| compliance_cd_toolchain_id | The ID of the Compliance CD Toolchain |
| compliance_cd_toolchain_url | The Compliance CD Toolchain URL |
| compliance_ci_toolchain_id | The ID of the Compliance CI Toolchain |
| compliance_ci_toolchain_url | The Compliance CI Toolchain URL |
| evidence_repo_url | The Evidence Repo URL |
| icr_namespace_name | The name of the targets ICR namespace. |
| inventory_repo_url | The Inventory Repo URL |
| issues_repo_url | The Issues Repo URL |
| key_protect_instance_id | The Key Protect Instance ID |
| pr_pipeline_id | The PR pipeline Id |
| secrets_manager_instance_id | The Secrets Manage Instance ID |
Contributing
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.