Saltar para o conteúdo principal

DevSecOps Terraform Code - Explained

Overview

With our environments configured and secrets created, it's time to dive into the Terraform code that defines the DevSecOps pipeline infrastructure. This guide provides a detailed explanation of the critical components so you can fully understand how the system works.

Code Overview

All relevant code is located in the terraform folder, which contains multiple Terraform modules:

  1. Core Infrastructure
  2. CI/CD Pipelines

Core Infrastructure

This module provisions foundational infrastructure components such as storage, artifact registry, and secret management. It ensures that essential resources are available for secure DevSecOps operations.

  • Files:
    • main.tf: Defines storage buckets, artifact registries, and secret management resources.
    • variables.tf: Configures input variables, including project ID and region.
    • provider.tf: Configures the Google Cloud provider settings.

CI/CD Pipelines

This module sets up Cloud Build pipelines, IAM roles, and GitHub integration for CI/CD automation. Below are the key elements explained in detail:

Artifact Registry Configuration

  • Resource: google_artifact_registry_repository
  • Purpose:
    • Provisions a Docker artifact repository for storing container images.
    • Ensures that all built images are stored securely and version-controlled.
    • Enables seamless integration with Google Cloud Build for CI/CD pipelines.

Cloud Storage Bucket Configuration

  • Resource: google_storage_bucket
  • Purpose:
    • Provisions a Cloud Storage bucket for storing Cloud Build artifacts.
    • Standardizes bucket naming conventions using variables.
    • Ensures secure and centralized storage for build and deployment artifacts.

Secret Management Configuration

  • Resource: google_secret_manager_secret
  • Purpose:
    • Stores sensitive information such as API tokens securely.
    • Manages access control for secrets using IAM policies.
    • Ensures integration with Cloud Build and other services.

FastAPI Pipeline Configuration

  • Module: gcp_python_fastapi_pipeline
  • Purpose:
    • Establishes a CI/CD pipeline for the "GCP FastAPI" project.
    • Leverages the GitHub connection to pull source code from the repository.
    • Integrates the pipeline with the Cloud Storage bucket and Artifact Registry for seamless deployments.

Key Pipeline Parameters

  • GitHub Integration:
    • Dynamically links the GitHub connection to Cloud Build triggers.
    • Configures repository details:
      • Repository: The-DevSec-Blueprint/gcp-python-fastapi
      • Branch: main
  • Build and Deployment:
    • Buildspec: Located at cloudbuild.yaml.
    • Build environment:
      • Machine type: E2_SMALL
      • Image: gcr.io/cloud-builders/gcloud
      • Privileged mode enabled for containerized builds.
  • Security Scanning:
    • Integrates Snyk for container security scanning.
    • Uses SNYK_TOKEN and project_id variables for authentication.

By understanding the purpose and structure of these Terraform configurations, you'll have a clearer picture of how the DevSecOps pipeline functions, from provisioning infrastructure to enabling secure and automated CI/CD workflows.