-
Notifications
You must be signed in to change notification settings - Fork 9
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'master' into BartoszBlizniak-patch-1
- Loading branch information
Showing
13 changed files
with
212 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
resource "cloudsmith_package_deny_policy" "left_pad_policy" { | ||
name = "Deny left-pad" | ||
description = "Deny left-pad versions greater than 1.1.2" | ||
package_query = "format:npm AND name:left-pad AND version:>1.1.2" | ||
namespace = data.cloudsmith_organization.org-demo.slug | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
terraform { | ||
required_providers { | ||
cloudsmith = { | ||
source = "cloudsmith-io/cloudsmith" | ||
} | ||
} | ||
} | ||
|
||
provider "cloudsmith" { | ||
api_key = var.api_key | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
# Terraform iterative structure example | ||
|
||
This terraform example project will setup 3 repositories using a loop-based approach for instances where each repository | ||
shares many attributes with the others, but changes slightly based on their individual needs. | ||
|
||
* Creates a Development, Staging and Production repository | ||
* Disables User entitlements. The default entitlement token can then be disabled so that authentication can only be done via API keys! | ||
* Creates an individual CI service account for each repository which gets write access | ||
* Configures Github OIDC for authenticating as the service accounts (see our documentation [here](https://help.cloudsmith.io/docs/setup-cloudsmith-to-authenticate-with-oidc-in-github-actions) for how to configure that on the Github side) | ||
* Creates a Developers team which gets write permission on the Development repository | ||
* Configures DockerHub and Chainguard upstreams on each repository | ||
* Configures a Vulnerablity policy that blocks high severity vulnerabilities. | ||
* Configures a license policy that blocks AGPL licensed packages. | ||
|
||
## Usage | ||
|
||
To get started, supply your API key and org name in `global-variables.tf` file. | ||
Run `terraform init` and then run `terraform apply` to execute the plan. | ||
|
||
Configuration can be done in the `terraform.tfvars` file. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
data "cloudsmith_organization" "cloudsmith-org" { | ||
slug = "YOUR-ORG-NAME" | ||
} | ||
|
||
variable "api_key" { | ||
type = string | ||
default = "YOUR-API-KEY" | ||
} | ||
|
||
variable "default_storage_region" { | ||
type = string | ||
default = "us-ohio" | ||
} | ||
|
||
variable "chainguard_api_user" { | ||
type = string | ||
default = "YOUR-CHAINGUARD-API-USER" | ||
} | ||
|
||
variable "chainguard_api_secret" { | ||
type = string | ||
default = "YOUR-CHAINGUARD-API-SECRET" | ||
} | ||
|
||
variable "repositories" { | ||
type = map(object({ | ||
add_developers = optional(bool) | ||
oidc_claims = optional(map(string)) | ||
})) | ||
description = "A map of repositories with their configurations." | ||
default = { | ||
"staging" = { | ||
add_developers = false | ||
}, | ||
"production" = { | ||
add_developers = false | ||
} | ||
} | ||
} | ||
|
||
variable "oidc_claims" { | ||
type = map(string) | ||
default = { | ||
"repository" = "Owner/GitHubRepoName" | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
resource "cloudsmith_license_policy" "agpl-policy" { | ||
name = "Block AGPL" | ||
description = "Block AGPL licensed packages" | ||
spdx_identifiers = ["AGPL-1.0", "AGPL-1.0-only", "AGPL-1.0-or-later", "AGPL-3.0", "AGPL-3.0-only", "AGPL-3.0-or-later"] | ||
on_violation_quarantine = true | ||
organization = data.cloudsmith_organization.cloudsmith-org.slug | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
resource "cloudsmith_oidc" "org-oidc" { | ||
for_each = var.repositories | ||
namespace = data.cloudsmith_organization.cloudsmith-org.slug | ||
name = "Github OIDC - ${each.key}" | ||
enabled = true | ||
provider_url = "https://token.actions.githubusercontent.com" | ||
service_accounts = [cloudsmith_service.ci-service[each.key].slug] | ||
claims = (each.value.oidc_claims != null) ? each.value.oidc_claims : var.oidc_claims | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
terraform { | ||
required_providers { | ||
cloudsmith = { | ||
source = "cloudsmith-io/cloudsmith" | ||
} | ||
} | ||
} | ||
|
||
provider "cloudsmith" { | ||
api_key = var.api_key | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
resource "cloudsmith_repository" "repositories" { | ||
for_each = var.repositories | ||
description = "${title(each.key)} repository" | ||
name = "${each.key}" | ||
namespace = data.cloudsmith_organization.cloudsmith-org.slug_perm | ||
slug = "${each.key}" | ||
repository_type = "Private" | ||
storage_region = var.default_storage_region | ||
user_entitlements_enabled = false | ||
|
||
} | ||
|
||
resource "cloudsmith_repository_privileges" "repo-privs" { | ||
for_each = var.repositories | ||
organization = data.cloudsmith_organization.cloudsmith-org.slug | ||
repository = cloudsmith_repository.repositories[each.key].slug | ||
|
||
# if you're using a service account to provision, be sure to include it as an Admin here! | ||
service { | ||
privilege = "Write" | ||
slug = cloudsmith_service.ci-service[each.key].slug | ||
} | ||
|
||
dynamic "team" { | ||
for_each = each.value.add_developers == true ? [1] : [] | ||
content { | ||
privilege = "Write" | ||
slug = cloudsmith_team.developers.slug | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
resource "cloudsmith_service" "ci-service" { | ||
for_each = var.repositories | ||
name = "${lower(each.key)}-ci-service" | ||
organization = data.cloudsmith_organization.cloudsmith-org.slug | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
resource "cloudsmith_team" "developers" { | ||
organization = data.cloudsmith_organization.cloudsmith-org.slug_perm | ||
name = "Developers" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
repositories = { | ||
"development": { | ||
"add_developers": true | ||
}, | ||
"staging": { | ||
"add_developers": false | ||
}, | ||
"production": { | ||
"add_developers": false | ||
"oidc_claims": { | ||
"repository" = "Owner/ProductionGithubRepoName" | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
# Chainguard public repositories, no authentication, affix /chainguard/ to URL when pulling. | ||
resource "cloudsmith_repository_upstream" "cgr-public" { | ||
for_each = var.repositories | ||
name = "cgr-public" | ||
namespace = data.cloudsmith_organization.cloudsmith-org.slug_perm | ||
repository = cloudsmith_repository.repositories[each.key].slug_perm | ||
is_active = true | ||
upstream_type = "docker" | ||
upstream_url = "https://cgr.dev" | ||
mode = "Cache and Proxy" | ||
priority = 2 | ||
} | ||
|
||
# Chainguard private repositories, uses authentication, affix /<your-chainguard-id>/ to URL when pulling. | ||
resource "cloudsmith_repository_upstream" "cgr-private" { | ||
for_each = var.repositories | ||
name = "cgr-private" | ||
namespace = data.cloudsmith_organization.cloudsmith-org.slug_perm | ||
repository = cloudsmith_repository.repositories[each.key].slug_perm | ||
is_active = true | ||
upstream_type = "docker" | ||
upstream_url = "https://cgr.dev" | ||
mode = "Cache and Proxy" | ||
auth_mode = "Username and Password" | ||
auth_username = var.chainguard_api_user | ||
auth_secret = var.chainguard_api_secret | ||
priority = 2 | ||
} | ||
|
||
resource "cloudsmith_repository_upstream" "dockerhub" { | ||
for_each = var.repositories | ||
name = "dockerhub" | ||
namespace = data.cloudsmith_organization.cloudsmith-org.slug_perm | ||
repository = cloudsmith_repository.repositories[each.key].slug_perm | ||
upstream_type = "docker" | ||
upstream_url = "https://index.docker.io" | ||
mode = "Cache and Proxy" | ||
priority = 1 | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
resource "cloudsmith_vulnerability_policy" "container-policy-test" { | ||
name = "Container policy" | ||
description = "Block high severity issues in docker images" | ||
min_severity = "High" | ||
on_violation_quarantine = true | ||
allow_unknown_severity = true | ||
package_query_string = "format:docker" | ||
organization = data.cloudsmith_organization.cloudsmith-org.slug | ||
} |