A Terraform module for provisioning the DevSecOps CI, CD, and CC toolchains.

```hcl
module "terraform_devsecops_alm" {
  source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-alm?ref=v1.0.4"

  toolchain_region         = var.toolchain_region
  toolchain_resource_group = var.toolchain_resource_group
  registry_namespace       = var.registry_namespace
  cluster_name             = var.cluster_name
  sm_resource_group        = var.sm_resource_group
  sm_name                  = var.sm_name
  sm_location              = var.sm_location
  sm_secret_group          = var.sm_secret_group
}
```
| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| ibm | >= 1.60.0 |
| null | >= 3.2.2 |
| random | >= 3.6.2 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| authorization_policy_creation | Disable Toolchain Service to Secrets Manager Service authorization policy creation. To disable, set the value to `disabled`. This applies to the CI, CD, and CC toolchains. To set separately, see `ci_authorization_policy_creation`, `cd_authorization_policy_creation`, and `cc_authorization_policy_creation`. | string | `""` | no |
| autostart | Set to true to auto run the CI pipeline in the CI toolchain after creation. | bool | `false` | no |
| cc_app_group | Specify user or group for app repo. | string | `""` | no |
| cc_app_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | `""` | no |
| cc_app_repo_branch | The default branch of the app repo. | string | `"master"` | no |
| cc_app_repo_git_id | The Git Id of the repository. | string | `""` | no |
| cc_app_repo_git_provider | The type of the Git provider. | string | `"hostedgit"` | no |
| cc_app_repo_git_token_secret_crn | The CRN for the app repository Git Token. | string | `""` | no |
| cc_app_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | `""` | no |
| cc_app_repo_secret_group | Secret group prefix for the App repo secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cc_app_repo_url | The Git URL for the application repository. | string | `""` | no |
| cc_artifactory_token_secret_crn | The CRN for the Artifactory secret. | string | `""` | no |
| cc_authorization_policy_creation | Disable Toolchain service to Secrets Manager Service authorization policy creation. | string | `""` | no |
| cc_compliance_base_image | Pipeline base image to run most of the built-in pipeline code. | string | `""` | no |
| cc_compliance_pipeline_branch | The CC Pipeline Compliance Pipeline branch. | string | `""` | no |
| cc_compliance_pipeline_group | Specify user or group for compliance pipeline repo. | string | `""` | no |
| cc_compliance_pipeline_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | `""` | no |
| cc_compliance_pipeline_repo_git_token_secret_crn | The CRN for the Compliance Pipeline repository Git Token. | string | `""` | no |
| cc_compliance_pipeline_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | `""` | no |
| cc_compliance_pipeline_repo_secret_group | Secret group prefix for the Compliance Pipeline repo secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cc_cos_api_key_secret_crn | The CRN for the Cloud Object Storage apikey. | string | `""` | no |
| cc_cos_api_key_secret_group | Secret group prefix for the COS API key secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cc_cos_api_key_secret_name | Name of the COS API key secret in the secret provider. | string | `""` | no |
| cc_cos_bucket_name | COS bucket name. | string | `""` | no |
| cc_cos_endpoint | COS endpoint name. | string | `""` | no |
| cc_cra_bom_generate | Set this flag to 1 to generate the CRA BOM. | string | `"1"` | no |
| cc_cra_deploy_analysis | Set this flag to 1 for CRA deployment analysis to be done. | string | `"1"` | no |
| cc_cra_vulnerability_scan | Set this flag to 1 and cra-bom-generate to 1 for the CRA vulnerability scan. If this value is set to 1 and cra-bom-generate is set to 0, the scan will be marked as a failure. | string | `"1"` | no |
| cc_doi_environment | DevOps Insights environment for DevSecOps CD deployment. | string | `""` | no |
| cc_doi_toolchain_id | DevOps Insights toolchain ID to link to. | string | `""` | no |
| cc_enable_key_protect | Enable the Key Protect integration. | bool | `false` | no |
| cc_enable_pipeline_dockerconfigjson | Enable to add the pipeline-dockerconfigjson property to the pipeline properties. | bool | `false` | no |
| cc_enable_pipeline_notifications | When enabled, pipeline run events will be sent to the Event Notifications and Slack integrations in the enclosing toolchain. | bool | `false` | no |
| cc_enable_secrets_manager | Enable the Secrets Manager integration. | bool | `false` | no |
| cc_enable_slack | Set to true to create the integration. | bool | `false` | no |
| cc_environment_tag | Tag name that represents the target environment in the inventory. Example: prod_latest. | string | `""` | no |
| cc_event_notifications | To enable event notification, set event_notifications to 1. | string | `"0"` | no |
| cc_event_notifications_crn | Set the Event Notifications CRN to create an Event Notifications integration. | string | `""` | no |
| cc_evidence_group | Specify Git user or group for evidence repository. | string | `""` | no |
| cc_evidence_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | `""` | no |
| cc_evidence_repo_git_token_secret_crn | The CRN for the Evidence repository Git Token. | string | `""` | no |
| cc_evidence_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | `""` | no |
| cc_evidence_repo_secret_group | Secret group prefix for the Evidence repo secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cc_gosec_private_repository_host | Your private repository base URL. | string | `""` | no |
| cc_gosec_private_repository_ssh_key_secret_crn | The CRN for the Deployment repository Git Token. | string | `""` | no |
| cc_gosec_repo_ssh_key_secret_group | Secret group prefix for the gosec private repository SSH key secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cc_gosec_repo_ssh_key_secret_name | Name of the SSH key token for the private repository in the secret provider. | string | `"git-ssh-key"` | no |
| cc_inventory_group | Specify Git user or group for inventory repository. | string | `""` | no |
| cc_inventory_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | `""` | no |
| cc_inventory_repo_git_token_secret_crn | The CRN for the Inventory repository Git Token. | string | `""` | no |
| cc_inventory_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | `""` | no |
| cc_inventory_repo_secret_group | Secret group prefix for the Inventory repo secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cc_issues_group | Specify Git user or group for issues repository. | string | `""` | no |
| cc_issues_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | `""` | no |
| cc_issues_repo_git_token_secret_crn | The CRN for the Issues repository Git Token. | string | `""` | no |
| cc_issues_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | `""` | no |
| cc_issues_repo_secret_group | Secret group prefix for the Issues repo secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cc_kp_location | IBM Cloud location/region containing the Key Protect instance. | string | `""` | no |
| cc_kp_name | Name of the Key Protect instance where the secrets are stored. | string | `""` | no |
| cc_kp_resource_group | The resource group containing the Key Protect instance for your secrets. | string | `""` | no |
| cc_link_to_doi_toolchain | Enable a link to a DevOps Insights instance in another toolchain, true or false. | bool | `true` | no |
| cc_opt_in_auto_close | Enables auto-closing of issues coming from vulnerabilities, once the vulnerability is no longer detected by the CC pipeline run. | string | `"1"` | no |
| cc_opt_in_cra_auto_remediation | Enables auto-remediation for your pipeline. Set to true to enable. | bool | `false` | no |
| cc_opt_in_cra_auto_remediation_enabled_repos | Specifies specific repos where you want to enable auto-remediation. | string | `""` | no |
| cc_opt_in_cra_auto_remediation_force | Forces a major package update as part of the pull request that is opened. | bool | `false` | no |
| cc_opt_in_dynamic_api_scan | To enable the OWASP Zap API scan. '1' enable or '0' disable. | string | `""` | no |
| cc_opt_in_dynamic_scan | To enable the OWASP Zap scan. '1' enable or '0' disable. | string | `""` | no |
| cc_opt_in_dynamic_ui_scan | To enable the OWASP Zap UI scan. '1' enable or '0' disable. | string | `""` | no |
| cc_opt_in_gosec | Enables gosec scans. | string | `""` | no |
| cc_peer_review_compliance | Set to 0 to disable. Set to 1 to enable peer review evidence collection. | string | `""` | no |
| cc_pipeline_config_group | Specify user or group for pipeline config repo. | string | `""` | no |
| cc_pipeline_config_path | The name and path of the pipeline-config.yaml file within the pipeline-config repo. | string | `".pipeline-config.yaml"` | no |
| cc_pipeline_config_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | `""` | no |
| cc_pipeline_config_repo_branch | Specify the branch containing the custom pipeline-config.yaml file. | string | `""` | no |
| cc_pipeline_config_repo_clone_from_url | Specify a repository containing a custom pipeline-config.yaml file. | string | `""` | no |
| cc_pipeline_config_repo_existing_url | Specify a repository containing a custom pipeline-config.yaml file. | string | `""` | no |
| cc_pipeline_config_repo_git_token_secret_crn | The CRN for the Pipeline Config repository Git Token. | string | `""` | no |
| cc_pipeline_config_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | `""` | no |
| cc_pipeline_config_repo_secret_group | Secret group prefix for the Pipeline Config repo secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cc_pipeline_debug | '0' by default. Set to '1' to enable debug logging. | string | `"0"` | no |
| cc_pipeline_dockerconfigjson_secret_crn | The CRN for the Dockerconfig JSON secret. | string | `""` | no |
| cc_pipeline_dockerconfigjson_secret_group | Secret group prefix for the pipeline DockerConfigJson secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cc_pipeline_dockerconfigjson_secret_name | Name of the pipeline docker config JSON secret in the secret provider. | string | `"pipeline_dockerconfigjson_secret_name"` | no |
| cc_pipeline_doi_api_key_secret_crn | The CRN for the pipeline DOI apikey. | string | `""` | no |
| cc_pipeline_doi_api_key_secret_group | Secret group prefix for the pipeline DOI API key. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cc_pipeline_doi_api_key_secret_name | Name of the Cloud API key secret in the secret provider to access the toolchain containing the DevOps Insights instance. | string | `""` | no |
| cc_pipeline_git_tag | The Git tag within the pipeline definitions repository for the Compliance CC Pipeline. | string | `""` | no |
| cc_pipeline_git_token_secret_crn | The CRN for the pipeline Git token property. | string | `""` | no |
| cc_pipeline_ibmcloud_api_key_secret_crn | The CRN for the IBM Cloud apikey. | string | `""` | no |
| cc_pipeline_ibmcloud_api_key_secret_group | Secret group prefix for the pipeline ibmcloud API key secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cc_pipeline_ibmcloud_api_key_secret_name | Name of the Cloud API key secret in the secret provider. | string | `""` | no |
| cc_pipeline_properties | Stringified JSON containing the properties for the CC toolchain pipelines. | string | `""` | no |
| cc_pipeline_properties_filepath | The path to the file containing the property JSON. If this is not set, it will by default read the properties.json file at the root of the module. | string | `""` | no |
| cc_repositories_prefix | The prefix for the compliance repositories. For the repositories_prefix value only a-z, A-Z and 0-9 and the special characters `-_` are allowed. In addition the string must not end with a special character or have two consecutive special characters. | string | `""` | no |
| cc_repository_properties | Stringified JSON containing the repositories and triggers that get created in the CI toolchain pipelines. | string | `""` | no |
| cc_repository_properties_filepath | The path to the file containing the repository and triggers JSON. If this is not set, it will by default read the repositories.json file at the root of the module. | string | `""` | no |
| cc_scc_enable_scc | Adds the SCC tool integration to the toolchain. | bool | `true` | no |
| cc_scc_integration_name | The name of the SCC integration. | string | `"Security and Compliance"` | no |
| cc_scc_use_profile_attachment | Set to `enabled` to enable use profile with attachment, so that the scripts in the pipeline can interact with the Security and Compliance Center service. When enabled, other parameters become relevant: `scc_scc_api_key_secret_name`, `scc_instance_crn`, `scc_profile_name`, `scc_profile_version`, `scc_attachment_id`. | string | `""` | no |
| cc_slack_channel_name | The Slack channel that notifications are posted to. | string | `""` | no |
| cc_slack_notifications | The switch that turns the Slack notification on (`1`) or off (`0`). | string | `""` | no |
| cc_slack_pipeline_fail | Generate pipeline failed notifications. | bool | `true` | no |
| cc_slack_pipeline_start | Generate pipeline start notifications. | bool | `true` | no |
| cc_slack_pipeline_success | Generate pipeline succeeded notifications. | bool | `true` | no |
| cc_slack_team_name | The Slack team name, which is the word or phrase before .slack.com in the team URL. | string | `""` | no |
| cc_slack_toolchain_bind | Generate tool added to toolchain notifications. | bool | `true` | no |
| cc_slack_toolchain_unbind | Generate tool removed from toolchain notifications. | bool | `true` | no |
| cc_slack_webhook_secret_crn | The CRN for the Slack webhook secret. | string | `""` | no |
| cc_slack_webhook_secret_group | Secret group prefix for the Slack webhook secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cc_slack_webhook_secret_name | Name of the webhook secret in the secret provider. | string | `""` | no |
| cc_sm_instance_crn | The CRN of the Secrets Manager instance. | string | `""` | no |
| cc_sm_location | IBM Cloud location/region containing the Secrets Manager instance. | string | `""` | no |
| cc_sm_name | Name of the Secrets Manager instance where the secrets are stored. | string | `""` | no |
| cc_sm_resource_group | The resource group containing the Secrets Manager instance for your secrets. | string | `""` | no |
| cc_sm_secret_group | Group in Secrets Manager for organizing/grouping secrets. | string | `""` | no |
| cc_sonarqube_config | Runs a SonarQube scan in an isolated Docker-in-Docker container (default configuration) or in an existing Kubernetes cluster (custom configuration). Options: `default` or `custom`. Default is `default`. | string | `"default"` | no |
| cc_sonarqube_integration_name | The name of the SonarQube integration. | string | `"SonarQube"` | no |
| cc_sonarqube_is_blind_connection | When set to `true`, instructs IBM Cloud Continuous Delivery to not validate the configuration of this integration. Set this to `true` if the SonarQube server is not addressable on the public internet. | string | `true` | no |
| cc_sonarqube_secret_crn | The CRN for the SonarQube secret. | string | `""` | no |
| cc_sonarqube_secret_name | The name of the SonarQube secret. | string | `"sonarqube-secret"` | no |
| cc_sonarqube_server_url | The URL to the SonarQube server. | string | `""` | no |
| cc_sonarqube_user | The name of the SonarQube user. | string | `""` | no |
| cc_toolchain_description | Description for the CC Toolchain. | string | `"Toolchain created with terraform template for DevSecOps CC Best Practices."` | no |
| cc_toolchain_name | The name of the CC Toolchain. | string | `""` | no |
| cc_toolchain_region | The region containing the CI toolchain. Use the short form of the regions. For example `us-south`. | string | `""` | no |
| cc_toolchain_resource_group | Resource group within which the toolchain is created. | string | `""` | no |
| cc_trigger_manual_enable | Set to true to enable the CC pipeline Manual trigger. | bool | `true` | no |
| cc_trigger_manual_name | The name of the CC pipeline Manual trigger. | string | `"CC Manual Trigger"` | no |
| cc_trigger_manual_pruner_enable | Set to true to enable the manual Pruner trigger. | bool | `true` | no |
| cc_trigger_manual_pruner_name | The name of the manual Pruner trigger. | string | `"Evidence Pruner Manual Trigger"` | no |
| cc_trigger_timed_cron_schedule | Only needed for timer triggers. Cron expression that indicates when this trigger will activate. Maximum frequency is every 5 minutes. The string is based on UNIX crontab syntax: minute, hour, day of month, month, day of week. Example: `0 */2 * * *` - every 2 hours. | string | `"0 4 * * *"` | no |
| cc_trigger_timed_enable | Set to true to enable the CI pipeline Timed trigger. | bool | `false` | no |
| cc_trigger_timed_name | The name of the CC pipeline Timed trigger. | string | `"CC Timed Trigger"` | no |
| cc_trigger_timed_pruner_enable | Set to true to enable the timed Pruner trigger. | bool | `false` | no |
| cc_trigger_timed_pruner_name | The name of the timed Pruner trigger. | string | `"Evidence Pruner Timed Trigger"` | no |
| cd_app_version | The version of the app to deploy. | string | `"v1"` | no |
| cd_artifactory_token_secret_crn | The CRN for the Artifactory secret. | string | `""` | no |
| cd_authorization_policy_creation | Disable Toolchain service to Secrets Manager Service authorization policy creation. | string | `""` | no |
| cd_change_management_group | Specify group for change management repository. | string | `""` | no |
| cd_change_management_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | `""` | no |
| cd_change_management_repo_git_token_secret_crn | The CRN for the Change Management repository Git Token. | string | `""` | no |
| cd_change_management_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | `""` | no |
| cd_change_management_repo_secret_group | Secret group prefix for the Change Management repo secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cd_change_repo_clone_from_url | Override the default management repo, which is cloned into the app repo. Note, using clone_if_not_exists mode, so if the app repo already exists the repo contents are unchanged. | string | `""` | no |
| cd_change_request_id | The ID of an open change request. If this parameter is set to 'notAvailable' by default, a change request is automatically created by the continuous deployment pipeline. | string | `"notAvailable"` | no |
| cd_cluster_name | Name of the Kubernetes cluster where the application is deployed. | string | `""` | no |
| cd_cluster_namespace | Name of the Kubernetes cluster namespace where the application is deployed. | string | `"prod"` | no |
| cd_cluster_region | Region of the Kubernetes cluster where the application is deployed. Use the short form of the regions. For example `us-south`. | string | `""` | no |
| cd_code_signing_cert_secret_crn | The CRN for the public signing key cert in the secrets provider. | string | `""` | no |
| cd_code_signing_cert_secret_group | Secret group prefix for the pipeline Public signing key cert secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cd_code_signing_cert_secret_name | This is the name of the secret in the secrets provider for storing the code signing certificate. | string | `"signing-certificate"` | no |
| cd_compliance_base_image | Pipeline base image to run most of the built-in pipeline code. | string | `""` | no |
| cd_compliance_pipeline_branch | The CD Pipeline Compliance Pipeline branch. | string | `""` | no |
| cd_compliance_pipeline_group | Specify user or group for compliance pipeline repo. | string | `""` | no |
| cd_compliance_pipeline_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | `""` | no |
| cd_compliance_pipeline_repo_git_token_secret_crn | The CRN for the Compliance Pipeline repository Git Token. | string | `""` | no |
| cd_compliance_pipeline_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | `""` | no |
| cd_compliance_pipeline_repo_secret_group | Secret group prefix for the Compliance Pipeline repo secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cd_cos_api_key_secret_crn | The CRN for the Cloud Object Storage apikey. | string | `""` | no |
| cd_cos_api_key_secret_group | Secret group prefix for the COS API key secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cd_cos_api_key_secret_name | Name of the COS API key secret in the secret provider. | string | `""` | no |
| cd_cos_bucket_name | COS bucket name. | string | `""` | no |
| cd_cos_endpoint | COS endpoint name. | string | `""` | no |
| cd_customer_impact | Customer impact of the change request. | string | `"no_impact"` | no |
| cd_deployment_group | Specify group for deployment. | string | `""` | no |
| cd_deployment_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | `""` | no |
| cd_deployment_repo_clone_from_branch | Used when deployment_repo_clone_from_url is provided, the default branch that is used by the CD build, usually either main or master. | string | `""` | no |
| cd_deployment_repo_clone_from_url | Override the default sample app by providing your own sample deployment URL, which is cloned into the app repo. Note, using clone_if_not_exists mode, so if the app repo already exists the repo contents are unchanged. | string | `""` | no |
| cd_deployment_repo_clone_to_git_id | By default absent, else custom server GUID, or other options for 'git_id' field in the browser UI. | string | `""` | no |
| cd_deployment_repo_clone_to_git_provider | By default 'hostedgit', else use 'githubconsolidated' or 'gitlab'. | string | `""` | no |
| cd_deployment_repo_existing_branch | Used when deployment_repo_existing_url is provided, the default branch that is used by the CD build, usually either main or master. | string | `""` | no |
| cd_deployment_repo_existing_git_id | By default absent, else custom server GUID, or other options for 'git_id' field in the browser UI. | string | `""` | no |
| cd_deployment_repo_existing_git_provider | By default 'hostedgit', else use 'githubconsolidated' or 'gitlab'. | string | `"hostedgit"` | no |
| cd_deployment_repo_existing_url | Override to bring your own existing deployment repository URL, which is used directly instead of cloning the default deployment sample. | string | `""` | no |
| cd_deployment_repo_git_token_secret_crn | The CRN for the Deployment repository Git Token. | string | `""` | no |
| cd_deployment_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | `""` | no |
| cd_deployment_repo_secret_group | Secret group prefix for the Deployment repo secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cd_doi_environment | DevOps Insights environment for DevSecOps CD deployment. | string | `""` | no |
| cd_doi_toolchain_id | DevOps Insights toolchain ID to link to. | string | `""` | no |
| cd_emergency_label | Identifies the pull request as an emergency. | string | `"EMERGENCY"` | no |
| cd_enable_key_protect | Use the Key Protect integration. | bool | `false` | no |
| cd_enable_pipeline_notifications | When enabled, pipeline run events will be sent to the Event Notifications and Slack integrations in the enclosing toolchain. | bool | `false` | no |
| cd_enable_secrets_manager | Use the Secrets Manager integration. | bool | `false` | no |
| cd_enable_slack | Default: false. Set to true to create the integration. | bool | `false` | no |
| cd_event_notifications | To enable event notification, set event_notifications to 1. | string | `"0"` | no |
| cd_event_notifications_crn | Set the Event Notifications CRN to create an Event Notifications integration. | string | `""` | no |
| cd_evidence_group | Specify Git user or group for evidence repository. | string | `""` | no |
| cd_evidence_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | `""` | no |
| cd_evidence_repo_git_token_secret_crn | The CRN for the Evidence repository Git Token. | string | `""` | no |
| cd_evidence_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | `""` | no |
| cd_evidence_repo_secret_group | Secret group prefix for the Evidence repo secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cd_instance_name | The name of the CD instance. | string | `"cd-devsecops"` | no |
| cd_inventory_group | Specify Git user or group for inventory repository. | string | `""` | no |
| cd_inventory_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | `""` | no |
| cd_inventory_repo_git_token_secret_crn | The CRN for the Inventory repository Git Token. | string | `""` | no |
| cd_inventory_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | `""` | no |
| cd_inventory_repo_secret_group | Secret group prefix for the Inventory repo secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cd_issues_group | Specify Git user or group for issues repository. | string | `""` | no |
| cd_issues_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | `""` | no |
| cd_issues_repo_git_token_secret_crn | The CRN for the Issues repository Git Token. | string | `""` | no |
| cd_issues_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | `""` | no |
| cd_issues_repo_secret_group | Secret group prefix for the Issues repo secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cd_kp_location | IBM Cloud location/region containing the Key Protect instance. | string | `""` | no |
| cd_kp_name | Name of the Key Protect instance where the secrets are stored. | string | `""` | no |
| cd_kp_resource_group | The resource group containing the Key Protect instance for your secrets. | string | `""` | no |
| cd_link_to_doi_toolchain | Enable a link to a DevOps Insights instance in another toolchain, true or false. | bool | `true` | no |
| cd_merge_cra_sbom | Merge the SBOM. | string | `"1"` | no |
| cd_peer_review_compliance | Set to 0 to disable. Set to 1 to enable peer review evidence collection. | string | `""` | no |
| cd_pipeline_config_group | Specify user or group for pipeline config repo. | string | `""` | no |
| cd_pipeline_config_path | The name and path of the pipeline-config.yaml file within the pipeline-config repo. | string | `".pipeline-config.yaml"` | no |
| cd_pipeline_config_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string | `""` | no |
| cd_pipeline_config_repo_branch | Specify the branch containing the custom pipeline-config.yaml file. | string | `""` | no |
| cd_pipeline_config_repo_clone_from_url | Specify a repository containing a custom pipeline-config.yaml file. | string | `""` | no |
| cd_pipeline_config_repo_existing_url | Specify a repository containing a custom pipeline-config.yaml file. | string | `""` | no |
| cd_pipeline_config_repo_git_token_secret_crn | The CRN for the Config repository Git Token. | string | `""` | no |
| cd_pipeline_config_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string | `""` | no |
| cd_pipeline_config_repo_secret_group | Secret group prefix for the Pipeline Config repo secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cd_pipeline_debug | '0' by default. Set to '1' to enable debug logging. | string | `"0"` | no |
| cd_pipeline_doi_api_key_secret_crn | The CRN for the DOI apikey. | string | `""` | no |
| cd_pipeline_doi_api_key_secret_group | Secret group prefix for the pipeline DOI API key. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cd_pipeline_doi_api_key_secret_name | Name of the Cloud API key secret in the secret provider to access the toolchain containing the DevOps Insights instance. | string | `""` | no |
| cd_pipeline_git_tag | The Git tag within the pipeline definitions repository for the Compliance CD Pipeline. | string | `""` | no |
| cd_pipeline_git_token_secret_crn | The CRN for the Git Token secret in the pipeline properties. | string | `""` | no |
| cd_pipeline_git_token_secret_group | Secret group prefix for the pipeline Git token secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cd_pipeline_git_token_secret_name | Name of the pipeline Git token secret in the secret provider. | string | `"pipeline-git-token"` | no |
| cd_pipeline_ibmcloud_api_key_secret_crn | The CRN for the pipeline apikey. | string | `""` | no |
| cd_pipeline_ibmcloud_api_key_secret_group | Secret group prefix for the pipeline ibmcloud API key secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cd_pipeline_ibmcloud_api_key_secret_name | Name of the Cloud API key secret in the secret provider. | string | `""` | no |
| cd_pipeline_properties | Stringified JSON containing the properties for the CD toolchain pipelines. | string | `""` | no |
| cd_pipeline_properties_filepath | The path to the file containing the property JSON. If this is not set, it will by default read the properties.json file at the root of the module. | string | `""` | no |
| cd_pre_prod_evidence_collection | Set this flag to collect the pre-prod evidence and the change requests in the production deployment (target-environment-purpose set to production). Default value is 0. | string | `"0"` | no |
| cd_privateworker_credentials_secret_crn | The CRN for the Private Worker apikey. | string | `""` | no |
| cd_region | IBM Cloud region used to prefix the prod_latest inventory repo branch. | string | `""` | no |
| cd_repositories_prefix | Prefix name for the cloned compliance repos. For the repositories_prefix value only a-z, A-Z and 0-9 and the special characters `-_` are allowed. In addition the string must not end with a special character or have two consecutive special characters. | string | `""` | no |
| cd_repository_properties | Stringified JSON containing the repositories and triggers that get created in the CI toolchain pipelines. | string | `""` | no |
| cd_repository_properties_filepath | The path to the file containing the repository and triggers JSON. If this is not set, it will by default read the repositories.json file at the root of the module. | string | `""` | no |
| cd_satellite_cluster_group | The Satellite cluster group. | string | `""` | no |
| cd_scc_enable_scc | Adds the SCC tool integration to the toolchain. | bool | `true` | no |
| cd_scc_integration_name | The name of the SCC integration. | string | `"Security and Compliance"` | no |
| cd_scc_use_profile_attachment | Set to `enabled` to enable use profile with attachment, so that the scripts in the pipeline can interact with the Security and Compliance Center service. When enabled, other parameters become relevant: `scc_scc_api_key_secret_name`, `scc_instance_crn`, `scc_profile_name`, `scc_profile_version`, `scc_attachment_id`. | string | `""` | no |
| cd_service_plan | The Continuous Delivery service plan. Can be `lite` or `professional`. | string | `"professional"` | no |
| cd_slack_channel_name | The Slack channel that notifications are posted to. | string | `""` | no |
| cd_slack_notifications | The switch that turns the Slack notification on (`1`) or off (`0`). | string | `""` | no |
| cd_slack_pipeline_fail | Generate pipeline failed notifications. | bool | `true` | no |
| cd_slack_pipeline_start | Generate pipeline start notifications. | bool | `true` | no |
| cd_slack_pipeline_success | Generate pipeline succeeded notifications. | bool | `true` | no |
| cd_slack_team_name | The Slack team name, which is the word or phrase before .slack.com in the team URL. | string | `""` | no |
| cd_slack_toolchain_bind | Generate tool added to toolchain notifications. | bool | `true` | no |
| cd_slack_toolchain_unbind | Generate tool removed from toolchain notifications. | bool | `true` | no |
| cd_slack_webhook_secret_crn | The CRN for the Slack webhook secret. | string | `""` | no |
| cd_slack_webhook_secret_group | Secret group prefix for the Slack webhook secret. Defaults to `sm_secret_group` if not set. Only used with Secrets Manager. | string | `""` | no |
| cd_slack_webhook_secret_name | Name of the webhook secret in the secret provider. | string | `""` | no |
| cd_sm_instance_crn | The CRN of the Secrets Manager instance. | string | `""` | no |
| cd_sm_location | IBM Cloud location/region containing the Secrets Manager instance. | string | `""` | no |
| cd_sm_name | Name of the Secrets Manager instance where the secrets are stored. | string | `""` | no |
| cd_sm_resource_group | The resource group containing the Secrets Manager instance for your secrets. | string | `""` | no |
| cd_sm_secret_group | Group in Secrets Manager for organizing/grouping secrets. | string | `""` | no |
| cd_source_environment | The source environment that the app is promoted from. | string | `"master"` | no |
| cd_target_environment | The target environment that the app is deployed to. | string |
"prod" |
no |
cd_target_environment_detail | Details of the environment being updated. | string |
"Production target environment" |
no |
cd_target_environment_purpose | Purpose of the environment being updated. | string |
"production" |
no |
cd_toolchain_description | Description for the CD toolchain. | string |
"Toolchain created with terraform template for DevSecOps CD Best Practices." |
no |
cd_toolchain_name | The name of the CD Toolchain. | string |
"" |
no |
cd_toolchain_region | The region containing the CI toolchain. Use the short form of the regions. For example us-south . |
string |
"" |
no |
cd_toolchain_resource_group | Resource group within which toolchain is created. | string |
"" |
no |
cd_trigger_git_enable | Set to true to enable the CD pipeline Git trigger. |
bool |
false |
no |
cd_trigger_git_name | The name of the CD pipeline GIT trigger. | string |
"Git CD Trigger" |
no |
cd_trigger_git_promotion_validation_branch | Branch for Git promotion validation listener. | string |
"prod" |
no |
cd_trigger_git_promotion_validation_enable | Enable Git promotion validation for Git promotion listener. | bool |
false |
no |
cd_trigger_git_promotion_validation_listener | Select a Tekton EventListener to use when Git promotion validation listener trigger is fired. | string |
"promotion-validation-listener-gitlab" |
no |
cd_trigger_git_promotion_validation_name | Name of Git Promotion Validation Trigger | string |
"Git Promotion Validation Trigger" |
no |
cd_trigger_manual_enable | Set to true to enable the CD pipeline Manual trigger. |
bool |
true |
no |
cd_trigger_manual_name | The name of the CI pipeline Manual trigger. | string |
"Manual CD Trigger" |
no |
cd_trigger_manual_promotion_enable | Set to true to enable the CD pipeline Manual Promotion trigger. |
bool |
true |
no |
cd_trigger_manual_promotion_name | The name of the CD pipeline Manual Promotion trigger. | string |
"Manual Promotion Trigger" |
no |
cd_trigger_manual_pruner_enable | Set to true to enable the manual Pruner trigger. |
bool |
true |
no |
cd_trigger_manual_pruner_name | The name of the manual Pruner trigger. | string |
"Evidence Pruner Manual Trigger" |
no |
cd_trigger_timed_cron_schedule | Only needed for timer triggers. Cron expression that indicates when this trigger will activate. Maximum frequency is every 5 minutes. The string is based on UNIX crontab syntax: minute, hour, day of month, month, day of week. Example: 0 *_/2 * * * - every 2 hours. | string |
"0 4 * * *" |
no |
cd_trigger_timed_enable | Set to true to enable the CD pipeline Timed trigger. |
bool |
false |
no |
cd_trigger_timed_name | The name of the CD pipeline Timed trigger. | string |
"Git CD Timed Trigger" |
no |
cd_trigger_timed_pruner_enable | Set to true to enable the timed Pruner trigger. |
bool |
false |
no |
cd_trigger_timed_pruner_name | The name of the timed Pruner trigger. | string |
"Evidence Pruner Timed Trigger" |
no |
ci_app_group | Specify Git user or group for your application. | string |
"" |
no |
ci_app_name | Name of the application image and inventory entry. | string |
"hello-compliance-app" |
no |
ci_app_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string |
"" |
no |
ci_app_repo_clone_from_branch | Used when app_repo_clone_from_url is provided, the default branch that is used by the CI build, usually either main or master. | string |
"" |
no |
ci_app_repo_clone_from_url | Override the default sample app by providing your own sample app URL, which is cloned into the app repo. Note, using clone_if_not_exists mode, so if the app repo already exists the repo contents are unchanged. | string |
"" |
no |
ci_app_repo_clone_to_git_id | By default absent, otherwise use custom server GUID, or other options for git_id field in the browser UI. |
string |
"" |
no |
ci_app_repo_clone_to_git_provider | By default 'hostedgit', else use 'githubconsolidated' or 'gitlab'. | string |
"" |
no |
ci_app_repo_existing_branch | Used when app_repo_existing_url is provided, the default branch that is used by the CI build, usually either main or master. | string |
"" |
no |
ci_app_repo_existing_git_id | By default absent, otherwise use custom server GUID, or other options for git_id field in the browser UI. |
string |
"" |
no |
ci_app_repo_existing_git_provider | By default 'hostedgit', else use 'githubconsolidated' or 'gitlab'. | string |
"" |
no |
ci_app_repo_existing_url | Override to bring your own existing application repository URL, which is used directly instead of cloning the default sample. | string |
"" |
no |
ci_app_repo_git_token_secret_crn | The CRN for the app repository Git Token. | string |
"" |
no |
ci_app_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"" |
no |
ci_app_repo_secret_group | Secret group prefix for the App repo secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager . |
string |
"" |
no |
ci_app_version | The version of the app to deploy. | string |
"v1" |
no |
ci_artifactory_token_secret_crn | The CRN for the Artifactory secret. | string |
"" |
no |
ci_authorization_policy_creation | Disable Toolchain Service to Secrets Manager Service authorization policy creation. | string |
"" |
no |
ci_cluster_name | Name of the Kubernetes cluster where the application is deployed. (can be the same cluster used for prod) | string |
"" |
no |
ci_cluster_namespace | Name of the Kubernetes cluster namespace where the application is deployed. | string |
"dev" |
no |
ci_cluster_region | Region of the Kubernetes cluster where the application is deployed. Use the short form of the regions. For example us-south . |
string |
"" |
no |
ci_cluster_resource_group | The cluster resource group. | string |
"" |
no |
ci_code_engine_build_strategy | The build strategy for the Code Engine entity. Default strategy is 'dockerfile'. Set as 'buildpacks' for 'buildpacks' build. | string |
"" |
no |
ci_code_engine_entity_type | Deprecated: See Code Engine variant and ci_code_engine_deployment_type . Type of Code Engine entity to create/update as part of deployment. Default type is 'application'. Set as 'job' for 'job' type. |
string |
"" |
no |
ci_code_engine_project | The name of the Code Engine project to use (or create). | string |
"DevSecOps_CE" |
no |
ci_code_engine_region | The region to create/lookup for the Code Engine project. | string |
"ibm:yp:us-south" |
no |
ci_code_engine_resource_group | The resource group of the Code Engine project. | string |
"Default" |
no |
ci_code_engine_source | The path to the location of code to build in the repository. | string |
"" |
no |
ci_compliance_base_image | Pipeline baseimage to run most of the built-in pipeline code. | string |
"" |
no |
ci_compliance_pipeline_branch | The CI Pipeline Compliance Pipeline branch. | string |
"" |
no |
ci_compliance_pipeline_group | Specify user or group for compliance pipline repo. | string |
"" |
no |
ci_compliance_pipeline_pr_branch | The PR Pipeline Compliance Pipeline branch. | string |
"" |
no |
ci_compliance_pipeline_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string |
"" |
no |
ci_compliance_pipeline_repo_git_token_secret_crn | The CRN for the Compliance Pipeline repository Git Token. | string |
"" |
no |
ci_compliance_pipeline_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"" |
no |
ci_compliance_pipeline_repo_secret_group | Secret group prefix for the Compliance Pipeline repo secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager . |
string |
"" |
no |
ci_cos_api_key_secret_crn | The CRN for the Cloud Object Storage apikey. | string |
"" |
no |
ci_cos_api_key_secret_group | Secret group prefix for the COS API key secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager . |
string |
"" |
no |
ci_cos_api_key_secret_name | Name of the COS API key secret in the secret provider. | string |
"" |
no |
ci_cos_bucket_name | COS bucket name. | string |
"" |
no |
ci_cos_endpoint | COS endpoint name. | string |
"" |
no |
ci_cra_bom_generate | Set this flag to 1 to generate cra bom in CI pipeline. |
string |
"1" |
no |
ci_cra_deploy_analysis | Set this flag to 1 for cra deployment analysis to be done in CI pipeline. |
string |
"1" |
no |
ci_cra_generate_cyclonedx_format | If set to 1, CRA also generates the BOM in cyclonedx format (defaults to 1). | string |
"1" |
no |
ci_cra_vulnerability_scan | Set this flag to 1 and ci-cra-bom-generate to 1 for cra vulnerability scan in CI pipeline. If this value is set to 1 and ci-cra-bom-generate is set to 0 , the scan will be marked as failure |
string |
"1" |
no |
ci_custom_image_tag | The custom tag for the image in a comma-separated list. | string |
"" |
no |
ci_deployment_target | The deployment target, cluster or code-engine. | string |
"cluster" |
no |
ci_dev_region | (Deprecated. Use ci_cluster_region ) Region of the Kubernetes cluster where the application is deployed. Use the short form of the regions. For example us-south |
string |
"" |
no |
ci_dev_resource_group | (Deprecated. Use ci_cluster_resource_group ) The cluster resource group. |
string |
"" |
no |
ci_doi_environment | The DevOps Insights target environment. | string |
"" |
no |
ci_doi_toolchain_id | DevOps Insights toolchain ID to link to. | string |
"" |
no |
ci_doi_toolchain_id_pipeline_property | The DevOps Insights instance toolchain ID. | string |
"" |
no |
ci_enable_key_protect | Set to enable Key Protect Integration. | bool |
false |
no |
ci_enable_pipeline_dockerconfigjson | Enable to add the pipeline-dockerconfigjson property to the pipeline properties. | bool |
false |
no |
ci_enable_pipeline_notifications | When enabled, pipeline run events will be sent to the Event Notifications and Slack integrations in the enclosing toolchain. | bool |
false |
no |
ci_enable_secrets_manager | Set to enable Secrets Manager Integration. | bool |
false |
no |
ci_enable_slack | Default: false. Set to true to create the integration. | bool |
false |
no |
ci_event_notifications | To enable event notification, set event_notifications to 1 | string |
"0" |
no |
ci_event_notifications_crn | Set the Event Notifications CRN to create an Events Notification integration. | string |
"" |
no |
ci_evidence_group | Specify Git user or group for evidence repository. | string |
"" |
no |
ci_evidence_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string |
"" |
no |
ci_evidence_repo_git_token_secret_crn | The CRN for the Evidence repository Git Token. | string |
"" |
no |
ci_evidence_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"" |
no |
ci_evidence_repo_secret_group | Secret group prefix for the Evidence repo secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager . |
string |
"" |
no |
ci_gosec_private_repository_host | Your private repository base URL. | string |
"" |
no |
ci_gosec_private_repository_ssh_key_secret_crn | The CRN for the GoSec repository secret. | string |
"" |
no |
ci_gosec_repo_ssh_key_secret_group | Secret group prefix for the gosec private repository ssh key secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager . |
string |
"" |
no |
ci_gosec_repo_ssh_key_secret_name | Name of the SSH key token for the private repository in the secret provider. | string |
"git-ssh-key" |
no |
ci_inventory_group | Specify Git user or group for inventory repository. | string |
"" |
no |
ci_inventory_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string |
"" |
no |
ci_inventory_repo_git_token_secret_crn | The CRN for the Inventory repository Git Token. | string |
"" |
no |
ci_inventory_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"" |
no |
ci_inventory_repo_secret_group | Secret group prefix for the Inventory repo secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager . |
string |
"" |
no |
ci_issues_group | Specify Git user or group for issues repository. | string |
"" |
no |
ci_issues_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string |
"" |
no |
ci_issues_repo_git_token_secret_crn | The CRN for the Issues repository Git Token. | string |
"" |
no |
ci_issues_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"" |
no |
ci_issues_repo_secret_group | Secret group prefix for the Issues repo secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager . |
string |
"" |
no |
ci_kp_location | IBM Cloud location/region containing the Key Protect instance. | string |
"" |
no |
ci_kp_name | Name of the Key Protect instance where the secrets are stored. | string |
"" |
no |
ci_kp_resource_group | The resource group containing the Key Protect instance. | string |
"" |
no |
ci_link_to_doi_toolchain | Enable a link to a DevOps Insights instance in another toolchain. | bool |
false |
no |
ci_opt_in_dynamic_api_scan | To enable the OWASP Zap API scan. '1' enable or '0' disable. | string |
"1" |
no |
ci_opt_in_dynamic_scan | To enable the OWASP Zap scan. '1' enable or '0' disable. | string |
"1" |
no |
ci_opt_in_dynamic_ui_scan | To enable the OWASP Zap UI scan. '1' enable or '0' disable. | string |
"1" |
no |
ci_opt_in_gosec | Enables gosec scans | string |
"" |
no |
ci_opt_in_sonar | Opt in for Sonarqube | string |
"1" |
no |
ci_peer_review_compliance | Set to 0 to disable. Set to 1 to enable peer review evidence collection. |
string |
"" |
no |
ci_pipeline_config_group | Specify user or group for pipeline config repo. | string |
"" |
no |
ci_pipeline_config_path | The name and path of the pipeline-config.yaml file within the pipeline-config repo. | string |
".pipeline-config.yaml" |
no |
ci_pipeline_config_repo_auth_type | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat'. | string |
"" |
no |
ci_pipeline_config_repo_branch | Specify the branch containing the custom pipeline-config.yaml file. | string |
"" |
no |
ci_pipeline_config_repo_clone_from_url | Specify a repository containing a custom pipeline-config.yaml file. | string |
"" |
no |
ci_pipeline_config_repo_existing_url | Specify a repository containing a custom pipeline-config.yaml file. | string |
"" |
no |
ci_pipeline_config_repo_git_token_secret_crn | The CRN for the Pipeline Config repository Git Token. | string |
"" |
no |
ci_pipeline_config_repo_git_token_secret_name | Name of the Git token secret in the secret provider. | string |
"" |
no |
ci_pipeline_config_repo_secret_group | Secret group prefix for the Pipeline Config repo secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager . |
string |
"" |
no |
ci_pipeline_debug | '0' by default. Set to '1' to enable debug logging. | string |
"0" |
no |
ci_pipeline_dockerconfigjson_secret_crn | The CRN for Dockerconfig json secret. | string |
"" |
no |
ci_pipeline_dockerconfigjson_secret_group | Secret group prefix for the pipeline DockerConfigJson secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager . |
string |
"" |
no |
ci_pipeline_dockerconfigjson_secret_name | Name of the pipeline docker config JSON secret in the secret provider. | string |
"pipeline_dockerconfigjson_secret_name" |
no |
ci_pipeline_doi_api_key_secret_crn | The CRN for the pipeline DOI apikey. | string |
"" |
no |
ci_pipeline_doi_api_key_secret_group | Secret group prefix for the pipeline DOI api key. Defaults to sm_secret_group if not set. Only used with Secrets Manager . |
string |
"" |
no |
ci_pipeline_doi_api_key_secret_name | Name of the Cloud API key secret in the secret provider to access the toolchain containing the Devops Insights instance. | string |
"" |
no |
ci_pipeline_git_tag | The GIT tag within the pipeline definitions repository for the Compliance CI Pipeline. | string |
"" |
no |
ci_pipeline_git_token_secret_crn | The CRN for the Git Token pipeline property. | string |
"" |
no |
ci_pipeline_git_token_secret_group | Secret group prefix for the pipeline Git token secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager . |
string |
"" |
no |
ci_pipeline_git_token_secret_name | Name of the pipeline Git token secret in the secret provider. | string |
"pipeline-git-token" |
no |
ci_pipeline_ibmcloud_api_key_secret_crn | The CRN for the IBMCloud apikey. | string |
"" |
no |
ci_pipeline_ibmcloud_api_key_secret_group | Secret group prefix for the pipeline ibmcloud API key secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager . |
string |
"" |
no |
ci_pipeline_ibmcloud_api_key_secret_name | Name of the Cloud API key secret in the secret provider. | string |
"" |
no |
ci_pipeline_properties | Stringified JSON containing the properties for the CI toolchain pipelines. | string |
"" |
no |
ci_pipeline_properties_filepath | The path to the file containing the property JSON. If this is not set, it will by default read the properties.json file at the root of the module. |
string |
"" |
no |
ci_print_code_signing_certificate | Set to 1 to enable printing of the public signing certificate in the logs. |
string |
"1" |
no |
ci_privateworker_credentials_secret_crn | The CRN for the Private Worker secret secret. | string |
"" |
no |
ci_registry_namespace | A unique namespace within the IBM Cloud Container Registry region where the application image is stored. (deprecated. Use registry_namespace ) |
string |
"" |
no |
ci_registry_region | The IBM Cloud Region where the IBM Cloud Container Registry namespace is to be created. Use the short form of the regions. For example us-south . |
string |
"" |
no |
ci_repositories_prefix | Prefix name for the cloned compliance repos. For the repositories_prefix value only a-z, A-Z and 0-9 and the special characters -_ are allowed. In addition the string must not end with a special character or have two consecutive special characters. |
string |
"" |
no |
ci_repository_properties | Stringified JSON containing the repositories and triggers that get created in the CI toolchain pipelines. | string |
"" |
no |
ci_repository_properties_filepath | The path to the file containing the repository and triggers JSON. If this is not set, it will by default read the repositories.json file at the root of the module. |
string |
"" |
no |
ci_signing_key_secret_crn | The CRN for Signing Key secret. | string |
"" |
no |
ci_signing_key_secret_group | Secret group prefix for the signing key secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager . |
string |
"" |
no |
ci_signing_key_secret_name | Name of the signing key secret in the secret provider. | string |
"signing_key" |
no |
ci_slack_channel_name | The Slack channel that notifications are posted to. | string |
"" |
no |
ci_slack_notifications | The switch that turns the Slack notification on (1 ) or off (0 ). |
string |
"" |
no |
ci_slack_pipeline_fail | Generate pipeline failed notifications. | bool |
true |
no |
ci_slack_pipeline_start | Generate pipeline start notifications. | bool |
true |
no |
ci_slack_pipeline_success | Generate pipeline succeeded notifications. | bool |
true |
no |
ci_slack_team_name | The Slack team name, which is the word or phrase before .slack.com in the team URL. |
string |
"" |
no |
ci_slack_toolchain_bind | Generate tool added to toolchain notifications. | bool |
true |
no |
ci_slack_toolchain_unbind | Generate tool removed from toolchain notifications. | bool |
true |
no |
ci_slack_webhook_secret_crn | The CRN for the Slack webhook secret. | string |
"" |
no |
ci_slack_webhook_secret_group | Secret group prefix for the Slack webhook secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager . |
string |
"" |
no |
ci_slack_webhook_secret_name | Name of the webhook secret in the secret provider. | string |
"" |
no |
ci_sm_instance_crn | The CRN of the Secrets Manager instance for the CI toolchain. | string |
"" |
no |
ci_sm_location | IBM Cloud location/region containing the Secrets Manager instance. | string |
"" |
no |
ci_sm_name | Name of the Secrets Manager instance where the secrets are stored. | string |
"" |
no |
ci_sm_resource_group | The resource group containing the Secrets Manager instance. | string |
"" |
no |
ci_sm_secret_group | Group in Secrets Manager for organizing/grouping secrets. | string |
"" |
no |
ci_sonarqube_config | Runs a SonarQube scan in an isolated Docker-in-Docker container (default configuration) or in an existing Kubernetes cluster (custom configuration). Options: default or custom. Default is default. | string |
"default" |
no |
ci_sonarqube_integration_name | The name of the SonarQube integration. | string |
"SonarQube" |
no |
ci_sonarqube_is_blind_connection | When set to true , instructs IBM Cloud Continuous Delivery to not validate the configuration of this integration. Set this to true if the SonarQube server is not addressable on the public internet. |
string |
true |
no |
ci_sonarqube_secret_crn | The CRN for the SonarQube secret. | string |
"" |
no |
ci_sonarqube_secret_name | The name of the SonarQube secret. | string |
"sonarqube-secret" |
no |
ci_sonarqube_server_url | The URL to the SonarQube server. | string |
"" |
no |
ci_sonarqube_user | The name of the SonarQube user. | string |
"" |
no |
ci_toolchain_description | Description for the CI Toolchain. | string |
"Toolchain created with terraform template for DevSecOps CI Best Practices." |
no |
ci_toolchain_name | The name of the CI Toolchain. | string |
"" |
no |
ci_toolchain_region | The region containing the CI toolchain. Use the short form of the regions. For example us-south . |
string |
"" |
no |
ci_toolchain_resource_group | The resource group within which the toolchain is created. | string |
"" |
no |
ci_trigger_git_enable | Set to true to enable the CI pipeline Git trigger. |
bool |
true |
no |
ci_trigger_git_name | The name of the CI pipeline GIT trigger. | string |
"Git CI Trigger" |
no |
ci_trigger_manual_enable | Set to true to enable the CI pipeline Manual trigger. |
bool |
true |
no |
ci_trigger_manual_name | The name of the CI pipeline Manual trigger. | string |
"Manual Trigger" |
no |
ci_trigger_manual_pruner_enable | Set to true to enable the manual Pruner trigger. |
bool |
true |
no |
ci_trigger_manual_pruner_name | The name of the manual Pruner trigger. | string |
"Evidence Pruner Manual Trigger" |
no |
ci_trigger_pr_git_enable | Set to true to enable the PR pipeline Git trigger. |
bool |
true |
no |
ci_trigger_pr_git_name | The name of the PR pipeline GIT trigger. | string |
"Git PR Trigger" |
no |
ci_trigger_timed_cron_schedule | Only needed for timer triggers. Cron expression that indicates when this trigger will activate. Maximum frequency is every 5 minutes. The string is based on UNIX crontab syntax: minute, hour, day of month, month, day of week. Example: 0 *_/2 * * * - every 2 hours. | string |
"0 4 * * *" |
no |
ci_trigger_timed_enable | Set to true to enable the CI pipeline Timed trigger. |
bool |
false |
no |
ci_trigger_timed_name | The name of the CI pipeline Timed trigger. | string |
"Git CI Timed Trigger" |
no |
ci_trigger_timed_pruner_enable | Set to true to enable the timed Pruner trigger. |
bool |
false |
no |
ci_trigger_timed_pruner_name | The name of the timed Pruner trigger. | string |
"Evidence Pruner Timed Trigger" |
no |
cluster_name | Name of the Kubernetes cluster where the application is deployed. This sets the same cluster for both CI and CD toolchains. See ci_cluster_name and cd_cluster_name to set different clusters. By default , the cluster namespace for CI will be set to dev and CD to prod . These can be changed using ci_cluster_namespace and cd_cluster_namespace . |
string |
"mycluster-free" |
no |
compliance_base_image | Pipeline baseimage to run most of the built-in pipeline code. | string |
"" |
no |
compliance_pipeline_branch | The Compliance Pipeline branch. | string |
"open-v10" |
no |
cos_api_key_secret_crn | The CRN for the Cloud Object Storage apikey. | string |
"" |
no |
cos_api_key_secret_name | To enable the use of COS, a secret name to a COS API key secret in the secret provider is required. In addition cos_endpoint and cos_bucket_name must be set. This setting sets the same API key for the COS settings in the CI, CD, and CC toolchains. See ci_cos_api_key_secret_name , cd_cos_api_key_secret_name , and cc_cos_api_key_secret_name to set separately. |
string |
"cos-api-key" |
no |
cos_bucket_name | Set the name of your COS bucket. This applies the same COS bucket name for the CI, CD, and CC toolchains. See ci_cos_bucket_name , cd_cos_bucket_name , and cc_cos_bucket_name to set separately. |
string |
"" |
no |
cos_endpoint | Set the Cloud Object Storage endpoint for accessing your COS bucket. This setting sets the same endpoint for COS in the CI, CD, and CC toolchains. See ci_cos_endpoint , cd_cos_endpoint , and cc_cos_endpoint to set the endpoints separately. |
string |
"" |
no |
create_cc_toolchain | Boolean flag which determines if the DevSecOps CC toolchain is created. | bool |
true |
no |
create_cd_instance | Set to true to create Continuous Delivery Service. |
bool |
false |
no |
create_cd_toolchain | Boolean flag which determines if the DevSecOps CD toolchain is created. | bool |
true |
no |
create_ci_toolchain | Flag which determines if the DevSecOps CI toolchain is created. If this toolchain is not created then values must be set for the following variables, evidence_repo_url, issues_repo_url and inventory_repo_url. | bool |
true |
no |
deployment_repo_url | This is the repository to clone deployment for DevSecOps toolchain template. | string |
"" |
no |
enable_key_protect | Set to enable Key Protect Integrations. | bool |
false |
no |
enable_secrets_manager | Enable the Secrets Manager integrations. | bool |
true |
no |
enable_slack | Set to true to create the integration. This requires a valid slack_channel_name , slack_team_name , and a valid webhook (see slack_webhook_secret_name ). This setting applies for CI, CD, and CC toolchains. To enable Slack separately, see ci_enable_slack , cd_enable_slack , and cc_enable_slack . |
bool |
false |
no |
environment_prefix | By default ibm:yp: . This will be set as the prefix to regions automatically where required. For example ibm:yp:us-south . |
string |
"ibm:yp:" |
no |
event_notifications_crn | Set the Event Notifications CRN to create an Events Notification integration. This paramater will apply to the CI, CD and CC toolchains. Can be set individually with ci_event_notifications_crn , cd_event_notifications_crn , cc_event_notifications_crn . |
string |
"" |
no |
event_notifications_tool_name | The name of the Event Notifications integration. | string |
"Event Notifications" |
no |
evidence_repo_existing_git_id | Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. |
string |
"" |
no |
evidence_repo_existing_git_provider | Git provider for evidence repo | string |
"hostedgit" |
no |
evidence_repo_existing_url | This is a template repository to clone compliance-evidence-locker for reference DevSecOps toolchain templates. | string |
"" |
no |
evidence_repo_integration_owner | The name of the integration owner. | string |
"" |
no |
evidence_repo_name | The repository name. | string |
"" |
no |
evidence_repo_url | Deprecated: Use evidence_repo_existing_url . This is a template repository to link compliance-evidence-locker for reference DevSecOps toolchain templates. |
string |
"" |
no |
gosec_private_repository_host | Your private repository base URL. | string |
"" |
no |
gosec_private_repository_ssh_key_secret_crn | The CRN for the GoSec repository secret. | string | "" | no |
gosec_repo_ssh_key_secret_group | Secret group prefix for the gosec private repository SSH key secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager. | string | "" | no |
gosec_repo_ssh_key_secret_name | Name of the SSH key secret for the private repository in the secret provider. | string | "git-ssh-key" | no |
ibmcloud_api | IBM Cloud API endpoint. | string | "https://cloud.ibm.com" | no |
ibmcloud_api_key | API key used to create the toolchains. (See the deployment guide.) | string | n/a | yes |
inventory_repo_existing_git_id | Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. | string | "" | no |
inventory_repo_existing_git_provider | Git provider for the inventory repo. | string | "hostedgit" | no |
inventory_repo_existing_url | Template repository that is cloned to create the compliance-inventory repo for the reference DevSecOps toolchains. | string | "" | no |
inventory_repo_integration_owner | The name of the integration owner. | string | "" | no |
inventory_repo_name | The repository name. | string | "" | no |
inventory_repo_url | Deprecated: use inventory_repo_existing_url. Template repository that is linked as the compliance-inventory repo for the reference DevSecOps toolchains. | string | "" | no |
issues_repo_existing_git_id | Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. | string | "" | no |
issues_repo_existing_git_provider | Git provider for the issues repo. | string | "hostedgit" | no |
issues_repo_existing_url | Template repository that is cloned to create the compliance-issues repo for the reference DevSecOps toolchains. | string | "" | no |
issues_repo_integration_owner | The name of the integration owner. | string | "" | no |
issues_repo_name | The repository name. | string | "" | no |
issues_repo_url | Deprecated: use issues_repo_existing_url. Template repository that is linked as the compliance-issues repo for the reference DevSecOps toolchains. | string | "" | no |
kp_integration_name | The name of the Key Protect integration. | string | "kp-compliance-secrets" | no |
kp_location | The region of the Key Protect instance. Applies to the CI, CD and CC Key Protect integrations. See ci_kp_location, cd_kp_location, and cc_kp_location to set separately. | string | "us-south" | no |
kp_name | Name of the Key Protect instance where the secrets are stored. Applies to the CI, CD and CC Key Protect integrations. See ci_kp_name, cd_kp_name, and cc_kp_name to set separately. | string | "kp-compliance-secrets" | no |
kp_resource_group | The resource group containing the Key Protect instance. Applies to the CI, CD and CC Key Protect integrations. See ci_kp_resource_group, cd_kp_resource_group, and cc_kp_resource_group to set separately. | string | "Default" | no |
opt_in_gosec | Enables gosec scans. | string | "" | no |
peer_review_compliance | Set to 0 to disable, or 1 to enable, peer review evidence collection. Applies to the CI, CD and CC pipelines. Can be set individually with ci_peer_review_compliance, cd_peer_review_compliance, and cc_peer_review_compliance. | string | "1" | no |
pipeline_doi_api_key_secret_crn | The CRN for the pipeline DevOps Insights (DOI) API key. | string | "" | no |
pipeline_doi_api_key_secret_group | Secret group prefix for the pipeline DOI API key. Defaults to sm_secret_group if not set. Only used with Secrets Manager. Applies to the CI, CD and CC toolchains. | string | "" | no |
pipeline_doi_api_key_secret_name | Name of the IBM Cloud API key secret in the secret provider that is used to access the toolchain containing the DevOps Insights instance. Applies to the CI, CD and CC toolchains. | string | "" | no |
pipeline_git_tag | The Git tag within the pipeline definitions repository for the Compliance Pipelines. | string | "" | no |
pipeline_ibmcloud_api_key_secret_crn | The CRN for the IBM Cloud API key. | string | "" | no |
pipeline_ibmcloud_api_key_secret_name | Name of the IBM Cloud API key secret in the secret provider. Applies to the CI, CD and CC toolchains. To set separately, see ci_pipeline_ibmcloud_api_key_secret_name, cd_pipeline_ibmcloud_api_key_secret_name and cc_pipeline_ibmcloud_api_key_secret_name. | string | "ibmcloud-api-key" | no |
pr_cra_bom_generate | Set to 1 to generate the CRA bill of materials (BOM) in the PR pipeline. | string | "1" | no |
pr_cra_deploy_analysis | Set to 1 to run CRA deployment analysis in the PR pipeline. | string | "1" | no |
pr_cra_vulnerability_scan | Set to 1, together with pr_cra_bom_generate set to 1, to run the CRA vulnerability scan in the PR pipeline. If this value is 1 and pr_cra_bom_generate is 0, the scan is marked as failed because there is no BOM to scan. | string | "1" | no |
pr_pipeline_git_tag | The Git tag within the pipeline definitions repository for the Compliance PR Pipeline. | string | "" | no |
registry_namespace | A unique namespace within the IBM Cloud Container Registry region where the application image is stored. | string | "" | no |
repo_git_token_secret_crn | The CRN for the repositories' Git token. | string | "" | no |
repo_git_token_secret_name | Name of the Git token secret in the secret provider. Specifying a secret name for the Git token automatically sets the authentication type to pat. | string | "" | no |
repo_group | The Git user or group for your application. Must be set if the repository authentication type is pat (personal access token). | string | "" | no |
repo_secret_group | Secret group in Secrets Manager that contains the secret for the repo. Sets the same secret group for all the repositories; can be overridden per secret group. Only applies when using Secrets Manager. | string | "" | no |
repositories_prefix | Prefix name for the cloned compliance repos. Only a-z, A-Z, 0-9 and the special characters - and _ are allowed. The string must not end with a special character or contain two consecutive special characters. | string | "compliance" | no |
scc_attachment_id | An attachment ID. An attachment is configured under a profile to define how a scan is run. To find the attachment ID, open the attachment from the attachments list in the browser; a panel appears with a button to copy the attachment ID. Only relevant when scc_use_profile_attachment is enabled. | string | "" | no |
scc_instance_crn | The Security and Compliance Center service instance CRN (Cloud Resource Name). Only relevant when scc_use_profile_attachment is enabled. The value must match the regular expression. | string | "" | no |
scc_profile_name | The name of a Security and Compliance Center profile. Use the IBM Cloud Framework for Financial Services profile, which contains the DevSecOps Toolchain rules, or a user-authored custom profile that has been configured to contain those rules. Only relevant when scc_use_profile_attachment is enabled. | string | "" | no |
scc_profile_version | The version of a Security and Compliance Center profile, in SemVer format, for example 0.0.0. Only relevant when scc_use_profile_attachment is enabled. | string | "" | no |
scc_scc_api_key_secret_crn | The CRN for the SCC API key. | string | "" | no |
scc_scc_api_key_secret_group | Secret group prefix for the Security and Compliance Center secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager. | string | "" | no |
scc_scc_api_key_secret_name | Name of the Security and Compliance Center API key secret in the secret provider. | string | "scc-api-key" | no |
scc_use_profile_attachment | Set to enabled to use a profile with an attachment, so that the scripts in the pipeline can interact with the Security and Compliance Center service. When enabled, the following parameters become relevant: scc_scc_api_key_secret_name, scc_instance_crn, scc_profile_name, scc_profile_version and scc_attachment_id. Can be enabled or disabled individually in the CD and CC toolchains using cd_scc_use_profile_attachment and cc_scc_use_profile_attachment. | string | "disabled" | no |
slack_channel_name | The Slack channel that notifications are posted to. Applies to the CI, CD, and CC toolchains. To set separately, see ci_slack_channel_name, cd_slack_channel_name, and cc_slack_channel_name. | string | "" | no |
slack_integration_name | The name of the Slack integration. | string | "slack-compliance" | no |
slack_notifications | Slack notifications are enabled automatically when a Slack integration is created; this switch overrides that setting. Set 1 for on and 0 for off. Applies to the CI, CD, and CC toolchains. To set separately, see ci_slack_notifications, cd_slack_notifications, and cc_slack_notifications. | string | "" | no |
slack_team_name | The Slack team name, which is the word or phrase before .slack.com in the team URL. Applies to the CI, CD, and CC toolchains. To set separately, see ci_slack_team_name, cd_slack_team_name, and cc_slack_team_name. | string | "" | no |
slack_webhook_secret_crn | The CRN for the Slack webhook secret. | string | "" | no |
slack_webhook_secret_name | Name of the Slack webhook secret in the secret provider. Applies to the CI, CD, and CC toolchains. To set separately, see ci_slack_webhook_secret_name, cd_slack_webhook_secret_name, and cc_slack_webhook_secret_name. | string | "slack-webhook" | no |
sm_instance_crn | The CRN of the Secrets Manager instance. Applies to the CI, CD and CC toolchains unless set individually. | string | "" | no |
sm_integration_name | The name of the Secrets Manager integration. | string | "sm-compliance-secrets" | no |
sm_location | The region of the Secrets Manager instance. Applies to the CI, CD and CC Secrets Manager integrations. See ci_sm_location, cd_sm_location, and cc_sm_location to set separately. | string | "us-south" | no |
sm_name | The name of the Secrets Manager instance. Applies to the CI, CD and CC Secrets Manager integrations. See ci_sm_name, cd_sm_name, and cc_sm_name to set separately. | string | "sm-instance" | no |
sm_resource_group | The resource group containing the Secrets Manager instance. Applies to the CI, CD and CC Secrets Manager integrations. See ci_sm_resource_group, cd_sm_resource_group, and cc_sm_resource_group to set separately. | string | "Default" | no |
sm_secret_group | Group in Secrets Manager for organizing secrets. Applies to the CI, CD and CC Secrets Manager integrations. See ci_sm_secret_group, cd_sm_secret_group, and cc_sm_secret_group to set separately. | string | "Default" | no |
sonarqube_secret_crn | The CRN for the SonarQube secret. | string | "" | no |
toolchain_name | Common element of the toolchain names. Each toolchain name is this value followed by CI Toolchain, CD Toolchain or CC Toolchain and a timestamp. Can be set explicitly using ci_toolchain_name, cd_toolchain_name, and cc_toolchain_name. | string | "DevSecOps" | no |
toolchain_region | The region used, by default, for all resource creation and service instance lookups. Can be overridden per resource or service; see ci_toolchain_region, cd_toolchain_region, cc_toolchain_region, ci_cluster_region, cd_cluster_region, and ci_registry_region. | string | "us-south" | no |
toolchain_resource_group | The resource group used, by default, for all resource creation and service instance lookups. Can be overridden per resource or service; see ci_toolchain_resource_group, cd_toolchain_resource_group, cc_toolchain_resource_group, and ci_cluster_resource_group. | string | "Default" | no |
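The inputs above carry several dependencies between variables that the table can only state row by row: the repositories_prefix character rule, naming a Git token secret switching repo auth to pat (which then requires repo_group), the five SCC parameters that only matter once scc_use_profile_attachment is enabled, and the CRA vulnerability scan needing the BOM step. The root-module fragment below is an added illustration of how those fit together; it is not taken from the module's own examples. The prefix rule is expressed as a Terraform variable validation (Terraform's regex() is RE2 and has no lookahead, so the rule is split into two patterns), and every instance name, secret name, CRN, attachment ID, profile version and Git org below is a placeholder; only the variable names come from the inputs table.

```hcl
# Added example, not from the module's own examples. All names, CRNs and IDs
# are placeholders; only the variable names come from the inputs table above.

variable "ibmcloud_api_key" {
  description = "API key used to create the toolchains; pass it via TF_VAR_ibmcloud_api_key, never commit it."
  type        = string
  sensitive   = true
}

variable "repositories_prefix" {
  description = "Prefix for the cloned compliance repos."
  type        = string
  default     = "compliance"

  # Rule from the inputs table: only a-z, A-Z, 0-9, '-' and '_'; must not end
  # with a special character; no two consecutive special characters.
  # RE2 has no lookahead, so the last constraint is a second, negated match.
  validation {
    condition = (
      can(regex("^[A-Za-z0-9_-]*[A-Za-z0-9]$", var.repositories_prefix))
      && !can(regex("[-_]{2}", var.repositories_prefix))
    )
    error_message = "The repositories_prefix value may contain only a-z, A-Z, 0-9, '-' and '_', must not end with '-' or '_', and must not contain two consecutive special characters."
  }
}

module "devsecops_alm" {
  source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-alm?ref=v1.0.4"

  ibmcloud_api_key         = var.ibmcloud_api_key
  toolchain_region         = "us-south"
  toolchain_resource_group = "Default"
  toolchain_name           = "DevSecOps"
  repositories_prefix      = var.repositories_prefix

  # Secrets live in Secrets Manager and are referenced by secret *name*;
  # repo_secret_group puts every repository secret in one placeholder group.
  sm_name                               = "sm-instance"       # placeholder
  sm_location                           = "us-south"
  sm_resource_group                     = "Default"
  sm_secret_group                       = "devsecops-secrets" # placeholder
  repo_secret_group                     = "devsecops-secrets" # placeholder
  pipeline_ibmcloud_api_key_secret_name = "ibmcloud-api-key"

  # Naming the Git token secret switches repository auth to pat, and pat
  # requires repo_group (the Git user or org) to be set as well.
  repo_git_token_secret_name = "git-pat"    # placeholder secret name
  repo_group                 = "my-git-org" # placeholder user/org

  # Security and Compliance Center: enabling the profile attachment is what
  # makes the five parameters below relevant; leave them unset when disabled.
  scc_use_profile_attachment  = "enabled"
  scc_scc_api_key_secret_name = "scc-api-key"
  scc_instance_crn            = "crn:v1:bluemix:public:compliance:us-south:a/ACCOUNT_ID:INSTANCE_ID::" # placeholder CRN
  scc_profile_name            = "IBM Cloud Framework for Financial Services"
  scc_profile_version         = "1.0.0"                                # placeholder SemVer
  scc_attachment_id           = "00000000-0000-0000-0000-000000000000" # placeholder

  # PR pipeline: the CRA vulnerability scan consumes the BOM, so keep both at
  # "1"; a scan at "1" with BOM generation at "0" is reported as a failure.
  pr_cra_bom_generate       = "1"
  pr_cra_vulnerability_scan = "1"
}
```

The validation fires at plan time, so a prefix such as "compliance--app" or "compliance_" is rejected before any toolchain is created; the API key is marked sensitive so it is redacted from plan output and state diffs.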
Name | Description |
---|---|
app_repo_url | The app repo URL |
cc_pipeline_id | The CC pipeline ID |
cd_pipeline_id | The CD pipeline ID |
ci_pipeline_id | The CI pipeline ID |
compliance_cc_toolchain_id | The ID of the Compliance CC Toolchain |
compliance_cc_toolchain_url | The Compliance CC Toolchain URL |
compliance_cd_toolchain_id | The ID of the Compliance CD Toolchain |
compliance_cd_toolchain_url | The Compliance CD Toolchain URL |
compliance_ci_toolchain_id | The ID of the Compliance CI Toolchain |
compliance_ci_toolchain_url | The Compliance CI Toolchain URL |
evidence_repo_url | The evidence repo URL |
inventory_repo_url | The inventory repo URL |
issues_repo_url | The issues repo URL |
key_protect_instance_id | The Key Protect instance ID |
pr_pipeline_id | The PR pipeline ID |
secrets_manager_instance_id | The Secrets Manager instance ID |
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.