terraform-ibm-modules/terraform-ibm-devsecops-cc-toolchain
Terraform IBM DevSecOps CC Toolchain

A Terraform module for provisioning the DevSecOps CC toolchains.

Requirements

Name Version
terraform >= 1.0.0
ibm >= 1.70.0, < 2.0.0

Modules

Name Source Version
app_repo ./customizations/repositories n/a
compliance_pipelines_repo ./customizations/repositories n/a
evidence_repo ./customizations/repositories n/a
integrations ./integrations n/a
inventory_repo ./customizations/repositories n/a
issues_repo ./customizations/repositories n/a
pipeline_cc ./pipeline-cc n/a
pipeline_config_repo ./customizations/repositories n/a
pipeline_properties ./customizations/pipeline-property-adder n/a
repository_properties ./customizations/repository-adder n/a
services ./services n/a

Resources

Name Type
ibm_cd_toolchain.toolchain_instance resource
ibm_cd_toolchain_tool_pipeline.cc_pipeline resource
ibm_resource_group.resource_group data source
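The following is an added worked example of calling this module, not code from the module's repository. It pins the provider to the versions in the Requirements table and uses only inputs documented in the Inputs table: every credential is looked up by name in Secrets Manager (the API key that creates the toolchain is the single secret Terraform handles directly), evidence is written to a COS bucket with HMAC credentials, and scanning runs against a Security and Compliance Center profile attachment. The module source ref, CRNs, repository URLs, organization and bucket names are placeholders, and attaching the inventory, evidence and issues repositories created by an existing CI toolchain with initialization type `link` is an assumption.

```hcl
terraform {
  required_version = ">= 1.0.0"
  required_providers {
    ibm = {
      source  = "IBM-Cloud/ibm"
      version = ">= 1.70.0, < 2.0.0"
    }
  }
}

# The only secret that reaches Terraform directly; mark it sensitive and pass it
# through TF_VAR_ibmcloud_api_key rather than a tfvars file under version control.
variable "ibmcloud_api_key" {
  type      = string
  sensitive = true
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = "us-south"
}

module "devsecops_cc" {
  # Assumption: pin to a release tag of the module; <tag> is a placeholder.
  source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-cc-toolchain.git?ref=<tag>"

  ibmcloud_api_key         = var.ibmcloud_api_key
  toolchain_name           = "payments-cc-toolchain" # placeholder
  toolchain_region         = "us-south"
  toolchain_resource_group = "Default"

  # Secrets Manager addressed by CRN, so sm_name/sm_location/sm_resource_group are not needed.
  # Every *_secret_name below is resolved inside sm_secret_group; no credential is inlined here.
  enable_secrets_manager = true
  sm_instance_crn        = "crn:v1:bluemix:public:secrets-manager:us-south:a/<account-id>:<instance-id>::" # placeholder
  sm_secret_group        = "devsecops"

  pipeline_ibmcloud_api_key_secret_name = "ibmcloud-api-key"
  repo_git_token_secret_name            = "git-token"    # naming a token secret switches all compliance repos to 'pat' auth
  repo_group                            = "payments-org" # required once the auth type is pat (placeholder org)
  enable_pipeline_git_token             = false          # keep git-token out of the pipeline properties unless a task needs it

  # Application under continuous compliance scanning (placeholder URL on github.com).
  app_repo_url          = "https://github.com/payments-org/payments-api"
  app_repo_git_provider = "githubconsolidated"
  app_repo_git_id       = "github"
  app_repo_branch       = "main"

  # Inventory, evidence and issues repos already exist (created by the CI toolchain);
  # link them instead of cloning templates so evidence lands in the same locker.
  # Assumption: 'link' with these URLs attaches the existing repositories.
  inventory_repo_url                 = "https://github.com/payments-org/compliance-inventory"
  inventory_repo_initialization_type = "link"
  evidence_repo_url                  = "https://github.com/payments-org/compliance-evidence-locker"
  evidence_repo_initialization_type  = "link"
  issues_repo_url                    = "https://github.com/payments-org/compliance-issues"
  issues_repo_initialization_type    = "link"
  # Private repos are already the module default; state it so a later edit cannot flip it silently.
  inventory_repo_is_private_repo = true
  evidence_repo_is_private_repo  = true
  issues_repo_is_private_repo    = true

  # Evidence also goes to a COS bucket; HMAC credentials are read from Secrets Manager.
  # With enable_cos set and scc_evidence_locker_type left unset, the SCC tool uses the bucket.
  enable_cos                             = true
  cos_instance_crn                       = "crn:v1:bluemix:public:cloud-object-storage:global:a/<account-id>:<instance-id>::" # placeholder
  cos_bucket_name                        = "payments-compliance-evidence"
  cos_endpoint                           = "s3.direct.us-south.cloud-object-storage.appdomain.cloud" # example private endpoint
  cos_hmac_access_key_id_secret_name     = "cos-hmac-access-key-id"
  cos_hmac_secret_access_key_secret_name = "cos-hmac-secret-access-key"

  # Security and Compliance Center: scan against a profile attachment so pipeline
  # results are recorded in SCC. All identifiers are placeholders.
  scc_enable_scc              = true
  scc_use_profile_attachment  = "enabled"
  scc_instance_crn            = "crn:v1:bluemix:public:compliance:us-south:a/<account-id>:<instance-id>::"
  scc_profile_name            = "IBM Cloud Framework for Financial Services"
  scc_profile_version         = "<semver>"
  scc_attachment_id           = "<attachment-id>"
  scc_scc_api_key_secret_name = "scc-api-key"

  # Nightly scan plus pipeline run events to Event Notifications.
  trigger_timed_enable          = true
  trigger_timed_cron_schedule   = "0 4 * * *" # every day at 04:00
  enable_pipeline_notifications = true
  event_notifications_crn       = "crn:v1:bluemix:public:event-notifications:us-south:a/<account-id>:<instance-id>::" # placeholder
}

output "cc_toolchain_url" {
  value = module.devsecops_cc.toolchain_url
}
```

Run `terraform plan` with `TF_VAR_ibmcloud_api_key` exported; the plan should show only the toolchain, the pipeline and the tool integrations, with secret values appearing as Secrets Manager references rather than literals in state.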

Inputs

Name Description Type Default Required
add_pipeline_definitions Set to true to add pipeline definitions. string "true" no
app_group Specify Git user/group for app repo. string "" no
app_repo_auth_type Select the method of authentication that will be used to access the git provider. 'oauth' or 'pat'. string "" no
app_repo_blind_connection Setting this value to true means the server is not addressable on the public internet. IBM Cloud will not be able to validate the connection details you provide. Certain functionality that requires API access to the git server will be disabled. Delivery pipeline will only work using a private worker that has network access to the git server. string "" no
app_repo_branch The default branch of the app repo. string "master" no
app_repo_clone_to_git_id Custom server GUID, or other options for 'git_id' field in the browser UI. string "" no
app_repo_clone_to_git_provider By default 'hostedgit', else use 'githubconsolidated' or 'gitlab'. string "" no
app_repo_git_id The Git ID of the repository. string "" no
app_repo_git_provider By default 'hostedgit', else use 'githubconsolidated' or 'gitlab'. string "" no
app_repo_git_token_secret_crn The CRN for the app repository Git Token. string "" no
app_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
app_repo_initialization_type The initialization type for the repo. Can be new, fork, clone, link, new_if_not_exists, clone_if_not_exists, fork_if_not_exists. string "" no
app_repo_integration_owner The name of the integration owner. string "" no
app_repo_is_private_repo Set to true to make repository private. bool true no
app_repo_issues_enabled Set to true to enable issues. bool false no
app_repo_root_url (Optional) The Root URL of the server. e.g. https://git.example.com. string "" no
app_repo_secret_group Secret group prefix for the App repo secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager. string "" no
app_repo_title (Optional) The title of the server. e.g. My Git Enterprise Server. string "" no
app_repo_traceability_enabled Set to true to enable traceability. bool false no
app_repo_url The Git URL for the application repository. string "" no
artifactory_dashboard_url Type the URL that you want to navigate to when you click the Artifactory integration tile. string "" no
artifactory_integration_name The name of the Artifactory tool integration. string "artifactory-dockerconfigjson" no
artifactory_repo_name Type the name of your Artifactory repository where your docker images are located. string "wcp-compliance-automation-team-docker-local" no
artifactory_repo_url Type the URL for your Artifactory release repository. string "" no
artifactory_token_secret_crn The CRN for the Artifactory secret. string "" no
artifactory_token_secret_group Secret group prefix for the Artifactory token secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager. string "" no
artifactory_token_secret_name Name of the artifactory token secret in the secret provider. string "artifactory-token" no
artifactory_user Type the User ID or email for your Artifactory repository. string "" no
authorization_policy_creation Set to disabled if you do not want this policy auto created. string "" no
compliance_pipeline_existing_repo_url The URL of an existing compliance pipelines repository. string "" no
compliance_pipeline_group Specify Git user/group for the compliance pipeline repo. string "" no
compliance_pipeline_repo_auth_type Select the method of authentication that will be used to access the git provider. 'oauth' or 'pat'. string "" no
compliance_pipeline_repo_git_provider Choose the default git provider for the compliance pipeline repo. string "" no
compliance_pipeline_repo_git_token_secret_crn The CRN for the Compliance Pipeline repository Git Token. string "" no
compliance_pipeline_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
compliance_pipeline_repo_integration_owner The name of the integration owner. string "" no
compliance_pipeline_repo_issues_enabled Set to true to enable issues. bool false no
compliance_pipeline_repo_secret_group Secret group prefix for the Compliance Pipeline repo secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager. string "" no
compliance_pipeline_repo_url Url of pipeline repo template to be cloned string "" no
compliance_pipeline_source_repo_url The URL of a compliance pipelines repository to clone. string "" no
compliance_pipelines_repo_blind_connection Setting this value to true means the server is not addressable on the public internet. IBM Cloud will not be able to validate the connection details you provide. Certain functionality that requires API access to the git server will be disabled. Delivery pipeline will only work using a private worker that has network access to the git server. string "" no
compliance_pipelines_repo_git_id Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. string "" no
compliance_pipelines_repo_initialization_type The initialization type for the repo. Can be new, fork, clone, link, new_if_not_exists, clone_if_not_exists, fork_if_not_exists. string "" no
compliance_pipelines_repo_is_private_repo Set to true to make repository private. bool true no
compliance_pipelines_repo_name The repository name. string "" no
compliance_pipelines_repo_root_url (Optional) The Root URL of the server. e.g. https://git.example.com. string "" no
compliance_pipelines_repo_title (Optional) The title of the server. e.g. My Git Enterprise Server. string "" no
compliance_pipelines_repo_traceability_enabled Set to true to enable traceability. bool false no
concert_dashboard_url The dashboard URL for the Concert tool string "" no
concert_description The description of the Concert toolcard. string "IBM Concert combines traditional analytics and generative AI to deliver comprehensive insights into your operational health and identify critical risk across your application lifecycle" no
concert_documentation_url The documentation URL that appears on the tool card. string "https://www.ibm.com/docs/en/concert" no
concert_integration_name The name of the Concert integration. string "Concert" no
cos_api_key_secret_crn The CRN for the Cloud Object Storage apikey. string "" no
cos_api_key_secret_group Secret group prefix for the COS API key secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager. string "" no
cos_api_key_secret_name COS API key string "" no
cos_bucket_name COS bucket name. string "" no
cos_dashboard_url The dashboard URL for the COS toolcard. string "https://cloud.ibm.com/objectstorage" no
cos_description The COS description on the tool card. string "Cloud Object Storage to store evidences within DevSecOps Pipelines" no
cos_documentation_url The documentation URL that appears on the tool card. string "https://cloud.ibm.com/objectstorage" no
cos_endpoint COS endpoint name. string "" no
cos_hmac_access_key_id_secret_name The name of the secret in Secrets Manager for the HMAC Access Key ID. string "" no
cos_hmac_access_key_secret_crn The CRN for the HMAC Secret Access Key. The HMAC Secret Access Key which is part of an HMAC (Hash Message Authentication Code) credential set. HMAC is identified by a combination of an Access Key ID and a Secret Access Key. string "" no
cos_hmac_secret_access_id_crn The CRN for the HMAC Access Key ID. The HMAC Access Key ID which is part of an HMAC (Hash Message Authentication Code) credential set. HMAC is identified by a combination of an Access Key ID and a Secret Access Key. string "" no
cos_hmac_secret_access_key_secret_name The name of the secret in Secrets Manager for the HMAC Secret Access Key. string "" no
cos_instance_crn The CRN of the Cloud Object Storage instance. string "" no
cos_integration_name The name of the COS integration. string "Evidence Store" no
create_triggers Set to true to create the default triggers associated with the compliance repos and sample app. string "true" no
default_git_provider Choose the default git provider for app repo string "" no
default_locked_properties List of default locked properties list(string)
[
"app-concurrency",
"app-deployment-timeout",
"app-max-scale",
"app-min-scale",
"app-port",
"app-visibility",
"artifactory-dockerconfigjson",
"cluster",
"cluster-name",
"cluster-namespace",
"cluster-region",
"code-engine-binding-resource-group",
"code-engine-build-size",
"code-engine-build-strategy",
"code-engine-build-timeout",
"code-engine-build-use-native-docker",
"code-engine-deployment-type",
"code-engine-project",
"code-engine-region",
"code-engine-resource-group",
"code-engine-wait-timeout",
"compliance-baseimage",
"context-dir",
"cos-api-key",
"cos-bucket-name",
"cos-endpoint",
"cpu",
"cra-bom-generate",
"cra-deploy-analysis",
"cra-generate-cyclonedx-format",
"cra-vulnerability-scan",
"custom-image-tag",
"dev-cluster-namespace",
"dev-region",
"dev-resource-group",
"dockerfile",
"doi-environment",
"doi-ibmcloud-api-key",
"doi-toolchain-id",
"env-from-configmaps",
"env-from-secrets",
"ephemeral-storage",
"event-notifications",
"evidence-repo",
"git-token",
"gosec-private-repository-host",
"gosec-private-repository-ssh-key",
"ibmcloud-api",
"ibmcloud-api-key",
"image-name",
"incident-repo",
"inventory-repo",
"job-instances",
"job-maxexecutiontime",
"job-retrylimit",
"memory",
"opt-in-dynamic-api-scan",
"opt-in-dynamic-scan",
"opt-in-dynamic-ui-scan",
"opt-in-gosec",
"opt-in-sonar",
"peer-review-compliance",
"pipeline-config",
"pipeline-config-branch",
"pipeline-config-repo",
"pipeline-dockerconfigjson",
"print-code-signing-certificate",
"registry-domain",
"registry-namespace",
"registry-region",
"remove-unspecified-references-to-configuration-resources",
"service-bindings",
"signing-key",
"slack-notifications",
"sonarqube",
"sonarqube-config",
"source",
"version"
]
no
doi_toolchain_id DevOps Insights Toolchain ID to link to. string "" no
enable_artifactory Set to true to enable Artifactory for DevSecOps. bool false no
enable_concert Set to true to enable the Concert tool integration. bool false no
enable_cos Set to true to enable the new COS integration. bool false no
enable_insights Set to true to enable the DevOps Insights integration. bool true no
enable_key_protect Set to enable Key Protect Integration. bool false no
enable_pipeline_git_token Enable to add git-token to the pipeline properties. bool false no
enable_pipeline_notifications When enabled, pipeline run events will be sent to the Event Notifications and Slack integrations in the enclosing toolchain. bool false no
enable_privateworker Set to true to enable a private worker for the DevSecOps CC pipeline. bool false no
enable_secrets_manager Set to enable Secrets Manager Integration. bool true no
enable_slack Set to true to create the integration. bool false no
environment_tag Tag name that represents the target environment in the inventory. Example: prod_latest. string "prod_latest" no
event_notifications_crn The CRN for the Event Notifications instance. string "" no
event_notifications_tool_name The name of the Event Notifications integration. string "Event Notifications" no
evidence_group Specify Git user/group for evidence repo. string "" no
evidence_repo_auth_type Select the method of authentication that will be used to access the git provider. 'oauth' or 'pat'. string "" no
evidence_repo_blind_connection Setting this value to true means the server is not addressable on the public internet. IBM Cloud will not be able to validate the connection details you provide. Certain functionality that requires API access to the git server will be disabled. Delivery pipeline will only work using a private worker that has network access to the git server. string "" no
evidence_repo_git_id Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. string "" no
evidence_repo_git_provider Git provider for evidence repo string "" no
evidence_repo_git_token_secret_crn The CRN for the Evidence repository Git Token. string "" no
evidence_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
evidence_repo_initialization_type The initialization type for the repo. Can be new, fork, clone, link, new_if_not_exists, clone_if_not_exists, fork_if_not_exists. string "" no
evidence_repo_integration_owner The name of the integration owner. string "" no
evidence_repo_is_private_repo Set to true to make repository private. bool true no
evidence_repo_issues_enabled Set to true to enable issues. bool false no
evidence_repo_name The repository name. string "" no
evidence_repo_root_url (Optional) The Root URL of the server. e.g. https://git.example.com. string "" no
evidence_repo_secret_group Secret group prefix for the Evidence repo secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager. string "" no
evidence_repo_title (Optional) The title of the server. e.g. My Git Enterprise Server. string "" no
evidence_repo_traceability_enabled Set to true to enable traceability. bool false no
evidence_repo_url This is a template repository to clone compliance-evidence-locker for reference DevSecOps toolchain templates. string "" no
ibmcloud_api_key API key used to create the toolchain. string n/a yes
inventory_group Specify Git user/group for inventory repo. string "" no
inventory_repo_auth_type Select the method of authentication that will be used to access the git provider. 'oauth' or 'pat'. string "" no
inventory_repo_blind_connection Setting this value to true means the server is not addressable on the public internet. IBM Cloud will not be able to validate the connection details you provide. Certain functionality that requires API access to the git server will be disabled. Delivery pipeline will only work using a private worker that has network access to the git server. string "" no
inventory_repo_git_id Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. string "" no
inventory_repo_git_provider Git provider for inventory repo string "" no
inventory_repo_git_token_secret_crn The CRN for the Inventory repository Git Token. string "" no
inventory_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
inventory_repo_initialization_type The initialization type for the repo. Can be new, fork, clone, link, new_if_not_exists, clone_if_not_exists, fork_if_not_exists. string "" no
inventory_repo_integration_owner The name of the integration owner. string "" no
inventory_repo_is_private_repo Set to true to make repository private. bool true no
inventory_repo_issues_enabled Set to true to enable issues. bool false no
inventory_repo_name The repository name. string "" no
inventory_repo_root_url (Optional) The Root URL of the server. e.g. https://git.example.com. string "" no
inventory_repo_secret_group Secret group prefix for the Inventory repo secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager. string "" no
inventory_repo_title (Optional) The title of the server. e.g. My Git Enterprise Server. string "" no
inventory_repo_traceability_enabled Set to true to enable traceability. bool false no
inventory_repo_url This is a template repository to clone compliance-inventory for reference DevSecOps toolchain templates. string "" no
issues_group Specify Git user/group for issues repo. string "" no
issues_repo_auth_type Select the method of authentication that will be used to access the git provider. 'oauth' or 'pat'. string "" no
issues_repo_blind_connection Setting this value to true means the server is not addressable on the public internet. IBM Cloud will not be able to validate the connection details you provide. Certain functionality that requires API access to the git server will be disabled. Delivery pipeline will only work using a private worker that has network access to the git server. string "" no
issues_repo_git_id Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. string "" no
issues_repo_git_provider Git provider for the issues repo. string "" no
issues_repo_git_token_secret_crn The CRN for the Issues repository Git Token. string "" no
issues_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
issues_repo_initialization_type The initialization type for the repo. Can be new, fork, clone, link, new_if_not_exists, clone_if_not_exists, fork_if_not_exists. string "" no
issues_repo_integration_owner The name of the integration owner. string "" no
issues_repo_is_private_repo Set to true to make repository private. bool true no
issues_repo_issues_enabled Set to true to enable issues. bool true no
issues_repo_name The repository name. string "" no
issues_repo_root_url (Optional) The Root URL of the server. e.g. https://git.example.com. string "" no
issues_repo_secret_group Secret group prefix for the Issues repo secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager. string "" no
issues_repo_title (Optional) The title of the server. e.g. My Git Enterprise Server. string "" no
issues_repo_traceability_enabled Set to true to enable traceability. bool false no
issues_repo_url This is a template repository to clone compliance-issues for reference DevSecOps toolchain templates. string "" no
kp_integration_name The name of the Key Protect integration. string "kp-compliance-secrets" no
kp_location IBM Cloud location/region containing the Key Protect instance. string "us-south" no
kp_name Name of the Key Protect instance where the secrets are stored. string "kp-compliance-secrets" no
kp_resource_group The resource group containing the Key Protect instance for your secrets. string "Default" no
link_to_doi_toolchain Enable a link to a DevOps Insights instance in another toolchain, true or false. bool false no
pipeline_branch The branch within pipeline definitions repository for Compliance CC Toolchain. string "open-v10" no
pipeline_config_group Specify Git user/group for pipeline config repo. string "" no
pipeline_config_repo_auth_type Select the method of authentication that will be used to access the git provider. 'oauth' or 'pat'. string "" no
pipeline_config_repo_blind_connection Setting this value to true means the server is not addressable on the public internet. IBM Cloud will not be able to validate the connection details you provide. Certain functionality that requires API access to the git server will be disabled. Delivery pipeline will only work using a private worker that has network access to the git server. string "" no
pipeline_config_repo_branch Specify a branch of a repository to clone that contains a custom pipeline-config.yaml file. string "" no
pipeline_config_repo_clone_from_url Specify a repository to clone that contains a custom pipeline-config.yaml file. string "" no
pipeline_config_repo_existing_url Specify a repository containing a custom pipeline-config.yaml file. string "" no
pipeline_config_repo_git_id Set this value to github for github.com, or to the GUID of a custom GitHub Enterprise server. string "" no
pipeline_config_repo_git_provider Git provider for the pipeline config repo. string "" no
pipeline_config_repo_git_token_secret_crn The CRN for the Pipeline Config repository Git Token. string "" no
pipeline_config_repo_git_token_secret_name Name of the Git token secret in the secret provider. string "" no
pipeline_config_repo_initialization_type The initialization type for the repo. Can be new, fork, clone, link, new_if_not_exists, clone_if_not_exists, fork_if_not_exists. string "" no
pipeline_config_repo_integration_owner The name of the integration owner. string "" no
pipeline_config_repo_is_private_repo Set to true to make repository private. bool true no
pipeline_config_repo_issues_enabled Set to true to enable issues. bool false no
pipeline_config_repo_name The repository name. string "" no
pipeline_config_repo_root_url (Optional) The Root URL of the server. e.g. https://git.example.com. string "" no
pipeline_config_repo_secret_group Secret group prefix for the Pipeline Config repo secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager. string "" no
pipeline_config_repo_title (Optional) The title of the server. e.g. My Git Enterprise Server. string "" no
pipeline_config_repo_traceability_enabled Set to true to enable traceability. bool false no
pipeline_doi_api_key_secret_crn The CRN for the pipeline DOI apikey. string "" no
pipeline_doi_api_key_secret_group Secret group prefix for the pipeline DOI api key. Defaults to sm_secret_group if not set. Only used with Secrets Manager. string "" no
pipeline_doi_api_key_secret_name Name of the Cloud API key secret in the secret provider used to access the toolchain containing the DevOps Insights instance. string "" no
pipeline_git_tag The Git tag within the CC pipeline definitions repository for the Compliance CC Toolchain. string "" no
pipeline_ibmcloud_api_key_secret_crn The CRN for the IBMCloud apikey. string "" no
pipeline_ibmcloud_api_key_secret_group Secret group prefix for the pipeline ibmcloud API key secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager. string "" no
pipeline_ibmcloud_api_key_secret_name Name of the Cloud API key secret in the secret provider. string "ibmcloud-api-key" no
pipeline_properties Stringified JSON containing the properties. This takes precedence over the properties JSON. string "" no
pipeline_properties_filepath The path to the file containing the property JSON. If this is not set, it will by default read the properties.json file at the root of the module. string "" no
privateworker_credentials_secret_crn The CRN for the Private Worker secret. string "" no
privateworker_credentials_secret_group Secret group prefix for the Private Worker secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager. string "" no
privateworker_credentials_secret_name Name of the privateworker secret in the secret provider. string "private-worker-service-api" no
privateworker_name The name of the private worker integration. string "private-worker-tool-01" no
repo_auth_type The auth type for the repo: 'oauth' or 'pat' (personal access token). Applies to all the default compliance repositories but can be overridden by the repository-specific variable. string "" no
repo_blind_connection Setting this value to true means the server is not addressable on the public internet. IBM Cloud will not be able to validate the connection details you provide. Certain functionality that requires API access to the git server will be disabled. Delivery pipeline will only work using a private worker that has network access to the git server. string "" no
repo_git_id The Git ID for the compliance repositories. string "" no
repo_git_provider The Git provider type. string "" no
repo_git_token_crn The CRN of the Git token secret in the secret provider. Specifying a CRN for the Git Token automatically sets the authentication type to pat. string "" no
repo_git_token_secret_name Name of the Git token secret in the secret provider. Specifying a secret name for the Git Token automatically sets the authentication type to pat. string "" no
repo_group Specify the Git user or group for your application. This must be set if the repository authentication type is pat (personal access token). string "" no
repo_integration_owner The integration owner of the repository. Applies to all the default compliance repositories but can be overridden by the repository-specific variable. string "" no
repo_root_url (Optional) The Root URL of the server. e.g. https://git.example.com. string "" no
repo_title (Optional) The title of the server. e.g. My Git Enterprise Server. string "" no
repositories_prefix Prefix name for the cloned compliance repos. string "compliance" no
repository_properties Stringified JSON containing the repositories and triggers. This takes precedence over the repositories JSON. string "" no
repository_properties_filepath The path to the file containing the repository and triggers JSON. If this is not set, it will by default read the repositories.json file at the root of the module. string "" no
scc_attachment_id An attachment ID. An attachment is configured under a profile to define how a scan will be run. To find the attachment ID, in the browser, in the attachments list, click on the attachment link, and a panel appears with a button to copy the attachment ID. This parameter is only relevant when the scc_use_profile_attachment parameter is enabled. string "" no
scc_enable_scc Enable the SCC integration. bool true no
scc_evidence_locker_type Allowable values are evidence-repo and evidence-bucket. If left unset, the SCC tool will behave as if evidence-repo has been set and will use the evidence repository configured in the toolchain. If the COS tool has been enabled, then the bucket name in cos_bucket_name will be provided to the SCC tool and evidence-bucket will be set. To override this behavior, explicitly set scc_evidence_locker_type. string "" no
scc_instance_crn The Security and Compliance Center service instance CRN (Cloud Resource Name). This parameter is only relevant when the scc_use_profile_attachment parameter is enabled. The value must match the regular expression. string "" no
scc_integration_name The name of the SCC integration. string "Security and Compliance" no
scc_profile_name The name of a Security and Compliance Center profile. Use the IBM Cloud Framework for Financial Services profile, which contains the DevSecOps Toolchain rules. Or use a user-authored customized profile that has been configured to contain those rules. This parameter is only relevant when the scc_use_profile_attachment parameter is enabled. string "" no
scc_profile_version The version of a Security and Compliance Center profile, in SemVer format, like 0.0.0. This parameter is only relevant when the scc_use_profile_attachment parameter is enabled. string "" no
scc_scc_api_key_secret_crn The CRN for SCC apikey. string "" no
scc_scc_api_key_secret_group Secret group prefix for the Security and Compliance tool secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager. string "" no
scc_scc_api_key_secret_name The Security and Compliance Center api-key secret in the secret provider. string "scc-api-key" no
scc_use_profile_attachment Set to enabled to use a profile with an attachment, so that the scripts in the pipeline can interact with the Security and Compliance Center service. When enabled, the following parameters become relevant: scc_scc_api_key_secret_name, scc_instance_crn, scc_profile_name, scc_profile_version, scc_attachment_id. string "disabled" no
slack_channel_name The Slack channel that notifications will be posted to. string "my-channel" no
slack_integration_name The name of the Slack integration. string "slack-compliance" no
slack_pipeline_fail Generate pipeline failed notifications. bool true no
slack_pipeline_start Generate pipeline start notifications. bool true no
slack_pipeline_success Generate pipeline succeeded notifications. bool true no
slack_team_name The Slack team name, which is the word or phrase before .slack.com in the team URL. string "my-team" no
slack_toolchain_bind Generate tool added to toolchain notifications. bool true no
slack_toolchain_unbind Generate tool removed from toolchain notifications. bool true no
slack_webhook_secret_crn The CRN for Slack Webhook secret. string "" no
slack_webhook_secret_group Secret group prefix for the Slack webhook secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager. string "" no
slack_webhook_secret_name Name of the webhook secret in the secret provider. string "slack-webhook" no
sm_instance_crn The CRN of the Secrets Manager instance. string "" no
sm_integration_name The name of the Secrets Manager integration. string "sm-compliance-secrets" no
sm_location IBM Cloud location/region containing the Secrets Manager instance. Not required if using a Secrets Manager CRN instance. string "us-south" no
sm_name Name of the Secrets Manager instance where the secrets are stored. Not required if using a Secrets Manager CRN instance. string "sm-compliance-secrets" no
sm_resource_group The resource group containing the Secrets Manager instance for your secrets. Not required if using a Secrets Manager CRN instance. string "Default" no
sm_secret_group Group in Secrets Manager for organizing/grouping secrets. string "Default" no
sonarqube_integration_name The name of the SonarQube integration. string "SonarQube" no
sonarqube_is_blind_connection When set to true, instructs IBM Cloud Continuous Delivery to not validate the configuration of this integration. Set this to true if the SonarQube server is not addressable on the public internet. string true no
sonarqube_secret_crn The CRN for the SonarQube secret. string "" no
sonarqube_secret_group Secret group prefix for the SonarQube secret. Defaults to sm_secret_group if not set. Only used with Secrets Manager. string "" no
sonarqube_secret_name The name of the SonarQube secret. string "sonarqube-secret" no
sonarqube_server_url The URL to the SonarQube server. string "" no
sonarqube_user The name of the SonarQube user. string "" no
toolchain_description Description for the CC Toolchain. string "Toolchain created with terraform template for DevSecOps CC Best Practices" no
toolchain_name Name of the CC Toolchain. string "DevSecOps CC Toolchain - Terraform" no
toolchain_region IBM Cloud region where the toolchain is created string "us-south" no
toolchain_resource_group Resource group within which the toolchain is created string "Default" no
toolchain_resource_region_override IBM Cloud region for the created resources. If not set resources will be created in the region set in toolchain_region. string "Default" no
trigger_manual_enable Set to true to enable the CC pipeline Manual trigger. bool true no
trigger_manual_name The name of the CC pipeline Manual trigger. string "CC Manual Trigger" no
trigger_timed_cron_schedule Only needed for timer triggers. Cron expression that indicates when this trigger will activate. Maximum frequency is every 5 minutes. The string is based on UNIX crontab syntax: minute, hour, day of month, month, day of week. Example: 0 */2 * * * - every 2 hours. string "0 4 * * *" no
trigger_timed_enable Set to true to enable the CC pipeline Timed trigger. bool false no
trigger_timed_name The name of the CC pipeline Timed trigger. string "CC Timed Trigger" no
use_legacy_cos_tool The custom tool integration is being replaced with the new COS tool integration. To continue using the legacy tool, set the value to true. See enable_cos. bool false no
use_legacy_ref Set to true to use the legacy secret reference format for Secrets Manager secrets. bool false no
worker_id The identifier for the Managed Pipeline worker. string "public" no
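The blind-connection inputs above describe a failure mode worth spelling out: once a repo is marked as not addressable from the public internet, IBM Cloud skips validating the integration and the Delivery Pipeline can only run on a private worker that sits inside the network. The following added example (not code from the module's repository) configures the module for a GitHub Enterprise server on a private network, pairing the blind connection with a private worker so the pipeline can actually clone. The module ref, server GUID, root URL, organization and repository URLs are placeholders; the Secrets Manager CRN and the creating API key are passed in as variables.

```hcl
variable "ibmcloud_api_key" {
  type      = string
  sensitive = true # pass via TF_VAR_ibmcloud_api_key, never in a committed tfvars file
}

variable "sm_instance_crn" {
  type        = string
  description = "CRN of the Secrets Manager instance holding the PAT and worker credentials"
}

module "devsecops_cc_onprem" {
  # Assumption: pin to a release tag of the module; <tag> is a placeholder.
  source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-cc-toolchain.git?ref=<tag>"

  ibmcloud_api_key = var.ibmcloud_api_key
  toolchain_name   = "payments-cc-toolchain-onprem" # placeholder

  # Secrets stay in Secrets Manager; the Git PAT is read by name from the secret group.
  enable_secrets_manager     = true
  sm_instance_crn            = var.sm_instance_crn
  sm_secret_group            = "devsecops"
  repo_git_token_secret_name = "ghe-token"     # selects 'pat' auth for all compliance repos
  repo_group                 = "platform"      # Git org/user, mandatory with pat (placeholder)

  # Compliance repos live on a GitHub Enterprise server reachable only on the private
  # network. repo_git_id is the GUID registered for that server (placeholder); root URL
  # and title label the integration in the UI.
  repo_git_provider     = "githubconsolidated"
  repo_git_id           = "<ghe-server-guid>"
  repo_root_url         = "https://ghe.corp.example"
  repo_title            = "Corp GHE"
  # String input, not bool: IBM Cloud will not validate the connection and disables
  # features that need API access to the server.
  repo_blind_connection = "true"

  # A blind connection only works with a private worker that can reach the server;
  # without it every pipeline run fails at clone time. The worker's service API key
  # is itself a Secrets Manager secret.
  enable_privateworker                  = true
  privateworker_credentials_secret_name = "private-worker-service-api"
  privateworker_name                    = "onprem-worker-01"

  # The app repo has its own inputs that override the repo_* defaults, so the same
  # posture has to be restated for it.
  app_repo_url              = "https://ghe.corp.example/platform/payments-api" # placeholder
  app_repo_git_provider     = "githubconsolidated"
  app_repo_git_id           = "<ghe-server-guid>"
  app_repo_root_url         = "https://ghe.corp.example"
  app_repo_blind_connection = "true"
  app_repo_branch           = "main"
}

output "onprem_cc_pipeline_id" {
  value = module.devsecops_cc_onprem.cc_pipeline_id
}
```

After apply, the first manual run of the CC pipeline is the real connectivity check: since the integration was never validated by IBM Cloud, a clone failure in that run is the only signal that the private worker's network path to the Git server is wrong.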

Outputs

Name Description
app_repo The Application repo.
app_repo_git_id The app repo Git ID.
app_repo_git_provider The app repo provider 'hostedgit', 'githubconsolidated' etc.
app_repo_url The app repository instance URL containing an application that can be built and deployed with the reference DevSecOps toolchain templates.
cc_pipeline_id The CC pipeline ID.
evidence_repo The Evidence repo.
evidence_repo_enabled Set to true to enable the evidence repository tool integration.
evidence_repo_git_id The evidence repository Git ID
evidence_repo_git_provider The evidence repository provider type. Can be 'hostedgit', 'githubconsolidated' etc.
evidence_repo_url The evidence repository instance URL, where evidence of the builds and scans are stored, ready for any compliance audit.
inventory_repo The Inventory repo.
inventory_repo_git_id The inventory repository Git ID
inventory_repo_git_provider The inventory repository provider type. Can be 'hostedgit', 'githubconsolidated' etc.
inventory_repo_url The inventory repository instance URL, with details of which artifact has been built and will be deployed.
issues_repo The Issues repo.
issues_repo_git_id The issues repository Git ID
issues_repo_git_provider The issues repository provider type. Can be 'hostedgit', 'githubconsolidated' etc.
issues_repo_url The incident issues repository instance URL, where issues are created when vulnerabilities and CVEs are detected.
key_protect_instance_id The Key Protect instance ID.
pipeline_config_repo_git_id The compliance pipeline repository Git ID
pipeline_config_repo_git_provider The compliance pipeline repository provider type. Can be 'hostedgit', 'githubconsolidated' etc.
pipeline_config_repo_url This repository URL contains the tekton definitions for compliance pipelines.
pipeline_repo_git_id The compliance pipeline repository Git ID
pipeline_repo_url This repository URL contains the tekton definitions for compliance pipelines.
secrets_manager_instance_id The Secrets Manager instance ID.
toolchain_id The CC toolchain ID.
toolchain_url The CC toolchain URL.

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.

About

Toolchain created with Terraform template for DevSecOps CC Best Practices
