kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add vulnerability scanning to artifact registry module (#3040)

Browse Source 
* Add vulnerability scanning to artifact registry module

* make variable nullable = false

* tfdoc

---------

Co-authored-by: Luca Prete <lucaprete@google.com>
This commit is contained in:
Luca Prete
2025-04-14 18:33:35 +02:00
committed by GitHub
parent ff7e7d299c
commit ea807a36a5
3 changed files with 28 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
modules/artifact-registry/README.md
View File

@@ -300,18 +300,19 @@ module "additive_iam" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [cleanup_policies](variables.tf#L17) | Object containing details about the cleanup policies for an Artifact Registry repository. | <code title="map&#40;object&#40;&#123;&#10; action &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; tag_state &#61; optional&#40;string&#41;&#10; tag_prefixes &#61; optional&#40;list&#40;string&#41;&#41;&#10; older_than &#61; optional&#40;string&#41;&#10; newer_than &#61; optional&#40;string&#41;&#10; package_name_prefixes &#61; optional&#40;list&#40;string&#41;&#41;&#10; version_name_prefixes &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; most_recent_versions &#61; optional&#40;object&#40;&#123;&#10; package_name_prefixes &#61; optional&#40;list&#40;string&#41;&#41;&#10; keep_count &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;&#41;&#10;&#10;&#10;default &#61; null">map&#40;object&#40;&#123;&#8230;default &#61; null</code> | ✓ | |
| [format](variables.tf#L56) | Repository format. | <code title="object&#40;&#123;&#10; apt &#61; optional&#40;object&#40;&#123;&#10; remote &#61; optional&#40;object&#40;&#123;&#10; public_repository &#61; string &#35; &#34;BASE path&#34;&#10;&#10;&#10; disable_upstream_validation &#61; optional&#40;bool&#41;&#10; upstream_credentials &#61; optional&#40;object&#40;&#123;&#10; username &#61; string&#10; password_secret_version &#61; string&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; standard &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10; docker &#61; optional&#40;object&#40;&#123;&#10; remote &#61; optional&#40;object&#40;&#123;&#10; public_repository &#61; optional&#40;string&#41;&#10; common_repository &#61; optional&#40;string&#41;&#10; custom_repository &#61; optional&#40;string&#41;&#10;&#10;&#10; disable_upstream_validation &#61; optional&#40;bool&#41;&#10; upstream_credentials &#61; optional&#40;object&#40;&#123;&#10; username &#61; string&#10; password_secret_version &#61; string&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; standard &#61; optional&#40;object&#40;&#123;&#10; immutable_tags &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10; virtual &#61; optional&#40;map&#40;object&#40;&#123;&#10; repository &#61; string&#10; priority &#61; number&#10; &#125;&#41;&#41;&#41;&#10; &#125;&#41;&#41;&#10; kfp &#61; optional&#40;object&#40;&#123;&#10; standard &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10; generic &#61; optional&#40;object&#40;&#123;&#10; standard &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10; go &#61; optional&#40;object&#40;&#123;&#10; standard &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10; googet &#61; optional&#40;object&#40;&#123;&#10; standard &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10; maven &#61; optional&#40;object&#40;&#123;&#10; remote &#61; optional&#40;object&#40;&#123;&#10; public_repository &#61; optional&#40;string&#41;&#10; custom_repository &#61; optional&#40;string&#41;&#10;&#10;&#10; disable_upstream_validation &#61; optional&#40;bool&#41;&#10; upstream_credentials &#61; optional&#40;object&#40;&#123;&#10; username &#61; string&#10; password_secret_version &#61; string&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; standard &#61; optional&#40;object&#40;&#123;&#10; allow_snapshot_overwrites &#61; optional&#40;bool&#41;&#10; version_policy &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; virtual &#61; optional&#40;map&#40;object&#40;&#123;&#10; repository &#61; string&#10; priority &#61; number&#10; &#125;&#41;&#41;&#41;&#10; &#125;&#41;&#41;&#10; npm &#61; optional&#40;object&#40;&#123;&#10; remote &#61; optional&#40;object&#40;&#123;&#10; public_repository &#61; optional&#40;string&#41;&#10; custom_repository &#61; optional&#40;string&#41;&#10;&#10;&#10; disable_upstream_validation &#61; optional&#40;bool&#41;&#10; upstream_credentials &#61; optional&#40;object&#40;&#123;&#10; username &#61; string&#10; password_secret_version &#61; string&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; standard &#61; optional&#40;bool&#41;&#10; virtual &#61; optional&#40;map&#40;object&#40;&#123;&#10; repository &#61; string&#10; priority &#61; number&#10; &#125;&#41;&#41;&#41;&#10; &#125;&#41;&#41;&#10; python &#61; optional&#40;object&#40;&#123;&#10; remote &#61; optional&#40;object&#40;&#123;&#10; public_repository &#61; optional&#40;string&#41;&#10; custom_repository &#61; optional&#40;string&#41;&#10;&#10;&#10; disable_upstream_validation &#61; optional&#40;bool&#41;&#10; upstream_credentials &#61; optional&#40;object&#40;&#123;&#10; username &#61; string&#10; password_secret_version &#61; string&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; standard &#61; optional&#40;bool&#41;&#10; virtual &#61; optional&#40;map&#40;object&#40;&#123;&#10; repository &#61; string&#10; priority &#61; number&#10; &#125;&#41;&#41;&#41;&#10; &#125;&#41;&#41;&#10; yum &#61; optional&#40;object&#40;&#123;&#10; remote &#61; optional&#40;object&#40;&#123;&#10; public_repository &#61; string &#35; &#34;BASE path&#34;&#10;&#10;&#10; disable_upstream_validation &#61; optional&#40;bool&#41;&#10; upstream_credentials &#61; optional&#40;object&#40;&#123;&#10; username &#61; string&#10; password_secret_version &#61; string&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; standard &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [location](variables.tf#L206) | Registry location. Use `gcloud beta artifacts locations list' to get valid values. | <code>string</code> | ✓ | |
| [name](variables.tf#L211) | Registry name. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L216) | Registry project id. | <code>string</code> | ✓ | |
| [format](variables.tf#L63) | Repository format. | <code title="object&#40;&#123;&#10; apt &#61; optional&#40;object&#40;&#123;&#10; remote &#61; optional&#40;object&#40;&#123;&#10; public_repository &#61; string &#35; &#34;BASE path&#34;&#10;&#10;&#10; disable_upstream_validation &#61; optional&#40;bool&#41;&#10; upstream_credentials &#61; optional&#40;object&#40;&#123;&#10; username &#61; string&#10; password_secret_version &#61; string&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; standard &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10; docker &#61; optional&#40;object&#40;&#123;&#10; remote &#61; optional&#40;object&#40;&#123;&#10; public_repository &#61; optional&#40;string&#41;&#10; common_repository &#61; optional&#40;string&#41;&#10; custom_repository &#61; optional&#40;string&#41;&#10;&#10;&#10; disable_upstream_validation &#61; optional&#40;bool&#41;&#10; upstream_credentials &#61; optional&#40;object&#40;&#123;&#10; username &#61; string&#10; password_secret_version &#61; string&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; standard &#61; optional&#40;object&#40;&#123;&#10; immutable_tags &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10; virtual &#61; optional&#40;map&#40;object&#40;&#123;&#10; repository &#61; string&#10; priority &#61; number&#10; &#125;&#41;&#41;&#41;&#10; &#125;&#41;&#41;&#10; kfp &#61; optional&#40;object&#40;&#123;&#10; standard &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10; generic &#61; optional&#40;object&#40;&#123;&#10; standard &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10; go &#61; optional&#40;object&#40;&#123;&#10; standard &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10; googet &#61; optional&#40;object&#40;&#123;&#10; standard &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10; maven &#61; optional&#40;object&#40;&#123;&#10; remote &#61; optional&#40;object&#40;&#123;&#10; public_repository &#61; optional&#40;string&#41;&#10; custom_repository &#61; optional&#40;string&#41;&#10;&#10;&#10; disable_upstream_validation &#61; optional&#40;bool&#41;&#10; upstream_credentials &#61; optional&#40;object&#40;&#123;&#10; username &#61; string&#10; password_secret_version &#61; string&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; standard &#61; optional&#40;object&#40;&#123;&#10; allow_snapshot_overwrites &#61; optional&#40;bool&#41;&#10; version_policy &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; virtual &#61; optional&#40;map&#40;object&#40;&#123;&#10; repository &#61; string&#10; priority &#61; number&#10; &#125;&#41;&#41;&#41;&#10; &#125;&#41;&#41;&#10; npm &#61; optional&#40;object&#40;&#123;&#10; remote &#61; optional&#40;object&#40;&#123;&#10; public_repository &#61; optional&#40;string&#41;&#10; custom_repository &#61; optional&#40;string&#41;&#10;&#10;&#10; disable_upstream_validation &#61; optional&#40;bool&#41;&#10; upstream_credentials &#61; optional&#40;object&#40;&#123;&#10; username &#61; string&#10; password_secret_version &#61; string&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; standard &#61; optional&#40;bool&#41;&#10; virtual &#61; optional&#40;map&#40;object&#40;&#123;&#10; repository &#61; string&#10; priority &#61; number&#10; &#125;&#41;&#41;&#41;&#10; &#125;&#41;&#41;&#10; python &#61; optional&#40;object&#40;&#123;&#10; remote &#61; optional&#40;object&#40;&#123;&#10; public_repository &#61; optional&#40;string&#41;&#10; custom_repository &#61; optional&#40;string&#41;&#10;&#10;&#10; disable_upstream_validation &#61; optional&#40;bool&#41;&#10; upstream_credentials &#61; optional&#40;object&#40;&#123;&#10; username &#61; string&#10; password_secret_version &#61; string&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; standard &#61; optional&#40;bool&#41;&#10; virtual &#61; optional&#40;map&#40;object&#40;&#123;&#10; repository &#61; string&#10; priority &#61; number&#10; &#125;&#41;&#41;&#41;&#10; &#125;&#41;&#41;&#10; yum &#61; optional&#40;object&#40;&#123;&#10; remote &#61; optional&#40;object&#40;&#123;&#10; public_repository &#61; string &#35; &#34;BASE path&#34;&#10;&#10;&#10; disable_upstream_validation &#61; optional&#40;bool&#41;&#10; upstream_credentials &#61; optional&#40;object&#40;&#123;&#10; username &#61; string&#10; password_secret_version &#61; string&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; standard &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [location](variables.tf#L213) | Registry location. Use `gcloud beta artifacts locations list' to get valid values. | <code>string</code> | ✓ | |
| [name](variables.tf#L218) | Registry name. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L223) | Registry project id. | <code>string</code> | ✓ | |
| [cleanup_policy_dry_run](variables.tf#L38) | If true, the cleanup pipeline is prevented from deleting versions in this repository. | <code>bool</code> | | <code>null</code> |
| [description](variables.tf#L44) | An optional description for the repository. | <code>string</code> | | <code>&#34;Terraform-managed registry&#34;</code> |
| [encryption_key](variables.tf#L50) | The KMS key name to use for encryption at rest. | <code>string</code> | | <code>null</code> |
| [enable_vulnerability_scanning](variables.tf#L50) | Whether vulnerability scanning should be enabled in the repository. | <code>bool</code> | | <code>true</code> |
| [encryption_key](variables.tf#L57) | The KMS key name to use for encryption at rest. | <code>string</code> | | <code>null</code> |
| [iam](variables-iam.tf#L36) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [iam_bindings](variables-iam.tf#L43) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10; members &#61; list&#40;string&#41;&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [iam_bindings_additive](variables-iam.tf#L58) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10; member &#61; string&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [iam_by_principals](variables-iam.tf#L73) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [labels](variables.tf#L200) | Labels to be attached to the registry. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
| [labels](variables.tf#L207) | Labels to be attached to the registry. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
## Outputs

24
modules/artifact-registry/main.tf
View File

@@ -21,17 +21,21 @@ locals {
}
resource "google_artifact_registry_repository" "registry" {
provider = google-beta
project = var.project_id
location = var.location
description = var.description
format = upper(local.format_string)
labels = var.labels
repository_id = var.name
mode = "${upper(local.mode_string)}_REPOSITORY"
kms_key_name = var.encryption_key
provider = google-beta
project = var.project_id
location = var.location
description = var.description
format = upper(local.format_string)
labels = var.labels
repository_id = var.name
mode = "${upper(local.mode_string)}_REPOSITORY"
kms_key_name = var.encryption_key
cleanup_policy_dry_run = var.cleanup_policy_dry_run
vulnerability_scanning_config {
enablement_config = var.enable_vulnerability_scanning ? "INHERITED" : "DISABLED"
}
dynamic "cleanup_policies" {
for_each = var.cleanup_policies == null ? {} : var.cleanup_policies
content {

7
modules/artifact-registry/variables.tf
View File

@@ -47,6 +47,13 @@ variable "description" {
default = "Terraform-managed registry"
}
variable "enable_vulnerability_scanning" {
description = "Whether vulnerability scanning should be enabled in the repository."
type = bool
default = true
nullable = false
}
variable "encryption_key" {
description = "The KMS key name to use for encryption at rest."
type = string