Skip to content

Latest commit

 

History

History
310 lines (276 loc) · 15.2 KB

README.md

File metadata and controls

310 lines (276 loc) · 15.2 KB

Google Cloud Artifact Registry Module

This module simplifies the creation of repositories using Google Cloud Artifact Registry.

Simple Docker Repository

module "docker_artifact_registry" {
  source     = "./fabric/modules/artifact-registry"
  project_id = "myproject"
  location   = "europe-west1"
  name       = "myregistry"
  format     = { docker = { standard = {} } }
  iam = {
    "roles/artifactregistry.admin" = ["group:cicd@example.com"]
  }
}
# tftest modules=1 resources=2

Remote and Virtual Repositories

module "registry-local" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = "europe-west1"
  name       = "local"
  format = {
    python = {
      standard = true
    }
  }
}

module "registry-remote" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = "europe-west1"
  name       = "remote"
  format = {
    python = {
      remote = {
        public_repository = "PYPI"
      }
    }
  }
}

module "registry-virtual" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = "europe-west1"
  name       = "virtual"
  format = {
    python = {
      virtual = {
        remote = {
          repository = module.registry-remote.id
          priority   = 1
        }
        local = {
          repository = module.registry-local.id
          priority   = 10
        }
      }
    }
  }
}

# tftest modules=3 resources=3 inventory=remote-virtual.yaml

Additional Docker and Maven Options

module "registry-docker" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = "europe-west1"
  name       = "docker"
  format = {
    docker = {
      standard = {
        immutable_tags = true
      }
    }
  }
}

module "registry-maven" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = "europe-west1"
  name       = "maven"
  format = {
    maven = {
      standard = {
        allow_snapshot_overwrites = true
        version_policy            = "RELEASE"
      }
    }
  }
}

# tftest modules=2 resources=2

Other Formats

module "apt-registry" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = var.region
  name       = "apt-registry"
  format     = { apt = { standard = true } }
}

module "generic-registry" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = var.region
  name       = "generic-registry"
  format     = { generic = { standard = true } }
}

module "go-registry" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = var.region
  name       = "go-registry"
  format     = { go = { standard = true } }
}

module "googet-registry" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = var.region
  name       = "googet-registry"
  format     = { googet = { standard = true } }
}

module "kfp-registry" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = var.region
  name       = "kfp-registry"
  format     = { kfp = { standard = true } }
}

module "npm-registry" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = var.region
  name       = "npm-registry"
  format     = { npm = { standard = true } }
}

module "yum-registry" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = var.region
  name       = "yum-registry"
  format     = { yum = { standard = true } }
}

# tftest modules=7 resources=7 inventory=other-formats.yaml

Cleanup Policies

module "registry-docker" {
  source                 = "./fabric/modules/artifact-registry"
  project_id             = var.project_id
  location               = "europe-west1"
  name                   = "docker-cleanup-policies"
  format                 = { docker = { standard = {} } }
  cleanup_policy_dry_run = false
  cleanup_policies = {
    keep-5-versions = {
      action = "KEEP"
      most_recent_versions = {
        package_name_prefixes = ["test"]
        keep_count            = 5
      }
    }
    keep-tagged-release = {
      action = "KEEP"
      condition = {
        tag_state             = "TAGGED"
        tag_prefixes          = ["release"]
        package_name_prefixes = ["webapp", "mobile"]
      }
    }
  }
}
# tftest modules=1 resources=1 inventory=cleanup-policies.yaml

IAM

This module implements the same IAM interface than the other modules. You can choose one (and only one) of the three options below:

# Authoritative IAM bindings
module "authoritative_iam" {
  source     = "./fabric/modules/artifact-registry"
  project_id = "myproject"
  location   = "europe-west1"
  name       = "myregistry"
  format     = { docker = { standard = {} } }
  iam = {
    "roles/artifactregistry.admin" = ["group:cicd@example.com"]
  }
}

# Authoritative IAM bindings (with conditions)
module "authoritative_iam_conditions" {
  source     = "./fabric/modules/artifact-registry"
  project_id = "myproject"
  location   = "europe-west1"
  name       = "myregistry"
  format     = { docker = { standard = {} } }
  iam_bindings = {
    "ci-admin" = {
      members = ["group:cicd@example.com"]
      role    = "roles/artifactregistry.admin"
      // condition = {
      //   expression  = string
      //   title       = string
      //   description = optional(string)
      // }
    }
  }
}

# Additive IAM bindings
module "additive_iam" {
  source     = "./fabric/modules/artifact-registry"
  project_id = "myproject"
  location   = "europe-west1"
  name       = "myregistry"
  format     = { docker = { standard = {} } }
  iam_bindings_additive = {
    "ci-admin" = {
      member = "group:cicd@example.com"
      role   = "roles/artifactregistry.admin"
      // condition = {
      //   expression  = string
      //   title       = string
      //   description = optional(string)
      // }
    }
    "ci-read" = {
      member = "group:cicd-read@example.com"
      role   = "roles/artifactregistry.reader"
      // condition = {
      //   expression  = string
      //   title       = string
      //   description = optional(string)
      // }
    }
  }
}
# tftest modules=3 resources=7

Variables

name description type required default
cleanup_policies Object containing details about the cleanup policies for an Artifact Registry repository. map(object({…default = null
format Repository format. object({…})
location Registry location. Use `gcloud beta artifacts locations list' to get valid values. string
name Registry name. string
project_id Registry project id. string
cleanup_policy_dry_run If true, the cleanup pipeline is prevented from deleting versions in this repository. bool null
description An optional description for the repository. string "Terraform-managed registry"
encryption_key The KMS key name to use for encryption at rest. string null
iam IAM bindings in {ROLE => [MEMBERS]} format. map(list(string)) {}
iam_bindings Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. map(object({…})) {}
iam_bindings_additive Individual additive IAM bindings. Keys are arbitrary. map(object({…})) {}
iam_by_principals Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the iam variable. map(list(string)) {}
labels Labels to be attached to the registry. map(string) {}

Outputs

name description sensitive
id Fully qualified repository id.
name Repository name.
repository Repository object.
url Repository URL.