A connection to an SCM like GitHub, GitHub Enterprise, Bitbucket Data Center or GitLab.
To get more information about Connection, see:
resource "google_cloudbuildv2_connection" "my-connection" {
  location = "us-central1"
  name     = "tf-test-connection"

  github_config {
    app_installation_id = 0
    authorizer_credential {
      oauth_token_secret_version = "projects/gcb-terraform-creds/secrets/github-pat/versions/1"
    }
  }
}

resource "google_secret_manager_secret" "private-key-secret" {
  secret_id = "ghe-pk-secret"

  replication {
    auto {}
  }
}

// secret_data is written to the Terraform state, so the state backend needs the same protection as the key file.
resource "google_secret_manager_secret_version" "private-key-secret-version" {
  secret      = google_secret_manager_secret.private-key-secret.id
  secret_data = file("private-key.pem")
}

resource "google_secret_manager_secret" "webhook-secret-secret" {
  secret_id = "github-token-secret"

  replication {
    auto {}
  }
}

resource "google_secret_manager_secret_version" "webhook-secret-secret-version" {
  secret      = google_secret_manager_secret.webhook-secret-secret.id
  secret_data = "<webhook-secret-data>"
}

data "google_iam_policy" "p4sa-secretAccessor" {
  binding {
    role = "roles/secretmanager.secretAccessor"
    // Here, 123456789 is the Google Cloud project number for the project that contains the connection.
    members = ["serviceAccount:service-123456789@gcp-sa-cloudbuild.iam.gserviceaccount.com"]
  }
}

// google_secret_manager_secret_iam_policy is authoritative: it replaces any existing IAM policy on the secret.
resource "google_secret_manager_secret_iam_policy" "policy-pk" {
  secret_id   = google_secret_manager_secret.private-key-secret.secret_id
  policy_data = data.google_iam_policy.p4sa-secretAccessor.policy_data
}

resource "google_secret_manager_secret_iam_policy" "policy-whs" {
  secret_id   = google_secret_manager_secret.webhook-secret-secret.secret_id
  policy_data = data.google_iam_policy.p4sa-secretAccessor.policy_data
}

resource "google_cloudbuildv2_connection" "my-connection" {
  location = "us-central1"
  name     = "my-terraform-ghe-connection"

  github_enterprise_config {
    host_uri                      = "https://ghe.com"
    private_key_secret_version    = google_secret_manager_secret_version.private-key-secret-version.id
    webhook_secret_secret_version = google_secret_manager_secret_version.webhook-secret-secret-version.id
    app_id                        = 200
    app_slug                      = "gcb-app"
    app_installation_id           = 300
  }

  // Create the connection only after the service agent can read both secrets.
  depends_on = [
    google_secret_manager_secret_iam_policy.policy-pk,
    google_secret_manager_secret_iam_policy.policy-whs
  ]
}

resource "google_secret_manager_secret" "github-token-secret" {
  secret_id = "github-token-secret"

  replication {
    auto {}
  }
}

// secret_data is written to the Terraform state, so the state backend needs the same protection as the token file.
resource "google_secret_manager_secret_version" "github-token-secret-version" {
  secret      = google_secret_manager_secret.github-token-secret.id
  secret_data = file("my-github-token.txt")
}

data "google_iam_policy" "p4sa-secretAccessor" {
  binding {
    role = "roles/secretmanager.secretAccessor"
    // Here, 123456789 is the Google Cloud project number for the project that contains the connection.
    members = ["serviceAccount:service-123456789@gcp-sa-cloudbuild.iam.gserviceaccount.com"]
  }
}

// google_secret_manager_secret_iam_policy is authoritative: it replaces any existing IAM policy on the secret.
resource "google_secret_manager_secret_iam_policy" "policy" {
  secret_id   = google_secret_manager_secret.github-token-secret.secret_id
  policy_data = data.google_iam_policy.p4sa-secretAccessor.policy_data
}

resource "google_cloudbuildv2_connection" "my-connection" {
  location = "us-central1"
  name     = "my-connection"

  github_config {
    app_installation_id = 123123
    authorizer_credential {
      oauth_token_secret_version = google_secret_manager_secret_version.github-token-secret-version.id
    }
  }
}

The following arguments are supported:
name - (Required) Immutable. The resource name of the connection.
location - (Required) The location for the resource.
github_config - (Optional) Configuration for connections to github.com. Structure is documented below.
github_enterprise_config - (Optional) Configuration for connections to an instance of GitHub Enterprise. Structure is documented below.
gitlab_config - (Optional) Configuration for connections to gitlab.com or an instance of GitLab Enterprise. Structure is documented below.
disabled - (Optional) If disabled is set to true, functionality is disabled for this connection. Repository based API methods and webhooks processing for repositories in this connection will be disabled.
annotations - (Optional) Allows clients to store small amounts of arbitrary data. Note: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field effective_annotations for all of the annotations present on the resource.
project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The github_config block supports:
authorizer_credential - (Optional) OAuth credential of the account that authorized the Cloud Build GitHub App. It is recommended to use a robot account instead of a human user account. The OAuth token must be tied to the Cloud Build GitHub App. Structure is documented below.
app_installation_id - (Optional) GitHub App installation id.

The authorizer_credential block supports:
oauth_token_secret_version - (Optional) A SecretManager resource containing the OAuth token that authorizes the Cloud Build connection. Format: projects/*/secrets/*/versions/*.
username - (Output) Output only. The username associated to this token.

The github_enterprise_config block supports:
host_uri - (Required) Required. The URI of the GitHub Enterprise host this connection is for.
app_id - (Optional) Id of the GitHub App created from the manifest.
app_slug - (Optional) The URL-friendly name of the GitHub App.
private_key_secret_version - (Optional) SecretManager resource containing the private key of the GitHub App, formatted as projects/*/secrets/*/versions/*.
webhook_secret_secret_version - (Optional) SecretManager resource containing the webhook secret of the GitHub App, formatted as projects/*/secrets/*/versions/*.
app_installation_id - (Optional) ID of the installation of the GitHub App.
service_directory_config - (Optional) Configuration for using Service Directory to privately connect to a GitHub Enterprise server. This should only be set if the GitHub Enterprise server is hosted on-premises and not reachable by public internet. If this field is left empty, calls to the GitHub Enterprise server will be made over the public internet. Structure is documented below.
ssl_ca - (Optional) SSL certificate to use for requests to GitHub Enterprise.

The service_directory_config block supports:
service - (Required) Required. The Service Directory service name. Format: projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}.

The gitlab_config block supports:
host_uri - (Optional) The URI of the GitLab Enterprise host this connection is for. If not specified, the default value is https://gitlab.com.
webhook_secret_secret_version - (Required) Required. Immutable. SecretManager resource containing the webhook secret of a GitLab Enterprise project, formatted as projects/*/secrets/*/versions/*.
read_authorizer_credential - (Required) Required. A GitLab personal access token with the minimum read_api scope access. Structure is documented below.
authorizer_credential - (Required) Required. A GitLab personal access token with the api scope access. Structure is documented below.
service_directory_config - (Optional) Configuration for using Service Directory to privately connect to a GitLab Enterprise server. This should only be set if the GitLab Enterprise server is hosted on-premises and not reachable by public internet. If this field is left empty, calls to the GitLab Enterprise server will be made over the public internet. Structure is documented below.
ssl_ca - (Optional) SSL certificate to use for requests to GitLab Enterprise.
server_version - (Output) Output only. Version of the GitLab Enterprise server running on the host_uri.

The read_authorizer_credential block supports:
user_token_secret_version - (Required) Required. A SecretManager resource containing the user token that authorizes the Cloud Build connection. Format: projects/*/secrets/*/versions/*.
username - (Output) Output only. The username associated to this token.

The authorizer_credential block supports:
user_token_secret_version - (Required) Required. A SecretManager resource containing the user token that authorizes the Cloud Build connection. Format: projects/*/secrets/*/versions/*.
username - (Output) Output only. The username associated to this token.

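The page has no usage example for the gitlab_config block and its two credential blocks described above. The following is an added example, not part of the provider documentation; the resource names, secret IDs, the variable gitlab_secret_data and the project number 123456789 are placeholders. It keeps the read_api and api tokens in separate secrets and grants the Cloud Build service agent access with a non-authoritative IAM member binding, so existing bindings on each secret are left in place.

```hcl
# Added example: names, secret IDs and the project number 123456789 are placeholders.
variable "gitlab_secret_data" {
  type      = map(string) # one value per key in local.secret_ids
  sensitive = true        # hidden in plan output, still stored in state
}

locals {
  # One secret per credential so each can be rotated on its own.
  secret_ids = toset(["gitlab-api-pat", "gitlab-read-api-pat", "gitlab-webhook-secret"])
}

resource "google_secret_manager_secret" "gitlab" {
  for_each  = local.secret_ids
  secret_id = each.key
  replication {
    auto {}
  }
}

resource "google_secret_manager_secret_version" "gitlab" {
  for_each    = google_secret_manager_secret.gitlab
  secret      = each.value.id
  secret_data = var.gitlab_secret_data[each.key]
}

# Non-authoritative grant: adds the Cloud Build service agent, keeps other bindings.
resource "google_secret_manager_secret_iam_member" "agent" {
  for_each  = google_secret_manager_secret.gitlab
  secret_id = each.value.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:service-123456789@gcp-sa-cloudbuild.iam.gserviceaccount.com"
}

resource "google_cloudbuildv2_connection" "gitlab" {
  location = "us-central1"
  name     = "my-gitlab-connection"
  gitlab_config {
    # host_uri omitted, so the default https://gitlab.com applies.
    webhook_secret_secret_version = google_secret_manager_secret_version.gitlab["gitlab-webhook-secret"].id
    read_authorizer_credential {
      # Token issued with the read_api scope.
      user_token_secret_version = google_secret_manager_secret_version.gitlab["gitlab-read-api-pat"].id
    }
    authorizer_credential {
      # Token issued with the api scope.
      user_token_secret_version = google_secret_manager_secret_version.gitlab["gitlab-api-pat"].id
    }
  }
  depends_on = [google_secret_manager_secret_iam_member.agent]
}
```
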
The service_directory_config block supports:
service - (Required) Required. The Service Directory service name. Format: projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}.

In addition to the arguments listed above, the following computed attributes are exported:
id - an identifier for the resource with format projects/{{project}}/locations/{{location}}/connections/{{name}}
create_time - Output only. Server assigned timestamp for when the connection was created.
update_time - Output only. Server assigned timestamp for when the connection was updated.
installation_state - Output only. Installation state of the Connection. Structure is documented below.
reconciling - Output only. Set to true when the connection is being set up or updated in the background.
etag - This checksum is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
effective_annotations - All of the annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.

The installation_state block contains:
stage - (Output) Output only. Current step of the installation process.
message - (Output) Output only. Message of what the user should do next to continue the installation. Empty string if the installation is already complete.
action_uri - (Output) Output only. Link to follow for next action. Empty string if the installation is already complete.

This resource provides the following Timeouts configuration options:
create - Default is 20 minutes.
update - Default is 20 minutes.
delete - Default is 20 minutes.

Connection can be imported using any of these accepted formats:
projects/{{project}}/locations/{{location}}/connections/{{name}}
{{project}}/{{location}}/{{name}}
{{location}}/{{name}}
{{name}}
In Terraform v1.5.0 and later, use an import block to import Connection using one of the formats above. For example:
import {
  id = "projects/{{project}}/locations/{{location}}/connections/{{name}}"
  to = google_cloudbuildv2_connection.default
}
When using the terraform import command, Connection can be imported using one of the formats above. For example:
$ terraform import google_cloudbuildv2_connection.default projects/{{project}}/locations/{{location}}/connections/{{name}}
$ terraform import google_cloudbuildv2_connection.default {{project}}/{{location}}/{{name}}
$ terraform import google_cloudbuildv2_connection.default {{location}}/{{name}}
$ terraform import google_cloudbuildv2_connection.default {{name}}
This resource supports User Project Overrides.