From e0369b45c199ae9192c6515cc6c90793c278ce50 Mon Sep 17 00:00:00 2001
From: jumpeiMano
Date: Fri, 9 Dec 2022 12:49:19 +0900
Subject: [PATCH] feat: add support for `approval_config` only for the "xxx-apply" trigger

---
 modules/tf_cloudbuild_workspace/README.md | 1 +
 modules/tf_cloudbuild_workspace/cb.tf | 8 ++++++++
 modules/tf_cloudbuild_workspace/variables.tf | 6 ++++++
 3 files changed, 15 insertions(+)

diff --git a/modules/tf_cloudbuild_workspace/README.md b/modules/tf_cloudbuild_workspace/README.md
index ecee8265..07bd6166 100644
--- a/modules/tf_cloudbuild_workspace/README.md
+++ b/modules/tf_cloudbuild_workspace/README.md
@@ -40,6 +40,7 @@ This module creates:
 | artifacts\_bucket\_name | Custom bucket name for Cloud Build artifacts. | `string` | `""` | no |
 | buckets\_force\_destroy | When deleting the bucket for storing CloudBuild logs/TF state, this boolean option will delete all contained objects. If false, Terraform will fail to delete buckets which contain objects. | `bool` | `false` | no |
 | cloudbuild\_apply\_filename | Optional Cloud Build YAML definition used for terraform apply. Defaults to using inline definition. | `string` | `null` | no |
+| cloudbuild\_apply\_manual\_approval | This is only for the 'xxx-apply' trigger. If this is set on a build, it will become pending when it is run, and will need to be explicitly approved to start. | `bool` | `false` | no |
 | cloudbuild\_env\_vars | Optional list of environment variables to be used in builds. List of strings of form KEY=VALUE expected. | `list(string)` | `[]` | no |
 | cloudbuild\_ignored\_files | Optional list. Changes only affecting ignored files will not invoke a build. | `list(string)` | `[]` | no |
 | cloudbuild\_included\_files | Optional list. Changes affecting at least one of these files will invoke a build. | `list(string)` | `[]` | no |
diff --git a/modules/tf_cloudbuild_workspace/cb.tf b/modules/tf_cloudbuild_workspace/cb.tf
index 9aed57c0..12618ea1 100644
--- a/modules/tf_cloudbuild_workspace/cb.tf
+++ b/modules/tf_cloudbuild_workspace/cb.tf
@@ -131,6 +131,14 @@ resource "google_cloudbuild_trigger" "triggers" {
     }
   }
 
+  # approval_config
+  dynamic "approval_config" {
+    for_each = each.key == "apply" && var.cloudbuild_apply_manual_approval ? [1] : []
+    content {
+      approval_required = var.cloudbuild_apply_manual_approval
+    }
+  }
+
   substitutions = merge(local.default_subst, var.substitutions)
   service_account = local.cloudbuild_sa
   filename = local.default_triggers_explicit[each.key]
diff --git a/modules/tf_cloudbuild_workspace/variables.tf b/modules/tf_cloudbuild_workspace/variables.tf
index bd933744..969aacfc 100644
--- a/modules/tf_cloudbuild_workspace/variables.tf
+++ b/modules/tf_cloudbuild_workspace/variables.tf
@@ -124,6 +124,12 @@ variable "cloudbuild_ignored_files" {
   default = []
 }
 
+variable "cloudbuild_apply_manual_approval" {
+  description = "This is only for the 'xxx-apply' trigger. If this is set on a build, it will become pending when it is run, and will need to be explicitly approved to start."
+  type = bool
+  default = false
+}
+
 variable "buckets_force_destroy" {
   description = "When deleting the bucket for storing CloudBuild logs/TF state, this boolean option will delete all contained objects. If false, Terraform will fail to delete buckets which contain objects."
   type = bool
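Review bot: `approval_required = var.cloudbuild_apply_manual_approval` inside the `content` block can only ever evaluate to `true`, because the `for_each` line above it already drops the whole `approval_config` block whenever the variable is false; `approval_required = true` says the same thing without making a reader re-derive it. The `# approval_config` comment only repeats the block name — a why-comment is worth more here, e.g. `# Gate the apply trigger behind a manual approval so a plan is never applied without an explicit human sign-off`. Note also that this adds the gate but nothing in this module restricts who may approve; that is left to the project's Cloud Build IAM (the approver role), which is worth stating in the variable description so users do not treat the flag alone as the control. The enclosing `resource "google_cloudbuild_trigger" "triggers"` block starts and ends outside the hunk.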
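Review bot: The description of `cloudbuild_apply_manual_approval` is vaguer than the code: cb.tf gates the block on `each.key == "apply"`, so the variable applies to the module's apply trigger specifically, while "'xxx-apply' trigger" and "set on a build" leave the reader guessing (the setting is on the trigger, and it is each build started by that trigger that becomes pending). Suggested wording: `description = "Require manual approval for the apply trigger. When true, every build started by the apply trigger enters a pending state and must be explicitly approved before it runs; it has no effect on other triggers."`. The same text is duplicated in the README table in the first hunk, so any change here should be mirrored there (presumably via terraform-docs, if the README is generated).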