diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..6fd0892
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,9 @@
+root = true
+
+[*]
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+indent_style = space
+indent_size = 2
\ No newline at end of file
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 0000000..a275524
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,29 @@
+---
+name: Bug report
+about: Create a bug report to help us improve.
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior including the relevant Terraform version number and any code snippets and module inputs you used.
+
+```hcl
+// paste code snippets here
+```
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Nice to have**
+- [ ] Terminal output
+- [ ] Screenshots
+- [ ] OS and Terraform versions
+
+**Additional context**
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
new file mode 100644
index 0000000..7eb34b9
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,25 @@
+---
+name: Feature request
+about: Submit a feature request for this repo.
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+## Describe the solution you'd like
+
+
+
+## Describe alternatives you've considered
+
+
+
+## Additional context
+
+
+
+## Checklist
+- [ ] I have checked if a similar feature request already exists.
+- [ ] I believe this feature would be beneficial to a wider audience and aligns with the project's goals.
+- [ ] I have considered potential downsides or challenges of implementing this feature.
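Review bot: The new .editorconfig declares `insert_final_newline = true` but is itself committed without a trailing newline (`\ No newline at end of file` after `indent_size = 2`), so the first file the rule governs already violates it; add the final newline. Note that `[*]` with `indent_size = 2` also covers the YAML, Markdown and `.tf` files in this commit, which is consistent with the two-space layout `terraform fmt -check` enforces in ci.yml, so no per-type override seems needed.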
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..f72cbb5
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,22 @@
+## Description
+
+
+
+## Related Issues
+
+
+
+## Changes
+
+
+
+## Screenshots (if applicable)
+
+
+
+## Checklist
+
+- [ ] I have tested these changes thoroughly.
+- [ ] My code follows the project's coding style.
+- [ ] I have added appropriate comments to my code, especially in complex areas.
+- [ ] All new and existing tests passed locally.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..ee73dbd
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,58 @@
+name: Continuous Integration
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+jobs:
+ analyze:
+ name: Analyze the Terraform scripts
+ runs-on: ubuntu-22.04
+ timeout-minutes: 5
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - id: clone_repository
+ name: Clone repository
+ # actions/checkout@v4.1.1
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+
+ - id: setup_terraform
+ name: Setup Terraform CLI
+ # hashicorp/setup-terraform@v3.0.0
+ uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36
+
+ - id: run_terraform_init
+ name: Run Terraform init
+ run: terraform init
+
+ - id: run_terraform_fmt
+ name: Run Terraform format check
+ run: terraform fmt -check -recursive
+
+ - id: run_terraform_validate
+ name: Run Terraform validate check
+ run: terraform validate
+
+ - id: run_trivy_config
+ name: Run Trivy vulnerability scanner
+ # aquasecurity/trivy-action@v0.16.0
+ uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601
+ with:
+ scan-type: config
+ trivy-config: trivy.yaml
+ hide-progress: false
+ format: sarif
+ output: trivy.sarif
+
+ - id: run_sarif_upload
+ name: Upload Trivy SARIF results
+ # github/codeql-action/upload-sarif@v2.22.9
+ uses: github/codeql-action/upload-sarif@382a50a0284c0de445104889a9d6003acb4b3c1d
+ timeout-minutes: 1
+ with:
+ sarif_file: trivy.sarif
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
new file mode 100644
index 0000000..14f8c6c
--- /dev/null
+++ b/.github/workflows/docs.yml
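Review bot: The `run_sarif_upload` step at the end of the hunk runs only when `run_trivy_config` succeeds, but trivy.yaml in this same commit sets `exit-code: 1`, so any MEDIUM-or-higher finding fails the scan step and the SARIF is never uploaded — precisely the run whose results the Security tab should show. Add `if: always()` to the upload step (leaving `timeout-minutes: 1` and `sarif_file: trivy.sarif` as they are) and let the failed scan step remain the gating signal for the job. Pinning every action to a full commit SHA with the version in a comment is good supply-chain hygiene; keep the comment and the SHA moving together when bumping.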
@@ -0,0 +1,29 @@
+name: "Continuous Integration: Terraform Docs"
+
+on:
+ pull_request:
+
+jobs:
+ docs:
+ name: Generate Terraform documentation
+ runs-on: ubuntu-22.04
+ timeout-minutes: 1
+ steps:
+ - id: clone_repository
+ name: Clone repository
+ # actions/checkout@v4.1.1
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+
+ - id: run_terraform_docs
+ name: Render terraform docs and push changes back to PR
+ # terraform-docs/gh-actions@1.0.0
+ uses: terraform-docs/gh-actions@f6d59f89a280fa0a3febf55ef68f146784b20ba0
+ with:
+ working-dir: .
+ output-file: README.md
+ config-file: terraform-docs.yml
+ output-method: inject
+ git-push: "true"
+ git-commit-message: "terraform-docs: updated markdown table"
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..9ba2670
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,3 @@
+AVD-GCP-0027
+AVD-GCP-0031
+
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..787a715
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,3 @@
+## 0.1.0
+
+* Initial version for GraphDB GCP module
diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 0000000..44517ec
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1 @@
+@Ontotext-AD/tes
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..e8356c4
--- /dev/null
+++ b/CONTRIBUTING.md
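Review bot: The docs job pushes generated output back to the PR branch (`git-push: "true"`) yet declares no `permissions:` block, unlike ci.yml in the same commit, so it relies on the repository's default `GITHUB_TOKEN` grant; make the grant explicit and minimal with `permissions:` / `contents: write` at the job level. The checkout of `github.event.pull_request.head.ref` only resolves for branches of this repository — a fork's ref does not exist here and a fork PR's token is read-only anyway — so either gate the job with `if: github.event.pull_request.head.repo.full_name == github.repository` or state in CONTRIBUTING.md that the docs step applies to same-repo branches only. Keep the trigger on `pull_request` rather than `pull_request_target`: the latter would run terraform-docs over unreviewed PR content with a write-capable token. `timeout-minutes: 1` looks tight for a Docker-based action that has to pull or build its image; confirm it completes reliably before relying on it as a required check.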
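Review bot: The two suppressed checks in .trivyignore carry no rationale, so the next reviewer cannot tell whether `AVD-GCP-0027` and `AVD-GCP-0031` are accepted risks for this deployment or leftovers from getting CI green. `.trivyignore` accepts `#` comments, so record the reason and owner above each id, e.g. `# AVD-GCP-0027: <reason> — accepted by <owner>, <date>`, and consider Trivy's `exp:YYYY-MM-DD` suffix (`AVD-GCP-0027 exp:<date>`) so the exception is revisited instead of becoming permanent by default. The trailing empty line added as the third line of the file is harmless but unnecessary.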
@@ -0,0 +1,48 @@
+# Contributing to GraphDB GCP Terraform Module
+
+Here are a few guidelines to help you get started.
+
+## Getting Started
+
+1. Fork this repository.
+2. Clone your forked repository to your local machine.
+3. Create a new branch for your changes: `git checkout -b feature/my-new-feature`.
+4. Make your changes and test them thoroughly.
+5. Commit your changes: `git commit -m "Add some feature"`.
+6. Push your changes to your fork: `git push origin feature/my-new-feature`.
+7. Create a pull request from your branch to the main repository's `main` branch.
+
+## Code Style
+
+Make sure your code follows our and Terraform coding styles.
+
+## Tests
+
+If applicable, add or update tests to ensure your changes work as intended.
+
+## Documentation
+
+If your changes introduce new features, update the documentation to reflect those changes.
+
+## Commit Message Guidelines
+
+Please use meaningful commit messages. Follow the format:
+
+```
+[Type] Short description
+
+Longer description of the changes, especially whys.
+```
+
+Types: `[Feature]`, `[Fix]`, `[Docs]`, `[Refactor]`, `[Chore]`, `[Style]`
+
+## Pull Request Checklist
+
+- [ ] I have tested these changes thoroughly.
+- [ ] My code follows the project's coding style.
+- [ ] I have added appropriate comments to my code, especially in complex areas.
+- [ ] All new and existing tests passed locally.
+
+## Feedback
+
+Feedback and suggestions are welcome! Feel free to open an issue if you have any questions or ideas.
diff --git a/README.md b/README.md
index 06e85d6..a0aa29d 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,89 @@ # GraphDB deployment package on GCP +This terraform module allows you to deploy GraphDB instance in Google Compute Engine. + +## Table of contents + +- [About GraphDB](#about-graphdb) +- [Features](#features) +- [Versioning](#versioning) +- [Prerequisites](#prerequisites) +- [Inputs](#inputs) +- [Quick Start](#quickstart) +- [Metadata](#metadata) +- [Resources](#resources) +- [Local Development](#local-development) +- [Release History](#release-history) +- [Contributing](#contributing) +- [License](#license) + +## About GraphDB + +

+ + + GraphDB logo + + +

+ +Ontotext GraphDB is a highly efficient, scalable and robust graph database with RDF and SPARQL support. With excellent +enterprise features, +integration with external search applications, compatibility with industry standards, and both community and commercial +support, GraphDB is the +preferred database choice of both small independent developers and big enterprises. + +## Features + +The module provides the building blocks of configuring, deploying and provisioning a single VM of GraphDB +using Google Compute Engine. Key features of the module include: + +- Google Cloud Compute Engine Instance + +## Versioning + +The Terraform module follows the Semantic Versioning 2.0.0 rules and has a release lifecycle separate from the GraphDB +versions. The next table shows the version compatability between GraphDB, and the Terraform module. + +| GraphDB Terraform | GraphDB | +|--------------------------------------------------------------------------------|--------------------------------------------------------------------------------------| +| [Version 0.0.1](https://github.com/Ontotext-AD/terraform-gcp-graphdb/releases) | [Version 10.7.x](https://graphdb.ontotext.com/documentation/10.7/release-notes.html) | + +You can track the particular version updates of GraphDB in the [changelog](CHANGELOG.md). + +## Prerequisites + +Before you begin using this Terraform module, ensure you meet the following prerequisites: + +- **Google Cloud CLI**: + [Google Cloud CLI](https://cloud.google.com/sdk/docs/install) + +- **Terraform Installed**: You should have Terraform installed on your local machine. You can download Terraform from + the [https://developer.hashicorp.com/terraform/install?product_intent=terraform](Terraform website). + +- **Google Cloud Credentials**: Ensure that you have Google Cloud credentials configured on your machine. You can configure Google Cloud access + keys and secret keys using the [Google Cloud CLI](https://cloud.google.com/docs/authentication/gcloud). 
+ +- **Terraform Google Cloud Provider Configuration**: Configure the Google Cloud provider in your Terraform project. You can add your Google Cloud + access and secret keys as environment variables or use other methods for provider configuration. + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| source\_image | Defines the VM image passed from the GCP Marketplace | `string` | `"projects/graphdb-public/global/images/ontotext-graphdb-10-7-3-202409031355"` | no | +| goog\_cm\_deployment\_name | Deployment name | `string` | `"graphdb"` | no | +| project\_id | Project in which the VM will be created | `string` | n/a | yes | +| zone | The zone where the VM will be created | `string` | `"us-central1-a"` | no | +| machine\_type | Type of the VM that will be created | `string` | `"n2-highmem-8"` | no | +| boot\_disk\_size | Boot disk size in GBs | `number` | `500` | no | +| boot\_disk\_type | Type of the boot disk | `string` | `"pd-ssd"` | no | +| network\_interface | The network interface to attach the VM to | `string` | `"default"` | no | +| allowed\_ingress\_cidrs | CIDR blocks that are allowed to access the GraphDB port | `list(string)` | ```[ "0.0.0.0/0" ]``` | no | + + ## Quickstart ```shell 
@@ -33,3 +117,37 @@ cft blueprint metadata -v -p .
 - https://github.com/GoogleCloudPlatform/marketplace-tools/blob/master/examples/terraform/wordpress/metadata.display.yaml
 - https://github.com/g-awmalik/terraform-google-canonical-mp/blob/main/metadata.display.yaml
 - Blueprint reference https://pkg.go.dev/github.com/GoogleCloudPlatform/cloud-foundation-toolkit/cli/bpmetadata
+
+## Local Development
+
+Instead of using the module dependency, you can create a local variables file named `terraform.tfvars` and provide
+configuration overrides there.
+Here's an example of a `terraform.tfvars` file:
+
+```hcl
+
+project_id = "example-project-id"
+
+zone = "us-central1-a"
+
+machine_type = "n2-highmem-8"
+
+boot_disk_size = "500"
+
+boot_disk_type = "pd-ssd"
+
+allowed_ingress_cidrs = ["0.0.0.0/0"]
+
+```
+
+## Release History
+
+All notable changes between version are tracked and documented at [CHANGELOG.md](CHANGELOG.md).
+
+## Contributing
+
+Check out the contributors guide [CONTRIBUTING.md](CONTRIBUTING.md).
+
+## License
+
+This code is released under the Apache 2.0 License. See [LICENSE](LICENSE) for more details.
diff --git a/main.tf b/main.tf
index 9a3a121..4adbd26 100644
--- a/main.tf
+++ b/main.tf
@@ -12,7 +12,7 @@ resource "google_compute_instance" "graphdb" {
 # The boot disk must be set to the variable declared in Producer Portal
 image = var.source_image
 size = var.boot_disk_size
- type = var.boot_disk_type
+ type = var.boot_disk_type
 }
 }
 
@@ -24,6 +24,18 @@ resource "google_compute_instance" "graphdb" {
 }
 }
 
+ # Block the usage of project-level SSH keys
+ metadata = {
+ block-project-ssh-keys = true
+ }
+
+ # Enable VTPM module
+ shielded_instance_config {
+ enable_secure_boot = true
+ enable_vtpm = true
+ enable_integrity_monitoring = true
+ }
+
 tags = [var.goog_cm_deployment_name]
 }
 
diff --git a/outputs.tf b/outputs.tf
index 5c5badd..03e0b91 100644
--- a/outputs.tf
+++ b/outputs.tf
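Review bot: The comment `# Enable VTPM module` in the second main.tf hunk undersells the block beneath it, which also turns on secure boot and integrity monitoring; `# Shielded VM: secure boot, vTPM and integrity monitoring` says what is actually configured. The `metadata` map is assigned as a whole here, and the `google_compute_instance.graphdb` body starts before and continues after the hunk, so check that no other `metadata` assignment exists in the resource — Terraform rejects the duplicate. With project-level SSH keys blocked, the commit does not say how operators are expected to reach the VM (OS Login via `enable-oslogin` metadata, IAP, or instance-level keys); a sentence in README.md would keep the hardening from reading as a removal of the only access path.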
@@ -5,7 +5,7 @@ locals {
 
 output "instance_ip" {
 description = "External IP address for the GraphDB VM instance"
- value = local.instance_nat_ip
+ value = local.instance_nat_ip
 }
 
 output "graphdb_address" {
diff --git a/terraform-docs.yml b/terraform-docs.yml
new file mode 100644
index 0000000..d196648
--- /dev/null
+++ b/terraform-docs.yml
@@ -0,0 +1,31 @@
+formatter: markdown table
+
+sections:
+ show:
+ - inputs
+
+output:
+ file: README.md
+ mode: inject
+ template: |-
+
+ {{ .Content }}
+
+
+sort:
+ enabled: false
+
+settings:
+ anchor: false
+ color: true
+ default: true
+ description: false
+ escape: true
+ hide-empty: false
+ html: false
+ indent: 2
+ lockfile: true
+ read-comments: true
+ required: true
+ sensitive: true
+ type: true
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 0000000..49804a8
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,7 @@
+timeout: 5m
+exit-code: 1
+severity:
+ - HIGH
+ - CRITICAL
+ - MEDIUM
+format: table
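Review bot: With `mode: inject` the `template` must carry the `BEGIN_TF_DOCS`/`END_TF_DOCS` HTML-comment markers and README.md must contain the same pair; in this rendering they show up only as blank lines around `{{ .Content }}`, which looks like extraction dropping HTML comments (the README logo markup in this diff is garbled the same way), so this is probably fine but worth confirming in the committed file. Because `sections.show` is limited to `inputs`, the Inputs table README.md gains in this commit is exactly what the docs.yml job will regenerate on the next PR, so hand edits to that table will be silently overwritten; a one-line note above the table or in CONTRIBUTING.md, e.g. `The Inputs table is generated by terraform-docs — edit the variable descriptions, not the table.`, would spare contributors that surprise. `output-file` and `config-file` in docs.yml duplicate `output.file` here, which is harmless but means two places to update if the README is ever renamed.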
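Review bot: `format: table` on the last line of trivy.yaml is contradicted by `format: sarif` in the ci.yml Trivy step; as far as I can tell the action passes its inputs as command-line flags, which take precedence over the config file, so this line describes a local run rather than what CI does. Either drop `format` here or set `format: sarif` so a local scan with `trivy-config: trivy.yaml` and the CI run produce the same output. Listing `severity` as `MEDIUM`, `HIGH`, `CRITICAL` rather than the current order makes the threshold obvious at a glance without changing behaviour.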