terraform-google-modules · renato-rudnicki · Jun 18, 2025 · Jun 18, 2025 · Jun 18, 2025 · Jun 18, 2025
@@ -111,6 +111,7 @@ locals {
     ],
     "proj" = [
       "roles/storage.objectAdmin",
+      "roles/storage.admin",
     ],
   }
 

@@ -57,6 +57,7 @@ locals {
     "cloudtrace.googleapis.com",
     "composer.googleapis.com",
     "compute.googleapis.com",
+    "confidentialcomputing.googleapis.com",
     "connectgateway.googleapis.com",
     "contactcenterinsights.googleapis.com",
     "container.googleapis.com",

@@ -70,6 +70,7 @@ locals {
     "cloudtrace.googleapis.com",
     "composer.googleapis.com",
     "compute.googleapis.com",
+    "confidentialcomputing.googleapis.com",
     "connectgateway.googleapis.com",
     "contactcenterinsights.googleapis.com",
     "container.googleapis.com",

@@ -57,7 +57,7 @@ For an overview of the architecture and the parts, see the
 
 The purpose of this step is to set up the folder structure, projects, and infrastructure pipelines for applications that are connected as service projects to the shared VPC created in the previous stage.
 
-For each business unit, a shared `infra-pipeline` project is created along with Cloud Build triggers, CSRs for application infrastructure code and Google Cloud Storage buckets for state storage.
+For each business unit, a shared `infra-pipeline` project is created along with Cloud Build triggers, CSRs for application infrastructure code, a Google Cloud Storage buckets for state storage, and a new Docker image will be built for the [Confidential Space](https://cloud.google.com/confidential-computing/confidential-space/docs/confidential-space-overview) environment, which will be used in the `5-app-infra` step.
 
 This step follows the same [conventions](https://github.com/terraform-google-modules/terraform-example-foundation#branching-strategy) as the Foundation pipeline deployed in [0-bootstrap](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/0-bootstrap/README.md).
 A custom [workspace](https://github.com/terraform-google-modules/terraform-google-bootstrap/blob/master/modules/tf_cloudbuild_workspace/README.md) (`bu1-example-app`) is created by this pipeline and necessary roles are granted to the Terraform Service Account of this workspace by enabling variable `sa_roles` as shown in this [example](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/4-projects/modules/base_env/example_shared_vpc_project.tf).
@@ -201,7 +201,6 @@ grep -rl 10.3.64.0 business_unit_2/ | xargs sed -i 's/10.3.64.0/10.4.64.0/g'
    git checkout -b production
    git push origin production
    ```
-
 1. After production has been applied, apply development.
 1. Merge changes to development. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch),
    pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID

@@ -19,6 +19,9 @@
 |------|-------------|
 | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. |
 | bucket | The created storage bucket. |
+| confidential\_space\_project | Confidential Space project id. |
+| confidential\_space\_project\_number | Confidential Space project number. |
+| confidential\_space\_workload\_sa | Workload Service Account for confidential space from base\_env |
 | default\_region | The default region for the project. |
 | floating\_project | Project sample floating project. |
 | iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. |

@@ -38,3 +38,4 @@ module "env" {
   project_deletion_policy      = var.project_deletion_policy
   folder_deletion_protection   = var.folder_deletion_protection
 }
+
@@ -93,3 +93,20 @@ output "default_region" {
   description = "The default region for the project."
   value       = local.default_region
 }
+
+output "confidential_space_project" {
+  description = "Confidential Space project id."
+  value       = module.env.confidential_space_project
+}
+
+
+output "confidential_space_project_number" {
+  description = "Confidential Space project number."
+  value       = module.env.confidential_space_project_number
+}
+
+output "confidential_space_workload_sa" {
+  description = "Workload Service Account for confidential space from base_env"
+  value       = module.env.confidential_space_workload_sa
+}
+
@@ -29,3 +29,4 @@ data "terraform_remote_state" "bootstrap" {
     prefix = "terraform/bootstrap/state"
   }
 }
+
@@ -19,6 +19,9 @@
 |------|-------------|
 | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. |
 | bucket | The created storage bucket. |
+| confidential\_space\_project | Confidential Space project id. |
+| confidential\_space\_project\_number | Confidential Space project number. |
+| confidential\_space\_workload\_sa | Workload Service Account for confidential space from base\_env |
 | default\_region | The default region for the project. |
 | floating\_project | Project sample floating project. |
 | iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. |

@@ -38,3 +38,4 @@ module "env" {
   project_deletion_policy      = var.project_deletion_policy
   folder_deletion_protection   = var.folder_deletion_protection
 }
+
@@ -93,3 +93,19 @@ output "default_region" {
   description = "The default region for the project."
   value       = local.default_region
 }
+
+output "confidential_space_project" {
+  description = "Confidential Space project id."
+  value       = module.env.confidential_space_project
+}
+
+
+output "confidential_space_project_number" {
+  description = "Confidential Space project number."
+  value       = module.env.confidential_space_project_number
+}
+
+output "confidential_space_workload_sa" {
+  description = "Workload Service Account for confidential space from base_env"
+  value       = module.env.confidential_space_workload_sa
+}
@@ -29,3 +29,4 @@ data "terraform_remote_state" "bootstrap" {
     prefix = "terraform/bootstrap/state"
   }
 }
+
@@ -19,6 +19,9 @@
 |------|-------------|
 | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. |
 | bucket | The created storage bucket. |
+| confidential\_space\_project | Confidential Space project id. |
+| confidential\_space\_project\_number | Confidential Space project number. |
+| confidential\_space\_workload\_sa | Workload Service Account for confidential space from base\_env |
 | default\_region | The default region for the project. |
 | floating\_project | Project sample floating project. |
 | iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. |

@@ -38,3 +38,4 @@ module "env" {
   project_deletion_policy      = var.project_deletion_policy
   folder_deletion_protection   = var.folder_deletion_protection
 }
+
@@ -94,3 +94,18 @@ output "default_region" {
   value       = local.default_region
 }
 
+output "confidential_space_project" {
+  description = "Confidential Space project id."
+  value       = module.env.confidential_space_project
+}
+
+
+output "confidential_space_project_number" {
+  description = "Confidential Space project number."
+  value       = module.env.confidential_space_project_number
+}
+
+output "confidential_space_workload_sa" {
+  description = "Workload Service Account for confidential space from base_env"
+  value       = module.env.confidential_space_workload_sa
+}
@@ -29,3 +29,4 @@ data "terraform_remote_state" "bootstrap" {
     prefix = "terraform/bootstrap/state"
   }
 }
+
@@ -0,0 +1,20 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM alpine:latest
+WORKDIR /confidential
+COPY confidential_data /confidential
+ENTRYPOINT ["/confidential/confidential_data"]
+CMD []
+
@@ -15,9 +15,12 @@
 |------|-------------|
 | apply\_triggers\_id | CB apply triggers |
 | artifact\_buckets | GCS Buckets to store Cloud Build Artifacts |
+| artifact\_registry\_repository\_id | Artifact Registry ID. |
+| bootstrap\_cloudbuild\_project\_id | Cloudbuild project ID. |
 | cloudbuild\_project\_id | n/a |
 | default\_region | Default region to create resources where applicable. |
 | enable\_cloudbuild\_deploy | Enable infra deployment using Cloud Build. |
+| image\_name | Image path used by confidential space instance. |
 | log\_buckets | GCS Buckets to store Cloud Build logs |
 | plan\_triggers\_id | CB plan triggers |
 | repos | CSRs to store source code |

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+#!/bin/bash
+echo "Confidential space is running!"
+
@@ -15,9 +15,68 @@
  */
 
 locals {
-  repo_names = ["bu1-example-app"]
+  repo_names                       = ["bu1-example-app"]
+  cmd_prompt                       = "gcloud builds submit . --tag ${local.confidential_space_image_tag} --project=${local.cloudbuild_project_id} --service-account=projects/${local.cloudbuild_project_id}/serviceAccounts/tf-cb-builder-sa@${local.cloudbuild_project_id}.iam.gserviceaccount.com --gcs-log-dir=gs://${module.infra_pipelines[0].log_buckets["bu1-example-app"]} --worker-pool=${local.cloud_build_private_worker_pool_id} || ( sleep 46 && gcloud builds submit . --tag ${local.confidential_space_image_tag} --project=${local.cloudbuild_project_id} --service-account=projects/${local.cloudbuild_project_id}/serviceAccounts/tf-cb-builder-sa@${local.cloudbuild_project_id}.iam.gserviceaccount.com --gcs-log-dir=gs://${module.infra_pipelines[0].log_buckets["bu1-example-app"]} --worker-pool=${local.cloud_build_private_worker_pool_id})"
+  confidential_space_image_version = "latest"
+  confidential_space_image_tag     = "${var.default_region}-docker.pkg.dev/${local.cloudbuild_project_id}/tf-runners/confidential_space_image:${local.confidential_space_image_version}"
+
+  iam_roles_build = [
+    "roles/storage.objectAdmin",
+    "roles/cloudbuild.builds.builder",
+  ]
+}
+
+resource "google_project_iam_member" "build_roles" {
+  for_each = toset(local.iam_roles_build)
+  project  = local.cloudbuild_project_id
+  role     = each.key
+  member   = "serviceAccount:tf-cb-builder-sa@${local.cloudbuild_project_id}.iam.gserviceaccount.com"
+}
+
+resource "google_project_iam_member" "bucket_admin_binding" {
+  project = local.cloudbuild_project_id
+  role    = "roles/storage.objectAdmin"
+  member  = "serviceAccount:${local.projects_terraform_sa}"
+}
+
+resource "google_artifact_registry_repository_iam_member" "builder_on_artifact_registry" {
+  project    = local.cloudbuild_project_id
+  location   = var.default_region
+  repository = "tf-runners"
+  role       = "roles/artifactregistry.repoAdmin"
+  member     = "serviceAccount:${module.app_infra_cloudbuild_project[0].sa}"
+}
+
+resource "google_project_iam_member" "cloudbuild_logging" {
+  project = local.cloudbuild_project_id
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${module.app_infra_cloudbuild_project[0].sa}"
+}
+
+resource "google_project_iam_member" "workload_identity_admin" {
+  project = module.app_infra_cloudbuild_project[0].project_id
+  role    = "roles/iam.workloadIdentityPoolAdmin"
+  member  = "serviceAccount:${module.app_infra_cloudbuild_project[0].sa}"
+}
+
+resource "google_storage_bucket_iam_member" "cloudbuild_storage_read" {
+  bucket = module.infra_pipelines[0].log_buckets["bu1-example-app"]
+  role   = "roles/storage.admin"
+  member = "serviceAccount:${module.app_infra_cloudbuild_project[0].sa}"
 }
 
+resource "google_storage_bucket_iam_member" "cloudbuild_sa_storage_admin" {
+  bucket = module.infra_pipelines[0].log_buckets["bu1-example-app"]
+  role   = "roles/storage.admin"
+  member = "serviceAccount:tf-cb-builder-sa@${local.cloudbuild_project_id}.iam.gserviceaccount.com"
+}
+
+#resource "google_storage_bucket_iam_member" "cloudbuild_bucket_admin" {
+#  bucket = "${local.cloudbuild_project_id}_cloudbuild"
+#  role   = "roles/storage.admin"
+#  member = "serviceAccount:${module.app_infra_cloudbuild_project[0].sa}"
+#}
+
 module "app_infra_cloudbuild_project" {
   source = "../../modules/single_project"
   count  = local.enable_cloudbuild_deploy ? 1 : 0
@@ -37,7 +96,8 @@ module "app_infra_cloudbuild_project" {
     "cloudkms.googleapis.com",
     "iam.googleapis.com",
     "artifactregistry.googleapis.com",
-    "cloudresourcemanager.googleapis.com"
+    "cloudresourcemanager.googleapis.com",
+    "confidentialcomputing.googleapis.com"
   ]
   # Metadata
   project_suffix    = "infra-pipeline"
@@ -62,6 +122,36 @@ module "infra_pipelines" {
   private_worker_pool_id      = local.cloud_build_private_worker_pool_id
 }
 
+resource "time_sleep" "wait_iam_propagation" {
+  create_duration = "60s"
+
+  depends_on = [
+    module.infra_pipelines,
+    module.app_infra_cloudbuild_project,
+    google_project_iam_member.bucket_admin_binding,
+    google_storage_bucket_iam_member.cloudbuild_storage_read,
+    google_artifact_registry_repository_iam_member.builder_on_artifact_registry,
+    google_project_iam_member.cloudbuild_logging,
+    google_storage_bucket_iam_member.cloudbuild_sa_storage_admin,
+    #google_storage_bucket_iam_member.cloudbuild_bucket_admin,
+  ]
+}
+
+module "build_confidential_space_image" {
+  source            = "terraform-google-modules/gcloud/google"
+  version           = "~> 3.5"
+  upgrade           = false
+  module_depends_on = [time_sleep.wait_iam_propagation]
+
+  create_cmd_triggers = {
+    "tag_version" = local.confidential_space_image_version
+    "cmd_prompt"  = local.cmd_prompt
+  }
+
+  create_cmd_entrypoint = "bash"
+  create_cmd_body       = "${local.cmd_prompt} || ( sleep 45 && ${local.cmd_prompt})"
+}
+
 /**
  * When Jenkins CI/CD is used for deployment this resource
  * is created to terraform validation works.
@@ -72,3 +162,5 @@ module "infra_pipelines" {
 resource "null_resource" "jenkins_cicd" {
   count = !local.enable_cloudbuild_deploy ? 1 : 0
 }
+
+
@@ -62,3 +62,18 @@ output "enable_cloudbuild_deploy" {
   description = "Enable infra deployment using Cloud Build."
   value       = local.enable_cloudbuild_deploy
 }
+
+output "artifact_registry_repository_id" {
+  description = "Artifact Registry ID."
+  value       = module.infra_pipelines[0].artifact_registry_repository_id
+}
+
+output "bootstrap_cloudbuild_project_id" {
+  description = "Cloudbuild project ID."
+  value       = local.cloudbuild_project_id
+}
+
+output "image_name" {
+  description = "Image path used by confidential space instance."
+  value       = local.confidential_space_image_tag
+}
@@ -27,6 +27,8 @@ locals {
   cloud_build_private_worker_pool_id = try(data.terraform_remote_state.bootstrap.outputs.cloud_build_private_worker_pool_id, "")
   cloud_builder_artifact_repo        = try(data.terraform_remote_state.bootstrap.outputs.cloud_builder_artifact_repo, "")
   enable_cloudbuild_deploy           = local.cloud_builder_artifact_repo != ""
+  cloudbuild_project_id              = data.terraform_remote_state.bootstrap.outputs.cloudbuild_project_id
+  projects_terraform_sa              = data.terraform_remote_state.bootstrap.outputs.projects_step_terraform_service_account_email
 }
 
 data "terraform_remote_state" "bootstrap" {

@@ -53,3 +53,4 @@ variable "project_deletion_policy" {
   type        = string
   default     = "PREVENT"
 }
+
@@ -37,6 +37,9 @@
 |------|-------------|
 | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. |
 | bucket | The created storage bucket. |
+| confidential\_space\_project | Confidential Space project id. |
+| confidential\_space\_project\_number | Confidential Space project number. |
+| confidential\_space\_workload\_sa | Workload Service Account for confidential space |
 | floating\_project | Project sample floating project. |
 | iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. |
 | keyring | The name of the keyring. |
-Original file line number
+Diff line change
@@ Expand Up / @@ -111,6 +111,7 @@ locals { @@
         ],
         "proj" = [
           "roles/storage.objectAdmin",
+          "roles/storage.admin",
         ],
       }
@@ Expand Down @@
Original file line number	Diff line number	Diff line change
Expand Up		@@ -38,3 +38,4 @@ module "env" {
		project_deletion_policy = var.project_deletion_policy
		folder_deletion_protection = var.folder_deletion_protection
		}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -29,3 +29,4 @@ data "terraform_remote_state" "bootstrap" {
		prefix = "terraform/bootstrap/state"
		}
		}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -53,3 +53,4 @@ variable "project_deletion_policy" {
		type = string
		default = "PREVENT"
		}