@ibm-cloud/cd-tools 1.3.4 → 1.4.0

package/cmd/copy-toolchain.js

@@ -8,7 +8,7 @@
  */
 
 import { exit } from 'node:process';
-import { resolve } from 'node:path'
+import { resolve } from 'node:path';
 import fs from 'node:fs';
 
 import { Command, Option } from 'commander';
@@ -16,7 +16,7 @@ import { Command, Option } from 'commander';
 import { parseEnvVar } from './utils/utils.js';
 import { logger, LOG_STAGES } from './utils/logger.js';
 import { setTerraformEnv, initProviderFile, setupTerraformFiles, runTerraformInit, getNumResourcesPlanned, runTerraformApply, getNumResourcesCreated, getNewToolchainId } from './utils/terraform.js';
-import { getAccountId, getBearerToken, getCdInstanceByRegion, getIamAuthPolicies, getResourceGroupIdAndName, getToolchain } from './utils/requests.js';
+import { getAccountId, getBearerToken, getCdInstanceByRegion, getResourceGroupIdAndName, getToolchain } from './utils/requests.js';
 import { validatePrereqsVersions, validateTag, validateToolchainId, validateToolchainName, validateTools, validateOAuth, warnDuplicateName, validateGritUrl } from './utils/validate.js';
 import { importTerraform } from './utils/import-terraform.js';
 
@@ -54,7 +54,7 @@ const command = new Command('copy-toolchain')
 	.option('-d, --terraform-dir <path>', '(Optional) The target local directory to store the generated Terraform (.tf) files')
 	.option('-D, --dry-run', '(Optional) Skip running terraform apply; only generate the Terraform (.tf) files')
 	.option('-f, --force', '(Optional) Force the copy toolchain command to run without user confirmation')
-	.option('-S, --skip-s2s', '(Optional) Skip importing toolchain-generated service-to-service authorizations')
+	.option('-S, --skip-s2s', '(Optional) Skip creating toolchain-generated service-to-service authorizations')
 	.option('-T, --skip-disable-triggers', '(Optional) Skip disabling Tekton pipeline Git or timed triggers. Note: This may result in duplicate pipeline runs')
 	.option('-C, --compact', '(Optional) Generate all resources in a single resources.tf file')
 	.option('-v, --verbose', '(Optional) Increase log output')
@@ -92,7 +92,6 @@ async function main(options) {
 	let targetRgId;
 	let targetRgName;
 	let apiKey = options.apikey;
-	let policyIds; // used to include s2s auth policies
 	let moreTfResources = {};
 	let gritMapping = {};
 
@@ -195,26 +194,6 @@ async function main(options) {
 
 		collectGHE();
 
-		const collectPolicyIds = async () => {
-			moreTfResources['iam_authorization_policy'] = [];
-
-			const res = await getIamAuthPolicies(bearer, accountId);
-
-			policyIds = res['policies'].filter((p) => p.subjects[0].attributes.find(
-				(a) => a.name === 'serviceInstance' && a.value === sourceToolchainId)
-			);
-			policyIds = policyIds.map((p) => p.id);
-		};
-
-		if (includeS2S) {
-			try {
-				collectPolicyIds();
-			} catch (e) {
-				logger.error('Something went wrong while fetching service-to-service auth policies', LOG_STAGES.setup);
-				throw e;
-			}
-		}
-
 		logger.info('Arguments and required packages verified, proceeding with copying toolchain...', LOG_STAGES.setup);
 
 		// Set up temp folder
@@ -231,6 +210,9 @@ async function main(options) {
 		exit(1);
 	}
 
+	let toolchainTfName; // to target creating toolchain first
+	let s2sAuthTools; // to create s2s auth with script
+
 	try {
 		let nonSecretRefs;
 
@@ -242,7 +224,7 @@ async function main(options) {
 			await initProviderFile(sourceRegion, TEMP_DIR);
 			await runTerraformInit(TEMP_DIR, verbosity);
 
-			nonSecretRefs = await importTerraform(bearer, apiKey, sourceRegion, sourceToolchainId, targetToolchainName, policyIds, TEMP_DIR, isCompact, verbosity);
+			[toolchainTfName, nonSecretRefs, s2sAuthTools] = await importTerraform(bearer, apiKey, sourceRegion, sourceToolchainId, targetToolchainName, TEMP_DIR, isCompact, verbosity);
 		};
 
 		await logger.withSpinner(
@@ -286,7 +268,8 @@ async function main(options) {
 			tempDir: TEMP_DIR,
 			moreTfResources: moreTfResources,
 			gritMapping: gritMapping,
-			skipUserConfirmation: skipUserConfirmation
+			skipUserConfirmation: skipUserConfirmation,
+			includeS2S: includeS2S
 		});
 	} catch (err) {
 		if (err.message && err.stack) {
@@ -317,6 +300,27 @@ async function main(options) {
 
 			let applyErrors = false;
 
+			if (includeS2S) {
+				const s2sRequests = s2sAuthTools.map((item) => {
+					return {
+						parameters: item['parameters'],
+						serviceId: item.tool_type_id,
+						env_id: `ibm:yp:${targetRegion}`
+					};
+				});
+				fs.writeFileSync(resolve(`${outputDir}/create-s2s.json`), JSON.stringify(s2sRequests));
+
+				// copy script
+				fs.copyFileSync(resolve('create-s2s-script.js'), resolve(`${outputDir}/create-s2s-script.js`), fs.constants.COPYFILE_EXCL);
+			}
+
+			// create toolchain, which invokes script to create s2s if applicable
+			await runTerraformApply(true, outputDir, verbosity, `ibm_cd_toolchain.${toolchainTfName}`).catch((err) => {
+				logger.error(err, LOG_STAGES.tf);
+				applyErrors = true;
+			});
+
+			// create the rest
 			await runTerraformApply(skipUserConfirmation, outputDir, verbosity).catch((err) => {
 				logger.error(err, LOG_STAGES.tf);
 				applyErrors = true;

package/cmd/utils/import-terraform.js

@@ -18,7 +18,7 @@ import { getRandChars, isSecretReference, normalizeName } from './utils.js';
 
 import { SECRET_KEYS_MAP, SUPPORTED_TOOLS_MAP } from '../../config.js';
 
-export async function importTerraform(token, apiKey, region, toolchainId, toolchainName, policyIds, dir, isCompact, verbosity) {
+export async function importTerraform(token, apiKey, region, toolchainId, toolchainName, dir, isCompact, verbosity) {
     // STEP 1/2: set up terraform file with import blocks
     const importBlocks = []; // an array of objects representing import blocks, used in importBlocksToTf
     const additionalProps = {}; // maps resource name to array of { property/param, value }, used to override terraform import
@@ -41,6 +41,14 @@ export async function importTerraform(token, apiKey, region, toolchainId, toolch
     const toolchainResName = block.name;
     let pipelineResName;
 
+    const requiresS2S = [
+        'ibm_cd_toolchain_tool_appconfig',
+        'ibm_cd_toolchain_tool_eventnotifications',
+        'ibm_cd_toolchain_tool_keyprotect',
+        'ibm_cd_toolchain_tool_secretsmanager'
+    ];
+    let s2sAuthTools = [];
+
     // get list of tools
     const allTools = await getToolchainTools(token, toolchainId, region);
     for (const tool of allTools.tools) {
@@ -55,6 +63,10 @@ export async function importTerraform(token, apiKey, region, toolchainId, toolch
 
             toolIdMap[tool.id] = { type: SUPPORTED_TOOLS_MAP[tool.tool_type_id], name: toolResName };
 
+            if (requiresS2S.includes(SUPPORTED_TOOLS_MAP[tool.tool_type_id])) {
+                s2sAuthTools.push(tool);
+            }
+
             // overwrite hard-coded id with reference
             additionalProps[block.name] = [
                 { property: 'toolchain_id', value: `\${ibm_cd_toolchain.${toolchainResName}.id}` },
@@ -139,19 +151,6 @@ export async function importTerraform(token, apiKey, region, toolchainId, toolch
         }
     }
 
-    // include s2s
-    if (policyIds) {
-        for (const policyId of policyIds) {
-            block = importBlock(policyId, 'iam_authorization_policy', 'ibm_iam_authorization_policy');
-            importBlocks.push(block);
-
-            // overwrite hard-coded id with reference
-            additionalProps[block.name] = [
-                { property: 'source_resource_instance_id', value: `\${ibm_cd_toolchain.${toolchainResName}.id}` },
-            ];
-        }
-    }
-
     importBlocksToTf(importBlocks, dir);
 
     if (!fs.existsSync(`${dir}/generated`)) fs.mkdirSync(`${dir}/generated`);
@@ -313,7 +312,7 @@ export async function importTerraform(token, apiKey, region, toolchainId, toolch
     // remove draft
     if (fs.existsSync(`${dir}/generated/draft.tf`)) fs.rmSync(`${dir}/generated/draft.tf`, { recursive: true });
 
-    return nonSecretRefs;
+    return [toolchainResName, nonSecretRefs, s2sAuthTools];
 }
 
 // objects have two keys, "id" and "to"

package/cmd/utils/requests.js

@@ -373,27 +373,6 @@ async function getGritGroupProject(privToken, region, groupId, projectName) {
     }
 }
 
-async function getIamAuthPolicies(bearer, accountId) {
-    const apiBaseUrl = 'https://iam.cloud.ibm.com/v1';
-    const options = {
-        url: apiBaseUrl + '/policies',
-        method: 'GET',
-        headers: {
-            'Authorization': `Bearer ${bearer}`,
-            'Content-Type': 'application/json',
-        },
-        params: { account_id: accountId, type: 'authorization' },
-        validateStatus: () => true
-    };
-    const response = await axios(options);
-    switch (response.status) {
-        case 200:
-            return response.data;
-        default:
-            throw Error('Get auth policies failed');
-    }
-}
-
 async function deleteToolchain(bearer, toolchainId, region) {
     const apiBaseUrl = `https://api.${region}.devops.cloud.ibm.com/toolchain/v2`;
     const options = {
@@ -430,6 +409,5 @@ export {
     getGritUserProject,
     getGritGroup,
     getGritGroupProject,
-    getIamAuthPolicies,
     deleteToolchain
 }

package/cmd/utils/terraform.js

@@ -50,7 +50,7 @@ async function initProviderFile(targetRegion, dir) {
     return writeFilePromise(`${dir}/provider.tf`, jsonToTf(newProviderTfStr));
 }
 
-async function setupTerraformFiles({ token, srcRegion, targetRegion, targetTag, targetToolchainName, targetRgId, disableTriggers, isCompact, outputDir, tempDir, moreTfResources, gritMapping, skipUserConfirmation }) {
+async function setupTerraformFiles({ token, srcRegion, targetRegion, targetTag, targetToolchainName, targetRgId, disableTriggers, isCompact, outputDir, tempDir, moreTfResources, gritMapping, skipUserConfirmation, includeS2S }) {
     const promises = [];
 
     const writeProviderPromise = await initProviderFile(targetRegion, outputDir);
@@ -206,8 +206,9 @@ async function setupTerraformFiles({ token, srcRegion, targetRegion, targetTag,
 
         if (isCompact || resourceName === 'ibm_cd_toolchain') {
             if (targetTag) newTfFileObj['resource']['ibm_cd_toolchain'][newTcId]['tags'] = [
-                ...newTfFileObj['resource']['ibm_cd_toolchain'][newTcId]['tags'] ?? [],
-                targetTag
+                Array.from(new Set( // uniqueness
+                    (newTfFileObj['resource']['ibm_cd_toolchain'][newTcId]['tags'] ?? []).concat([targetTag])
+                ))
             ];
             if (targetToolchainName) newTfFileObj['resource']['ibm_cd_toolchain'][newTcId]['name'] = targetToolchainName;
             if (targetRgId) newTfFileObj['resource']['ibm_cd_toolchain'][newTcId]['resource_group_id'] = targetRgId;
@@ -339,7 +340,8 @@ async function setupTerraformFiles({ token, srcRegion, targetRegion, targetTag,
         }
 
         const newTfFileObjStr = JSON.stringify(newTfFileObj);
-        const newTfFile = replaceDependsOn(jsonToTf(newTfFileObjStr));
+        let newTfFile = replaceDependsOn(jsonToTf(newTfFileObjStr));
+        if (includeS2S && (isCompact || resourceName === 'ibm_cd_toolchain')) newTfFile = addS2sScriptToToolchainTf(newTfFile);
         const copyResourcesPromise = writeFilePromise(`${outputDir}/${fileName}`, newTfFile);
         promises.push(copyResourcesPromise);
     }
@@ -382,11 +384,14 @@ async function getNumResourcesPlanned(dir) {
     };
 }
 
-async function runTerraformApply(skipTfConfirmation, outputDir, verbosity) {
+async function runTerraformApply(skipTfConfirmation, outputDir, verbosity, target) {
     let command = 'terraform apply';
     if (skipTfConfirmation || verbosity === 0) {
         command = 'terraform apply -auto-approve';
     }
+    if (target) {
+        command += ` -target="${target}"`
+    }
 
     const child = child_process.spawn(command, {
         cwd: `${outputDir}`,
@@ -466,6 +471,25 @@ function replaceDependsOn(str) {
     }
 }
 
+function addS2sScriptToToolchainTf(str) {
+    const provisionerStr = (tfName) => `\n\n  provisioner "local-exec" {
+    command = "node create-s2s-script.js"
+    environment = {
+      IBMCLOUD_API_KEY = var.ibmcloud_api_key
+      TARGET_TOOLCHAIN_ID = ibm_cd_toolchain.${tfName}.id
+    }\n  }`
+    try {
+        if (typeof str === 'string') {
+            const pattern = /^resource "ibm_cd_toolchain" "([a-z0-9_-]*)" \{$\n((.|\n)*)\n^\}$/gm;
+
+            // get rid of the quotes
+            return str.replace(pattern, (match, s1, s2) => `resource "ibm_cd_toolchain" "${s1}" {\n${s2}${provisionerStr(s1)}\n}`);
+        }
+    } catch {
+        return str;
+    }
+}
+
 export {
     setTerraformEnv,
     initProviderFile,

package/config.js

@@ -167,9 +167,9 @@ const SECRET_KEYS_MAP = {
 	'nexus': [
 		{ key: 'token', tfKey: 'token' },
 	],
-	'pagerduty': [
-		{ key: 'service_key', tfKey: 'service_key', required: true },
-	],
+	// 'pagerduty': [
+	// 	{ key: 'service_key', tfKey: 'service_key', required: true },
+	// ],
 	'private_worker': [
 		{ key: 'workerQueueCredentials', tfKey: 'worker_queue_credentials', required: true },
 	],
@@ -205,7 +205,7 @@ const SUPPORTED_TOOLS_MAP = {
 	'keyprotect': 'ibm_cd_toolchain_tool_keyprotect',
 	'nexus': 'ibm_cd_toolchain_tool_nexus',
 	'customtool': 'ibm_cd_toolchain_tool_custom',
-	'pagerduty': 'ibm_cd_toolchain_tool_pagerduty',
+	// 'pagerduty': 'ibm_cd_toolchain_tool_pagerduty',
 	'saucelabs': 'ibm_cd_toolchain_tool_saucelabs',
 	'secretsmanager': 'ibm_cd_toolchain_tool_secretsmanager',
 	'security_compliance': 'ibm_cd_toolchain_tool_securitycompliance',

package/create-s2s-script.js

@@ -0,0 +1,119 @@
+/**
+ * Licensed Materials - Property of IBM
+ * (c) Copyright IBM Corporation 2025. All Rights Reserved.
+ *
+ * Note to U.S. Government Users Restricted Rights:
+ * Use, duplication or disclosure restricted by GSA ADP Schedule
+ * Contract with IBM Corp.
+ */
+
+import fs from 'node:fs';
+import { resolve } from 'node:path';
+
+const API_KEY = process.env['IBMCLOUD_API_KEY'];
+if (!API_KEY) throw Error(`Missing 'IBMCLOUD_API_KEY'`);
+
+const TC_ID = process.env['TARGET_TOOLCHAIN_ID'];
+if (!TC_ID) throw Error(`Missing 'TARGET_TOOLCHAIN_ID'`);
+
+const INPUT_PATH = 'create-s2s.json';
+const CLOUD_PLATFORM = 'https://cloud.ibm.com';
+const IAM_BASE_URL = 'https://iam.cloud.ibm.com';
+
+async function getBearer() {
+    const url = `${IAM_BASE_URL}/identity/token`;
+
+    const params = new URLSearchParams();
+    params.append('grant_type', 'urn:ibm:params:oauth:grant-type:apikey');
+    params.append('apikey', API_KEY);
+    params.append('response_type', 'cloud_iam');
+
+    try {
+        const response = await fetch(url, {
+            method: "POST",
+            headers: {
+                'Accept': 'application/json',
+                'Content-Type': 'application/x-www-form-urlencoded'
+            },
+            body: params
+        });
+
+        if (!response.ok) {
+            throw new Error(`Response status: ${response.status}, ${response.statusText}`);
+        }
+
+        console.log(`GETTING BEARER TOKEN... ${response.status}, ${response.statusText}`);
+
+        return (await response.json()).access_token;
+    } catch (error) {
+        console.error(error.message);
+    }
+}
+
+/* expecting item as an object with the format of:
+{
+    "parameters": {
+        "name": "",
+        "integration-status": "",
+        "instance-id-type": "",
+        "region": "",
+        "resource-group": "",
+        "instance-name": "",
+        "instance-crn": "",
+        "setup-authorization-type": ""
+    },
+    "toolchainId": "",
+    "serviceId": "",
+    "env_id": ""
+}
+*/
+
+async function createS2sAuthPolicy(item) {
+    const url = `${CLOUD_PLATFORM}/devops/setup/api/v2/s2s_authorization?${new URLSearchParams({
+        toolchainId: TC_ID,
+        serviceId: item['serviceId'],
+        env_id: item['env_id']
+    }).toString()}`;
+
+    const data = JSON.stringify({
+        'parameters': {
+            'name': item['parameters']['name'],
+            'integration-status': '',
+            'instance-id-type': item['parameters']['instance-id-type'],
+            'region': item['parameters']['region'],
+            'resource-group': item['parameters']['resource-group'],
+            'instance-name': item['parameters']['instance-name'],
+            'instance-crn': item['parameters']['instance-crn'],
+            'setup-authorization-type': 'select'
+        }
+    });
+
+    try {
+        const response = await fetch(url, {
+            method: "POST",
+            headers: {
+                'Authorization': `Bearer ${bearer}`,
+                'Content-Type': 'application/json',
+            },
+            body: data,
+        });
+
+        if (!response.ok) {
+            throw new Error(`Response status: ${response.status}, ${response.statusText}`);
+        }
+
+        console.log(`CREATING AUTH POLICY... ${response.status}, ${response.statusText}`);
+    } catch (error) {
+        console.error(error.message);
+    }
+}
+
+// main
+
+const bearer = await getBearer();
+
+const inputArr = JSON.parse(fs.readFileSync(resolve(INPUT_PATH)));
+
+inputArr.forEach(async (item) => {
+    await createS2sAuthPolicy(item);
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ibm-cloud/cd-tools",
-  "version": "1.3.4",
+  "version": "1.4.0",
   "description": "Tools and utilities for the IBM Cloud Continuous Delivery service and resources",
   "repository": {
     "type": "git",