Enable worker pool support in the CICD recipe (#1023)

* Enable worker pool support in the CICD recipe. Allows CICD to access private resources such as GKE clusters with private endpoints. #996

Author: pasha-gh

docs/tfengine/schemas/cicd.md

@@ -26,6 +26,10 @@
 | envs.triggers.validate | Config block for the presubmit validation Cloud Build trigger. If specified, create the trigger and grant the Cloud Build Service Account necessary permissions to perform the build. | object | false | - | - |
 | envs.triggers.validate.run_on_push | Whether or not to be automatically triggered from a PR/push to branch. Default to true. | boolean | false | - | - |
 | envs.triggers.validate.run_on_schedule | Whether or not to be automatically triggered according a specified schedule. The schedule is specified using [unix-cron format](https://cloud.google.com/scheduler/docs/configuring/cron-job-schedules#defining_the_job_schedule) at Eastern Standard Time (EST). Default to none. | string | false | - | - |
+| envs.worker_pool | Optional Cloud Build private worker pool configuration. Required for CICD to access resources in a private network, e.g. GKE clusters with a private endpoint. | object | false | - | - |
+| envs.worker_pool.location | GCP region of the worker pool. Example: us-central1. | string | true | - | - |
+| envs.worker_pool.name | Name of the worker pool. | string | true | - | - |
+| envs.worker_pool.project | The project worker pool belongs. | string | true | - | - |
 | github | Config for GitHub Cloud Build triggers. | object | false | - | - |
 | github.name | GitHub repo name. | string | false | - | - |
 | github.owner | GitHub repo owner. | string | false | - | - |

examples/tfengine/generated/devops/cicd/configs/tf-apply.yaml

@@ -19,6 +19,7 @@ timeout: 21600s
 substitutions:
     _TERRAFORM_ROOT: "."
     _MANAGED_DIRS: ""
+    _WORKER_POOL: ""
 
 steps:
   - name: "gcr.io/cloud-foundation-cicd/cft/developer-tools-light@sha256:d881ce4ff2a73fa0877dd357af798a431a601b2ccfe5a140837bcb883cd3f011"
@@ -37,3 +38,7 @@ steps:
     args: ["./cicd/configs/run.sh", "-d", "${_MANAGED_DIRS}", "-a", "init", "-a", "plan", "-a", "apply -auto-approve"]
     dir: "${_TERRAFORM_ROOT}"
     id: Apply
+
+options:
+  pool:
+    name: "${_WORKER_POOL}"

examples/tfengine/generated/devops/cicd/configs/tf-plan.yaml

@@ -19,6 +19,7 @@ timeout: 1200s
 substitutions:
     _TERRAFORM_ROOT: "."
     _MANAGED_DIRS: ""
+    _WORKER_POOL: ""
 
 steps:
   - name: "gcr.io/cloud-foundation-cicd/cft/developer-tools-light@sha256:d881ce4ff2a73fa0877dd357af798a431a601b2ccfe5a140837bcb883cd3f011"
@@ -38,3 +39,7 @@ steps:
     args: ["./cicd/configs/tf-deletion-check.sh", "./cicd/configs/tf-deletion-allowlist.txt"]
     dir: "${_TERRAFORM_ROOT}"
     id: Resource deletion check
+
+options:
+  pool:
+    name: "${_WORKER_POOL}"

examples/tfengine/generated/devops/cicd/configs/tf-validate.yaml

@@ -19,6 +19,7 @@ timeout: 600s
 substitutions:
     _TERRAFORM_ROOT: "."
     _MANAGED_DIRS: ""
+    _WORKER_POOL: ""
 
 steps:
   - name: "gcr.io/cloud-foundation-cicd/cft/developer-tools-light@sha256:d881ce4ff2a73fa0877dd357af798a431a601b2ccfe5a140837bcb883cd3f011"
@@ -37,3 +38,7 @@ steps:
     args: ["./cicd/configs/run.sh", "-d", "${_MANAGED_DIRS}", "-a", "init -backend=false", "-a", "validate"]
     dir: "${_TERRAFORM_ROOT}"
     id: Validate
+
+options:
+  pool:
+    name: "${_WORKER_POOL}"

examples/tfengine/generated/devops/cicd/triggers.tf

@@ -36,6 +36,7 @@ resource "google_cloudbuild_trigger" "validate_prod" {
   substitutions = {
     _TERRAFORM_ROOT = "terraform"
     _MANAGED_DIRS   = "groups audit example-prod-networks monitor org_policies folders"
+    _WORKER_POOL    = ""
   }
 
   depends_on = [
@@ -65,6 +66,7 @@ resource "google_cloudbuild_trigger" "plan_prod" {
   substitutions = {
     _TERRAFORM_ROOT = "terraform"
     _MANAGED_DIRS   = "groups audit example-prod-networks monitor org_policies folders"
+    _WORKER_POOL    = ""
   }
 
   depends_on = [
@@ -95,6 +97,7 @@ resource "google_cloudbuild_trigger" "apply_prod" {
   substitutions = {
     _TERRAFORM_ROOT = "terraform"
     _MANAGED_DIRS   = "groups audit example-prod-networks monitor org_policies folders"
+    _WORKER_POOL    = ""
   }
 
   depends_on = [

examples/tfengine/generated/folder_foundation/cicd/configs/tf-apply.yaml

@@ -19,6 +19,7 @@ timeout: 21600s
 substitutions:
     _TERRAFORM_ROOT: "."
     _MANAGED_DIRS: ""
+    _WORKER_POOL: ""
 
 steps:
   - name: "gcr.io/cloud-foundation-cicd/cft/developer-tools-light@sha256:d881ce4ff2a73fa0877dd357af798a431a601b2ccfe5a140837bcb883cd3f011"
@@ -37,3 +38,7 @@ steps:
     args: ["./cicd/configs/run.sh", "-d", "${_MANAGED_DIRS}", "-a", "init", "-a", "plan", "-a", "apply -auto-approve"]
     dir: "${_TERRAFORM_ROOT}"
     id: Apply
+
+options:
+  pool:
+    name: "${_WORKER_POOL}"

examples/tfengine/generated/folder_foundation/cicd/configs/tf-plan.yaml

@@ -19,6 +19,7 @@ timeout: 1200s
 substitutions:
     _TERRAFORM_ROOT: "."
     _MANAGED_DIRS: ""
+    _WORKER_POOL: ""
 
 steps:
   - name: "gcr.io/cloud-foundation-cicd/cft/developer-tools-light@sha256:d881ce4ff2a73fa0877dd357af798a431a601b2ccfe5a140837bcb883cd3f011"
@@ -38,3 +39,7 @@ steps:
     args: ["./cicd/configs/tf-deletion-check.sh", "./cicd/configs/tf-deletion-allowlist.txt"]
     dir: "${_TERRAFORM_ROOT}"
     id: Resource deletion check
+
+options:
+  pool:
+    name: "${_WORKER_POOL}"