https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-alm

This is the DevSecOps Application Lifecycle Management Deployable Architecture
deployable-architecture ibm-cloud terraform


## DevSecOps Application Lifecycle Management

![Stable (With quality checks)](https://img.shields.io/badge/Status-Stable%20(With%20quality%20checks)-green)
[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
[![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-devsecops-alm?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-alm/releases/latest)
[![Renovate enabled](https://img.shields.io/badge/renovate-enabled-brightgreen.svg)](https://renovatebot.com/)
[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)

A Terraform module for provisioning the DevSecOps CI, CD, and CC toolchains.

## Reference architectures

![Architecture diagram for 'DevSecOps CI, CD, CC toolchains'.](/reference-architectures/diagram-deploy-arch-ibm-devsecops-alm-diagram.svg "Architecture diagram")

## Usage

```hcl
module "terraform_devsecops_alm" {
  source                   = "git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-alm?ref=v1.0.4"
  toolchain_region         = var.toolchain_region
  toolchain_resource_group = var.toolchain_resource_group
  registry_namespace       = var.registry_namespace
  cluster_name             = var.cluster_name
  sm_resource_group        = var.sm_resource_group
  sm_name                  = var.sm_name
  sm_location              = var.sm_location
  sm_secret_group          = var.sm_secret_group
}
```

## Required IAM access policies

## Examples

- [Default example](examples/default)
- [Bring your own app example](examples/devsecops-ci-toolchain-bring-your-own-app)
- [Key Protect and CI only example](examples/devsecops-ci-toolchain-with-key-protect)

### Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0.0 |
| [ibm](#requirement\_ibm) | >= 1.79.2, < 2.0.0 |
| [null](#requirement\_null) | = 3.2.2 |
| [random](#requirement\_random) | = 3.6.2 |

### Modules

| Name | Source | Version |
|------|--------|---------|
| [devsecops\_cc\_toolchain](#module\_devsecops\_cc\_toolchain) | git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-cc-toolchain | v2.7.0 |
| [devsecops\_cd\_toolchain](#module\_devsecops\_cd\_toolchain) | git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-cd-toolchain | v2.7.0 |
| [devsecops\_ci\_toolchain](#module\_devsecops\_ci\_toolchain) | git::https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-ci-toolchain | v2.8.1 |
| [prereqs](#module\_prereqs) | ./prereqs | n/a |

### Resources

| Name | Type |
|------|------|
| [ibm_cd_tekton_pipeline_property.cc_pipeline_ibmcloud_api](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cd_tekton_pipeline_property) | resource |
| [ibm_cd_tekton_pipeline_property.cd_pipeline_ibmcloud_api](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cd_tekton_pipeline_property) | resource |
| [ibm_cd_tekton_pipeline_property.ci_pipeline_ibmcloud_api](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cd_tekton_pipeline_property) | resource |
| [ibm_cd_tekton_pipeline_property.pr_pipeline_ibmcloud_api](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cd_tekton_pipeline_property) | resource |
| [ibm_cd_tekton_pipeline_trigger.ci_pipeline_webhook](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cd_tekton_pipeline_trigger) | resource |
| [ibm_cd_tekton_pipeline_trigger_property.ci_pipeline_webhook_branch_property](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cd_tekton_pipeline_trigger_property) | resource |
| [ibm_cd_tekton_pipeline_trigger_property.ci_pipeline_webhook_name_property](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cd_tekton_pipeline_trigger_property) | resource |
| [ibm_cd_tekton_pipeline_trigger_property.ci_pipeline_webhook_repo_url_property](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cd_tekton_pipeline_trigger_property) | resource |
| [ibm_cr_namespace.cr_namespace](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cr_namespace) | resource |
| [ibm_resource_instance.cd_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource |
| [null_resource.ci_pipeline_run](https://registry.terraform.io/providers/hashicorp/null/3.2.2/docs/resources/resource) | resource |
| [random_string.resource_suffix](https://registry.terraform.io/providers/hashicorp/random/3.6.2/docs/resources/string) | resource |
| [random_string.webhook_secret](https://registry.terraform.io/providers/hashicorp/random/3.6.2/docs/resources/string) | resource |
| [ibm_resource_group.resource_group](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/resource_group) | data source |

### Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [add\_code\_engine\_prefix](#input\_add\_code\_engine\_prefix) | Set to `true` to use `prefix` to add a prefix to the code engine project names. | `bool` | `true` | no |
| [add\_container\_name\_suffix](#input\_add\_container\_name\_suffix) | Set to `true` to add a random suffix to the specified ICR name. | `bool` | `false` | no |
| [add\_pipeline\_definitions](#input\_add\_pipeline\_definitions) | Set to `true` to add pipeline definitions. | `string` | `"true"` | no |
| [app\_group](#input\_app\_group) | Specify the Git user or group for the application repository. | `string` | `""` | no |
| [app\_repo\_auth\_type](#input\_app\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
| [app\_repo\_branch](#input\_app\_repo\_branch) | This is the repository branch used by the default sample application. Alternatively if `app_repo_existing_url` is provided, then the branch must reflect the default branch for that repository. Typically these branches are `main` or `master`. | `string` | `"master"` | no |
| [app\_repo\_clone\_from\_url](#input\_app\_repo\_clone\_from\_url) | Override the default sample app by providing your own sample app URL, which is cloned into the app repository. Note, uses `clone_if_not_exists` mode, so if the app repository already exists the repository contents are unchanged. | `string` | `""` | no |
| [app\_repo\_clone\_to\_git\_id](#input\_app\_repo\_clone\_to\_git\_id) | Set this value to `github` for github.com, or to the GUID of a custom GitHub Enterprise server. | `string` | `""` | no |
| [app\_repo\_clone\_to\_git\_provider](#input\_app\_repo\_clone\_to\_git\_provider) | By default this gets set as 'hostedgit', else set to 'githubconsolidated' for GitHub repositories. | `string` | `""` | no |
| [app\_repo\_existing\_git\_id](#input\_app\_repo\_existing\_git\_id) | Set this value to `github` for github.com, or to the GUID of a custom GitHub Enterprise server. | `string` | `""` | no |
| [app\_repo\_existing\_git\_provider](#input\_app\_repo\_existing\_git\_provider) | Git provider for application repo. If not set will default to `hostedgit`. | `string` | `""` | no |
| [app\_repo\_existing\_url](#input\_app\_repo\_existing\_url) | Bring your own existing application repository by providing the URL. This will create an integration for your application repository instead of cloning the default sample. Repositories existing in a different org will require the use of Git token. See `app_repo_git_token_secret_name` under optional variables. | `string` | `"__NOTSET__"` | no |
| [app\_repo\_git\_token\_secret\_crn](#input\_app\_repo\_git\_token\_secret\_crn) | The CRN of the Git token used for accessing the sample application repository. | `string` | `""` | no |
| [app\_repo\_git\_token\_secret\_name](#input\_app\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider used for accessing the sample (or bring your own) application repository. | `string` | `""` | no |
| [app\_repo\_name](#input\_app\_repo\_name) | The repository name. | `string` | `""` | no |
| [app\_repo\_secret\_group](#input\_app\_repo\_secret\_group) | Secret group for the App repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [artifactory\_dashboard\_url](#input\_artifactory\_dashboard\_url) | Type the URL that you want to navigate to when you click the Artifactory integration tile. | `string` | `""` | no |
| [artifactory\_integration\_name](#input\_artifactory\_integration\_name) | The name of the Artifactory tool integration | `string` | `"artifactory-dockerconfigjson"` | no |
| [artifactory\_repo\_name](#input\_artifactory\_repo\_name) | Type the name of your Artifactory repository where your docker images are located. | `string` | `""` | no |
| [artifactory\_repo\_url](#input\_artifactory\_repo\_url) | Type the URL for your Artifactory release repository. | `string` | `""` | no |
| [artifactory\_token\_secret\_group](#input\_artifactory\_token\_secret\_group) | Secret group prefix for the Artifactory token secret. Defaults to `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [artifactory\_token\_secret\_name](#input\_artifactory\_token\_secret\_name) | Name of the artifactory token secret in the secret provider. | `string` | `"artifactory-token"` | no |
| [artifactory\_user](#input\_artifactory\_user) | Type the User ID or email for your Artifactory repository. | `string` | `""` | no |
| [authorization\_policy\_creation](#input\_authorization\_policy\_creation) | Disable Toolchain Service to Secrets Manager/Key Protect/Notifications Service authorization policy creation. To disable set the value to `disabled`. This applies to the CI, CD, and CC toolchains. To set independently, see `ci_authorization_policy_creation`, `cd_authorization_policy_creation`, and `cc_authorization_policy_creation`. | `string` | `""` | no |
| [autostart](#input\_autostart) | Set to `true` to auto run the CI pipeline in the CI toolchain after creation. | `bool` | `false` | no |
| [cc\_app\_group](#input\_cc\_app\_group) | Specify user or group for app repository. | `string` | `""` | no |
| [cc\_app\_repo\_auth\_type](#input\_cc\_app\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
| [cc\_app\_repo\_branch](#input\_cc\_app\_repo\_branch) | The default branch of the app repository. | `string` | `""` | no |
| [cc\_app\_repo\_git\_id](#input\_cc\_app\_repo\_git\_id) | The Git Id of the repository. | `string` | `""` | no |
| [cc\_app\_repo\_git\_provider](#input\_cc\_app\_repo\_git\_provider) | Git provider for the application repo. If not set will default to `hostedgit`. | `string` | `""` | no |
| [cc\_app\_repo\_git\_token\_secret\_crn](#input\_cc\_app\_repo\_git\_token\_secret\_crn) | The CRN of the Git token used for accessing the application repository. | `string` | `""` | no |
| [cc\_app\_repo\_git\_token\_secret\_name](#input\_cc\_app\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider used for accessing the sample (or bring your own) application repository. | `string` | `""` | no |
| [cc\_app\_repo\_secret\_group](#input\_cc\_app\_repo\_secret\_group) | Secret group for the App repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cc\_app\_repo\_url](#input\_cc\_app\_repo\_url) | The Git URL for the application repository. | `string` | `""` | no |
| [cc\_artifactory\_token\_secret\_crn](#input\_cc\_artifactory\_token\_secret\_crn) | The CRN for the Artifactory access secret. | `string` | `""` | no |
| [cc\_authorization\_policy\_creation](#input\_cc\_authorization\_policy\_creation) | Disable Toolchain Service to Secrets Manager/Key Protect/Notifications Service authorization policy creation. To disable set the value to `disabled`. | `string` | `""` | no |
| [cc\_compliance\_pipeline\_branch](#input\_cc\_compliance\_pipeline\_branch) | The CC Pipeline Compliance Pipeline branch. | `string` | `""` | no |
| [cc\_compliance\_pipeline\_group](#input\_cc\_compliance\_pipeline\_group) | Specify user or group for compliance pipeline repository. | `string` | `""` | no |
| [cc\_compliance\_pipeline\_repo\_auth\_type](#input\_cc\_compliance\_pipeline\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
| [cc\_compliance\_pipeline\_repo\_git\_token\_secret\_crn](#input\_cc\_compliance\_pipeline\_repo\_git\_token\_secret\_crn) | The CRN of the Git token used for accessing the Compliance Pipelines repository. | `string` | `""` | no |
| [cc\_compliance\_pipeline\_repo\_git\_token\_secret\_name](#input\_cc\_compliance\_pipeline\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider used for accessing the compliance pipelines repository. | `string` | `""` | no |
| [cc\_compliance\_pipeline\_repo\_secret\_group](#input\_cc\_compliance\_pipeline\_repo\_secret\_group) | Secret group for the Compliance Pipeline repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cc\_cos\_api\_key\_secret\_crn](#input\_cc\_cos\_api\_key\_secret\_crn) | The CRN of the Cloud Object Storage apikey. | `string` | `""` | no |
| [cc\_cos\_api\_key\_secret\_group](#input\_cc\_cos\_api\_key\_secret\_group) | Secret group for the COS API key secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cc\_cos\_api\_key\_secret\_name](#input\_cc\_cos\_api\_key\_secret\_name) | Name of the Cloud Object Storage API key secret in the secret provider used for accessing the evidence COS bucket. | `string` | `""` | no |
| [cc\_cos\_bucket\_name](#input\_cc\_cos\_bucket\_name) | The name of the Cloud Object Storage bucket used for storing the evidence. | `string` | `""` | no |
| [cc\_cos\_endpoint](#input\_cc\_cos\_endpoint) | The endpoint for the Cloud Object Storage instance containing the evidence bucket. | `string` | `""` | no |
| [cc\_doi\_toolchain\_id](#input\_cc\_doi\_toolchain\_id) | The ID of the toolchain containing the DevOps Insights integration. This variable is used to link the DevOps Insights toolcard to a specific instance. | `string` | `""` | no |
| [cc\_enable\_key\_protect](#input\_cc\_enable\_key\_protect) | Set to `true` to enable the Key Protect integrations. | `string` | `""` | no |
| [cc\_enable\_pipeline\_notifications](#input\_cc\_enable\_pipeline\_notifications) | When enabled, pipeline run events will be sent to the Event Notifications and Slack integrations in the enclosing toolchain. | `string` | `""` | no |
| [cc\_enable\_secrets\_manager](#input\_cc\_enable\_secrets\_manager) | Set to `true` to enable the Secrets Manager integrations. | `string` | `""` | no |
| [cc\_enable\_slack](#input\_cc\_enable\_slack) | Set to `true` to create the Slack toolchain integration. | `string` | `""` | no |
| [cc\_event\_notifications\_crn](#input\_cc\_event\_notifications\_crn) | Set the Event Notifications CRN to create an Events Notification integration. | `string` | `""` | no |
| [cc\_evidence\_group](#input\_cc\_evidence\_group) | Specify the Git user or group for the evidence repository. | `string` | `""` | no |
| [cc\_evidence\_repo\_auth\_type](#input\_cc\_evidence\_repo\_auth\_type) | Select the method of authentication that is used to access the Git provider. 'oauth' or 'pat' | `string` | `""` | no |
| [cc\_evidence\_repo\_git\_token\_secret\_crn](#input\_cc\_evidence\_repo\_git\_token\_secret\_crn) | The CRN of the Git token used for accessing the Evidence repository. | `string` | `""` | no |
| [cc\_evidence\_repo\_git\_token\_secret\_name](#input\_cc\_evidence\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider used for accessing the evidence repository. | `string` | `""` | no |
| [cc\_evidence\_repo\_secret\_group](#input\_cc\_evidence\_repo\_secret\_group) | Secret group for the Evidence repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cc\_inventory\_group](#input\_cc\_inventory\_group) | Specify the Git user or group for the inventory repository. | `string` | `""` | no |
| [cc\_inventory\_repo\_auth\_type](#input\_cc\_inventory\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
| [cc\_inventory\_repo\_git\_token\_secret\_crn](#input\_cc\_inventory\_repo\_git\_token\_secret\_crn) | The CRN of the Git token used for accessing the Inventory repository. | `string` | `""` | no |
| [cc\_inventory\_repo\_git\_token\_secret\_name](#input\_cc\_inventory\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider used for accessing the inventory repository. | `string` | `""` | no |
| [cc\_inventory\_repo\_secret\_group](#input\_cc\_inventory\_repo\_secret\_group) | Secret group for the Inventory repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cc\_issues\_group](#input\_cc\_issues\_group) | Specify the Git user or group for the issues repository. | `string` | `""` | no |
| [cc\_issues\_repo\_auth\_type](#input\_cc\_issues\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
| [cc\_issues\_repo\_git\_token\_secret\_crn](#input\_cc\_issues\_repo\_git\_token\_secret\_crn) | The CRN of the Git token used for accessing the Issues repository. | `string` | `""` | no |
| [cc\_issues\_repo\_git\_token\_secret\_name](#input\_cc\_issues\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider used for accessing the issues repository. | `string` | `""` | no |
| [cc\_issues\_repo\_secret\_group](#input\_cc\_issues\_repo\_secret\_group) | Secret group for the Issues repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cc\_kp\_location](#input\_cc\_kp\_location) | The region hosting the Key Protect instance. | `string` | `""` | no |
| [cc\_kp\_name](#input\_cc\_kp\_name) | Name of the Key Protect instance where the secrets are stored. | `string` | `""` | no |
| [cc\_kp\_resource\_group](#input\_cc\_kp\_resource\_group) | The resource group containing the Key Protect instance. | `string` | `""` | no |
| [cc\_link\_to\_doi\_toolchain](#input\_cc\_link\_to\_doi\_toolchain) | Enable a link to a DevOps Insights instance in another toolchain, true or false. | `bool` | `true` | no |
| [cc\_locked\_properties](#input\_cc\_locked\_properties) | List of default locked properties | `list(string)` | `["app-concurrency", "app-deployment-timeout", "app-max-scale", "app-min-scale", "app-port", "app-visibility", "artifactory-dockerconfigjson", "cluster", "cluster-name", "cluster-namespace", "cluster-region", "code-engine-binding-resource-group", "code-engine-build-size", "code-engine-build-strategy", "code-engine-build-timeout", "code-engine-build-use-native-docker", "code-engine-deployment-type", "code-engine-project", "code-engine-region", "code-engine-resource-group", "code-engine-wait-timeout", "compliance-baseimage", "context-dir", "cos-api-key", "cos-bucket-name", "cos-endpoint", "cpu", "cra-bom-generate", "cra-deploy-analysis", "cra-generate-cyclonedx-format", "cra-vulnerability-scan", "custom-image-tag", "dev-cluster-namespace", "dev-region", "dev-resource-group", "dockerfile", "doi-environment", "doi-ibmcloud-api-key", "doi-toolchain-id", "env-from-configmaps", "env-from-secrets", "ephemeral-storage", "event-notifications", "evidence-repo", "git-token", "gosec-private-repository-host", "gosec-private-repository-ssh-key", "ibmcloud-api", "ibmcloud-api-key", "image-name", "incident-repo", "inventory-repo", "job-instances", "job-maxexecutiontime", "job-retrylimit", "memory", "opt-in-dynamic-api-scan", "opt-in-dynamic-scan", "opt-in-dynamic-ui-scan", "opt-in-gosec", "opt-in-sonar", "peer-review-compliance", "pipeline-config", "pipeline-config-branch", "pipeline-config-repo", "pipeline-dockerconfigjson", "print-code-signing-certificate", "registry-domain", "registry-namespace", "registry-region", "remove-unspecified-references-to-configuration-resources", "service-bindings", "signing-key", "slack-notifications", "sonarqube", "sonarqube-config", "source", "version"]` | no |
| [cc\_pipeline\_config\_group](#input\_cc\_pipeline\_config\_group) | Specify the Git user or group for the compliance pipeline repository. | `string` | `""` | no |
| [cc\_pipeline\_config\_repo\_auth\_type](#input\_cc\_pipeline\_config\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
| [cc\_pipeline\_config\_repo\_branch](#input\_cc\_pipeline\_config\_repo\_branch) | Specify the branch containing the custom pipeline-config.yaml file. | `string` | `""` | no |
| [cc\_pipeline\_config\_repo\_clone\_from\_url](#input\_cc\_pipeline\_config\_repo\_clone\_from\_url) | Specify a repository containing a custom pipeline-config.yaml file. | `string` | `""` | no |
| [cc\_pipeline\_config\_repo\_existing\_url](#input\_cc\_pipeline\_config\_repo\_existing\_url) | Specify a repository containing a custom pipeline-config.yaml file. | `string` | `""` | no |
| [cc\_pipeline\_config\_repo\_git\_token\_secret\_crn](#input\_cc\_pipeline\_config\_repo\_git\_token\_secret\_crn) | The CRN of the Git token for accessing the pipeline config repository. | `string` | `""` | no |
| [cc\_pipeline\_config\_repo\_git\_token\_secret\_name](#input\_cc\_pipeline\_config\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider used for accessing the pipeline config repository. | `string` | `""` | no |
| [cc\_pipeline\_config\_repo\_secret\_group](#input\_cc\_pipeline\_config\_repo\_secret\_group) | Secret group for the Pipeline Config repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cc\_pipeline\_doi\_api\_key\_secret\_crn](#input\_cc\_pipeline\_doi\_api\_key\_secret\_crn) | The CRN of the DOI (DevOps Insights) apikey used for accessing a specific toolchain Insights instance. | `string` | `""` | no |
| [cc\_pipeline\_doi\_api\_key\_secret\_group](#input\_cc\_pipeline\_doi\_api\_key\_secret\_group) | Secret group for the pipeline DOI api key. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cc\_pipeline\_doi\_api\_key\_secret\_name](#input\_cc\_pipeline\_doi\_api\_key\_secret\_name) | Name of the Cloud API key secret in the secret provider to access the toolchain containing the DevOps Insights instance. | `string` | `""` | no |
| [cc\_pipeline\_git\_tag](#input\_cc\_pipeline\_git\_tag) | The GIT tag selector for the Compliance Pipelines definitions. | `string` | `""` | no |
| [cc\_pipeline\_ibmcloud\_api\_key\_secret\_crn](#input\_cc\_pipeline\_ibmcloud\_api\_key\_secret\_crn) | The CRN of the IBMCloud apikey used for running the pipelines. | `string` | `""` | no |
| [cc\_pipeline\_ibmcloud\_api\_key\_secret\_group](#input\_cc\_pipeline\_ibmcloud\_api\_key\_secret\_group) | Secret group for the pipeline ibmcloud API key secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cc\_pipeline\_ibmcloud\_api\_key\_secret\_name](#input\_cc\_pipeline\_ibmcloud\_api\_key\_secret\_name) | Name of the Cloud API key secret in the secret provider for running the pipelines. | `string` | `""` | no |
| [cc\_pipeline\_properties](#input\_cc\_pipeline\_properties) | This JSON represents the pipeline properties belonging to the CC pipeline in the CC toolchain. Each element in the JSON represents a separate pipeline property. Three attributes are required to create a property. These are the `name` field (how the name appears in the pipeline properties), the `type` (text, secure and enum) and then the `value`. Do not put secrets directly into JSON for the `secure` type, instead the value for a `secret` type should be a CRN to a secret in the configured secrets provider or a secret reference to a secret in the configured secrets provider. | `string` | `""` | no |
| [cc\_pipeline\_properties\_filepath](#input\_cc\_pipeline\_properties\_filepath) | The path to the file containing the property JSON. If this is not set and `cc_pipeline_properties` is not set, it will by default read the `properties.json` file at the root of the CC module. | `string` | `""` | no |
| [cc\_repositories\_prefix](#input\_cc\_repositories\_prefix) | The prefix for the compliance repositories. For the repositories\_prefix value only a-z, A-Z and 0-9 and the special characters `-_` are allowed. In addition the string must not end with a special character or have two consecutive special characters. | `string` | `""` | no |
| [cc\_repository\_properties](#input\_cc\_repository\_properties) | Stringified JSON containing the repositories and triggers that get created in the CI toolchain pipelines. | `string` | `""` | no |
| [cc\_repository\_properties\_filepath](#input\_cc\_repository\_properties\_filepath) | The path to the file containing the repository and triggers JSON. If this is not set, it will by default read the `repositories.json` file at the root of the module. | `string` | `""` | no |
| [cc\_scc\_integration\_name](#input\_cc\_scc\_integration\_name) | The name of the SCC integration. | `string` | `"Security and Compliance"` | no |
| [cc\_scc\_use\_profile\_attachment](#input\_cc\_scc\_use\_profile\_attachment) | Set to `enabled` to enable use profile with attachment, so that the scripts in the pipeline can interact with the Security and Compliance Center service. When enabled, other parameters become relevant; `scc_scc_api_key_secret_name`, `scc_instance_crn`, `scc_profile_name`, `scc_profile_version`, `scc_attachment_id`. | `string` | `""` | no |
| [cc\_slack\_channel\_name](#input\_cc\_slack\_channel\_name) | The name of the Slack channel where notifications are posted. | `string` | `""` | no |
| [cc\_slack\_pipeline\_fail](#input\_cc\_slack\_pipeline\_fail) | Set to `true` to generate pipeline failed notifications. | `bool` | `true` | no |
| [cc\_slack\_pipeline\_start](#input\_cc\_slack\_pipeline\_start) | Set to `true` to generate pipeline start notifications. | `bool` | `true` | no |
| [cc\_slack\_pipeline\_success](#input\_cc\_slack\_pipeline\_success) | Set to `true` to generate pipeline succeeded notifications. | `bool` | `true` | no |
| [cc\_slack\_team\_name](#input\_cc\_slack\_team\_name) | The Slack team name, which is the word or phrase before .slack.com in the team URL. | `string` | `""` | no |
| [cc\_slack\_toolchain\_bind](#input\_cc\_slack\_toolchain\_bind) | Generate tool added to toolchain notifications. | `bool` | `true` | no |
| [cc\_slack\_toolchain\_unbind](#input\_cc\_slack\_toolchain\_unbind) | Set to `true` to generate tool removed from toolchain notifications. | `bool` | `true` | no |
| [cc\_slack\_webhook\_secret\_crn](#input\_cc\_slack\_webhook\_secret\_crn) | The CRN of the Slack webhook secret used for accessing the specified Slack channel. | `string` | `""` | no |
| [cc\_slack\_webhook\_secret\_group](#input\_cc\_slack\_webhook\_secret\_group) | Secret group for the Slack webhook secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cc\_slack\_webhook\_secret\_name](#input\_cc\_slack\_webhook\_secret\_name) | Name of the webhook secret in the secret provider used for accessing the configured Slack channel. | `string` | `""` | no |
| [cc\_sm\_instance\_crn](#input\_cc\_sm\_instance\_crn) | The CRN of the Secrets Manager instance. | `string` | `""` | no |
| [cc\_sm\_location](#input\_cc\_sm\_location) | The region hosting the Secrets Manager instance. | `string` | `""` | no |
| [cc\_sm\_name](#input\_cc\_sm\_name) | The name of an existing Secrets Manager instance where the secrets are stored. | `string` | `""` | no |
| [cc\_sm\_resource\_group](#input\_cc\_sm\_resource\_group) | The name of the existing resource group containing the Secrets Manager instance for your secrets. | `string` | `""` | no |
| [cc\_sm\_secret\_group](#input\_cc\_sm\_secret\_group) | The Secrets Manager secret group containing the secrets for the DevSecOps pipelines. | `string` | `""` | no |
| [cc\_sonarqube\_integration\_name](#input\_cc\_sonarqube\_integration\_name) | The name of the SonarQube integration. | `string` | `""` | no |
| [cc\_sonarqube\_is\_blind\_connection](#input\_cc\_sonarqube\_is\_blind\_connection) | When set to `true`, instructs IBM Cloud Continuous Delivery to not validate the configuration of this integration. Set this to `true` if the SonarQube server is not addressable on the public internet. | `string` | `""` | no |
| [cc\_sonarqube\_secret\_crn](#input\_cc\_sonarqube\_secret\_crn) | The CRN of the secret used to access SonarQube. | `string` | `""` | no |
| [cc\_sonarqube\_secret\_group](#input\_cc\_sonarqube\_secret\_group) | Secret group for the SonarQube secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cc\_sonarqube\_secret\_name](#input\_cc\_sonarqube\_secret\_name) | The name of the SonarQube secret in the secrets provider. | `string` | `""` | no |
| [cc\_sonarqube\_server\_url](#input\_cc\_sonarqube\_server\_url) | The URL to the SonarQube server. | `string` | `""` | no |
| [cc\_sonarqube\_user](#input\_cc\_sonarqube\_user) | The name of the SonarQube user. | `string` | `""` | no |
| [cc\_toolchain\_description](#input\_cc\_toolchain\_description) | Description for the CC Toolchain. | `string` | `"Toolchain created with terraform template for DevSecOps CC Best Practices."` | no |
| [cc\_toolchain\_name](#input\_cc\_toolchain\_name) | The name of the CC Toolchain. | `string` | `""` | no |
| [cc\_toolchain\_region](#input\_cc\_toolchain\_region) | The region containing the CI toolchain. Use the short form of the regions. For example `us-south`. | `string` | `""` | no |
| [cc\_toolchain\_resource\_group](#input\_cc\_toolchain\_resource\_group) | Resource group within which the toolchain is created. | `string` | `""` | no |
| [cc\_trigger\_manual\_enable](#input\_cc\_trigger\_manual\_enable) | Set to `true` to enable the CC pipeline Manual trigger. | `bool` | `true` | no |
| [cc\_trigger\_manual\_name](#input\_cc\_trigger\_manual\_name) | The name of the CC pipeline Manual trigger. | `string` | `"CC Manual Trigger"` | no |
| [cc\_trigger\_timed\_cron\_schedule](#input\_cc\_trigger\_timed\_cron\_schedule) | Only needed for timer triggers. Cron expression that indicates when this trigger will activate. Maximum frequency is every 5 minutes. The string is based on UNIX crontab syntax: minute, hour, day of month, month, day of week. Example: `0 */2 * * *` - every 2 hours. | `string` | `"0 4 * * *"` | no |
| [cc\_trigger\_timed\_enable](#input\_cc\_trigger\_timed\_enable) | Set to `true` to enable the CC pipeline Timed trigger. | `bool` | `false` | no |
| [cc\_trigger\_timed\_name](#input\_cc\_trigger\_timed\_name) | The name of the CC pipeline Timed trigger. | `string` | `"CC Timed Trigger"` | no |
| [cd\_artifactory\_token\_secret\_crn](#input\_cd\_artifactory\_token\_secret\_crn) | The CRN for the Artifactory access secret. | `string` | `""` | no |
| [cd\_authorization\_policy\_creation](#input\_cd\_authorization\_policy\_creation) | Disable Toolchain Service to Secrets Manager/Key Protect/Notifications Service authorization policy creation. To disable set the value to `disabled`. | `string` | `""` | no |
| [cd\_change\_management\_group](#input\_cd\_change\_management\_group) | Specify the group for the change management repository. | `string` | `""` | no |
| [cd\_change\_management\_repo\_auth\_type](#input\_cd\_change\_management\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
| [cd\_change\_management\_repo\_git\_provider](#input\_cd\_change\_management\_repo\_git\_provider) | Git provider for the change management repo. If not set will default to `hostedgit`. | `string` | `""` | no |
| [cd\_change\_management\_repo\_git\_token\_secret\_crn](#input\_cd\_change\_management\_repo\_git\_token\_secret\_crn) | The CRN for the Change Management repository Git Token. | `string` | `""` | no |
| [cd\_change\_management\_repo\_git\_token\_secret\_name](#input\_cd\_change\_management\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider. | `string` | `""` | no |
| [cd\_change\_management\_repo\_name](#input\_cd\_change\_management\_repo\_name) | The repository name. | `string` | `""` | no |
| [cd\_change\_management\_repo\_secret\_group](#input\_cd\_change\_management\_repo\_secret\_group) | Secret group for the Change Management repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cd\_change\_repo\_clone\_from\_url](#input\_cd\_change\_repo\_clone\_from\_url) | Override the default management repository, which is cloned into the application repository. Note: this uses `clone_if_not_exists` mode, so if the application repository already exists, the repository contents are unchanged. | `string` | `""` | no |
| [cd\_cluster\_name](#input\_cd\_cluster\_name) | Name of the cluster where the application is deployed. | `string` | `""` | no |
| [cd\_cluster\_namespace](#input\_cd\_cluster\_namespace) | Name of the cluster namespace where the application is deployed. | `string` | `"prod"` | no |
| [cd\_cluster\_region](#input\_cd\_cluster\_region) | Region hosting the cluster where the application is deployed. Use the short form of the regions. For example `us-south`. | `string` | `""` | no |
| [cd\_code\_engine\_project](#input\_cd\_code\_engine\_project) | The name of the Code Engine project to use for the CD pipeline promoted code. The project is created if it does not already exist. | `string` | `"Sample_CD_Project"` | no |
| [cd\_code\_engine\_region](#input\_cd\_code\_engine\_region) | The region to create/lookup for the Code Engine project. | `string` | `""` | no |
| [cd\_code\_engine\_resource\_group](#input\_cd\_code\_engine\_resource\_group) | The resource group of the Code Engine project. | `string` | `""` | no |
| [cd\_code\_signing\_cert\_secret\_name](#input\_cd\_code\_signing\_cert\_secret\_name) | This is the name of the secret in the secrets provider for storing the code signing certificate. | `string` | `"signing-certificate"` | no |
| [cd\_compliance\_pipeline\_branch](#input\_cd\_compliance\_pipeline\_branch) | The CD Pipeline Compliance Pipeline branch. | `string` | `""` | no |
| [cd\_compliance\_pipeline\_group](#input\_cd\_compliance\_pipeline\_group) | Specify user or group for compliance pipeline repository. | `string` | `""` | no |
| [cd\_compliance\_pipeline\_repo\_auth\_type](#input\_cd\_compliance\_pipeline\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
| [cd\_compliance\_pipeline\_repo\_git\_token\_secret\_crn](#input\_cd\_compliance\_pipeline\_repo\_git\_token\_secret\_crn) | The CRN of the Git token used for accessing the Compliance Pipelines repository. | `string` | `""` | no |
| [cd\_compliance\_pipeline\_repo\_git\_token\_secret\_name](#input\_cd\_compliance\_pipeline\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider used for accessing the compliance pipelines repository. | `string` | `""` | no |
| [cd\_compliance\_pipeline\_repo\_secret\_group](#input\_cd\_compliance\_pipeline\_repo\_secret\_group) | Secret group for the Compliance Pipeline repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cd\_cos\_api\_key\_secret\_crn](#input\_cd\_cos\_api\_key\_secret\_crn) | The CRN of the Cloud Object Storage apikey. | `string` | `""` | no |
| [cd\_cos\_api\_key\_secret\_group](#input\_cd\_cos\_api\_key\_secret\_group) | Secret group for the COS API key secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cd\_cos\_api\_key\_secret\_name](#input\_cd\_cos\_api\_key\_secret\_name) | Name of the Cloud Object Storage API key secret in the secret provider used for accessing the evidence COS bucket. | `string` | `""` | no |
| [cd\_cos\_bucket\_name](#input\_cd\_cos\_bucket\_name) | The name of the Cloud Object Storage bucket used for storing the evidence. | `string` | `""` | no |
| [cd\_cos\_endpoint](#input\_cd\_cos\_endpoint) | The endpoint for the Cloud Object Storage instance containing the evidence bucket. | `string` | `""` | no |
| [cd\_deployment\_group](#input\_cd\_deployment\_group) | Specify group for deployment. | `string` | `""` | no |
| [cd\_deployment\_repo\_auth\_type](#input\_cd\_deployment\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
| [cd\_deployment\_repo\_clone\_from\_branch](#input\_cd\_deployment\_repo\_clone\_from\_branch) | Used when deployment\_repo\_clone\_from\_url is provided, the default branch that is used by the CD build, usually either main or master. | `string` | `""` | no |
| [cd\_deployment\_repo\_clone\_from\_url](#input\_cd\_deployment\_repo\_clone\_from\_url) | Override the default sample app by providing your own sample deployment URL, which is cloned into the app repository. Note: this uses `clone_if_not_exists` mode, so if the app repository already exists, the repository contents are unchanged. | `string` | `""` | no |
| [cd\_deployment\_repo\_clone\_to\_git\_id](#input\_cd\_deployment\_repo\_clone\_to\_git\_id) | By default absent, else custom server GUID, or other options for 'git\_id' field in the browser UI. | `string` | `""` | no |
| [cd\_deployment\_repo\_clone\_to\_git\_provider](#input\_cd\_deployment\_repo\_clone\_to\_git\_provider) | By default 'hostedgit', else use 'githubconsolidated' or 'gitlab'. | `string` | `""` | no |
| [cd\_deployment\_repo\_existing\_branch](#input\_cd\_deployment\_repo\_existing\_branch) | Used when deployment\_repo\_existing\_url is provided, the default branch that is used by the CD build, usually either main or master. | `string` | `""` | no |
| [cd\_deployment\_repo\_existing\_git\_id](#input\_cd\_deployment\_repo\_existing\_git\_id) | Set this value to `github` for github.com, or to the GUID of a custom GitHub Enterprise server. | `string` | `""` | no |
| [cd\_deployment\_repo\_existing\_git\_provider](#input\_cd\_deployment\_repo\_existing\_git\_provider) | Git provider for the deployment repo. If not set will default to `hostedgit`. | `string` | `""` | no |
| [cd\_deployment\_repo\_existing\_url](#input\_cd\_deployment\_repo\_existing\_url) | Override to bring your own existing deployment repository URL, which is used directly instead of cloning the default deployment sample. | `string` | `""` | no |
| [cd\_deployment\_repo\_git\_token\_secret\_crn](#input\_cd\_deployment\_repo\_git\_token\_secret\_crn) | The CRN for the Deployment repository Git Token. | `string` | `""` | no |
| [cd\_deployment\_repo\_git\_token\_secret\_name](#input\_cd\_deployment\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider. | `string` | `""` | no |
| [cd\_deployment\_repo\_name](#input\_cd\_deployment\_repo\_name) | The repository name. | `string` | `""` | no |
| [cd\_deployment\_repo\_secret\_group](#input\_cd\_deployment\_repo\_secret\_group) | Secret group for the Deployment repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cd\_doi\_toolchain\_id](#input\_cd\_doi\_toolchain\_id) | The ID of the toolchain containing the DevOps Insights integration. This variable is used to link the DevOps Insights toolcard to a specific instance. | `string` | `""` | no |
| [cd\_enable\_change\_management\_repo](#input\_cd\_enable\_change\_management\_repo) | Set to `true` to enable the Change Management Repo integration. | `string` | `true` | no |
| [cd\_enable\_key\_protect](#input\_cd\_enable\_key\_protect) | Set to `true` to enable the Key Protect integrations. | `string` | `""` | no |
| [cd\_enable\_pipeline\_notifications](#input\_cd\_enable\_pipeline\_notifications) | When enabled, pipeline run events will be sent to the Event Notifications and Slack integrations in the enclosing toolchain. | `string` | `""` | no |
| [cd\_enable\_secrets\_manager](#input\_cd\_enable\_secrets\_manager) | Set to `true` to enable the Secrets Manager integrations. | `string` | `""` | no |
| [cd\_enable\_slack](#input\_cd\_enable\_slack) | Set to `true` to create the Slack toolchain integration. | `string` | `""` | no |
| [cd\_event\_notifications\_crn](#input\_cd\_event\_notifications\_crn) | Set the Event Notifications CRN to create an Events Notification integration. | `string` | `""` | no |
| [cd\_evidence\_group](#input\_cd\_evidence\_group) | Specify the Git user or group for the evidence repository. | `string` | `""` | no |
| [cd\_evidence\_repo\_auth\_type](#input\_cd\_evidence\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
| [cd\_evidence\_repo\_git\_token\_secret\_crn](#input\_cd\_evidence\_repo\_git\_token\_secret\_crn) | The CRN of the Git token used for accessing the Evidence repository. | `string` | `""` | no |
| [cd\_evidence\_repo\_git\_token\_secret\_name](#input\_cd\_evidence\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider used for accessing the evidence repository. | `string` | `""` | no |
| [cd\_evidence\_repo\_secret\_group](#input\_cd\_evidence\_repo\_secret\_group) | Secret group for the Evidence repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cd\_inventory\_group](#input\_cd\_inventory\_group) | Specify the Git user or group for the inventory repository. | `string` | `""` | no |
| [cd\_inventory\_repo\_auth\_type](#input\_cd\_inventory\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
| [cd\_inventory\_repo\_git\_token\_secret\_crn](#input\_cd\_inventory\_repo\_git\_token\_secret\_crn) | The CRN of the Git token used for accessing the Inventory repository. | `string` | `""` | no |
| [cd\_inventory\_repo\_git\_token\_secret\_name](#input\_cd\_inventory\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider used for accessing the inventory repository. | `string` | `""` | no |
| [cd\_inventory\_repo\_secret\_group](#input\_cd\_inventory\_repo\_secret\_group) | Secret group for the Inventory repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cd\_issues\_group](#input\_cd\_issues\_group) | Specify the Git user or group for the issues repository. | `string` | `""` | no |
| [cd\_issues\_repo\_auth\_type](#input\_cd\_issues\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
| [cd\_issues\_repo\_git\_token\_secret\_crn](#input\_cd\_issues\_repo\_git\_token\_secret\_crn) | The CRN of the Git token used for accessing the Issues repository. | `string` | `""` | no |
| [cd\_issues\_repo\_git\_token\_secret\_name](#input\_cd\_issues\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider used for accessing the issues repository. | `string` | `""` | no |
| [cd\_issues\_repo\_secret\_group](#input\_cd\_issues\_repo\_secret\_group) | Secret group for the Issues repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cd\_kp\_location](#input\_cd\_kp\_location) | The region hosting the Key Protect instance. | `string` | `""` | no |
| [cd\_kp\_name](#input\_cd\_kp\_name) | Name of the Key Protect instance where the secrets are stored. | `string` | `""` | no |
| [cd\_kp\_resource\_group](#input\_cd\_kp\_resource\_group) | The resource group containing the Key Protect instance. | `string` | `""` | no |
| [cd\_link\_to\_doi\_toolchain](#input\_cd\_link\_to\_doi\_toolchain) | Enable a link to a DevOps Insights instance in another toolchain, true or false. | `bool` | `true` | no |
| [cd\_locked\_properties](#input\_cd\_locked\_properties) | List of default locked properties. | `list(string)` | `["allow_test_servicenow", "app-concurrency", "app-deployment-timeout", "app-max-scale", "app-min-scale", "app-port", "app-visibility", "artifact-signature-verification", "change-management-repo", "cluster", "cluster-namespace", "cluster-region", "code-engine-binding-resource-group", "code-engine-deployment-type", "code-engine-project", "code-engine-region", "code-engine-resource-group", "code-signing-certificate", "compliance-baseimage", "cos-api-key", "cos-bucket-name", "cos-endpoint", "cpu", "cra-bom-generate", "cra-deploy-analysis", "cra-vulnerability-scan", "doi-environment", "doi-ibmcloud-api-key", "doi-toolchain-id", "emergency-label", "env-from-configmaps", "env-from-secrets", "ephemeral-storage", "event-notifications", "evidence-repo", "git-token", "ibmcloud-api", "ibmcloud-api-key", "incident-repo", "inventory-repo", "job-instances", "job-maxexecutiontime", "job-retrylimit", "memory", "pipeline-config", "pipeline-config-branch", "pipeline-config-repo", "pnp-ibmcloud-api", "pnp-ibmcloud-api-key", "pre-prod-evidence-collection", "remove-unspecified-references-to-configuration-resources", "service-bindings", "servicenow-api-base-url", "servicenow-crn-mask", "slack-notifications", "version"]` | no |
| [cd\_pipeline\_config\_group](#input\_cd\_pipeline\_config\_group) | Specify the Git user or group for the compliance pipeline repository. | `string` | `""` | no |
| [cd\_pipeline\_config\_repo\_auth\_type](#input\_cd\_pipeline\_config\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
| [cd\_pipeline\_config\_repo\_branch](#input\_cd\_pipeline\_config\_repo\_branch) | Specify the branch containing the custom pipeline-config.yaml file. | `string` | `""` | no |
| [cd\_pipeline\_config\_repo\_clone\_from\_url](#input\_cd\_pipeline\_config\_repo\_clone\_from\_url) | Specify a repository containing a custom pipeline-config.yaml file. | `string` | `""` | no |
| [cd\_pipeline\_config\_repo\_existing\_url](#input\_cd\_pipeline\_config\_repo\_existing\_url) | Specify a repository containing a custom pipeline-config.yaml file. | `string` | `""` | no |
| [cd\_pipeline\_config\_repo\_git\_token\_secret\_crn](#input\_cd\_pipeline\_config\_repo\_git\_token\_secret\_crn) | The CRN of the Git token for accessing the pipeline config repository. | `string` | `""` | no |
| [cd\_pipeline\_config\_repo\_git\_token\_secret\_name](#input\_cd\_pipeline\_config\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider used for accessing the pipeline config repository. | `string` | `""` | no |
| [cd\_pipeline\_config\_repo\_secret\_group](#input\_cd\_pipeline\_config\_repo\_secret\_group) | Secret group for the Pipeline Config repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cd\_pipeline\_doi\_api\_key\_secret\_crn](#input\_cd\_pipeline\_doi\_api\_key\_secret\_crn) | The CRN of the DOI (DevOps Insights) apikey used for accessing a specific toolchain Insights instance. | `string` | `""` | no |
| [cd\_pipeline\_doi\_api\_key\_secret\_group](#input\_cd\_pipeline\_doi\_api\_key\_secret\_group) | Secret group for the pipeline DOI api key. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cd\_pipeline\_doi\_api\_key\_secret\_name](#input\_cd\_pipeline\_doi\_api\_key\_secret\_name) | Name of the Cloud API key secret in the secret provider to access the toolchain containing the DevOps Insights instance. | `string` | `""` | no |
| [cd\_pipeline\_git\_tag](#input\_cd\_pipeline\_git\_tag) | The GIT tag selector for the Compliance Pipelines definitions. | `string` | `""` | no |
| [cd\_pipeline\_ibmcloud\_api\_key\_secret\_crn](#input\_cd\_pipeline\_ibmcloud\_api\_key\_secret\_crn) | The CRN of the IBMCloud apikey used for running the pipelines. | `string` | `""` | no |
| [cd\_pipeline\_ibmcloud\_api\_key\_secret\_group](#input\_cd\_pipeline\_ibmcloud\_api\_key\_secret\_group) | Secret group for the pipeline ibmcloud API key secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cd\_pipeline\_ibmcloud\_api\_key\_secret\_name](#input\_cd\_pipeline\_ibmcloud\_api\_key\_secret\_name) | Name of the Cloud API key secret in the secret provider for running the pipelines. | `string` | `""` | no |
| [cd\_pipeline\_properties](#input\_cd\_pipeline\_properties) | This JSON represents the pipeline properties belonging to the CD pipeline in the CD toolchain. Each element in the JSON represents a separate pipeline property. Three attributes are required to create a property: the `name` field (how the name appears in the pipeline properties), the `type` (text, secure and enum) and the `value`. Do not put secrets directly into the JSON for the `secure` type; instead, the value for a `secure` type should be a CRN to a secret in the configured secrets provider or a secret reference to a secret in the configured secrets provider. | `string` | `""` | no |
| [cd\_pipeline\_properties\_filepath](#input\_cd\_pipeline\_properties\_filepath) | The path to the file containing the property JSON. If this is not set and `cd_pipeline_properties` is not set, it will by default read the `properties.json` file at the root of the CD module. | `string` | `""` | no |
| [cd\_privateworker\_credentials\_secret\_crn](#input\_cd\_privateworker\_credentials\_secret\_crn) | The CRN of the private worker service apikey that runs the pipeline tasks. | `string` | `""` | no |
| [cd\_region](#input\_cd\_region) | IBM Cloud region used to prefix the `prod_latest` inventory repository branch. | `string` | `""` | no |
| [cd\_repositories\_prefix](#input\_cd\_repositories\_prefix) | Prefix name for the cloned compliance repos. For the repositories\_prefix value only a-z, A-Z and 0-9 and the special characters `-_` are allowed. In addition the string must not end with a special character or have two consecutive special characters. | `string` | `""` | no |
| [cd\_repository\_properties](#input\_cd\_repository\_properties) | Stringified JSON containing the repositories and triggers that get created in the CI toolchain pipelines. | `string` | `""` | no |
| [cd\_repository\_properties\_filepath](#input\_cd\_repository\_properties\_filepath) | The path to the file containing the repository and triggers JSON. If this is not set, it will by default read the `repositories.json` file at the root of the module. | `string` | `""` | no |
| [cd\_scc\_integration\_name](#input\_cd\_scc\_integration\_name) | The name of the SCC integration. | `string` | `"Security and Compliance"` | no |
| [cd\_scc\_use\_profile\_attachment](#input\_cd\_scc\_use\_profile\_attachment) | Set to `enabled` to enable use profile with attachment, so that the scripts in the pipeline can interact with the Security and Compliance Center service. When enabled, other parameters become relevant; `scc_scc_api_key_secret_name`, `scc_instance_crn`, `scc_profile_name`, `scc_profile_version`, `scc_attachment_id`. | `string` | `""` | no |
| [cd\_service\_plan](#input\_cd\_service\_plan) | The Continuous Delivery service plan. Can be `lite` or `professional`. | `string` | `"professional"` | no |
| [cd\_slack\_channel\_name](#input\_cd\_slack\_channel\_name) | The name of the Slack channel where notifications are posted. | `string` | `""` | no |
| [cd\_slack\_pipeline\_fail](#input\_cd\_slack\_pipeline\_fail) | Set to `true` to generate pipeline failed notifications. | `bool` | `true` | no |
| [cd\_slack\_pipeline\_start](#input\_cd\_slack\_pipeline\_start) | Set to `true` to generate pipeline start notifications. | `bool` | `true` | no |
| [cd\_slack\_pipeline\_success](#input\_cd\_slack\_pipeline\_success) | Set to `true` to generate pipeline succeeded notifications. | `bool` | `true` | no |
| [cd\_slack\_team\_name](#input\_cd\_slack\_team\_name) | The Slack team name, which is the word or phrase before .slack.com in the team URL. | `string` | `""` | no |
| [cd\_slack\_toolchain\_bind](#input\_cd\_slack\_toolchain\_bind) | Set to `true` to generate tool added to toolchain notifications. | `bool` | `true` | no |
| [cd\_slack\_toolchain\_unbind](#input\_cd\_slack\_toolchain\_unbind) | Set to `true` to generate tool removed from toolchain notifications. | `bool` | `true` | no |
| [cd\_slack\_webhook\_secret\_crn](#input\_cd\_slack\_webhook\_secret\_crn) | The CRN of the Slack webhook secret used for accessing the specified Slack channel. | `string` | `""` | no |
| [cd\_slack\_webhook\_secret\_group](#input\_cd\_slack\_webhook\_secret\_group) | Secret group for the Slack webhook secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [cd\_slack\_webhook\_secret\_name](#input\_cd\_slack\_webhook\_secret\_name) | Name of the webhook secret in the secret provider used for accessing the configured Slack channel. | `string` | `""` | no |
| [cd\_sm\_instance\_crn](#input\_cd\_sm\_instance\_crn) | The CRN of the Secrets Manager instance. | `string` | `""` | no |
| [cd\_sm\_location](#input\_cd\_sm\_location) | The region hosting the Secrets Manager instance. | `string` | `""` | no |
| [cd\_sm\_name](#input\_cd\_sm\_name) | The name of an existing Secrets Manager instance where the secrets are stored. | `string` | `""` | no |
| [cd\_sm\_resource\_group](#input\_cd\_sm\_resource\_group) | The name of the existing resource group containing the Secrets Manager instance for your secrets. | `string` | `""` | no |
| [cd\_sm\_secret\_group](#input\_cd\_sm\_secret\_group) | The Secrets Manager secret group containing the secrets for the DevSecOps pipelines. | `string` | `""` | no |
| [cd\_toolchain\_description](#input\_cd\_toolchain\_description) | Description for the CD toolchain. | `string` | `"Toolchain created with terraform template for DevSecOps CD Best Practices."` | no |
| [cd\_toolchain\_name](#input\_cd\_toolchain\_name) | The name of the CD Toolchain. | `string` | `""` | no |
| [cd\_toolchain\_region](#input\_cd\_toolchain\_region) | The region containing the CD toolchain. Use the short form of the regions. For example `us-south`. | `string` | `""` | no |
| [cd\_toolchain\_resource\_group](#input\_cd\_toolchain\_resource\_group) | Resource group within which the toolchain is created. | `string` | `""` | no |
| [cd\_trigger\_git\_enable](#input\_cd\_trigger\_git\_enable) | Set to `true` to enable the CD pipeline Git trigger. | `bool` | `false` | no |
| [cd\_trigger\_git\_name](#input\_cd\_trigger\_git\_name) | The name of the CD pipeline GIT trigger. | `string` | `"Git CD Trigger"` | no |
| [cd\_trigger\_git\_promotion\_validation\_branch](#input\_cd\_trigger\_git\_promotion\_validation\_branch) | Branch for Git promotion validation listener. | `string` | `"prod"` | no |
| [cd\_trigger\_git\_promotion\_validation\_enable](#input\_cd\_trigger\_git\_promotion\_validation\_enable) | Enable Git promotion validation for Git promotion listener. | `bool` | `false` | no |
| [cd\_trigger\_git\_promotion\_validation\_listener](#input\_cd\_trigger\_git\_promotion\_validation\_listener) | Select a Tekton EventListener to use when Git promotion validation listener trigger is fired. | `string` | `"promotion-validation-listener-gitlab"` | no |
| [cd\_trigger\_git\_promotion\_validation\_name](#input\_cd\_trigger\_git\_promotion\_validation\_name) | Name of the Git Promotion Validation trigger. | `string` | `"Git Promotion Validation Trigger"` | no |
| [cd\_trigger\_manual\_enable](#input\_cd\_trigger\_manual\_enable) | Set to `true` to enable the CD pipeline Manual trigger. | `bool` | `true` | no |
| [cd\_trigger\_manual\_name](#input\_cd\_trigger\_manual\_name) | The name of the CD pipeline Manual trigger. | `string` | `"Manual CD Trigger"` | no |
| [cd\_trigger\_manual\_promotion\_enable](#input\_cd\_trigger\_manual\_promotion\_enable) | Set to `true` to enable the CD pipeline Manual Promotion trigger. | `bool` | `true` | no |
| [cd\_trigger\_manual\_promotion\_name](#input\_cd\_trigger\_manual\_promotion\_name) | The name of the CD pipeline Manual Promotion trigger. | `string` | `"Manual Promotion Trigger"` | no |
| [cd\_trigger\_timed\_cron\_schedule](#input\_cd\_trigger\_timed\_cron\_schedule) | Only needed for timer triggers. Cron expression that indicates when this trigger will activate. Maximum frequency is every 5 minutes. The string is based on UNIX crontab syntax: minute, hour, day of month, month, day of week. Example: `0 */2 * * *` - every 2 hours. | `string` | `"0 4 * * *"` | no |
| [cd\_trigger\_timed\_enable](#input\_cd\_trigger\_timed\_enable) | Set to `true` to enable the CD pipeline Timed trigger. | `bool` | `false` | no |
| [cd\_trigger\_timed\_name](#input\_cd\_trigger\_timed\_name) | The name of the CD pipeline Timed trigger. | `string` | `"Git CD Timed Trigger"` | no |
| [change\_management\_existing\_url](#input\_change\_management\_existing\_url) | The URL for an existing Change Management repository. | `string` | `""` | no |
| [change\_management\_repo\_git\_id](#input\_change\_management\_repo\_git\_id) | Set this value to `github` for github.com, or to the ID of a custom GitHub Enterprise server. | `string` | `""` | no |
| [ci\_app\_group](#input\_ci\_app\_group) | Specify the Git user or group for the application repository. | `string` | `""` | no |
| [ci\_app\_name](#input\_ci\_app\_name) | Name of the application image and inventory entry. | `string` | `"hello-compliance-app"` | no |
| [ci\_app\_repo\_auth\_type](#input\_ci\_app\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
| [ci\_app\_repo\_branch](#input\_ci\_app\_repo\_branch) | This is the repository branch used by the default sample application. Alternatively if `app_repo_existing_url` is provided, then the branch must reflect the default branch for that repository. Typically these branches are `main` or `master`. | `string` | `""` | no |
| [ci\_app\_repo\_clone\_from\_url](#input\_ci\_app\_repo\_clone\_from\_url) | Override the default sample app by providing your own sample app URL, which is cloned into the app repository. Note, uses `clone_if_not_exists` mode, so if the app repository already exists the repository contents are unchanged. | `string` | `""` | no |
| [ci\_app\_repo\_clone\_to\_git\_id](#input\_ci\_app\_repo\_clone\_to\_git\_id) | Set this value to `github` for github.com, or to the GUID of a custom GitHub Enterprise server. | `string` | `""` | no |
| [ci\_app\_repo\_clone\_to\_git\_provider](#input\_ci\_app\_repo\_clone\_to\_git\_provider) | By default this gets set as 'hostedgit', else set to 'githubconsolidated' for GitHub repositories. | `string` | `""` | no |
| [ci\_app\_repo\_existing\_git\_id](#input\_ci\_app\_repo\_existing\_git\_id) | Set this value to `github` for github.com, or to the GUID of a custom GitHub Enterprise server. | `string` | `""` | no |
| [ci\_app\_repo\_existing\_git\_provider](#input\_ci\_app\_repo\_existing\_git\_provider) | Git provider for application repo. If not set will default to `hostedgit`. | `string` | `""` | no |
| [ci\_app\_repo\_existing\_url](#input\_ci\_app\_repo\_existing\_url) | Bring your own existing application repository by providing the URL. This will create an integration for your application repository instead of cloning the default sample. Repositories existing in a different org will require the use of Git token. See `app_repo_git_token_secret_name` under optional variables. | `string` | `""` | no |
| [ci\_app\_repo\_git\_token\_secret\_crn](#input\_ci\_app\_repo\_git\_token\_secret\_crn) | The CRN of the Git token used for accessing the application repository. | `string` | `""` | no |
| [ci\_app\_repo\_git\_token\_secret\_name](#input\_ci\_app\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider used for accessing the sample (or bring your own) application repository. | `string` | `""` | no |
| [ci\_app\_repo\_secret\_group](#input\_ci\_app\_repo\_secret\_group) | Secret group for the App repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [ci\_artifactory\_token\_secret\_crn](#input\_ci\_artifactory\_token\_secret\_crn) | The CRN for the Artifactory access secret. | `string` | `""` | no |
| [ci\_authorization\_policy\_creation](#input\_ci\_authorization\_policy\_creation) | Disable Toolchain Service to Secrets Manager/Key Protect/Notifications Service authorization policy creation. To disable set the value to `disabled`. | `string` | `""` | no |
| [ci\_cluster\_name](#input\_ci\_cluster\_name) | Name of the cluster where the application is deployed. (can be the same cluster used for prod) | `string` | `""` | no |
| [ci\_cluster\_namespace](#input\_ci\_cluster\_namespace) | Name of the cluster namespace where the application is deployed. | `string` | `"dev"` | no |
| [ci\_cluster\_region](#input\_ci\_cluster\_region) | Region hosting the cluster where the application is deployed. Use the short form of the regions. For example `us-south`. | `string` | `""` | no |
| [ci\_cluster\_resource\_group](#input\_ci\_cluster\_resource\_group) | The cluster resource group. | `string` | `""` | no |
| [ci\_code\_engine\_project](#input\_ci\_code\_engine\_project) | The name of the Code Engine project to use. | `string` | `"DevSecOps_CE"` | no |
| [ci\_code\_engine\_region](#input\_ci\_code\_engine\_region) | The region to create/lookup for the Code Engine project. | `string` | `""` | no |
| [ci\_code\_engine\_resource\_group](#input\_ci\_code\_engine\_resource\_group) | The resource group of the Code Engine project. | `string` | `""` | no |
| [ci\_compliance\_pipeline\_branch](#input\_ci\_compliance\_pipeline\_branch) | The CI Pipeline Compliance Pipeline branch. | `string` | `""` | no |
| [ci\_compliance\_pipeline\_group](#input\_ci\_compliance\_pipeline\_group) | Specify the Git user or group for the compliance pipeline repository. | `string` | `""` | no |
| [ci\_compliance\_pipeline\_pr\_branch](#input\_ci\_compliance\_pipeline\_pr\_branch) | The PR Pipeline Compliance Pipeline branch. | `string` | `""` | no |
| [ci\_compliance\_pipeline\_repo\_auth\_type](#input\_ci\_compliance\_pipeline\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
| [ci\_compliance\_pipeline\_repo\_git\_token\_secret\_crn](#input\_ci\_compliance\_pipeline\_repo\_git\_token\_secret\_crn) | The CRN of the Git token used for accessing the Compliance Pipelines repository. | `string` | `""` | no |
| [ci\_compliance\_pipeline\_repo\_git\_token\_secret\_name](#input\_ci\_compliance\_pipeline\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider used for accessing the compliance pipelines repository. | `string` | `""` | no |
| [ci\_compliance\_pipeline\_repo\_secret\_group](#input\_ci\_compliance\_pipeline\_repo\_secret\_group) | Secret group for the Compliance Pipeline repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [ci\_cos\_api\_key\_secret\_crn](#input\_ci\_cos\_api\_key\_secret\_crn) | The CRN of the Cloud Object Storage apikey. | `string` | `""` | no |
| [ci\_cos\_api\_key\_secret\_group](#input\_ci\_cos\_api\_key\_secret\_group) | Secret group for the COS API key secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [ci\_cos\_api\_key\_secret\_name](#input\_ci\_cos\_api\_key\_secret\_name) | Name of the Cloud Object Storage API key secret in the secret provider used for accessing the evidence COS bucket. | `string` | `""` | no |
| [ci\_cos\_bucket\_name](#input\_ci\_cos\_bucket\_name) | The name of the Cloud Object Storage bucket used for storing the evidence. | `string` | `""` | no |
| [ci\_cos\_endpoint](#input\_ci\_cos\_endpoint) | The endpoint for the Cloud Object Storage instance containing the evidence bucket. | `string` | `""` | no |
| [ci\_doi\_toolchain\_id](#input\_ci\_doi\_toolchain\_id) | The ID of the toolchain containing the DevOps Insights integration. This variable is used to link the DevOps Insights toolcard to a specific instance. | `string` | `""` | no |
| [ci\_doi\_toolchain\_id\_pipeline\_property](#input\_ci\_doi\_toolchain\_id\_pipeline\_property) | The pipeline property for the DevOps Insights instance toolchain ID. | `string` | `""` | no |
| [ci\_enable\_key\_protect](#input\_ci\_enable\_key\_protect) | Set to `true` to enable the Key Protect integrations. | `string` | `""` | no |
| [ci\_enable\_pipeline\_notifications](#input\_ci\_enable\_pipeline\_notifications) | When enabled, pipeline run events will be sent to the Event Notifications and Slack integrations in the enclosing toolchain. | `string` | `""` | no |
| [ci\_enable\_secrets\_manager](#input\_ci\_enable\_secrets\_manager) | Set to `true` to enable the Secrets Manager integrations. | `string` | `""` | no |
| [ci\_enable\_slack](#input\_ci\_enable\_slack) | Set to `true` to create the Slack toolchain integration. | `string` | `""` | no |
| [ci\_event\_notifications\_crn](#input\_ci\_event\_notifications\_crn) | Set the Event Notifications CRN to create an Event Notifications integration. | `string` | `""` | no |
| [ci\_evidence\_group](#input\_ci\_evidence\_group) | Specify the Git user or group for the evidence repository. | `string` | `""` | no |
| [ci\_evidence\_repo\_auth\_type](#input\_ci\_evidence\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
| [ci\_evidence\_repo\_git\_token\_secret\_crn](#input\_ci\_evidence\_repo\_git\_token\_secret\_crn) | The CRN of the Git token used for accessing the Evidence repository. | `string` | `""` | no |
| [ci\_evidence\_repo\_git\_token\_secret\_name](#input\_ci\_evidence\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider used for accessing the evidence repository. | `string` | `""` | no |
| [ci\_evidence\_repo\_secret\_group](#input\_ci\_evidence\_repo\_secret\_group) | Secret group for the Evidence repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [ci\_inventory\_group](#input\_ci\_inventory\_group) | Specify the Git user or group for the inventory repository. | `string` | `""` | no |
| [ci\_inventory\_repo\_auth\_type](#input\_ci\_inventory\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
| [ci\_inventory\_repo\_git\_token\_secret\_crn](#input\_ci\_inventory\_repo\_git\_token\_secret\_crn) | The CRN of the Git token used for accessing the Inventory repository. | `string` | `""` | no |
| [ci\_inventory\_repo\_git\_token\_secret\_name](#input\_ci\_inventory\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider used for accessing the inventory repository. | `string` | `""` | no |
| [ci\_inventory\_repo\_secret\_group](#input\_ci\_inventory\_repo\_secret\_group) | Secret group for the Inventory repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [ci\_issues\_group](#input\_ci\_issues\_group) | Specify the Git user or group for the issues repository. | `string` | `""` | no |
| [ci\_issues\_repo\_auth\_type](#input\_ci\_issues\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
| [ci\_issues\_repo\_git\_token\_secret\_crn](#input\_ci\_issues\_repo\_git\_token\_secret\_crn) | The CRN of the Git token used for accessing the Issues repository. | `string` | `""` | no |
| [ci\_issues\_repo\_git\_token\_secret\_name](#input\_ci\_issues\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider used for accessing the issues repository. | `string` | `""` | no |
| [ci\_issues\_repo\_secret\_group](#input\_ci\_issues\_repo\_secret\_group) | Secret group for the Issues repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [ci\_kp\_location](#input\_ci\_kp\_location) | The region hosting the Key Protect instance. | `string` | `""` | no |
| [ci\_kp\_name](#input\_ci\_kp\_name) | Name of the Key Protect instance where the secrets are stored. | `string` | `""` | no |
| [ci\_kp\_resource\_group](#input\_ci\_kp\_resource\_group) | The resource group containing the Key Protect instance. | `string` | `""` | no |
| [ci\_link\_to\_doi\_toolchain](#input\_ci\_link\_to\_doi\_toolchain) | Enable a link to a DevOps Insights instance in another toolchain. | `bool` | `false` | no |
| [ci\_locked\_properties](#input\_ci\_locked\_properties) | List of default locked properties | `list(string)` | `["artifactory-dockerconfigjson", "cluster", "cluster-namespace", "cluster-region", "compliance-baseimage", "cos-api-key", "cos-bucket-name", "cos-endpoint", "cra-bom-generate", "cra-deploy-analysis", "cra-generate-cyclonedx-format", "cra-vulnerability-scan", "custom-image-tag", "dev-region", "dev-resource-group", "doi-environment", "doi-ibmcloud-api-key", "doi-toolchain-id", "event-notifications", "evidence-repo", "git-token", "gosec-private-repository-host", "gosec-private-repository-ssh-key", "ibmcloud-api", "ibmcloud-api-key", "incident-repo", "inventory-repo", "opt-in-dynamic-api-scan", "opt-in-dynamic-scan", "opt-in-dynamic-ui-scan", "opt-in-gosec", "opt-in-sonar", "peer-review-compliance", "pipeline-config", "pipeline-config-branch", "pipeline-config-repo", "pipeline-dockerconfigjson", "print-code-signing-certificate", "registry-namespace", "registry-region", "signing-key", "slack-notifications", "sonarqube", "sonarqube-config", "version"]` | no |
| [ci\_pipeline\_config\_group](#input\_ci\_pipeline\_config\_group) | Specify the Git user or group for the pipeline config repository. | `string` | `""` | no |
| [ci\_pipeline\_config\_repo\_auth\_type](#input\_ci\_pipeline\_config\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
| [ci\_pipeline\_config\_repo\_branch](#input\_ci\_pipeline\_config\_repo\_branch) | Specify the branch containing the custom pipeline-config.yaml file. | `string` | `""` | no |
| [ci\_pipeline\_config\_repo\_clone\_from\_url](#input\_ci\_pipeline\_config\_repo\_clone\_from\_url) | Specify a repository containing a custom pipeline-config.yaml file. | `string` | `""` | no |
| [ci\_pipeline\_config\_repo\_existing\_url](#input\_ci\_pipeline\_config\_repo\_existing\_url) | Specify and link to an existing repository containing a custom pipeline-config.yaml file. | `string` | `""` | no |
| [ci\_pipeline\_config\_repo\_git\_token\_secret\_crn](#input\_ci\_pipeline\_config\_repo\_git\_token\_secret\_crn) | The CRN of the Git token for accessing the pipeline config repository. | `string` | `""` | no |
| [ci\_pipeline\_config\_repo\_git\_token\_secret\_name](#input\_ci\_pipeline\_config\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider used for accessing the pipeline config repository. | `string` | `""` | no |
| [ci\_pipeline\_config\_repo\_secret\_group](#input\_ci\_pipeline\_config\_repo\_secret\_group) | Secret group for the Pipeline Config repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [ci\_pipeline\_doi\_api\_key\_secret\_crn](#input\_ci\_pipeline\_doi\_api\_key\_secret\_crn) | The CRN of the DOI (DevOps Insights) apikey used for accessing a specific toolchain Insights instance. | `string` | `""` | no |
| [ci\_pipeline\_doi\_api\_key\_secret\_group](#input\_ci\_pipeline\_doi\_api\_key\_secret\_group) | Secret group for the pipeline DOI api key. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [ci\_pipeline\_doi\_api\_key\_secret\_name](#input\_ci\_pipeline\_doi\_api\_key\_secret\_name) | Name of the Cloud API key secret in the secret provider to access the toolchain containing the DevOps Insights instance. | `string` | `""` | no |
| [ci\_pipeline\_git\_tag](#input\_ci\_pipeline\_git\_tag) | The Git tag selector for the Compliance Pipelines definitions. | `string` | `""` | no |
| [ci\_pipeline\_ibmcloud\_api\_key\_secret\_crn](#input\_ci\_pipeline\_ibmcloud\_api\_key\_secret\_crn) | The CRN of the IBMCloud apikey used for running the pipelines. | `string` | `""` | no |
| [ci\_pipeline\_ibmcloud\_api\_key\_secret\_group](#input\_ci\_pipeline\_ibmcloud\_api\_key\_secret\_group) | Secret group for the pipeline ibmcloud API key secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
| [ci\_pipeline\_ibmcloud\_api\_key\_secret\_name](#input\_ci\_pipeline\_ibmcloud\_api\_key\_secret\_name) | Name of the Cloud API key secret in the secret provider for running the pipelines. | `string` | `""` | no |
| [ci\_pipeline\_properties](#input\_ci\_pipeline\_properties) | This JSON represents the pipeline properties belonging to both the CI and PR pipelines in the CI toolchain. Each element in the JSON represents a separate pipeline property. Three attributes are required to create a property: the `name` field (how the name appears in the pipeline properties), the `type` (text, secure and enum) and the `value`. Do not put secrets directly into the JSON for the `secure` type; instead, the value for a `secure` type should be a CRN to a secret in the configured secrets provider or a secret reference to a secret in the configured secrets provider. | `string` | `""` | no |
| [ci\_pipeline\_properties\_filepath](#input\_ci\_pipeline\_properties\_filepath) | The path to the file containing the property JSON. If this is not set and `ci_pipeline_properties` is not set, it will by default read the `properties.json` file at the root of the CI module. | `string` | `""` | no |
| [ci\_privateworker\_credentials\_secret\_crn](#input\_ci\_privateworker\_credentials\_secret\_crn) | The CRN of the private worker service apikey that runs the pipeline tasks. | `string` | `""` | no |
| [ci\_registry\_region](#input\_ci\_registry\_region) | The IBM Cloud Region where the IBM Cloud Container Registry namespace is to be created. Use the short form of the regions. For example `us-south`. | `string` | `""` | no |
| [ci\_repositories\_prefix](#input\_ci\_repositories\_prefix) | Prefix name for the cloned compliance repos. For the repositories\_prefix value only a-z, A-Z and 0-9 and the special characters `-_` are allowed. In addition the string must not end with a special character or have two consecutive special characters. | `string` | `""` | no |
| [ci\_repository\_properties](#input\_ci\_repository\_properties) | Stringified JSON containing the repositories and triggers that get created in the CI toolchain pipelines. | `string` | `""` | no |
| [ci\_repository\_properties\_filepath](#input\_ci\_repository\_properties\_filepath) | The path to a file containing the repository and triggers JSON. If this is not set, it will by default read the `repositories.json` file at the root of the CI module. | `string` | `""` | no |
| [ci\_signing\_key\_secret\_name](#input\_ci\_signing\_key\_secret\_name) | Name of the signing key secret in the secret provider used for signing images/artifacts. | `string` | `"signing-key"` | no |
| [ci\_slack\_channel\_name](#input\_ci\_slack\_channel\_name) | The name of the Slack channel where notifications are posted. | `string` | `""` | no |
| [ci\_slack\_pipeline\_fail](#input\_ci\_slack\_pipeline\_fail) | Set to `true` to generate pipeline failed notifications. | `bool` | `true` | no |
| [ci\_slack\_pipeline\_start](#input\_ci\_slack\_pipeline\_start) | Set to `true` to generate pipeline start notifications. | `bool` | `true` | no |
| [ci\_slack\_pipeline\_success](#input\_ci\_slack\_pipeline\_success) | Set to `true` to generate pipeline succeeded notifications. | `bool` | `true` | no |
| [ci\_slack\_team\_name](#input\_ci\_slack\_team\_name) | The Slack team name, which is the word or phrase before `.slack.com` in the team URL. | `string` | `""` | no |
| [ci\_slack\_toolchain\_bind](#input\_ci\_slack\_toolchain\_bind) | Set to `true` to generate tool added to toolchain notifications. | `bool` | `true` | no |
| [ci\_slack\_toolchain\_unbind](#input\_ci\_slack\_toolchain\_unbind) | Set to `true` to generate tool removed from toolchain notifications. | `bool` | `true` | no |
| [ci\_slack\_webhook\_secret\_crn](#input\_ci\_slack\_webhook\_secret\_crn) | The CRN of the Slack webhook secret used for accessing the specified Slack channel. | `string` | `""` | no |
| [ci\_slack\_webhook\_secret\_group](#input\_ci\_slack\_webhook\_secret\_group) | Secret group for the Slack webhook secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manage