This commit is contained in:
Ludovico Magnocavallo 2022-09-12 07:26:48 +02:00 committed by GitHub
parent 8b20475698
commit 6253df72c9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 65 additions and 102 deletions


@ -13,145 +13,108 @@
# limitations under the License.
default:
image:
name: registry.gitlab.com/gitlab-org/terraform-images/releases/1.1
before_script:
- |
ssh-agent -a $SSH_AUTH_SOCK > /dev/null
echo "$CICD_MODULES_KEY" | base64 -d | tr -d '\r' | ssh-add - > /dev/null
mkdir -p ~/.ssh
ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
cd "$${TF_ROOT}"
cp -R .tf-setup/. .
- echo "${CI_JOB_JWT_V2}" > token.txt
image:
name: hashicorp/terraform
entrypoint:
- "/usr/bin/env"
- "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
variables:
GOOGLE_CREDENTIALS: cicd-sa-credentials.json
FAST_OUTPUTS_BUCKET: ${outputs_bucket}
FAST_SERVICE_ACCOUNT: ${service_account}
FAST_WIF_PROVIDER: ${identity_provider}
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
TF_PROVIDERS_FILE: ${tf_providers_file}
TF_VAR_FILES: ${tf_var_files == [] ? "''" : join("\n ", tf_var_files)}
TF_VERSION: 1.1.7
TF_ROOT: $${CI_PROJECT_DIR} # The relative path to the root directory of the Terraform project
stages:
- gcp-auth
- tf-setup
- tf-init
- tf-validate
- tf-files
- tf-plan
- tf-apply
cache:
key: "$${TF_ROOT}"
key: gcp-auth
paths:
- $${TF_ROOT}/.terraform/
- $${TF_ROOT}/.tf-setup/
- cicd-sa-credentials.json
- .tf-setup
# Configure GCP Auth with Access Token
gcp-auth:
image:
name: google/cloud-sdk:slim
stage: gcp-auth
before_script: []
script:
- |
PAYLOAD="$(cat <<EOF
{
"audience": "//iam.googleapis.com/$${FAST_WIF_PROVIDER}",
"grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
"requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
"scope": "https://www.googleapis.com/auth/cloud-platform",
"subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
"subjectToken": "$${CI_JOB_JWT_V2}"
}
EOF
)"
FEDERATED_TOKEN="$(curl --silent "https://sts.googleapis.com/v1/token" \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data "$${PAYLOAD}" \
| jq -r '.access_token'
)"
GOOGLE_OAUTH_ACCESS_TOKEN="$(curl --silent --show-error --fail "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/$${FAST_SERVICE_ACCOUNT}:generateAccessToken" \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $${FEDERATED_TOKEN}" \
--data '{"scope": ["https://www.googleapis.com/auth/cloud-platform"]}' \
| jq -r '.accessToken'
)"
echo "GOOGLE_OAUTH_ACCESS_TOKEN=$GOOGLE_OAUTH_ACCESS_TOKEN" >> gcp-auth.env
if [ -z "$GOOGLE_OAUTH_ACCESS_TOKEN" ]; then exit 1; fi
# WIP - will have to find a better way of doing this
artifacts:
reports:
dotenv: gcp-auth.env
# Downloading from bucket into cache
tf-setup:
stage: tf-setup
before_script: []
script:
- |
mkdir -p .tf-setup
curl -X GET \
-H "Authorization: Bearer $GOOGLE_OAUTH_ACCESS_TOKEN" \
-o ".tf-setup/$${TF_PROVIDERS_FILE}" \
"https://storage.googleapis.com/$${FAST_OUTPUTS_BUCKET}/providers/$${TF_PROVIDERS_FILE}"
for f in $TF_VAR_FILES; do
curl -X GET \
-H "Authorization: Bearer $GOOGLE_OAUTH_ACCESS_TOKEN" \
-o ".tf-setup/$f" \
"https://storage.googleapis.com/$${FAST_OUTPUTS_BUCKET}/tfvars/$f"
done
gcloud iam workload-identity-pools create-cred-config \
${FAST_WIF_PROVIDER} \
--service-account=${FAST_SERVICE_ACCOUNT} \
--service-account-token-lifetime-seconds=3600 \
--output-file=${GOOGLE_CREDENTIALS} \
--credential-source-file=token.txt
tf-files:
dependencies:
- gcp-auth
# Terraform Init
tf-init:
stage: tf-init
image:
name: google/cloud-sdk:slim
stage: tf-files
script:
# - gcloud components install -q alpha
- gcloud config set auth/credential_file_override ${GOOGLE_CREDENTIALS}
- mkdir -p .tf-setup
- |
gitlab-terraform init
dependencies:
- gcp-auth
# Terraform Validate
tf-validate:
stage: tf-validate
script:
gcloud alpha storage cp -r \
"gs://${FAST_OUTPUTS_BUCKET}/providers/${TF_PROVIDERS_FILE}" .tf-setup/
- |
gitlab-terraform validate
dependencies:
- gcp-auth
gcloud alpha storage cp -r \
"gs://${FAST_OUTPUTS_BUCKET}/tfvars" .tf-setup/
# Terraform Plan
tf-plan:
# uncomment the following lines and set the SSH key secret for private modules repo
# before_script:
# - |
# ssh-agent -a $SSH_AUTH_SOCK > /dev/null
# echo "$CICD_MODULES_KEY" | base64 -d | tr -d '\r' | ssh-add - > /dev/null
# mkdir -p ~/.ssh
# ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
# ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
stage: tf-plan
script:
- |
gitlab-terraform plan
gitlab-terraform plan-json
- cp .tf-setup/${TF_PROVIDERS_FILE} ./
- |
for f in ${TF_VAR_FILES}; do
ln -s ".tf-setup/tfvars/$f" ./
done
- terraform init
- terraform validate
- terraform plan
dependencies:
- gcp-auth
artifacts:
paths:
- $${TF_ROOT}/plan.cache
reports:
terraform: $${TF_ROOT}/plan.json
- tf-files
# Terraform Apply
tf-apply:
# uncomment the following lines and set the SSH key secret for private modules repo
# before_script:
# - |
# ssh-agent -a $SSH_AUTH_SOCK > /dev/null
# echo "$CICD_MODULES_KEY" | base64 -d | tr -d '\r' | ssh-add - > /dev/null
# mkdir -p ~/.ssh
# ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
# ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
stage: tf-apply
script:
- cd "$${TF_ROOT}"
- gitlab-terraform apply
- cp .tf-setup/${TF_PROVIDERS_FILE} ./
- |
for f in ${TF_VAR_FILES}; do
ln -s ".tf-setup/tfvars/$f" ./
done
- terraform init
- terraform validate
- terraform apply -input=false -auto-approve
dependencies:
- tf-files
when: manual
only:
variables:
- $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
dependencies:
- gcp-auth
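Review bot: The manual gate on tf-apply does not bind to what was reviewed, because the new tf-apply script (`terraform apply -input=false -auto-approve` after a fresh `terraform init`/`validate`) re-plans against whatever the bucket and state contain at click time, while tf-plan's `terraform plan` output is discarded — the `plan.cache` artifact the old template carried is gone. A drift between the plan a reviewer looked at and the apply that runs is exactly what the approval step exists to prevent, so tf-plan should write a saved plan and publish it as an artifact, and tf-apply should apply that file and declare `tf-plan` as a dependency. Separately, the default `before_script` writes `CI_JOB_JWT_V2` to `token.txt` in the working tree and the static-keyed cache (`key: gcp-auth`) persists `cicd-sa-credentials.json` and `.tf-setup` across pipelines; the credential config itself only references `token.txt`, but the cached tfvars are reachable by any later pipeline sharing that cache without going through the bucket's access control — presumably acceptable here, but worth a comment or a per-ref cache key. The `+`/`-` markers are lost in this rendering, so the old/new assignment above is inferred from the job layout.
```yaml
tf-plan:
  # … unchanged: stage, provider file copy, tfvars symlinks, init, validate …
  script:
    - terraform plan -input=false -out=plan.cache
  artifacts:
    paths:
      - plan.cache
  # … unchanged: dependencies …
tf-apply:
  # … unchanged: stage, provider file copy, tfvars symlinks, init, validate …
  script:
    - terraform apply -input=false plan.cache
  dependencies:
    - tf-files
    - tf-plan
  # … unchanged: when: manual, only: default branch …
```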