working (#807)
This commit is contained in:
parent
8b20475698
commit
6253df72c9
|
@ -13,145 +13,108 @@
|
|||
# limitations under the License.
|
||||
|
||||
default:
|
||||
image:
|
||||
name: registry.gitlab.com/gitlab-org/terraform-images/releases/1.1
|
||||
before_script:
|
||||
- |
|
||||
ssh-agent -a $SSH_AUTH_SOCK > /dev/null
|
||||
echo "$CICD_MODULES_KEY" | base64 -d | tr -d '\r' | ssh-add - > /dev/null
|
||||
mkdir -p ~/.ssh
|
||||
ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
|
||||
ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
|
||||
cd "$${TF_ROOT}"
|
||||
cp -R .tf-setup/. .
|
||||
- echo "${CI_JOB_JWT_V2}" > token.txt
|
||||
image:
|
||||
name: hashicorp/terraform
|
||||
entrypoint:
|
||||
- "/usr/bin/env"
|
||||
- "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||
|
||||
variables:
|
||||
GOOGLE_CREDENTIALS: cicd-sa-credentials.json
|
||||
FAST_OUTPUTS_BUCKET: ${outputs_bucket}
|
||||
FAST_SERVICE_ACCOUNT: ${service_account}
|
||||
FAST_WIF_PROVIDER: ${identity_provider}
|
||||
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
|
||||
TF_PROVIDERS_FILE: ${tf_providers_file}
|
||||
TF_VAR_FILES: ${tf_var_files == [] ? "''" : join("\n ", tf_var_files)}
|
||||
TF_VERSION: 1.1.7
|
||||
TF_ROOT: $${CI_PROJECT_DIR} # The relative path to the root directory of the Terraform project
|
||||
|
||||
stages:
|
||||
- gcp-auth
|
||||
- tf-setup
|
||||
- tf-init
|
||||
- tf-validate
|
||||
- tf-files
|
||||
- tf-plan
|
||||
- tf-apply
|
||||
|
||||
cache:
|
||||
key: "$${TF_ROOT}"
|
||||
key: gcp-auth
|
||||
paths:
|
||||
- $${TF_ROOT}/.terraform/
|
||||
- $${TF_ROOT}/.tf-setup/
|
||||
- cicd-sa-credentials.json
|
||||
- .tf-setup
|
||||
|
||||
# Configure GCP Auth with Access Token
|
||||
gcp-auth:
|
||||
image:
|
||||
name: google/cloud-sdk:slim
|
||||
stage: gcp-auth
|
||||
before_script: []
|
||||
script:
|
||||
- |
|
||||
PAYLOAD="$(cat <<EOF
|
||||
{
|
||||
"audience": "//iam.googleapis.com/$${FAST_WIF_PROVIDER}",
|
||||
"grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
|
||||
"requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
|
||||
"scope": "https://www.googleapis.com/auth/cloud-platform",
|
||||
"subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
|
||||
"subjectToken": "$${CI_JOB_JWT_V2}"
|
||||
}
|
||||
EOF
|
||||
)"
|
||||
|
||||
FEDERATED_TOKEN="$(curl --silent "https://sts.googleapis.com/v1/token" \
|
||||
--header "Accept: application/json" \
|
||||
--header "Content-Type: application/json" \
|
||||
--data "$${PAYLOAD}" \
|
||||
| jq -r '.access_token'
|
||||
)"
|
||||
|
||||
GOOGLE_OAUTH_ACCESS_TOKEN="$(curl --silent --show-error --fail "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/$${FAST_SERVICE_ACCOUNT}:generateAccessToken" \
|
||||
--header "Accept: application/json" \
|
||||
--header "Content-Type: application/json" \
|
||||
--header "Authorization: Bearer $${FEDERATED_TOKEN}" \
|
||||
--data '{"scope": ["https://www.googleapis.com/auth/cloud-platform"]}' \
|
||||
| jq -r '.accessToken'
|
||||
)"
|
||||
|
||||
echo "GOOGLE_OAUTH_ACCESS_TOKEN=$GOOGLE_OAUTH_ACCESS_TOKEN" >> gcp-auth.env
|
||||
|
||||
if [ -z "$GOOGLE_OAUTH_ACCESS_TOKEN" ]; then exit 1; fi
|
||||
# WIP - will have to find a better way of doing this
|
||||
artifacts:
|
||||
reports:
|
||||
dotenv: gcp-auth.env
|
||||
|
||||
# Downloading from bucket into cache
|
||||
tf-setup:
|
||||
stage: tf-setup
|
||||
before_script: []
|
||||
script:
|
||||
- |
|
||||
mkdir -p .tf-setup
|
||||
curl -X GET \
|
||||
-H "Authorization: Bearer $GOOGLE_OAUTH_ACCESS_TOKEN" \
|
||||
-o ".tf-setup/$${TF_PROVIDERS_FILE}" \
|
||||
"https://storage.googleapis.com/$${FAST_OUTPUTS_BUCKET}/providers/$${TF_PROVIDERS_FILE}"
|
||||
for f in $TF_VAR_FILES; do
|
||||
curl -X GET \
|
||||
-H "Authorization: Bearer $GOOGLE_OAUTH_ACCESS_TOKEN" \
|
||||
-o ".tf-setup/$f" \
|
||||
"https://storage.googleapis.com/$${FAST_OUTPUTS_BUCKET}/tfvars/$f"
|
||||
done
|
||||
gcloud iam workload-identity-pools create-cred-config \
|
||||
${FAST_WIF_PROVIDER} \
|
||||
--service-account=${FAST_SERVICE_ACCOUNT} \
|
||||
--service-account-token-lifetime-seconds=3600 \
|
||||
--output-file=${GOOGLE_CREDENTIALS} \
|
||||
--credential-source-file=token.txt
|
||||
tf-files:
|
||||
dependencies:
|
||||
- gcp-auth
|
||||
|
||||
# Terraform Init
|
||||
tf-init:
|
||||
stage: tf-init
|
||||
image:
|
||||
name: google/cloud-sdk:slim
|
||||
stage: tf-files
|
||||
script:
|
||||
# - gcloud components install -q alpha
|
||||
- gcloud config set auth/credential_file_override ${GOOGLE_CREDENTIALS}
|
||||
- mkdir -p .tf-setup
|
||||
- |
|
||||
gitlab-terraform init
|
||||
dependencies:
|
||||
- gcp-auth
|
||||
|
||||
# Terraform Validate
|
||||
tf-validate:
|
||||
stage: tf-validate
|
||||
script:
|
||||
gcloud alpha storage cp -r \
|
||||
"gs://${FAST_OUTPUTS_BUCKET}/providers/${TF_PROVIDERS_FILE}" .tf-setup/
|
||||
- |
|
||||
gitlab-terraform validate
|
||||
dependencies:
|
||||
- gcp-auth
|
||||
gcloud alpha storage cp -r \
|
||||
"gs://${FAST_OUTPUTS_BUCKET}/tfvars" .tf-setup/
|
||||
|
||||
# Terraform Plan
|
||||
tf-plan:
|
||||
# uncomment the following lines and set the SSH key secret for private modules repo
|
||||
# before_script:
|
||||
# - |
|
||||
# ssh-agent -a $SSH_AUTH_SOCK > /dev/null
|
||||
# echo "$CICD_MODULES_KEY" | base64 -d | tr -d '\r' | ssh-add - > /dev/null
|
||||
# mkdir -p ~/.ssh
|
||||
# ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
|
||||
# ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
|
||||
stage: tf-plan
|
||||
script:
|
||||
- cp .tf-setup/${TF_PROVIDERS_FILE} ./
|
||||
- |
|
||||
gitlab-terraform plan
|
||||
gitlab-terraform plan-json
|
||||
for f in ${TF_VAR_FILES}; do
|
||||
ln -s ".tf-setup/tfvars/$f" ./
|
||||
done
|
||||
- terraform init
|
||||
- terraform validate
|
||||
- terraform plan
|
||||
dependencies:
|
||||
- gcp-auth
|
||||
artifacts:
|
||||
paths:
|
||||
- $${TF_ROOT}/plan.cache
|
||||
reports:
|
||||
terraform: $${TF_ROOT}/plan.json
|
||||
- tf-files
|
||||
|
||||
# Terraform Apply
|
||||
tf-apply:
|
||||
# uncomment the following lines and set the SSH key secret for private modules repo
|
||||
# before_script:
|
||||
# - |
|
||||
# ssh-agent -a $SSH_AUTH_SOCK > /dev/null
|
||||
# echo "$CICD_MODULES_KEY" | base64 -d | tr -d '\r' | ssh-add - > /dev/null
|
||||
# mkdir -p ~/.ssh
|
||||
# ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
|
||||
# ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
|
||||
stage: tf-apply
|
||||
script:
|
||||
- cd "$${TF_ROOT}"
|
||||
- gitlab-terraform apply
|
||||
- cp .tf-setup/${TF_PROVIDERS_FILE} ./
|
||||
- |
|
||||
for f in ${TF_VAR_FILES}; do
|
||||
ln -s ".tf-setup/tfvars/$f" ./
|
||||
done
|
||||
- terraform init
|
||||
- terraform validate
|
||||
- terraform apply -input=false -auto-approve
|
||||
dependencies:
|
||||
- tf-files
|
||||
when: manual
|
||||
only:
|
||||
variables:
|
||||
- $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
|
||||
dependencies:
|
||||
- gcp-auth
|