167 lines
5.0 KiB
YAML
167 lines
5.0 KiB
YAML
# Copyright 2022 Google LLC
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
default:
|
|
image:
|
|
name: registry.gitlab.com/gitlab-org/terraform-images/releases/1.1
|
|
|
|
variables:
|
|
FAST_OUTPUTS_BUCKET: ${outputs_bucket}
|
|
FAST_SERVICE_ACCOUNT: ${service_account}
|
|
FAST_WIF_PROVIDER: ${identity_provider}
|
|
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
|
|
TF_PROVIDERS_FILE: ${tf_providers_file}
|
|
TF_VAR_FILES: ${tf_var_files == [] ? "''" : join("\n ", tf_var_files)}
|
|
TF_VERSION: 1.1.7
|
|
TF_ROOT: $${CI_PROJECT_DIR} # The relative path to the root directory of the Terraform project
|
|
|
|
stages:
|
|
- gcp-auth
|
|
- tf-setup
|
|
- tf-init
|
|
- tf-validate
|
|
- tf-plan
|
|
- tf-apply
|
|
|
|
cache:
|
|
key: "$${TF_ROOT}"
|
|
paths:
|
|
- $${TF_ROOT}/.terraform/
|
|
- $${TF_ROOT}/.tf-setup/
|
|
|
|
# Configure GCP Auth with Access Token
|
|
gcp-auth:
|
|
stage: gcp-auth
|
|
script:
|
|
- |
|
|
PAYLOAD="$(cat <<EOF
|
|
{
|
|
"audience": "//iam.googleapis.com/$${FAST_WIF_PROVIDER}",
|
|
"grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
|
|
"requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
|
|
"scope": "https://www.googleapis.com/auth/cloud-platform",
|
|
"subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
|
|
"subjectToken": "$${CI_JOB_JWT_V2}"
|
|
}
|
|
EOF
|
|
)"
|
|
|
|
FEDERATED_TOKEN="$(curl --silent "https://sts.googleapis.com/v1/token" \
|
|
--header "Accept: application/json" \
|
|
--header "Content-Type: application/json" \
|
|
--data "$${PAYLOAD}" \
|
|
| jq -r '.access_token'
|
|
)"
|
|
|
|
GOOGLE_OAUTH_ACCESS_TOKEN="$(curl --silent --show-error --fail "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/$${FAST_SERVICE_ACCOUNT}:generateAccessToken" \
|
|
--header "Accept: application/json" \
|
|
--header "Content-Type: application/json" \
|
|
--header "Authorization: Bearer $${FEDERATED_TOKEN}" \
|
|
--data '{"scope": ["https://www.googleapis.com/auth/cloud-platform"]}' \
|
|
| jq -r '.accessToken'
|
|
)"
|
|
|
|
echo "GOOGLE_OAUTH_ACCESS_TOKEN=$GOOGLE_OAUTH_ACCESS_TOKEN" >> gcp-auth.env
|
|
|
|
if [ -z "$GOOGLE_OAUTH_ACCESS_TOKEN" ]; then exit 1; fi
|
|
# WIP - will have to find a better way of doing this
|
|
artifacts:
|
|
reports:
|
|
dotenv: gcp-auth.env
|
|
|
|
# Downloading from bucket into cache
|
|
tf-setup:
|
|
stage: tf-setup
|
|
script:
|
|
- |
|
|
mkdir -p .tf-setup
|
|
curl -X GET \
|
|
-H "Authorization: Bearer $GOOGLE_OAUTH_ACCESS_TOKEN" \
|
|
-o ".tf-setup/$${TF_PROVIDERS_FILE}" \
|
|
"https://storage.googleapis.com/$${FAST_OUTPUTS_BUCKET}/providers/$${TF_PROVIDERS_FILE}"
|
|
for f in $TF_VAR_FILES; do
|
|
curl -X GET \
|
|
-H "Authorization: Bearer $GOOGLE_OAUTH_ACCESS_TOKEN" \
|
|
-o ".tf-setup/$f" \
|
|
"https://storage.googleapis.com/$${FAST_OUTPUTS_BUCKET}/tfvars/$f"
|
|
done
|
|
dependencies:
|
|
- gcp-auth
|
|
|
|
# Terraform Init
|
|
tf-init:
|
|
stage: tf-init
|
|
script:
|
|
- |
|
|
ssh-agent -a $SSH_AUTH_SOCK > /dev/null
|
|
echo "$CICD_MODULES_KEY" | tr -d '\r' | ssh-add - > /dev/null
|
|
mkdir -p ~/.ssh
|
|
ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
|
|
ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
|
|
cd "$${TF_ROOT}"
|
|
cp -R .tf-setup/. .
|
|
gitlab-terraform init
|
|
dependencies:
|
|
- gcp-auth
|
|
|
|
# Terraform Validate
|
|
tf-validate:
|
|
stage: tf-validate
|
|
script:
|
|
- |
|
|
ssh-agent -a $SSH_AUTH_SOCK > /dev/null
|
|
echo "$CICD_MODULES_KEY" | tr -d '\r' | ssh-add - > /dev/null
|
|
mkdir -p ~/.ssh
|
|
ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
|
|
ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
|
|
cd "$${TF_ROOT}"
|
|
cp -R .tf-setup/. .
|
|
gitlab-terraform validate
|
|
dependencies:
|
|
- gcp-auth
|
|
|
|
# Terraform Plan
|
|
tf-plan:
|
|
stage: tf-plan
|
|
script:
|
|
- |
|
|
ssh-agent -a $SSH_AUTH_SOCK > /dev/null
|
|
echo "$CICD_MODULES_KEY" | tr -d '\r' | ssh-add - > /dev/null
|
|
mkdir -p ~/.ssh
|
|
ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
|
|
ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
|
|
cd "$${TF_ROOT}"
|
|
cp -R .tf-setup/. .
|
|
gitlab-terraform plan
|
|
gitlab-terraform plan-json
|
|
dependencies:
|
|
- gcp-auth
|
|
artifacts:
|
|
paths:
|
|
- $${TF_ROOT}/plan.cache
|
|
reports:
|
|
terraform: $${TF_ROOT}/plan.json
|
|
|
|
# Terraform Apply
|
|
tf-apply:
|
|
stage: tf-apply
|
|
script:
|
|
- cd "$${TF_ROOT}"
|
|
- gitlab-terraform apply
|
|
when: manual
|
|
only:
|
|
variables:
|
|
- $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
|
|
dependencies:
|
|
- gcp-auth |