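# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# GitLab CI pipeline for a FAST stage, rendered by Terraform templatefile().
# `${...}` and `%{ ... }` are template directives evaluated at render time;
# `$${...}` is the template escape that leaves a literal `${...}` for the
# job shell. Directives are kept at column 0 so their `~` strip markers only
# remove the directive line itself.
# NOTE(review): the `~` markers strip whitespace adjacent to each directive;
# validate the rendered file, not this template, for correct YAML nesting.

default:
  image:
    # NOTE(review): no tag or digest, so every run resolves whatever the
    # registry currently serves as "latest"; pin a version (or a digest) so
    # image updates are explicit and reviewable. Same for google/cloud-sdk
    # below.
    name: hashicorp/terraform
    # The image's own entrypoint is the terraform binary; override it so
    # the `script` lines run as ordinary shell commands.
    entrypoint:
      - "/usr/bin/env"
      - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# GOOGLE_CREDENTIALS names the credential configuration file written by the
# gcp-auth job and consumed by gcloud and the Terraform google provider.
# TF_VAR_FILES is rendered as a multi-line plain scalar: continuation lines
# must be indented deeper than the key (hence the spaces in the join
# separator) and YAML folds them into a single space-separated string; it is
# rendered as `''` when no var files are configured.
variables:
  GOOGLE_CREDENTIALS: cicd-sa-credentials.json
  FAST_OUTPUTS_BUCKET: ${outputs_bucket}
  FAST_SERVICE_ACCOUNT: ${service_account}
  FAST_WIF_PROVIDER: ${identity_provider}
  SSH_AUTH_SOCK: /tmp/ssh_agent.sock
%{~ if tf_providers_file != "" ~}
  TF_PROVIDERS_FILE: ${tf_providers_file}
%{~ endif ~}
  TF_VAR_FILES: ${tf_var_files == [] ? "''" : join("\n    ", tf_var_files)}

stages:
  - gcp-auth
  - tf-files
  - tf-plan
  - tf-apply

# Files are handed from job to job through this cache; no job in this file
# declares `artifacts`.
# NOTE(review): the key is static, so the cache is restored by any pipeline
# of the project that uses this file, and it carries the job's OIDC ID token
# (token.txt) and the credential config, which therefore outlive the job
# that produced them. If the handover is only meant for the current
# pipeline, `artifacts:` with a short `expire_in` scopes it to the pipeline.
cache:
  key: gcp-auth
  paths:
    - cicd-sa-credentials.json
    - token.txt
%{~ if tf_providers_file != "" ~}
    - ${tf_providers_file}
%{~ endif ~}
%{~ for f in tf_var_files ~}
    - ${f}
%{~ endfor ~}

gcp-auth:
  # Exchange the job's GitLab OIDC ID token for Google Cloud credentials via
  # Workload Identity Federation, so no long-lived service account key is
  # stored in CI variables.
  id_tokens:
    GITLAB_TOKEN:
      # Audiences the ID token is minted for; presumably these must match
      # what the provider in FAST_WIF_PROVIDER accepts — verify against the
      # pool configuration, which lives outside this file.
      aud:
%{~ for aud in audiences ~}
        - ${aud}
%{~ endfor ~}
  image:
    name: google/cloud-sdk:slim
  stage: gcp-auth
  # token.txt holds the raw ID token; the generated credential config points
  # at it as the external credential source and impersonates
  # FAST_SERVICE_ACCOUNT with an explicit 1h access-token lifetime.
  script:
    - echo "$${GITLAB_TOKEN}" > token.txt
    - |
      gcloud iam workload-identity-pools create-cred-config \
        $${FAST_WIF_PROVIDER} \
        --service-account=$${FAST_SERVICE_ACCOUNT} \
        --service-account-token-lifetime-seconds=3600 \
        --output-file=$${GOOGLE_CREDENTIALS} \
        --credential-source-file=token.txt

tf-files:
  # Fetch the provider configuration and tfvars produced by earlier FAST
  # stages from the outputs bucket into the working directory.
  dependencies:
    - gcp-auth
  image:
    name: google/cloud-sdk:slim
  stage: tf-files
  # gcloud is pointed at the credential config from the cache; the `alpha`
  # storage commands are assumed to be available in the image (the install
  # line is left commented out).
  script:
    # - gcloud components install -q alpha
    - gcloud config set auth/credential_file_override $${GOOGLE_CREDENTIALS}
%{~ if tf_providers_file != "" ~}
    - gcloud alpha storage cp -r "gs://$${FAST_OUTPUTS_BUCKET}/providers/${tf_providers_file}" ./
%{~ endif ~}
%{~ for f in tf_var_files ~}
    - gcloud alpha storage cp -r "gs://$${FAST_OUTPUTS_BUCKET}/tfvars/${f}" ./
%{~ endfor ~}
    - ls -l

tf-plan:
  # NOTE(review): this job has no ref restriction, so every pipeline that
  # reaches this stage plans with the same federated identity; which refs and
  # projects may obtain that identity is bounded by the WIF provider's
  # attribute condition, configured outside this file — confirm it is set.
  dependencies:
    - tf-files
  stage: tf-plan
  # uncomment the following lines and set the SSH key secret for private modules repo
  # NOTE(review): ssh-keyscan fills known_hosts on first use with whatever
  # key is served at that moment; if this block is enabled, prefer a pinned
  # host key fingerprint supplied through a CI variable.
  # before_script:
  #   - |
  #     ssh-agent -a $SSH_AUTH_SOCK > /dev/null
  #     echo "$CICD_MODULES_KEY" | base64 -d | tr -d '\r' | ssh-add - > /dev/null
  #     mkdir -p ~/.ssh
  #     ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
  #     ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
  script:
    - terraform init
    - terraform validate
    - terraform plan

tf-apply:
  # NOTE(review): no plan file is saved by tf-plan or passed here, so apply
  # computes a fresh plan rather than applying the one that was reviewed.
  dependencies:
    - tf-files
  stage: tf-apply
  # uncomment the following lines and set the SSH key secret for private modules repo
  # NOTE(review): see the same keyscan remark as in tf-plan — prefer a pinned
  # host key fingerprint over trust-on-first-use when enabling this.
  # before_script:
  #   - |
  #     ssh-agent -a $SSH_AUTH_SOCK > /dev/null
  #     echo "$CICD_MODULES_KEY" | base64 -d | tr -d '\r' | ssh-add - > /dev/null
  #     mkdir -p ~/.ssh
  #     ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
  #     ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
  script:
    - terraform init
    - terraform validate
    - terraform apply -input=false -auto-approve
  # Manual trigger, and only for pipelines running on the default branch.
  # `only/except` is GitLab's legacy form of `rules:`; kept as-is to preserve
  # the existing behaviour.
  when: manual
  only:
    variables:
      - $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH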