Terraform Infrastructure as Code (IaC) to provision the required infrastructure for any tooling required by the Planning Inspectorate application environments. This includes resources such as a container registry, Azure build agents, a Hub network, etc.
- IaC defined using Terraform
- Validation and linting with TFLint
- Checkov for static analysis of the code for security issues and misconfigurations
- Pre-commit hooks run checks to identify issues before code submission
- Azure DevOps YAML pipelines to deploy the infrastructure
- Azure CLI required for deployments
- Custom build agents configured using Packer
The main tool required to work with this repo is Terraform. Instructions to install it can be found on the Terraform website (see Tooling section).
However, if you are running macOS or Linux it is recommended you use a version manager, which makes working with multiple Terraform versions easier. For this you can use tfenv.
Install tfenv (Homebrew):
brew install tfenv
Install tfenv manually by checking out the repo and adding .tfenv/bin to your $PATH:
git clone https://github.com/tfutils/tfenv.git ~/.tfenv
echo 'export PATH="$HOME/.tfenv/bin:$PATH"' >> ~/.bash_profile
Install Terraform using tfenv:
tfenv install 1.1.6
Install pre-commit (requires Python/Pip):
pip install pre-commit
Install pre-commit (Homebrew):
brew install pre-commit
Once pre-commit is installed, configure it in the project by running from the root:
pre-commit install
Pre-commit is configured using the .pre-commit-config.yaml file in the root of the project. In order for it to run, the required tools need to be installed; this is covered below and in the Tooling section.
Install terraform-docs (Homebrew):
brew install terraform-docs
Install terraform-docs (Chocolatey):
choco install terraform-docs
Terraform-docs automates Terraform documentation and makes it available in Markdown syntax. These have been placed in README.md files within each Terraform module throughout the repository.
This documentation has been automated using pre-commit hooks (see above). The README.md file for each Terraform module contains tags:
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
When the pre-commit hook runs, Terraform-docs generates the documentation and inserts it in the space between the tags.
If you create a new Terraform module, simply add a README.md file containing the above tags. Terraform-docs will then run for this module each time you make a commit.
To run Terraform-docs for the whole repository, run:
pre-commit run -a terraform-docs
Install tflint (Bash script Linux):
curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
Install tflint (Homebrew):
brew install tflint
Install tflint (Chocolatey):
choco install tflint
TFLint is configured via the .tflint.hcl file in the project root. It needs to be initialised before running.
tflint --init
Install Checkov (Python/Pip):
pip install checkov
Install Checkov (Homebrew):
brew install checkov
Checkov runs a scan of the infrastructure as code, and can be pointed at a Terraform module using the -d flag:
checkov -d /path/to/module
In some scenarios Checkov may report configuration issues that are intentional. In order to bypass these checks, you can add a comment to the Terraform resource it complains about like so:
resource "azurerm_storage_account" "my_storage_account" {
#checkov:skip=CKV_AZURE_109: Skip reason
...
}
In this example, CKV_AZURE_109 is the check to bypass.
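As an added example (not code from the repository): a POSIX shell function that lists every Checkov skip comment under a directory in the `#checkov:skip=CKV_ID: reason` form shown above and fails when a skip carries no reason, so that bypasses stay reviewable instead of accumulating unexplained. The directory argument and the `file:line:CHECK_ID:reason` output format are assumptions.

```shell
#!/bin/sh
# Added example, not repository code: audit "#checkov:skip=CKV_ID: reason"
# comments so that every bypass names a check and states why it is skipped.

# audit_checkov_skips DIR
# Prints one line per skip as  file:line:CHECK_ID:reason  and returns 1 when
# any skip has no reason text, 0 otherwise. DIR is an assumed module path.
audit_checkov_skips() {
    # /dev/null makes grep prefix the file name even when it scans one file
    find "$1" -type f -name '*.tf' -exec grep -n '#checkov:skip=' /dev/null {} + 2>/dev/null |
    awk '
    {
        # grep output is "file:line:text"; split on the first two colons only,
        # because the reason itself may contain colons
        p = index($0, ":"); file = substr($0, 1, p - 1); rest = substr($0, p + 1)
        p = index(rest, ":"); line = substr(rest, 1, p - 1); text = substr(rest, p + 1)

        # keep what follows the 14-character "#checkov:skip=" keyword
        body = substr(text, index(text, "#checkov:skip=") + 14)
        c = index(body, ":")
        if (c == 0) { id = body; reason = "" }
        else        { id = substr(body, 1, c - 1); reason = substr(body, c + 1) }
        gsub(/^[ \t]+|[ \t]+$/, "", id)
        gsub(/^[ \t]+|[ \t]+$/, "", reason)

        if (reason == "") { printf "%s:%s:%s:MISSING REASON\n", file, line, id; bad = 1 }
        else              { printf "%s:%s:%s:%s\n", file, line, id, reason }
    }
    END { if (bad) exit 1; exit 0 }'
}
```

Running `audit_checkov_skips /path/to/module` in CI next to the Checkov scan gives reviewers a list of which checks are bypassed and why, and blocks a skip that was added without a justification.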
Install Packer (Homebrew):
brew tap hashicorp/tap
brew install hashicorp/tap/packer
Install via binary - https://www.packer.io/downloads
The Pipelines run in the Azure DevOps infrastructure project. They are defined in YAML templates in the pipelines folder.
There is a CI pipeline which runs validation and various checks. This is linked to Pull Requests, so it must pass before a PR can be merged.
The CD pipeline deploys the tooling infrastructure to the Tooling subscription (pins-odt-tooling-shared-sub). This is triggered automatically for the Dev environment when there is a merge to the main branch. For manual runs, you must choose the region and stack you wish to deploy.
The build agents are set up using Packer templates. There are 2 pipelines that run on Microsoft Hosted agents: one builds the image, and one cleans up any old images.
The Packer templates can be found within the packer/azure-agents folder. The tools.sh script contains the setup instructions for the image.
Once the image has been created, the regular CD pipeline can be run to update the Azure Scale Set with the new image.