This repository is for the infrastructure relating to the Terraform backend.
Non-secret variables will be automatically added as environment variables that can be consumed without any mapping. The variables listed below are the minimum needed to use all templates.
Name | Description |
---|---|
TF_ARTIFACT_NAME | Name of the Terraform artifact |
TF_BACKEND_AWS_KEY_ID | AWS Key ID |
TF_BACKEND_AWS_REGION | AWS Region |
TF_BACKEND_AWS_SECRET_KEY | AWS Secret |
TF_CLI_ARGS_INIT | Terraform init args |
```yaml
variables:
  - group: terraform.infrastructure
```
Apply the changes described in the .tfplan file
This template will:
- Download the specified artifact
- Extract the files from the downloaded artifact
- Install the specified Terraform version
- Apply the Terraform changes
The apply template is a step template, meaning it needs to be nested under a `steps:` block.
Name | Description | Type | Default |
---|---|---|---|
applyAdditionalCommandOptions | Additional command options for Terraform apply | string | " " |
artifactName | Name of the published artifact to download | string | $(TF_ARTIFACT_NAME) |
version | Terraform version to download and install | string | 1.2.5 |
workingDirectory | Working directory | string | $(Pipeline.Workspace) |
```yaml
resources:
  repositories:
    - repository: terraform-templates
      type: github
      name: expensely/infra-terraform-backend
      endpoint: expensely
steps:
  - template: ./pipelines/templates/apply.yml@terraform-templates
```
Destroy infrastructure and delete the relevant workspace
This template will:
- Install the specified Terraform version
- Initialise the Terraform
- Select the relevant workspace
- Destroy the infrastructure
- Delete the workspace
The destroy template is a step template, meaning it needs to be nested under a `steps:` block.
Name | Description | Type | Default |
---|---|---|---|
destroyAdditionalArguments | Additional command options for Terraform destroy command | string | " " |
initAdditionalCommandOptions | Additional command options for Terraform init command | string | " " |
version | Terraform version to download and install | string | 1.2.5 |
workingDirectory | Directory where Terraform files are located | string | $(Build.SourcesDirectory)/infrastructure |
workspace | Terraform workspace | string | |
```yaml
resources:
  repositories:
    - repository: terraform-templates
      type: github
      name: expensely/infra-terraform-backend
      endpoint: expensely
steps:
  - template: ./pipelines/templates/destroy.yml@terraform-templates
    parameters:
      workspace: time-preview-23
```
Get a cost breakdown of the infrastructure
This template will:
- Install Infracost
- Run Infracost Breakdown
- Generate HTML report
- Destroy the infrastructure
- Publish Infracost HTML report
The infracost template is a step template, meaning it needs to be nested under a `steps:` block.
Name | Description | Type | Default | Default value found in |
---|---|---|---|---|
apiKey | Infracost API key | string | $(INFRACOST_API_KEY) | Variable group named infracost |
version | Infracost version to install | string | 0.10.x | |
breakdownAdditionalCommandOptions | Additional command options for Infracost breakdown command | string | " " | Terraform variable file |
enableDashboard | Enable Infracost dashboard | boolean | true | |
currency | Currency to show cost in | string | AUD | |
workingDirectory | Directory where Terraform files are located | string | $(Build.SourcesDirectory)/infrastructure | |
```yaml
resources:
  repositories:
    - repository: terraform-templates
      type: github
      name: expensely/infra-terraform-backend
      endpoint: expensely
steps:
  - template: ./pipelines/templates/infracost.yml@terraform-templates
    parameters:
      breakdownAdditionalCommandOptions: --terraform-var-file variables/${{ variables.ENVIRONMENT }}.${{ variables.AWS_DEFAULT_REGION }}.tfvars
```
Create a Terraform plan.
This template will:
- Install the specified Terraform version
- Initialise the Terraform
- Select or create the relevant workspace
- Plan the changes and save them to a file
- Archive the changes to a tar.gz
- Publish the archive
This template will install the specified Terraform version, initialise Terraform, and apply the changes described in the .tfplan file.
The plan template is a step template, meaning it needs to be nested under a `steps:` block.
Name | Description | Type | Default |
---|---|---|---|
artifactName | Name of the published artifact, that contains the plan file, to download and extract | string | $(TF_ARTIFACT_NAME) |
initAdditionalCommandOptions | Additional command options for Terraform init | string | " " |
planAdditionalCommandOptions | Additional command options for the Terraform plan | string | " " |
version | Terraform version to download and install | string | 1.2.5 |
workingDirectory | Directory where Terraform files are located | string | $(Build.SourcesDirectory)/infrastructure |
workspace | Terraform workspace | string | |
```yaml
resources:
  repositories:
    - repository: terraform-templates
      type: github
      name: expensely/infra-terraform-backend
      endpoint: expensely
steps:
  - template: ./pipelines/templates/plan.yml@terraform-templates
    parameters:
      workspace: time-preview-23
```
Static analysis of your Terraform code to spot potential misconfigurations
This template will:
- Install the specified tfsec version
- Run tfsec
- Publish HTML report
The tfsec template is a step template, meaning it needs to be nested under a `steps:` block.
If you are going to use this to apply changes to infrastructure in AWS you will need to configure the credentials using the configure template.
Name | Description | Type | Default | Default value found in |
---|---|---|---|---|
version | Terraform Static Code Analyzer version to download and install | string | 1.26.0 | |
commandOptions | Command options | string | | |
workspace | Terraform workspace | string | | |
workingDirectory | Directory where Terraform files are located | string | $(Build.SourcesDirectory)/infrastructure | |
```yaml
resources:
  repositories:
    - repository: terraform-templates
      type: github
      name: expensely/infra-terraform-backend
      endpoint: expensely
steps:
  - template: ./pipelines/templates/tfsec.yml@terraform-templates
    parameters:
      commandOptions: -var-file="variables/${{ variables.ENVIRONMENT }}.${{ variables.AWS_DEFAULT_REGION }}.tfvars"
```
Jobs:
- Plan
  a. Run the plan template
  b. Run the infracost template
  c. Run the tfsec template
- Manually validate the Terraform plan
- Apply
  a. Run the apply template
The plan-and-approve template is a job template, meaning it needs to be nested under a `jobs:` block.
If you are going to use this to apply changes to infrastructure in AWS you will need to configure the credentials using the configure template.
Name | Description | Type | Default | Default value found in |
---|---|---|---|---|
environment | Name of the environment to deploy to | string | | |
infracostApiKey | API key for Infracost | string | $(INFRACOST_API_KEY) | |
infracostBreakdownAdditionalCommandOptions | Additional command options for Infracost breakdown command | string | " " | |
infracostEnableDashboard | Enable Infracost dashboard | boolean | true | |
infracostVersion | Infracost version to install | string | 0.10.x | |
infracostCurrency | Currency to show cost in | string | AUD | |
runInfracost | Run Infracost? | boolean | true | |
runTfsec | Run tfsec? | boolean | true | |
runTerraformApply | Run Terraform apply? | boolean | true | |
terraformArtifactName | Name of the Terraform plan artifact | string | $(TF_ARTIFACT_NAME) | |
terraformWorkspace | Name of the Terraform workspace | string | | |
terraformApplyAdditionalCommandOptions | Additional options for Terraform apply command | string | " " | |
terraformInitAdditionalCommandOptions | Additional options for Terraform init command | string | " " | |
terraformPlanAdditionalCommandOptions | Additional options for the Terraform plan command | string | " " | |
terraformVariablesFile | Terraform variable file | string | | |
terraformVersion | Terraform version to install | string | 1.2.5 | |
tfsecCommandOptions | Command options | string | " " | |
tfsecVersion | Terraform Static Code Analyzer version to download and install | string | 1.26.0 | |
workingDirectory | Directory where Terraform files are located | string | $(Build.SourcesDirectory)/infrastructure | |
```yaml
resources:
  repositories:
    - repository: terraform-templates
      type: github
      name: expensely/infra-terraform-backend
      endpoint: expensely
jobs:
  - template: ./pipelines/templates/plan-and-approve.yml@terraform-templates
    parameters:
      terraformVariablesFile: variables/${{ variables.ENVIRONMENT }}.${{ variables.AWS_DEFAULT_REGION }}.tfvars
      terraformWorkspace: time-production
      environment: production
```
Role Arn:
- arn:aws:iam::931649473445:role/terraform.infrastructure
Trusted users:
- arn:aws:iam::931649473445:user/cicd/terraform.platform.production
Role Arn:
- arn:aws:iam::266556396524:role/terraform.infrastructure
Trusted users:
- arn:aws:iam::931649473445:user/cicd/terraform.shared.production
- arn:aws:iam::931649473445:user/cicd/terraform.user.production
Role Arn:
- arn:aws:iam::172837312601:role/terraform.infrastructure
Trusted users:
- arn:aws:iam::931649473445:user/cicd/terraform.shared.preview
- arn:aws:iam::931649473445:user/cicd/terraform.user.preview
Role Arn:
- arn:aws:iam::104633789203:role/terraform.infrastructure
Trusted users:
- arn:aws:iam::931649473445:user/cicd/terraform.shared.production
- arn:aws:iam::931649473445:user/cicd/terraform.user.production
- arn:aws:iam::931649473445:user/cicd/terraform.kronos.production
Role Arn:
- arn:aws:iam::829991159560:role/terraform.infrastructure
Trusted users:
- arn:aws:iam::931649473445:user/cicd/terraform.shared.preview
- arn:aws:iam::931649473445:user/cicd/terraform.user.preview
- arn:aws:iam::931649473445:user/cicd/terraform.kronos.preview
Role Arn:
- arn:aws:iam::556018441473:role/terraform.infrastructure
Trusted users:
- arn:aws:iam::931649473445:user/cicd/terraform.platform.production
- arn:aws:iam::931649473445:user/cicd/terraform.shared.production
- arn:aws:iam::931649473445:user/cicd/terraform.user.production
- arn:aws:iam::931649473445:user/cicd/terraform.kronos.production
Role Arn:
- arn:aws:iam::151170476258:role/terraform.infrastructure
Trusted users:
- arn:aws:iam::931649473445:user/cicd/terraform.platform.preview
- arn:aws:iam::931649473445:user/cicd/terraform.shared.preview
- arn:aws:iam::931649473445:user/cicd/terraform.user.preview
- arn:aws:iam::931649473445:user/cicd/terraform.kronos.preview
Role Arn:
- arn:aws:iam::217292076671:role/terraform.infrastructure
Trusted users:
- arn:aws:iam::931649473445:user/cicd/terraform.platform.production
Role Arn:
- arn:aws:iam::537521289459:role/terraform.infrastructure
Trusted users:
- arn:aws:iam::931649473445:user/cicd/terraform.platform.preview
Role Arn:
- arn:aws:iam::087484524822:role/terraform.infrastructure
Trusted users:
- arn:aws:iam::931649473445:user/cicd/terraform.platform.production
Role Arn:
- arn:aws:iam::365677886296:role/terraform.infrastructure
Trusted users:
- arn:aws:iam::931649473445:user/cicd/terraform.platform.preview
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TerraformNetworkingPreview",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::931649473445:user/cicd/terraform.platform.preview"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
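To check that a deployed trust policy still matches the Role Arn / Trusted users lists documented above, here is an added audit script (not part of this repository) that parses a trust policy and reports any Allow statement whose principals are outside the documented set, or whose action is anything other than sts:AssumeRole. The policy is the one shown above; the documented set is assumed to be the single platform.preview CI/CD user it names.

```python
import json

# Trust policy copied from the README above (the TerraformNetworkingPreview role).
TRUST_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Sid": "TerraformNetworkingPreview", "Effect": "Allow",
                "Principal": {"AWS": ["arn:aws:iam::931649473445:user/cicd/terraform.platform.preview"]},
                "Action": "sts:AssumeRole"}]}
""")

# Principals the README documents as trusted for this role (assumption: the
# single platform.preview CI/CD user is the complete intended list).
DOCUMENTED_TRUSTED_USERS = {
    "arn:aws:iam::931649473445:user/cicd/terraform.platform.preview",
}


def _as_list(value):
    # IAM accepts a bare string where a list is also allowed; normalise to a list.
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, documented):
    """Return findings; empty means every Allow statement grants only
    sts:AssumeRole to principals in the documented set."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() != "sts:assumerole":
                findings.append(f"{sid}: unexpected action {action}")
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"{sid}: wildcard principal trusts every AWS account")
            continue
        for ptype, value in principal.items():
            if ptype != "AWS":
                findings.append(f"{sid}: non-AWS principal type {ptype}")
                continue
            for arn in _as_list(value):
                if arn == "*":
                    findings.append(f"{sid}: wildcard AWS principal")
                elif arn not in documented:
                    findings.append(f"{sid}: undocumented principal {arn}")
    return findings
```

Run it against the output of `aws iam get-role` for each role listed above, with the documented set swapped for that role's Trusted users, to catch trust relationships that have drifted from this README.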