-
Notifications
You must be signed in to change notification settings - Fork 0
/
.gitlab-ci.yml
131 lines (122 loc) · 3.87 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
stages:
- plan
- check
- apply
- finops
- destroy
- infracost
variables:
TF_ROOT: ${CI_PROJECT_DIR}/infracost
TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/example-production
TF_STATE: ${CI_PROJECT_NAME}
cache:
key: example-production
paths:
- ${TF_ROOT}/.terraform
plan_terraform:
stage: plan
image:
name: registry.gitlab.com/gitlab-org/terraform-images/stable:latest
entrypoint:
- '/usr/bin/env'
- 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
script:
- cd ${TF_ROOT}
- echo $GOOGLE_SA_KEY > key.json
- export GOOGLE_APPLICATION_CREDENTIALS="$(pwd)/key.json"
- ./init.sh
- gitlab-terraform validate
- gitlab-terraform plan
- gitlab-terraform plan-json
artifacts:
name: plan
paths:
- ${TF_ROOT}/plan.cache
reports:
terraform: ${TF_ROOT}/plan.json
run_infracost:
image: registry.gitlab.com/gitlab-org/terraform-images/stable:latest
stage: finops
when: manual
script:
- os=$(uname | tr '[:upper:]' '[:lower:]')
- arch=$(uname -m | tr '[:upper:]' '[:lower:]' | sed -e s/x86_64/amd64/)
- echo "Downloading latest release of infracost-$os-$arch..."
- curl -sL https://github.com/infracost/infracost/releases/latest/download/infracost-$os-$arch.tar.gz | tar xz -C /tmp
- echo "Moving /tmp/infracost-$os-$arch to /usr/local/bin/infracost"
- mv /tmp/infracost-$os-$arch /usr/local/bin/infracost
- echo "Completed installing $(infracost --version)"
- cd ${TF_ROOT}
- echo $GOOGLE_SA_KEY > key.json
- export GOOGLE_APPLICATION_CREDENTIALS="$(pwd)/key.json"
- ./init.sh
- infracost breakdown --path . --terraform-plan-flags "-var-file=terraform.tfvars"
- infracost diff --path . --terraform-plan-flags "-var-file=terraform.tfvars"
infracost-job:
image:
name: infracost/infracost:latest # Use a specific version of the image instead of latest if locking the image is preferred
entrypoint: [""] # Do not run the default entrypoint
script:
- cd ${TF_ROOT}
- echo $GOOGLE_SA_KEY > key.json
- export GOOGLE_APPLICATION_CREDENTIALS="$(pwd)/key.json"
- ./init.sh
- /scripts/ci/diff.sh
only:
- merge_requests
stage: infracost
variables:
path: "${TF_ROOT}"
terraform_plan_flags: "-var-file=terraform.tfvars"
post_condition: '{"has_diff": true}'
apply_terraform:
stage: apply
only:
- master
image:
name: registry.gitlab.com/gitlab-org/terraform-images/stable:latest
entrypoint:
- '/usr/bin/env'
- 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
script:
- cd ${TF_ROOT}
- echo $GOOGLE_SA_KEY > key.json
- export GOOGLE_APPLICATION_CREDENTIALS="$(pwd)/key.json"
- ./init.sh
- gitlab-terraform validate
- gitlab-terraform apply
run_custodian:
image: python:latest
when: manual
variables:
PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
cache:
paths:
- .cache/pip
- venv/
stage: finops
before_script:
- python -V
- pip install virtualenv
- virtualenv venv
- source venv/bin/activate
- pip install -r cloud-custodian/requirements.txt
- echo $GOOGLE_SA_KEY > key.json
- export GOOGLE_APPLICATION_CREDENTIALS="$(pwd)/key.json"
script:
- c7n-org run -c cloud-custodian/environments/gcp.yml -s output -u cloud-custodian/policies/gcp.yml
destroy_terraform:
stage: destroy
when: manual
image:
name: registry.gitlab.com/gitlab-org/terraform-images/stable:latest
entrypoint:
- '/usr/bin/env'
- 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
script:
- cd ${TF_ROOT}
- echo $GOOGLE_SA_KEY > key.json
- export GOOGLE_APPLICATION_CREDENTIALS="$(pwd)/key.json"
- ./init.sh
- gitlab-terraform validate
- gitlab-terraform destroy