-
Notifications
You must be signed in to change notification settings - Fork 0
/
cloudbuild.yaml
116 lines (107 loc) · 2.82 KB
/
cloudbuild.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
steps:
# creates a python virtualenv stored in /workspace/venv that will persist across container runs
- id: virtual envrionment
name: us.gcr.io/$PROJECT_ID/gcloud-python
entrypoint: /bin/bash
args: ["-c", "virtualenv /workspace/venv"]
# installs dependencies
- id: install requirements
name: us.gcr.io/$PROJECT_ID/gcloud-python
entrypoint: venv/bin/pip
args: ["install", "awscli", "checkov"]
waitFor:
- virtual envrionment
# set aws access key id
- id: set aws access key id
name: us.gcr.io/$PROJECT_ID/gcloud-python
entrypoint: venv/bin/aws
args: ["configure", "set", "aws_access_key_id", "${_AWS_ACCESS_KEY_ID}"]
waitFor:
- install requirements
# set aws secret access key id
- id: set aws secret access key id
name: us.gcr.io/$PROJECT_ID/gcloud-python
entrypoint: venv/bin/aws
args:
[
"configure",
"set",
"aws_secret_access_key",
"${_AWS_SECRET_ACCESS_KEY_ID}",
]
waitFor:
- set aws access key id
# set aws region
- id: set aws region
name: us.gcr.io/$PROJECT_ID/gcloud-python
entrypoint: venv/bin/aws
args: ["configure", "set", "region", "${AWS_REGION}"]
waitFor:
- set aws secret access key id
# initialize the working Terraform directory
- id: terraform init
name: hashicorp/terraform:0.12.26
entrypoint: "sh"
args:
- "-c"
- |
cd tfstate
terraform init
waitFor:
- set aws region
# create an execution plan
- id: terraform plan
name: hashicorp/terraform:0.12.26
entrypoint: "sh"
args:
- "-c"
- |
cd tfstate
terraform plan
waitFor:
- terraform init
# apply the new or updated resources
- id: terraform apply
name: hashicorp/terraform:0.12.26
entrypoint: "sh"
args:
- "-c"
- |
cd tfstate
terraform apply -auto-approve
waitFor:
- terraform plan
# run compliance and vulnerability checks with checkov
- id: run checkov
name: us.gcr.io/$PROJECT_ID/gcloud-python
entrypoint: venv/bin/checkov
args: ["-d", "tfstate/", "-s"]
waitFor:
- terraform apply
# destroy the Terraform managed infrastructure
- id: terraform destroy
name: hashicorp/terraform:0.12.26
entrypoint: "sh"
args:
- "-c"
- |
cd tfstate
terraform destroy -auto-approve
waitFor:
- run checkov
# WITH MULTIPLE TERRAFORM MODULES YOU COULD DO A FOR LOOP
# - id: terraform commands
# name: hashicorp/terraform:0.12.26
# entrypoint: "sh"
# args:
# - "-c"
# - |
# for tf in tfstate, vpc, cluster
# do
# cd tf
# terraform init
# terraform plan
# terraform apply -auto-approve
# checkov -d tf
# terraform destroy -auto-approve
# done