-
Notifications
You must be signed in to change notification settings - Fork 2
/
.drone.yml
103 lines (92 loc) · 3.28 KB
/
.drone.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
---
global-variables:
# testrunner-image: &testrunner-image quay.io/ukhomeofficedigital/tf-testrunner:32
testrunner-image: &testrunner-image quay.io/ukhomeofficedigital/tf-testrunner:TF1.6
# terragrunt-image: &terragrunt-image quay.io/ukhomeofficedigital/dq-docker-terragrunt:v0.23.18
# terragrunt-image: &terragrunt-image quay.io/ukhomeofficedigital/dq-docker-terragrunt:v0.26.2 # TF0.13
terragrunt-image: &terragrunt-image quay.io/ukhomeofficedigital/dq-docker-terragrunt:TGv0.54.4_TFv1.6.6
vault-image: &vault-image docker.digital.homeoffice.gov.uk/dq/dq-vault-awscli:1.43
kind: pipeline
name: dq-tf-ops
type: kubernetes
platform:
os: linux
arch: amd64
environment:
AWS_REGION: eu-west-2
x-anchors:
retrieve-aws-key: &retrieve-aws-key
- vault --version
# All Terraform operations need access to an AWS Account
# - so all Terraform steps will need to source AWS_SECRETS_FILE
- export AWS_CREDS_FILE="aws_creds.json"
- export AWS_SECRETS_FILE="set_aws_secrets.sh"
# Retrieve vault secrets
- vault read aws_dacc_dq/creds/drone > $${AWS_CREDS_FILE}
- export LEASE_ID=$(cat $${AWS_CREDS_FILE} | grep lease_id | awk -F ' ' '{print $2}')
- export ACCESS_KEY=$(cat $${AWS_CREDS_FILE} | grep access_key | awk -F ' ' '{print $2}')
- export SECRET_KEY=$(cat $${AWS_CREDS_FILE} | grep secret_key | awk -F ' ' '{print $2}')
# Update the token TTL to 10mins
- vault lease renew -increment=3600 $${LEASE_ID}
# Get the AWS credentials - for `Terragrunt/Terraform`
- echo "export AWS_ACCESS_KEY_ID=$${ACCESS_KEY}" > $${AWS_SECRETS_FILE}
- echo "export AWS_SECRET_ACCESS_KEY=$${SECRET_KEY}" >> $${AWS_SECRETS_FILE}
- echo "export AWS_DEFAULT_REGION=$${AWS_REGION}" >> $${AWS_SECRETS_FILE}
check-format: &check-format
- terraform --version
- terraform fmt --diff --check
run-testrunner-tests: &run-testrunner-tests
# Get AWS secrets for TF State
- export AWS_SECRETS_FILE="/drone/src/set_aws_secrets.sh"
- source $${AWS_SECRETS_FILE}
# Add SSH_KEY to allow git clone
- mkdir /root/.ssh && echo "$SSH_KEY" > /root/.ssh/id_rsa && chmod 0600 /root/.ssh/id_rsa
- ssh-keyscan -t rsa -p 2222 gitlab.digital.homeoffice.gov.uk >> ~/.ssh/known_hosts
# Run the actual tests
- python -m unittest tests/*_test.py
steps:
- name: check-format
pull: if-not-exists
image: *terragrunt-image
commands: *check-format
when:
event:
- push
- name: retrieve_aws_secrets
pull: if-not-exists
image: *vault-image
commands: *retrieve-aws-key
environment:
VAULT_ADDR:
from_secret: VAULT_ADDR_NOTPROD
VAULT_TOKEN:
from_secret: VAULT_TOKEN_NOTPROD
when:
event:
- push
- name: run-testrunner-tests
pull: if-not-exists
image: *testrunner-image
commands: *run-testrunner-tests
environment:
SSH_KEY:
from_secret: SSH_KEY
when:
event:
- push
- name: renew-vault-tokens
pull: if-not-exists
image: *vault-image
commands:
#Renew Dev Drone Vault Token
- export VAULT_TOKEN=$${VAULT_TOKEN_NOTPROD}
- export VAULT_ADDR=$${VAULT_ADDR_NOTPROD}
- vault token renew > /dev/null
environment:
VAULT_ADDR_DEV:
from_secret: VAULT_ADDR_NOTPROD
VAULT_TOKEN_DEV:
from_secret: VAULT_TOKEN_NOTPROD
when:
event: [ cron ]
cron: [ renew-vault-tokens ]