-
Notifications
You must be signed in to change notification settings - Fork 1
/
vault-tfc-task.yaml
executable file
·129 lines (118 loc) · 3.72 KB
/
vault-tfc-task.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: vault-tfc
spec:
params:
- name: tfc_org
type: string
- name: tfworkspace
type: string
stepTemplate:
env:
- name: "VAULT_ADDR"
value: "http://vault.vault.svc.cluster.local:8200"
steps:
# - name: vault-token
# image: hashicorp/vault
# args:
# - agent
# - -config=/etc/vault/vault-agent-config.hcl
# - -log-level=debug
# env:
# - name: VAULT_ADDR
# value: http://vault.vault.svc.cluster.local:8200
# volumeMounts:
# - mountPath: /etc/vault
# name: config
# - mountPath: /home/vault
# name: shared-data
- name: vault-status
image: gcr.io/cloud-builders/curl
script: |
#!/usr/bin/bash
echo -e "Vault Address is http://${VAULT_ADDR} \xF0\x9F\x8D\xBB\x20\x0A\n\n"
curl "${VAULT_ADDR}/v1/sys/seal-status"
- name: tfc-workspace
image: gcr.io/cloud-builders/curl
script: |
#!/usr/bin/env bash
echo -e "Saving the Workspace ID in a file... \n"
TFE_TOKEN="$(cat /vault/secrets/credentials.tfrc.json | awk -F': ' '/token/ {print $NF}' | tr -d "\"")"
curl -s -H "Authorization: Bearer $TFE_TOKEN" \
-H "Content-Type: application/vnd.api+json" \
-X GET \
https://app.terraform.io/api/v2//organizations/$(params.tfc_org)/workspaces/$(params.tfworkspace) \
| cut -d : -f3 | cut -d , -f1 | tr -d '"' > /workspace/workspace_id
echo "The Workspace ID is: $(cat /workspace/workspace_id)"
volumeMounts:
- mountPath: /vault/secrets
name: shared-data
- name: run-json
image: ubuntu
script: |
#!/usr/bin/env bash
echo -e "Creating the payload to run the Terraform Workspace \xF0\x9F\x8D\xBB\x20\x0A\n\n"
cat - > /workspace/run.json <<EOF
{
"data":{
"attributes":{
"is-destroy": false,
"message": "API Apply from Tekton: $HOSTNAME 🎉 🍻 "
},
"type":"runs",
"relationships":{
"workspace":{
"data": {
"type": "workspaces",
"id": "$(cat /workspace/workspace_id)"
}
}
}
}
}
EOF
cat /workspace/run.json
- name: tfc-run
image: gcr.io/cloud-builders/curl
script: |
#!/usr/bin/env bash
echo -e "Running Terraform Cloud Workspace $(cat /workspace/workspace_id)! \xF0\x9F\x8D\xBB\x20\x0A"
TFE_TOKEN="$(cat /vault/secrets/credentials.tfrc.json | awk -F': ' '/token/ {print $NF}' | tr -d "\"")"
curl -H "Authorization: Bearer $TFE_TOKEN" \
-H "Content-Type: application/vnd.api+json" \
-d @/workspace/run.json \
https://app.terraform.io/api/v2/runs
volumeMounts:
- mountPath: /vault/secrets
name: shared-data
sidecars:
- image: hashicorp/vault
name: agent
securityContext:
privileged: true
args:
- agent
- -config=/etc/vault/vault-agent-config.hcl
- -log-level=debug
env:
- name: VAULT_ADDR
value: http://vault.vault.svc.cluster.local:8200
volumeMounts:
- mountPath: /etc/vault
name: config
- mountPath: /vault/secrets
name: shared-data
- mountPath: /home/vault
name: token-data
volumes:
- configMap:
items:
- key: vault-agent-config.hcl
path: vault-agent-config.hcl
name: vault-agent-config
name: config
- emptyDir: {}
name: shared-data
- emptyDir: {}
name: token-data