---
# Pipeline-wide variables. State address, state name, cache key and the
# Terraform `branch` input are all derived from the branch name, so each
# branch works against its own state.
variables:
  TF_ROOT: "${CI_PROJECT_DIR}/terraform"
  # GitLab-managed Terraform state, one state per branch.
  TF_HTTP_ADDRESS: "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/${CI_COMMIT_BRANCH}"
  # NOTE(review): only the state address is set here; no lock/unlock address
  # and no backend credentials (TF_HTTP_USERNAME / TF_HTTP_PASSWORD) appear in
  # this file, so they are presumably supplied by the backend block in the
  # Terraform code or by CI/CD variables — confirm, otherwise `terraform init`
  # may not be able to authenticate to the state endpoint.
  TF_STATE_NAME: "${CI_COMMIT_BRANCH}"
  TF_CACHE_KEY: "${CI_COMMIT_BRANCH}"
  # NOTE(review): TF_STATE_NAME and TF_CACHE_KEY are not referenced by any job
  # in this file (the jobs call `terraform` directly, not a wrapper) — confirm
  # they are still needed.
  TF_VAR_branch: "${CI_COMMIT_BRANCH}"
# Keep the Terraform working directory and the dependency lock file between
# jobs and pipelines.
cache:
  # NOTE(review): the key expands to TF_ROOT, which is the same on every
  # branch, so all branches share one cache; the per-branch TF_CACHE_KEY
  # defined in `variables` is unused — confirm which was intended.
  key: "${TF_ROOT}"
  paths:
    - "${TF_ROOT}/.terraform/"
    - "${TF_ROOT}/.terraform.lock.hcl"
# Runs ahead of every job's `script`: switch into the Terraform directory and
# derive the subnet inputs (TF_VAR_*) from the helper scripts found there.
before_script:
  - 'cd ${TF_ROOT}'
  - 'export TF_VAR_subnet="$(python3 helpers/subnet_prefix.py)"'
  - 'export TF_VAR_subnet_list="$(python3 helpers/subnet_list.py)"'
# Stage order. Everything up to `ansible` runs automatically; `destroy-tf`
# holds a manual tear-down job.
stages:
  - prepare-tf   # terraform init
  - validate-tf  # terraform validate
  - build-tf     # terraform plan
  - deploy-tf    # terraform apply
  - ansible      # ansible-playbook against the hosts.ini produced by the apply
  - destroy-tf   # terraform destroy (manual)
# Settings shared by every job through `extends: .global`.
.global:
  tags:
    - shell
  # Skip the job when a commit touches only documentation or editor/forge
  # files; otherwise run once the previous stage succeeded. A job that
  # declares its own `rules` replaces this list entirely (extends does not
  # merge arrays), so the exclusion only reaches jobs without a `rules` key.
  rules:
    - changes:
        - 'docs/*'
        - '.vscode/*'
        - '.github/*'
        - README.md
        - LICENSE
      when: never
    - when: on_success
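# Initialise the backend and providers; the result is shared with later jobs
# through the cache (no artifact carries `.terraform/` out of this job).
init:
  stage: prepare-tf
  extends: .global
  environment:
    name: production
  script:
    - terraform init
    - terraform validate
  # Deliberately no job-level `rules`: a job's `rules` replaces the inherited
  # `.global` list wholesale (arrays are not merged by `extends`), and the
  # former `- when: on_success` copy silently dropped the docs-only exclusion.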
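# Re-validate the configuration in its own stage.
validate:
  extends: .global
  environment:
    name: production
  stage: validate-tf
  script:
    # Needs the `.terraform/` directory from `init`; it arrives via the cache
    # (or the runner's persistent build directory), not via an artifact.
    - terraform validate
  # Deliberately no job-level `rules`: a job's `rules` replaces the inherited
  # `.global` list wholesale (arrays are not merged by `extends`), and the
  # former `- when: on_success` copy silently dropped the docs-only exclusion.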
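# Produce a saved plan that `create` applies verbatim, so what reaches the
# apply is exactly what was planned and reviewed.
plan:
  stage: build-tf
  extends: .global
  environment:
    name: production
  artifacts:
    name: plan
    paths:
      # Saved plan consumed by `create`.
      - ${TF_ROOT}/plan.cache
    reports:
      # NOTE(review): the MR Terraform widget expects the create/update/delete
      # summary emitted by the `gitlab-terraform plan-json` wrapper; the raw
      # `terraform show -json` output written below may not render in it —
      # confirm, and drop the report entry if it does not.
      terraform: ${TF_ROOT}/plan.json
  script:
    # Working directory is TF_ROOT (set in before_script). The initialised
    # `.terraform/` from `init` is expected to be present via the cache or the
    # runner's persistent build directory — no artifact carries it.
    - terraform plan -out=plan.cache
    - terraform show -json plan.cache > plan.json
  # Deliberately no job-level `rules`: a job's `rules` replaces the inherited
  # `.global` list wholesale, and the former `- when: on_success` copy
  # silently dropped the docs-only exclusion.

# Apply the saved plan from `plan`.
create:
  stage: deploy-tf
  extends: .global
  environment:
    name: production
  dependencies:
    # Fetches plan.cache.
    - plan
  script:
    # Applying a saved plan never prompts, so -auto-approve is not needed, and
    # Terraform refuses to apply if the state changed since the plan was made.
    - terraform apply plan.cache
  rules:
    # NOTE(review): job-level `rules` replace the `.global` rules entirely, so
    # the docs-only exclusion does not apply here. Rules are also evaluated
    # when the pipeline is created, before before_script exports
    # TF_VAR_subnet, so this condition only sees a TF_VAR_subnet defined as a
    # CI/CD variable — confirm that is where it comes from.
    - if: '$TF_VAR_subnet != ""'
      when: on_success
    - when: never
  artifacts:
    paths:
      # Consumed by `destroy` (initialised working directory) and
      # `run-playbooks` (inventory, presumably written by the apply).
      - ${TF_ROOT}/.terraform
      - ${TF_ROOT}/hosts.ini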
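# Ansible section here
# Configure the hosts created by `create` using the inventory it produced.
run-playbooks:
  stage: ansible
  extends: .global
  environment:
    name: production
  dependencies:
    # Fetches hosts.ini from the `create` artifacts.
    - create
  script:
    - cd ${CI_PROJECT_DIR}/ansible
    # ANSIBLE_VAULT_PASSWORD is expected to be a masked (and protected) CI/CD
    # variable. Write it owner-only (umask scoped to the subshell) via printf
    # with a quoted expansion, so the value is neither word-split/globbed nor
    # interpreted by `echo`.
    - (umask 077 && printf '%s\n' "${ANSIBLE_VAULT_PASSWORD}" > "${CI_PROJECT_DIR}/ansible/.vault-password")
    - ansible-galaxy install -r requirements.yaml
    - ansible-galaxy collection install -r requirements.yaml
    - ansible-playbook -i ${TF_ROOT}/hosts.ini --vault-password-file ./.vault-password playbook.yaml
  after_script:
    # The `shell` runner tag suggests a shell executor, whose build directory
    # persists between jobs; remove the password file whether or not the
    # playbook succeeded so it does not linger on the runner.
    - rm -f "${CI_PROJECT_DIR}/ansible/.vault-password"
  rules:
    # NOTE(review): job-level `rules` replace the `.global` rules (no docs-only
    # exclusion here), and TF_VAR_subnet must be a CI/CD variable to be
    # visible at pipeline creation — confirm.
    - if: '$TF_VAR_subnet != ""'
      when: on_success
    - when: never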
# Manual tear-down for non-prod branches.
destroy:
  stage: destroy-tf
  extends: .global
  environment:
    name: production
  dependencies:
    # Fetches the initialised `.terraform/` directory from `create`.
    - create
  script:
    - terraform destroy -auto-approve
  rules:
    # Never offered on prod; elsewhere a manual action, and only when a subnet
    # was assigned. Job-level rules replace the `.global` rules, so the
    # docs-only exclusion is not in effect here, and TF_VAR_subnet must be a
    # CI/CD variable to be visible at pipeline creation — confirm.
    - if: '$CI_COMMIT_BRANCH == "prod"'
      when: never
    - if: '$TF_VAR_subnet != "" && $CI_COMMIT_BRANCH != "prod"'
      when: manual
    - when: never
  artifacts:
    paths:
      # NOTE(review): no job depends on `destroy`, so this artifact has no
      # consumer in this file. `.terraform/` also records the backend
      # configuration; should backend credentials ever be passed via
      # -backend-config rather than environment variables, they would be
      # uploaded with it — confirm before keeping this.
      - "${TF_ROOT}/.terraform"