|
| 1 | +--- |
| 2 | +layout: default |
| 3 | +title: CircleCI |
| 4 | +nav_order: 1 |
| 5 | +has_children: false |
| 6 | +parent: Using in CI/CD |
| 7 | +--- |
| 8 | + |
| 9 | +# CircleCI |
| 10 | + |
| 11 | +For this example, we are using the following Orbs to illustrate how you might implement Terraform Compliance into your |
| 12 | +CI/CD pipeline. |
| 13 | + |
| 14 | +- [circleci/terraform](https://circleci.com/developer/orbs/orb/circleci/terraform) |
| 15 | +- [circleci/python](https://circleci.com/developer/orbs/orb/circleci/python) |
| 16 | + |
| 17 | +## Workflow |
| 18 | + |
| 19 | +We have set up our pipeline to follow this basic workflow: |
| 20 | + |
| 21 | +1. `terraform validate`: Using the Job provided by the Terraform Orb |
| 22 | +2. `terraform plan`: Using a custom Job, we will use the `plan` command that is provided by the Terraform Orb, but we'll also export that plan to json for `terraform-compliance` to access |
| 23 | +3. `terraform-compliance`: Using the Python Orb and Pip to install requirements |
| 24 | +4. `terraform apply`: Using the Job provided by the Terraform Orb, and only run on the `main` branch |
| 25 | + |
| 26 | +## Setup |
| 27 | + |
| 28 | +You will need to add a `requirements.txt` to your project. You can rename this file to anything you would like, but |
| 29 | +be sure to update the name in your `.circleci/config.yml`. |
| 30 | + |
| 31 | +Following [Pip requirements format](https://pip.pypa.io/en/stable/reference/requirements-file-format/). You can specify |
| 32 | +any level of requirement that you desire for `terraform-compliance`. |
| 33 | + |
| 34 | +`requirements.txt`: |
| 35 | + |
| 36 | +``` |
| 37 | +terraform-compliance >= 1.3.0 |
| 38 | +``` |
| 39 | + |
| 40 | +Below is an example of the workflow described above. |
| 41 | + |
| 42 | +`.circleci/config.yml`: |
| 43 | + |
| 44 | +```yaml |
| 45 | +version: '2.1' |
| 46 | + |
| 47 | +orbs: |
| 48 | + # Orb used for all of our Terraform related commands/jobs |
| 49 | + # https://circleci.com/developer/orbs/orb/circleci/terraform for available versions |
| 50 | + terraform: circleci/terraform@3.2.1 |
| 51 | + # Orb used for installing and running Terraform Compliance |
| 52 | + # https://circleci.com/developer/orbs/orb/circleci/python for available versions |
| 53 | + python: circleci/python@2.1.1 |
| 54 | + |
| 55 | +parameters: |
| 56 | + terraform-tag: |
| 57 | + type: string |
| 58 | + description: Specify the Terraform Docker image tag for the executor |
| 59 | + # https://hub.docker.com/r/hashicorp/terraform/tags for available versions |
| 60 | + # If you also run Terraform locally, then you should use the same version here |
| 61 | + default: 1.5.7 |
| 62 | + workspace-root: |
| 63 | + type: string |
| 64 | + description: Path of the workspace to persist to relative to workspace-root |
| 65 | + # Can be updated if you desire. The default specified here matches the default used by the CircleCI's Terraform Orb |
| 66 | + default: . |
| 67 | + workspace-path: |
| 68 | + type: string |
| 69 | + description: Workspace root path that is either an absolute path or a path relative to the working directory |
| 70 | + # Can be updated if you desire. The default specified here matches the default used by the CircleCI's Terraform Orb |
| 71 | + default: . |
| 72 | + |
| 73 | +executors: |
| 74 | + # This default executor is used for our custom job that needs to run Terraform |
| 75 | + default: |
| 76 | + docker: |
| 77 | + # Our default executor should match the tag that the Terraform Orb will use |
| 78 | + - image: hashicorp/terraform:<< pipeline.parameters.terraform-tag >> |
| 79 | + |
| 80 | +jobs: |
| 81 | + terraform_plan: |
| 82 | + executor: default |
| 83 | + steps: |
| 84 | + - checkout |
| 85 | + # Invoke the terraform/plan command that is provided by the Terraform Orb |
| 86 | + - terraform/plan: |
| 87 | + # And also output that plan |
| 88 | + out: plan.out |
| 89 | + # Convert our plan to JSON so that terraform-compliance can run without the use of Terraform |
| 90 | + - run: |
| 91 | + command: terraform show -json plan.out > plan.out.json |
| 92 | + name: Convert Terraform plan to JSON |
| 93 | + # Persist our workspace so that plan.out.json is available to terraform-compliance |
| 94 | + - persist_to_workspace: |
| 95 | + paths: |
| 96 | + - << pipeline.parameters.workspace-path >> |
| 97 | + root: << pipeline.parameters.workspace-root >> |
| 98 | + |
| 99 | + terraform_compliance: |
| 100 | + executor: python/default |
| 101 | + steps: |
| 102 | + # Attach the workspace so that we have access to plan.out.json from terraform_plan |
| 103 | + - attach_workspace: |
| 104 | + at: << pipeline.parameters.workspace-root >> |
| 105 | + - python/install-packages: |
| 106 | + # Update requirements.txt to match the location of your requirements file. This is currently referencing a |
| 107 | + # file in the root of your project |
| 108 | + pip-dependency-file: requirements.txt |
| 109 | + pkg-manager: pip |
| 110 | + - run: |
| 111 | + command: terraform-compliance -f features -p plan.out.json |
| 112 | + name: Terraform Compliance |
| 113 | + |
| 114 | +workflows: |
| 115 | + deploy_infra: |
| 116 | + jobs: |
| 117 | + # Use the standard validate job that is provided by the CircleCI Orb |
| 118 | + - terraform/validate: |
| 119 | + checkout: true |
| 120 | + # Make sure the CircleCI Orb uses the same version of Terraform as our default executor |
| 121 | + tag: << pipeline.parameters.terraform-tag >> |
| 122 | + |
| 123 | + # For terraform plan we'll use a custom job so that we can run additional commands |
| 124 | + - terraform_plan: |
| 125 | + requires: |
| 126 | + - terraform/validate |
| 127 | + |
| 128 | + # For terraform-compliance we'll use another custom job, and this will also be using our Python executor |
| 129 | + - terraform_compliance: |
| 130 | + requires: |
| 131 | + - terraform_plan |
| 132 | + |
| 133 | + # Use the standard apply job that is provided by the CircleCI Orb |
| 134 | + - terraform/apply: |
| 135 | + attach-workspace: true |
| 136 | + # Make sure the CircleCI Orb uses the same version of Terraform as our default executor |
| 137 | + tag: << pipeline.parameters.terraform-tag >> |
| 138 | + # Update your filters as you require. One provided here as an example |
| 139 | + filters: |
| 140 | + branches: |
| 141 | + only: main |
| 142 | + requires: |
| 143 | + - terraform_compliance |
| 144 | + |
| 145 | +``` |
| 146 | + |
| 147 | +Not provided above is the authentication method for AWS. |
| 148 | + |
| 149 | +CircleCI provides authentication through [OpenID Connect](https://circleci.com/blog/openid-connect-identity-tokens/) as |
| 150 | +well as through AWS user Access Keys. |