An application for performing Terraform operations on targeted git repositories.
Terraform Repo executor takes input from a corresponding Qontract Reconcile integration and uses that input to manage the lifecycle of a repository of raw HCL/Terraform definitions through App Interface.
Required:

- `VAULT_ADDR` - HTTP address of the Vault instance to retrieve/write secrets to
- `VAULT_ROLE_ID` - used for AppRole auth
- `VAULT_SECRET_ID` - used for AppRole auth

Optional:

- `CONFIG_FILE` - input/config file location, defaults to `/config.yaml`
- `WORKDIR` - working directory for tf operations, defaults to `/tf-repo`
- `VAULT_TF_KV_VERSION` - defaults to `KV_V2`. Specifies which version of the Vault `kv` secrets engine to use for reading/writing secrets
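The following is an added example, not the executor's own code, showing how the variables above fit together: the required/optional variables are resolved with the documented defaults, the AppRole login request is built from `VAULT_ROLE_ID`/`VAULT_SECRET_ID`, and a secret path is translated into the Vault HTTP API path for whichever `kv` engine version `VAULT_TF_KV_VERSION` selects. Two things are assumptions not stated on the page: that the first segment of a secret path is the KV mount point, and that Vault's standard API layout applies (`/v1/<mount>/data/<path>` for KV v2, `/v1/<mount>/<path>` for KV v1).

```python
"""Added example (not the executor's own code): resolve executor settings,
build the AppRole login request, and map secret paths to Vault KV v1/v2 API
paths. Assumes the first path segment is the KV mount (not stated on the page).
"""
import json
import os
from typing import Mapping
from urllib.parse import urlencode

REQUIRED = ("VAULT_ADDR", "VAULT_ROLE_ID", "VAULT_SECRET_ID")
DEFAULTS = {
    "CONFIG_FILE": "/config.yaml",
    "WORKDIR": "/tf-repo",
    "VAULT_TF_KV_VERSION": "KV_V2",
}


def load_settings(env: Mapping[str, str] = os.environ) -> dict:
    """Collect settings from env; fail early and name every missing required
    variable instead of discovering them one at a time at runtime."""
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise EnvironmentError("missing required variables: " + ", ".join(missing))
    settings = {k: env[k] for k in REQUIRED}
    for k, default in DEFAULTS.items():
        settings[k] = env.get(k) or default
    if settings["VAULT_TF_KV_VERSION"] not in ("KV_V1", "KV_V2"):
        raise ValueError("VAULT_TF_KV_VERSION must be KV_V1 or KV_V2")
    return settings


def approle_login_request(settings: dict) -> tuple:
    """Return (url, json_body) for the AppRole login. Role and secret IDs travel
    in the POST body, so they never end up in a URL or an access log."""
    url = settings["VAULT_ADDR"].rstrip("/") + "/v1/auth/approle/login"
    body = json.dumps({"role_id": settings["VAULT_ROLE_ID"],
                       "secret_id": settings["VAULT_SECRET_ID"]})
    return url, body


def _split_mount(secret_path: str, kv_version: str) -> tuple:
    """Split '<mount>/<path>' (assumed layout). For KV v2, reject a path that
    already carries the 'data' segment: it is inserted below, so keeping it
    would resolve to <mount>/data/data/<path>, the mistake the page warns about."""
    mount, _, rest = secret_path.strip("/").partition("/")
    if not mount or not rest:
        raise ValueError(f"secret path must be <mount>/<path>: {secret_path!r}")
    if kv_version == "KV_V2" and rest.startswith("data/"):
        raise ValueError(f"do not include the KV v2 'data' segment: {secret_path!r}")
    return mount, rest


def kv_read_path(secret_path: str, kv_version: str, version=None) -> str:
    """API path for reading a secret. Only KV v2 understands ?version=N; for
    KV v1 the version is ignored, as the page states."""
    mount, rest = _split_mount(secret_path, kv_version)
    if kv_version == "KV_V2":
        path = f"/v1/{mount}/data/{rest}"
        if version is not None:
            path += "?" + urlencode({"version": version})
        return path
    return f"/v1/{mount}/{rest}"


def kv_write_request(secret_path: str, kv_version: str, payload: dict) -> tuple:
    """API path and body for writing outputs. KV v2 expects the key/value pairs
    wrapped in a 'data' object; KV v1 takes them at the top level."""
    mount, rest = _split_mount(secret_path, kv_version)
    if kv_version == "KV_V2":
        return f"/v1/{mount}/data/{rest}", {"data": payload}
    return f"/v1/{mount}/{rest}", payload


if __name__ == "__main__":
    # Constructed values; nothing here contacts a real Vault.
    s = load_settings({"VAULT_ADDR": "https://vault.example.com:8200",
                       "VAULT_ROLE_ID": "role-id-placeholder",
                       "VAULT_SECRET_ID": "secret-id-placeholder"})
    print(approle_login_request(s)[0])
    print(kv_read_path("terraform/creds/prod-account", s["VAULT_TF_KV_VERSION"], 4))
    print(kv_write_request("terraform/outputs/foo-foo", "KV_V1", {"vpc_id": "vpc-placeholder"}))
```

The `data` guard is deliberately only applied for `KV_V2`: under KV v1 there is no hidden segment, so a secret literally named `data` is a valid path there.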
The application processes the yaml/json defined at `CONFIG_FILE` to determine its targets. The schema for this file is defined in Qontract Reconcile (QR).
- `dry_run`: boolean - if `true`, the application executes `terraform plan`; if `false`, the application executes `terraform apply`.
- `repos`: list(Repo) - a list of tf-repo targets. The attributes below comprise a tf-repo object:
  - `repository`: string - URL of the Git repository
  - `name`: string - custom name for the repository, used as an identifier throughout the application
  - `ref`: string - commit sha in the repository to be targeted
  - `project_path`: string - Terraform Git repositories can include multiple Terraform root modules in one repo, so this path defines where the provider and other required files for this repo are located
  - `delete`: boolean - if `true`, the application will execute the Terraform action with the `destroy` flag set
  - `require_fips`: boolean - if `true`, the executor will validate the generated plan to ensure that AWS is using FIPS endpoints
  - `bucket`: string - optional S3 bucket name to store Terraform state in. If not specified, the executor will try to extract this from the `aws_creds` Vault secret
  - `bucket_path`: string - optional path of where to store specific Terraform state files in `bucket`
  - `region`: string - optional AWS region where the `bucket` is stored
  - `tf_version`: string - required, determines which tf binary to run; the full enumeration is in the schemas
  - `aws_creds`: AWSCreds - reference to a Vault secret including credentials for accessing the S3 state backend for Terraform. Attributes defined below:
    - `path`: string - path to the secret in Vault. For KV v2, do not include the hidden `data` path segment
    - `version`: integer - for the KV v2 engine, defines which version of the secret to read; ignored for KV v1 engines as they don't have a concept of secret versioning
  - `variables`: Variables - optionally defines Vault paths to read inputs from and write outputs to
    - `inputs`: Inputs
      - `path`: string - path in Vault to read from
      - `version`: integer - which version of the secret to read (ignored for KV v1 Vault)
    - `outputs`: Outputs
      - `path`: string - path in Vault to write to
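As an added example (not code from the executor or from Qontract Reconcile), the script below parses a `CONFIG_FILE` document, checks it against the schema described above before any terraform command would be run, and derives the terraform subcommand and flags that `dry_run`/`delete` select. It uses the standard library's JSON parser only, since the page says the file may be yaml or json and JSON is a subset of YAML; for a YAML file, `yaml.safe_load` from PyYAML would take the place of `json.loads`. The sample document is constructed for this example and mirrors the layout of the page's own example; treating `delete` as optional (defaulting to `false`) is this example's assumption.

```python
"""Added example, not the executor's own code: validate a CONFIG_FILE document
against the schema above and derive the terraform action per repo.
Sample document below is constructed for this example (no real infrastructure).
"""
import json
import re

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

SAMPLE_CONFIG = """
{
  "dry_run": true,
  "repos": [
    {
      "repository": "https://gitlab.example.com/some-group/project_a",
      "name": "foo-foo",
      "ref": "d82b3cb292d91ec2eb26fc282d751555088819f3",
      "project_path": "prod/networking",
      "delete": false,
      "require_fips": true,
      "tf_version": "1.5.7",
      "aws_creds": {"path": "terraform/creds/prod-account", "version": 4},
      "variables": {
        "inputs": {"path": "terraform/inputs/foo-foo"},
        "outputs": {"path": "terraform/outputs/foo-foo"}
      }
    }
  ]
}
"""


def _check_type(errors, obj, key, typ, where, required=True):
    """Record an error if key is missing (when required) or mistyped; return the value."""
    if key not in obj:
        if required:
            errors.append(f"{where}: missing required field '{key}'")
        return None
    value = obj[key]
    # bool is a subclass of int in Python, so reject true/false where an int is expected
    if not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
        errors.append(f"{where}: '{key}' must be {typ.__name__}")
        return None
    return value


def _check_secret_ref(errors, ref, where, with_version):
    """Validate a {path, version?} Vault reference (aws_creds, inputs, outputs)."""
    if not isinstance(ref, dict):
        errors.append(f"{where}: must be an object with a 'path'")
        return
    path = _check_type(errors, ref, "path", str, where)
    # The page says not to include the hidden KV v2 'data' segment; a path that
    # carries it after the mount would resolve to <mount>/data/data/... .
    if path and path.split("/")[1:2] == ["data"]:
        errors.append(f"{where}: 'path' must not include the KV v2 'data' segment")
    if with_version:
        _check_type(errors, ref, "version", int, where, required=False)


def validate_config(cfg: dict) -> list:
    """Return every schema violation found; an empty list means the config is usable."""
    errors = []
    _check_type(errors, cfg, "dry_run", bool, "config")
    repos = _check_type(errors, cfg, "repos", list, "config")
    for i, repo in enumerate(repos or []):
        if not isinstance(repo, dict):
            errors.append(f"repos[{i}]: must be an object")
            continue
        where = f"repos[{i}] ({repo.get('name', '?')})"
        for key in ("repository", "name", "project_path", "tf_version"):
            _check_type(errors, repo, key, str, where)
        ref = _check_type(errors, repo, "ref", str, where)
        if ref is not None and not SHA1_RE.match(ref):
            errors.append(f"{where}: 'ref' must be a full 40-hex commit sha")
        _check_type(errors, repo, "delete", bool, where, required=False)  # assumed optional
        _check_type(errors, repo, "require_fips", bool, where, required=False)
        for key in ("bucket", "bucket_path", "region"):
            _check_type(errors, repo, key, str, where, required=False)
        creds = _check_type(errors, repo, "aws_creds", dict, where)
        if creds is not None:
            _check_secret_ref(errors, creds, f"{where}.aws_creds", with_version=True)
        variables = _check_type(errors, repo, "variables", dict, where, required=False)
        if variables:
            if "inputs" in variables:
                _check_secret_ref(errors, variables["inputs"], f"{where}.variables.inputs", True)
            if "outputs" in variables:
                _check_secret_ref(errors, variables["outputs"], f"{where}.variables.outputs", False)
    return errors


def terraform_action(cfg: dict, repo: dict) -> list:
    """Map dry_run/delete to the terraform subcommand and flags described above."""
    args = ["terraform", "plan" if cfg["dry_run"] else "apply"]
    if repo.get("delete"):
        args.append("-destroy")
    return args


def load_config(text: str) -> dict:
    """Parse the document; swap in yaml.safe_load for a YAML CONFIG_FILE."""
    return json.loads(text)


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for problem in validate_config(cfg):
        print("invalid:", problem)
    for repo in cfg["repos"]:
        print(repo["name"], "->", " ".join(terraform_action(cfg, repo)))
```

Running the validator before touching the work directory keeps a malformed or hand-edited config from reaching `terraform apply`: a branch name in `ref` instead of a pinned sha, or a doubled `data` segment in a KV v2 path, is reported up front rather than as a failed run.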
Note that this file is auto generated by the Qontract Reconcile integration.
```yaml
dry_run: true
repos:
  - repository: https://gitlab.myinstance.com/some-gl-group/project_a
    name: foo-foo
    ref: d82b3cb292d91ec2eb26fc282d751555088819f3
    project_path: prod/networking
    delete: false
    tf_version: "1.5.7"
    aws_creds:
      path: terraform/creds/prod-acount
      version: 4
    variables:
      inputs:
        path: terraform/inputs/foo-foo
      outputs:
        path: terraform/outputs/foo-foo
  - repository: https://gitlab.myinstance.com/another-gl-group/project_b
    name: bar-bar
    ref: 47ef09135da2d158ede78dbbe8c59de1775a274c
    project_path: stage/rds
    delete: false
    tf_version: "1.5.7"
    aws_creds:
      path: terraform/creds/stage-account
      version: 1
    bucket: bar-bar-backend
    bucket_path: bar
    region: us-east-1
```