@dstecholution
Created June 30, 2022 16:23
Gist dstecholution/eaa51810bc343f813b575bd1dcda954c
---
# Cloud Build pipeline (assumed filename: cloudbuild.yaml). For the branch being
# built it runs terraform init/validate/plan in environments/<branch>, renders the
# saved plan as JSON, then gates on Snyk IaC, Infracost and an OPA policy. The
# apply step stays commented out, so the pipeline is plan-and-check only.
options:
  dynamic_substitutions: true
availableSecrets:
  secretManager:
    - versionName: projects/$PROJECT_ID/secrets/secret-admin-token/versions/latest
      env: 'ADMIN_TOKEN'
    - versionName: projects/$PROJECT_ID/secrets/secrets-admin-user/versions/latest
      env: 'ADMIN_USER'
    - versionName: projects/$PROJECT_ID/secrets/secret-source-token/versions/latest
      env: 'SOURCE_TOKEN'
substitutions:
  # Substitution values are visible in the build's metadata; keep the real key in
  # Secret Manager and expose it through availableSecrets/secretEnv like the
  # tokens above.
  _SNYK_API_KEY: ''
steps:
  - id: 'branch name'
    name: 'alpine'
    entrypoint: 'sh'
    args:
      - '-c'
      - echo -ne "*********************\n$BRANCH_NAME\n*********************\n"
  - id: 'IaC init'
    name: 'hashicorp/terraform:latest'
    entrypoint: 'sh'
    args:
      - '-c'
      - |
        echo "[ INFO ] Init at environment '$BRANCH_NAME'."
        find environments -maxdepth 1 -type d -name "$BRANCH_NAME" \
          | xargs -I{} terraform -chdir={} init -upgrade \
          || exit 1
  - id: 'IaC validate'
    name: 'hashicorp/terraform:latest'
    entrypoint: 'sh'
    args:
      - '-c'
      - |
        echo "[ INFO ] Validate at environment '$BRANCH_NAME'."
        find environments -maxdepth 1 -type d -name "$BRANCH_NAME" \
          | xargs -I{} terraform -chdir={} validate \
          || exit 1
  - id: 'IaC plan'
    name: 'hashicorp/terraform:latest'
    entrypoint: 'sh'
    # The 'assets' volume is shared by every step that mounts it, so the plan
    # written here is readable by the report, scan and policy steps below.
    volumes:
      - name: 'assets'
        path: '/assets'
    env:
      - "ASSET=/assets/${BRANCH_NAME}_plan"
    secretEnv:
      - 'ADMIN_TOKEN'
      - 'ADMIN_USER'
      - 'SOURCE_TOKEN'
    args:
      - '-c'
      - |
        echo "[ INFO ] Plan at environment '$BRANCH_NAME'."
        find environments -maxdepth 1 -type d -name "$BRANCH_NAME" \
          | xargs -I{} terraform -chdir={} plan -out=$${ASSET}.bin \
          || exit 1
  - id: 'IaC report'
    name: 'hashicorp/terraform:latest'
    entrypoint: 'sh'
    volumes:
      - name: 'assets'
        path: '/assets'
    env:
      - "ASSET=/assets/${BRANCH_NAME}_plan"
    args:
      - '-c'
      - |
        # show needs the initialised module (provider schemas) to decode the
        # saved plan, so run it from the same directory. Only stdout goes to the
        # JSON file; stderr stays in the build log so a warning cannot corrupt
        # the input of the scanners below.
        terraform -chdir=environments/$BRANCH_NAME show -json $${ASSET}.bin \
          > $${ASSET}.json || exit 1
  # The three images below run their own CLI as entrypoint, not a shell, so a
  # $${ASSET} reference in args would be passed literally. The plan JSON path is
  # therefore spelled out with Cloud Build's own ${BRANCH_NAME} substitution.
  - id: 'Quality Check'
    name: 'snyk/snyk-cli:1.927.0-docker'
    env:
      - 'SNYK_TOKEN=${_SNYK_API_KEY}'
    volumes:
      - name: 'assets'
        path: '/assets'
    args:
      - 'iac'
      - 'test'
      - '/assets/${BRANCH_NAME}_plan.json'
  - id: 'Deployment costs'
    name: 'infracost/infracost:ci-latest'
    volumes:
      - name: 'assets'
        path: '/assets'
    # infracost needs INFRACOST_API_KEY in its environment; wire it in through
    # availableSecrets/secretEnv rather than a substitution.
    args:
      - 'breakdown'
      - '--path'
      - '/assets/${BRANCH_NAME}_plan.json'
  - id: 'Policy check'
    name: 'openpolicyagent/opa:latest'
    volumes:
      - name: 'assets'
        path: '/assets'
    # The entrypoint of this image is already `opa`, so the arguments are passed
    # as a list. --fail-defined fails the step as soon as data.main.deny[x]
    # yields any value, i.e. whenever a Rego rule under policy/ denies the plan.
    args:
      - 'eval'
      - '--fail-defined'
      - '--format'
      - 'pretty'
      - '--data'
      - 'policy/'
      - '--input'
      - '/assets/${BRANCH_NAME}_plan.json'
      - 'data.main.deny[x]'
  # Applying a saved plan does not prompt for confirmation, so gate it on the
  # steps above before enabling it. -chdir points terraform at the initialised
  # module for the branch.
  # - id: 'IaC apply'
  #   name: 'hashicorp/terraform:latest'
  #   volumes:
  #     - name: 'assets'
  #       path: '/assets'
  #   args:
  #     - '-chdir=environments/${BRANCH_NAME}'
  #     - 'apply'
  #     - '/assets/${BRANCH_NAME}_plan.bin'
...
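The Policy check step evaluates `data.main.deny[x]` against whatever Rego lives under `policy/`, but the gist does not include those policies. The file below is an added example of what `policy/main.rego` could contain; it is not part of the gist or of any project the gist belongs to. The three rules (no IAM grant to allUsers/allAuthenticatedUsers, uniform bucket-level access on every bucket, no external IP on VM instances) are hypothetical choices that read the `resource_changes` schema produced by `terraform show -json`. It uses `import rego.v1` syntax, which works on OPA 0.59 and later, including the 1.x releases behind the `latest` tag. The `test_` rules at the end use hand-constructed plan fragments, not real Terraform output, so the policy can be checked offline with `opa test policy/`.

```rego
package main

import rego.v1

# Resource changes the plan will actually create or update. Deletions and
# no-ops are skipped so the policy never blocks tearing down a bad resource.
changed contains rc if {
	some rc in input.resource_changes
	some action in rc.change.actions
	action in {"create", "update"}
}

# *_iam_member resources carry a single "member"; *_iam_binding resources carry
# a "members" list. Normalise both to a set of principals.
principals(after) := {after.member} if {
	after.member
} else := {m | some m in after.members}

# Rule 1 (hypothetical): no IAM grant to the anonymous or all-authenticated
# principals on any google_*_iam_member / google_*_iam_binding resource.
deny contains msg if {
	some rc in changed
	regex.match(`_iam_(member|binding)$`, rc.type)
	some p in principals(rc.change.after)
	p in {"allUsers", "allAuthenticatedUsers"}
	msg := sprintf("%s grants %s to %s", [rc.address, rc.change.after.role, p])
}

# Rule 2 (hypothetical): buckets must enforce uniform bucket-level access, which
# disables per-object ACLs. Unset (null) or false both fail.
deny contains msg if {
	some rc in changed
	rc.type == "google_storage_bucket"
	not rc.change.after.uniform_bucket_level_access
	msg := sprintf("%s must set uniform_bucket_level_access = true", [rc.address])
}

# Rule 3 (hypothetical): no VM instance gets an external IP, i.e. no
# access_config block on any network interface.
deny contains msg if {
	some rc in changed
	rc.type == "google_compute_instance"
	some nic in rc.change.after.network_interface
	count(nic.access_config) > 0
	msg := sprintf("%s attaches an external IP via access_config", [rc.address])
}

# Constructed plan fragments (hand-written, not real terraform show output).
test_public_iam_member_denied if {
	plan := {"resource_changes": [{
		"address": "google_storage_bucket_iam_member.public",
		"type": "google_storage_bucket_iam_member",
		"change": {"actions": ["create"], "after": {"role": "roles/storage.objectViewer", "member": "allUsers"}}
	}]}
	deny["google_storage_bucket_iam_member.public grants roles/storage.objectViewer to allUsers"] with input as plan
}

test_binding_members_denied if {
	plan := {"resource_changes": [{
		"address": "google_project_iam_binding.viewers",
		"type": "google_project_iam_binding",
		"change": {"actions": ["update"], "after": {"role": "roles/viewer", "members": ["user:alice@example.com", "allAuthenticatedUsers"]}}
	}]}
	deny["google_project_iam_binding.viewers grants roles/viewer to allAuthenticatedUsers"] with input as plan
}

test_delete_is_ignored if {
	plan := {"resource_changes": [{
		"address": "google_storage_bucket_iam_binding.old",
		"type": "google_storage_bucket_iam_binding",
		"change": {"actions": ["delete"], "before": {"role": "roles/storage.admin", "members": ["allUsers"]}, "after": null}
	}]}
	count(deny) == 0 with input as plan
}

test_private_instance_and_uniform_bucket_pass if {
	plan := {"resource_changes": [
		{"address": "google_compute_instance.vm", "type": "google_compute_instance",
			"change": {"actions": ["create"], "after": {"network_interface": [{"network": "default", "access_config": []}]}}},
		{"address": "google_storage_bucket.logs", "type": "google_storage_bucket",
			"change": {"actions": ["update"], "after": {"uniform_bucket_level_access": true}}}
	]}
	count(deny) == 0 with input as plan
}

test_external_ip_and_acl_bucket_denied if {
	plan := {"resource_changes": [
		{"address": "google_compute_instance.bastion", "type": "google_compute_instance",
			"change": {"actions": ["create"], "after": {"network_interface": [{"network": "default", "access_config": [{"nat_ip": null}]}]}}},
		{"address": "google_storage_bucket.legacy", "type": "google_storage_bucket",
			"change": {"actions": ["create"], "after": {"uniform_bucket_level_access": false}}}
	]}
	count(deny) == 2 with input as plan
}
```

Because the pipeline queries `data.main.deny[x]` with `--fail-defined`, the build fails as soon as any of these rules produces a message, and `--format pretty` prints the offending resource addresses in the step log. Keeping the tests in the same package means `opa test policy/` can run as an earlier Cloud Build step, so a broken policy is caught before it silently lets a plan through.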