orbies/[email protected]
Terraform orb for init, validate, format, lint and apply code.
Created: February 12, 2020
Version Published: December 3, 2021
Releases: 37
Org Usage: < 25

Orb Quick Start Guide

  1. Use CircleCI version 2.1 at the top of your .circleci/config.yml file.

    version: 2.1

  2. Add the orbs stanza below your version, invoking the orb:

    orbs:
      terraform: orbies/[email protected]

  3. Use terraform elements in your existing workflows and jobs.

  4. Opt-in to use of uncertified orbs on your organization’s Security settings page.
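
The four steps above, combined into one `.circleci/config.yml` that chains the orb's jobs. This is an added example, not part of the orb's documentation: the orb reference is a placeholder, and the context name, variable names and directory paths are assumptions.

```yaml
version: 2.1

orbs:
  # Placeholder reference: substitute the orb name and the exact version you reviewed.
  terraform: orbies/<orb-name>@<version>

workflows:
  terraform-staging:
    jobs:
      - terraform/validate:
          context: aws-terraform-staging       # hypothetical context holding the TF_AWS_* variables
          working_directory: ~/project
          environment: environments/staging    # assumed directory containing the .tf files
          # Passed as shell references, not literal keys: the orb pastes these strings into
          # `echo "export AWS_ACCESS_KEY_ID=..." >> $BASH_ENV`, so they expand at run time
          # and the compiled config never contains the secret itself.
          access_key: "${TF_AWS_ACCESS_KEY_ID}"
          secret_access_key: "${TF_AWS_SECRET_ACCESS_KEY}"

      - terraform/lint:
          requires: [terraform/validate]
          # The workspace persisted by validate holds the plan and .terraform data,
          # not the .tf sources, so check the repository out again here.
          checkout: true
          working_directory: ~/project
          environment: environments/staging

      - terraform/checkov:
          requires: [terraform/validate]
          checkout: true
          working_directory: ~/project
          environment: environments/staging

      # Manual gate: nothing is applied until the plan, lint and checkov results are reviewed.
      - approve-apply:
          type: approval
          requires: [terraform/lint, terraform/checkov]

      - terraform/apply:
          requires: [approve-apply]
          context: aws-terraform-staging
          working_directory: ~/project
          environment: environments/staging
          access_key: "${TF_AWS_ACCESS_KEY_ID}"
          secret_access_key: "${TF_AWS_SECRET_ACCESS_KEY}"
```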

Jobs

validate

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| access_key | - | Yes | - | string |
| secret_access_key | - | Yes | - | string |
| environment | - | Yes | - | string |
| aws_region | - | No | eu-west-1 | string |
| working_directory | - | Yes | - | string |
| checkout | - | No | true | boolean |
| attach_workspace | - | No | false | boolean |

lint

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| checkout | - | No | false | boolean |
| environment | - | Yes | - | string |
| working_directory | - | Yes | - | string |
| config_file | - | No | .tflint.hcl | string |

apply

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| access_key | - | Yes | - | string |
| secret_access_key | - | Yes | - | string |
| environment | - | Yes | - | string |
| aws_region | - | No | eu-west-1 | string |
| working_directory | - | Yes | - | string |

checkov

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| checkout | - | No | false | boolean |
| attach_workspace | - | No | false | boolean |
| working_directory | - | Yes | - | string |
| environment | - | Yes | - | string |

Commands

configure-ssh-known-hosts

Adds github to ~/.ssh/known_hosts


validate

Terraform init, validate and fmt.

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| access_key | - | Yes | - | string |
| secret_access_key | - | Yes | - | string |
| environment | - | Yes | - | string |
| aws_region | - | No | eu-west-1 | string |

checkov

Run Checkov static code analysis tool

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| environment | - | Yes | - | string |

lint

Run terraform linter on files

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| environment | - | Yes | - | string |
| working_directory | - | Yes | - | string |
| config_file | - | No | .tflint.hcl | string |

apply

Applies terraform configuration

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| access_key | - | Yes | - | string |
| secret_access_key | - | Yes | - | string |
| environment | - | Yes | - | string |
| aws_region | - | No | eu-west-1 | string |

install-aws-cli

Install aws cli


Executors

tf

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| working-directory | - | No | . | string |

circleci-base-image

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| working-directory | - | No | . | string |

python

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| working-directory | - | No | . | string |

Orb Source

    # This code is licensed from CircleCI to the user under the MIT license.
    # See here for details: https://circleci.com/developer/orbs/licensing
    version: 2.1
    description: |
      Terraform orb for init, validate, format, lint and apply code.

    executors:
      tf:
        docker:
          - image: hashicorp/terraform:0.14.11
        environment:
          TF_IN_AUTOMATION: "true"
        working_directory: << parameters.working-directory >>
        parameters:
          working-directory:
            default: .
            type: string
      circleci-base-image:
        docker:
          - image: cimg/base:2020.08
        working_directory: << parameters.working-directory >>
        parameters:
          working-directory:
            default: .
            type: string
      python:
        docker:
          - image: cimg/python:3.9.6
        working_directory: << parameters.working-directory >>
        parameters:
          working-directory:
            default: .
            type: string

    default_config: &default_config
      parameters: &default_params
        access_key:
          type: string
        secret_access_key:
          type: string
        environment:
          type: string
        aws_region:
          default: "eu-west-1"
          type: string

    conditional_checkout: &conditional_checkout
      when:
        condition:
          equal: [true, << parameters.checkout >>]
        steps:
          - checkout

    conditional_attach_workspace: &conditional_attach_workspace
      when:
        condition:
          equal: [true, << parameters.attach_workspace >>]
        steps:
          - attach_workspace:
              at: .

    add_keys: &add_keys
      run:
        name: Set AWS env vars
        command: |
          echo "export AWS_ACCESS_KEY_ID=<< parameters.access_key >>" >> $BASH_ENV
          echo "export AWS_SECRET_ACCESS_KEY=<< parameters.secret_access_key >>" >> $BASH_ENV
          echo "export AWS_DEFAULT_REGION=<< parameters.aws_region >>" >> $BASH_ENV

    commands:
      configure-ssh-known-hosts:
        description: Adds github to ~/.ssh/known_hosts
        steps:
          - run: mkdir -p ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts

      validate:
        description: Terraform init, validate and fmt.
        <<: *default_config
        steps:
          - *add_keys
          - configure-ssh-known-hosts
          - run:
              name: Terraform initialization
              command: cd "<< parameters.environment >>" && terraform init -input=false
          - run:
              name: Validate terraform configs
              command: find * -type f -name "*.tf" ! -path "*/.terraform" ! -path "*/.terraform/*" ! -path modules/ ! -path "modules/*" -exec dirname {} \; | sort -u | while read directory; do terraform validate; done || exit 1
          - run:
              name: Check if Terraform configurations are properly formatted
              command: if [[ -n "$(terraform fmt -recursive -write=false)" ]]; then echo "Some terraform files need be formatted, run 'terraform fmt' to fix"; exit 1; fi
          - run:
              name: Terraform plan and output the tfplan
              command: cd "<< parameters.environment >>" && terraform plan -input=false -out=tfplan

      checkov:
        description: Run Checkov static code analysis tool
        parameters:
          environment:
            type: string
        steps:
          - run:
              name: install checkov
              command: pip install -Iv checkov==2.0.392
          - run:
              name: Run checkov
              command: cd << parameters.environment >> && checkov -d .

      lint:
        description: Run terraform linter on files
        parameters:
          environment:
            type: string
          working_directory:
            type: string
          config_file:
            type: string
            default: .tflint.hcl
        steps:
          - attach_workspace:
              at: << parameters.working_directory >>
          - run:
              name: Install tflint
              command: curl -L "$(curl -Ls https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" -o tflint.zip && unzip tflint.zip && mkdir -p /home/circleci/.local/bin/ && mv -v tflint /home/circleci/.local/bin/ && rm tflint.zip
          - run:
              name: Run tflint
              command: cd "<< parameters.environment >>" && tflint --module -c << parameters.working_directory >>/<< parameters.config_file >>

      apply:
        description: Applies terraform configuration
        <<: *default_config
        steps:
          - *add_keys
          - run:
              name: Running terraform apply
              command: |
                cd "<< parameters.environment >>" && terraform apply -input=false tfplan

      install-aws-cli:
        description: Install aws cli
        steps:
          - run:
              name: Install aws cli
              command: |
                apk --no-cache add binutils curl
                GLIBC_VER=$(curl -s https://api.github.com/repos/sgerrand/alpine-pkg-glibc/releases/latest | grep tag_name | cut -d : -f 2,3 | tr -d \",' ')
                curl -sL https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub -o /etc/apk/keys/sgerrand.rsa.pub
                curl -sLO https://github.com/sgerrand/alpine-pkg-glibc/releases/download/${GLIBC_VER}/glibc-${GLIBC_VER}.apk
                curl -sLO https://github.com/sgerrand/alpine-pkg-glibc/releases/download/${GLIBC_VER}/glibc-bin-${GLIBC_VER}.apk
                apk add --no-cache glibc-${GLIBC_VER}.apk glibc-bin-${GLIBC_VER}.apk
                curl -sL https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o awscliv2.zip
                unzip awscliv2.zip
                aws/install
                rm -rf awscliv2.zip aws /usr/local/aws-cli/v2/*/dist/aws_completer /usr/local/aws-cli/v2/*/dist/awscli/data/ac.index /usr/local/aws-cli/v2/*/dist/awscli/examples
                apk --no-cache del binutils curl
                rm glibc-${GLIBC_VER}.apk glibc-bin-${GLIBC_VER}.apk
                rm -rf /var/cache/apk/*

    jobs:
      validate:
        executor: tf
        shell: /bin/sh -leo pipefail
        environment:
          - BASH_ENV: /etc/profile
        parameters:
          <<: *default_params
          working_directory:
            type: string
          checkout:
            type: boolean
            default: true
          attach_workspace:
            type: boolean
            default: false
        working_directory: << parameters.working_directory >>
        steps:
          - *conditional_checkout
          - *conditional_attach_workspace
          - run:
              name: Install openssl package
              command: apk add openssl
          - validate:
              access_key: << parameters.access_key >>
              secret_access_key: << parameters.secret_access_key >>
              environment: << parameters.environment >>
          - persist_to_workspace:
              root: << parameters.working_directory >>
              paths:
                << parameters.environment >>/tfplan
                << parameters.environment >>/.terraform/*
                << parameters.environment >>/.terraform.lock.hcl
                .tflint.hcl

      lint:
        executor: circleci-base-image
        parameters:
          checkout:
            type: boolean
            default: false
          environment:
            type: string
          working_directory:
            type: string
          config_file:
            type: string
            default: .tflint.hcl
        working_directory: << parameters.working_directory >>
        steps:
          - *conditional_checkout
          - lint:
              config_file: << parameters.config_file >>
              environment: << parameters.environment >>
              working_directory: << parameters.working_directory >>

      apply:
        executor: tf
        shell: /bin/sh -leo pipefail
        environment:
          - BASH_ENV: /etc/profile
        parameters:
          <<: *default_params
          working_directory:
            type: string
        working_directory: << parameters.working_directory >>
        steps:
          - install-aws-cli
          - attach_workspace:
              at: << parameters.working_directory >>
          - apply:
              access_key: << parameters.access_key >>
              secret_access_key: << parameters.secret_access_key >>
              environment: << parameters.environment >>

      checkov:
        executor: python
        parameters:
          checkout:
            type: boolean
            default: false
          attach_workspace:
            type: boolean
            default: false
          working_directory:
            type: string
          environment:
            type: string
        working_directory: << parameters.working_directory >>
        steps:
          - *conditional_checkout
          - *conditional_attach_workspace
          - attach_workspace:
              at: << parameters.working_directory >>
          - checkov:
              environment: << parameters.environment >>