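#!/usr/bin/env bash
# Pipeline entrypoint: check the Terraform code under a given path with
# terraform-compliance, tfsec and checkov, then plan / apply / destroy it
# against an Azure (azurerm) backend.
#
# Positional arguments (mandatory unless noted):
#    1  path to the Terraform code
#    2  terraform workspace name
#    3  backend storage account resource group
#    4  backend storage account name
#    5  backend blob container name
#    6  backend storage access key           (secret)
#    7  backend state (key) file name
#    8  provider client id
#    9  provider client secret               (secret)
#   10  provider subscription id
#   11  provider tenant id
#   12  terraform-compliance feature path (local or git)
#   13  checkov --skip-check value          (optional)
#   14  run terraform destroy: "true" | "false"
#   15  plan only, no apply:   "true" | "false"
#   16  terraform version for tfenv         (optional, default latest)
#
# Arguments 6 and 9 are secrets that arrive on the command line and are
# therefore visible in the process table; never enable set -x here.
#
# -e: abort on the first failing command; -u: unset variables are errors;
# -o pipefail: a pipeline fails when any stage fails. Spelled -euo (the
# canonical order) so that `-o` unambiguously takes `pipefail` as its argument.
set -euo pipefail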
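#######################################
# Print a message in light cyan on stdout.
# Arguments: $1 - message text, printed verbatim
# Outputs:   coloured message followed by a newline on stdout
# Returns:   0
#######################################
print_success() {
  local -r lightcyan=$'\033[1;36m'
  local -r nocolor=$'\033[0m'
  # %s keeps the message bytes as-is: `echo -e` would interpret backslash
  # sequences inside $1 and its option handling is not portable.
  printf '%s%s%s\n' "${lightcyan}" "$1" "${nocolor}"
}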
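#######################################
# Print a message in light red on stderr and terminate the script.
# Arguments: $1 - message text, printed verbatim
# Outputs:   coloured message followed by a newline on stderr (diagnostics
#            no longer mix with captured stdout)
# Returns:   never; exits the shell with status 1
#######################################
print_error() {
  local -r lightred=$'\033[1;31m'
  local -r nocolor=$'\033[0m'
  printf '%s%s%s\n' "${lightred}" "$1" "${nocolor}" >&2
  exit 1
}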
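#######################################
# Print a message in yellow on stdout.
# Arguments: $1 - message text, printed verbatim
# Outputs:   coloured message followed by a newline on stdout
# Returns:   0
#######################################
print_alert() {
  local -r yellow=$'\033[1;33m'
  local -r nocolor=$'\033[0m'
  # %s keeps the message bytes as-is (no backslash interpretation as with echo -e).
  printf '%s%s%s\n' "${yellow}" "$1" "${nocolor}"
}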
# Tool version banner: each scanner's --version output is wrapped in the
# success colour inside an alert line; terraform-compliance is run directly.
for scanner in checkov tfsec; do
  print_alert "${scanner} version = $(print_success "$("${scanner}" --version)")"
done
print_alert "terraform-compliance version below"
terraform-compliance --version
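# ---------------------------------------------------------------------------
# Map the positional arguments to descriptive names.
# Every argument is expanded as "${N:-}" rather than "${N}": with `set -u`
# a missing argument would otherwise abort with "unbound variable" before
# the friendly error message below is ever printed.
# ---------------------------------------------------------------------------

#######################################
# Assign a required positional argument to a named variable, or exit.
# Arguments: $1 - name of the variable to assign
#            $2 - argument value (may be empty)
#            $3 - message handed to print_error when $2 is empty
# Outputs:   nothing on success; print_error's message otherwise
# Returns:   0 on success; print_error terminates the script otherwise
#######################################
require_arg() {
  local -r var_name=$1
  local -r value=$2
  local -r message=$3
  [[ -n "${value}" ]] || print_error "${message}"
  # printf -v assigns by name without eval and without a subshell.
  printf -v "${var_name}" '%s' "${value}"
}

# 1: path to the Terraform code; the rest of the run happens inside it.
if [[ -n "${1:-}" ]]; then
  terraform_path="${1}"
  cd "${terraform_path}" \
    || print_error "Cannot change directory to ${terraform_path} - Error - LDO_TF_CODE_PATH"
else
  # print_error exits, so the diagnostic tree must be printed before it
  # (chaining `print_error ... && tree .` never reached tree). tree is
  # best-effort: a missing binary must not mask the real error.
  tree . >&2 || true
  print_error "Code path is empty or invalid, check the tree output above and see if it is as you expect - Error - LDO_TF_CODE_PATH"
fi

# 2: workspace name, written to a fresh .terraform/environment (the file in
#    which terraform records the selected workspace).
if [[ -n "${2:-}" ]]; then
  terraform_workspace_name="${2}"
  rm -rf .terraform
  mkdir -p .terraform
  printf '%s' "${terraform_workspace_name}" > .terraform/environment
else
  print_error "Workspace variable appears to be empty or invalid, ensure that you can see - ${2:-} - if you cannot, set your workspace as a plain text chars and try again - Error - LDO_TF_WORKSPACE"
fi

# 3-7: azurerm backend location. 6 is a secret: it arrives on this script's
#      command line and is already visible in the container's process table;
#      never echo it and never enable set -x around it.
require_arg terraform_backend_sa_rg_name "${3:-}" "Variable assignment for backend storage account resource group failed or is invalid, ensure it is correct and try again - Error LDO_TF_BACKEND_SA_RG_NAME"
require_arg terraform_backend_sa_name "${4:-}" "Variable assignment for backend storage account name failed or is invalid, ensure it is correct and try again - Error LDO_TF_BACKEND_SA_NAME"
require_arg terraform_backend_blob_container_name "${5:-}" "Variable assignment for backend storage account blob container failed or is invalid, ensure it is correct and try again - Error LDO_TF_BACKEND_BLOB_CONTAINER_NAME"
require_arg terraform_backend_storage_access_key "${6:-}" "Variable assignment for backend storage access key name has failed or is invalid, ensure it is correct and try again - Error LDO_TF_BACKEND_SA_ACCESS_KEY"
require_arg terraform_backend_state_name "${7:-}" "Variable assignment for backend state name has failed or is invalid, ensure you are providing a canonical statefile name - Error LDO_TF_BACKEND_STATE_NAME"

# 8-11: azurerm provider service principal; 9 is a secret (same caveat as 6).
require_arg terraform_provider_client_id "${8:-}" "Variable assignment for provider client id has failed or is invalid, ensure it is correct and try again - Error LDO_TF_AZURERM_PROVIDER_CLIENT_ID"
require_arg terraform_provider_client_secret "${9:-}" "Variable assignment for provider client secret has failed or is invalid, ensure it is correct and try again - Error LDO_TF_AZURERM_PROVIDER_CLIENT_SECRET"
require_arg terraform_provider_client_subscription_id "${10:-}" "Variable assignment for provider subscription id has failed or is invalid, ensure it is correct and try again - Error LDO_TF_AZURERM_PROVIDER_SUBSCRIPTION_ID"
require_arg terraform_provider_client_tenant_id "${11:-}" "Variable assignment for provider tenant id has failed or is invalid, ensure it is correct and try again - Error LDO_TF_AZURERM_PROVIDER_TENANT_ID"

# 12: terraform-compliance feature path (local or git).
require_arg terraform_compliance_path "${12:-}" "Terraform compliance path is invalid or empty, ensure you are using either a accurate local path or remote git path which the action can access try again - Error LDO_TF_TERRAFORM_COMPLIANCE"

# 13: optional value for checkov --skip-check; empty means nothing is skipped.
checkov_skipped_test="${13:-}"

# 14-15: run-mode flags. Only the literal strings true/false are accepted;
#        any other value is rejected here instead of matching no branch later.
require_arg run_terraform_destroy "${14:-}" "Terraform destroy is empty, it must be either true or false - change this and try again - Error code - LDO_TF_TERRAFORM_DESTROY"
[[ "${run_terraform_destroy}" == "true" || "${run_terraform_destroy}" == "false" ]] \
  || print_error "Terraform destroy must be either true or false, got '${run_terraform_destroy}' - change this and try again - Error code - LDO_TF_TERRAFORM_DESTROY"
require_arg run_terraform_plan_only "${15:-}" "Terraform Plan only is empty, it must be either true or false - change this and try again - Error code - LDO_TF_TERRAFORM_PLAN_ONLY"
[[ "${run_terraform_plan_only}" == "true" || "${run_terraform_plan_only}" == "false" ]] \
  || print_error "Terraform Plan only must be either true or false, got '${run_terraform_plan_only}' - change this and try again - Error code - LDO_TF_TERRAFORM_PLAN_ONLY"

# 16: terraform version for tfenv; empty means latest.
if [[ -n "${16:-}" ]]; then
  terraform_version="${16}"
else
  print_alert "Terraform Version is empty, by default, this pipeline will use the latest if it is set as empty, otherwise, you must specify a canonical type version. Error code - LDO_TF_TERRAFORM_VERSION"
  terraform_version="latest"
fi
# Two separate statements rather than `install && use`: under set -e a
# failing command that is not last in an && list does not abort, so a failed
# install used to be skipped silently and the run continued.
tfenv install "${terraform_version}"
tfenv use "${terraform_version}"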
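# Provider credentials are handed to terraform through the environment.
export ARM_CLIENT_ID="${terraform_provider_client_id}"
export ARM_CLIENT_SECRET="${terraform_provider_client_secret}"
export ARM_SUBSCRIPTION_ID="${terraform_provider_client_subscription_id}"
export ARM_TENANT_ID="${terraform_provider_client_tenant_id}"
# The backend storage access key goes through ARM_ACCESS_KEY (read by the
# azurerm backend) instead of -backend-config="access_key=..." so the secret
# does not sit on the terraform command line, where `ps` and traces show it.
export ARM_ACCESS_KEY="${terraform_backend_storage_access_key}"

#######################################
# Initialise the azurerm backend, select (creating if needed) the workspace
# and validate the configuration.
# Globals:   terraform_backend_sa_rg_name, terraform_backend_sa_name,
#            terraform_backend_blob_container_name, terraform_backend_state_name,
#            terraform_workspace_name (read); ARM_ACCESS_KEY (read by terraform)
# Returns:   0; under set -e any failing step aborts the script
#######################################
terraform_init_backend() {
  terraform init \
    -backend-config="resource_group_name=${terraform_backend_sa_rg_name}" \
    -backend-config="storage_account_name=${terraform_backend_sa_name}" \
    -backend-config="container_name=${terraform_backend_blob_container_name}" \
    -backend-config="key=${terraform_backend_state_name}"
  terraform workspace new "${terraform_workspace_name}" \
    || terraform workspace select "${terraform_workspace_name}"
  terraform validate
}

#######################################
# Write the saved plan pipeline.plan in the working directory.
# Arguments: $@ - extra `terraform plan` flags (e.g. -destroy)
# Returns:   terraform's exit status
#######################################
run_plan() {
  terraform plan "$@" -out pipeline.plan
}

#######################################
# Run terraform-compliance, tfsec and checkov against the saved plan.
# Globals:   terraform_compliance_path, checkov_skipped_test (read)
# Outputs:   pipeline.plan.json next to pipeline.plan. Both files can carry
#            sensitive values from the configuration; do not publish them as
#            build artefacts without review.
# Returns:   0; under set -e the first failing scanner aborts the script
#######################################
run_compliance_scans() {
  print_alert "Running terraform-compliance now..."
  terraform-compliance -p pipeline.plan -f "${terraform_compliance_path}"
  print_alert "Running tfsec now..."
  tfsec
  terraform show -json pipeline.plan > pipeline.plan.json
  print_alert "Running checkov now..."
  local -a checkov_args=(-f pipeline.plan.json)
  # --skip-check is only passed when there is something to skip; the previous
  # code always passed it, with an empty string when unset.
  if [[ -n "${checkov_skipped_test}" ]]; then
    checkov_args+=(--skip-check "${checkov_skipped_test}")
  fi
  checkov "${checkov_args[@]}"
}

# Refuse anything but the literal strings true/false up front: the old
# if/elif chain matched none of its four branches for a value such as "True"
# and then exited 0 without having done anything.
if [[ "${run_terraform_destroy}" != "true" && "${run_terraform_destroy}" != "false" ]]; then
  print_error "Terraform destroy must be either true or false, got '${run_terraform_destroy}' - Error code - LDO_TF_TERRAFORM_DESTROY"
fi
if [[ "${run_terraform_plan_only}" != "true" && "${run_terraform_plan_only}" != "false" ]]; then
  print_error "Terraform Plan only must be either true or false, got '${run_terraform_plan_only}' - Error code - LDO_TF_TERRAFORM_PLAN_ONLY"
fi

terraform_init_backend
if [[ "${run_terraform_destroy}" == "true" ]]; then
  # Destroy plans are not run through the scanners (as before).
  run_plan -destroy
else
  run_plan
  run_compliance_scans
fi

if [[ "${run_terraform_plan_only}" == "false" ]]; then
  if [[ "${run_terraform_destroy}" == "true" ]]; then
    print_alert "Running terraform apply now... Note, this is a terraform destroy run"
  else
    print_alert "Running terraform apply now..."
  fi
  terraform apply -auto-approve pipeline.plan
fi

# Reached only if every step above succeeded (set -e); the former
# `print_success ... || print_error` fallback was unreachable.
print_success "Build ran successfully"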