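# Based on the template at:
# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.gitlab-ci.yml
#
# Pipeline layout: fmt/validate plus two scanners (tfsec, terraform-compliance)
# run in the `validate` stage; build/deploy come from the included base template.
variables:
  # Quoted so YAML keeps this a string rather than turning it into a boolean.
  TF_AUTO_DEPLOY: "true"

include:
  - local: templates/tf/Base.latest.gitlab-ci.yml
  # See https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Terraform/

stages:
  - validate
  - test
  - build
  - deploy
  - configure
  - cleanup

fmt:
  extends: .terraform:fmt
  needs: []  # no upstream job; may start as soon as the pipeline does

validate:
  extends: .terraform:validate
  needs: []

build:
  extends: .terraform:build

deploy:
  extends: .terraform:deploy
  before_script:
    # NOTE(review): this runs in the job's working directory, while the
    # artifacts below are collected from ${TF_ROOT}/generated -- confirm
    # TF_ROOT is that same directory.
    - mkdir generated
  dependencies:
    - build
  environment:
    name: $TF_STATE_NAME
  artifacts:
    name: variables
    paths:
      - ${TF_ROOT}/generated/*

# Static analysis of the Terraform code; any finding fails the pipeline
# (allow_failure: false).
tfsec:
  # NOTE(review): floating image tag -- pin to a version or digest
  # (e.g. aquasec/tfsec:<version>@sha256:<digest>, values to be filled in)
  # so the scanner cannot change underneath the pipeline.
  image: aquasec/tfsec
  stage: validate
  script:
    - cd "${TF_ROOT}"
    - /usr/bin/tfsec
  allow_failure: false

# Doesn't work with modules & moving resources to modules.
#terrascan:
#  image: tenable/terrascan
#  stage: validate
#  script:
#    - terrascan scan -i terraform --iac-version v14 --iac-dir ${TF_ROOT} --non-recursive --skip-rules=AC_AWS_0369

# Policy checks (terraform-compliance) evaluated against a JSON rendering of
# the plan.
check_compliance:
  # NOTE(review): floating image tag -- pin as for tfsec above.
  image: eerkunt/terraform-compliance
  stage: validate
  variables:
    # NOTE(review): assigns the variable to itself; presumably meant to forward
    # a project-level value into this job -- verify it expands as intended.
    TF_STATE_NAME: ${TF_STATE_NAME}
  before_script:
    # Quoted so a secret containing spaces or glob characters is neither
    # word-split nor expanded by the shell.
    - export TF_VAR_common_token_name="$COMMON_REPO_TOKEN_NAME"
    - export TF_VAR_common_token_pass="$COMMON_REPO_TOKEN_PASS"
  script:
    # The job token embedded in the URL ends up in the clone's .git/config;
    # this job exports no artifacts, so the clone stays inside the job.
    - git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@bbpgitlab.epfl.ch/cs/cloud/aws/terraform-compliance
    - ls -la terraform-compliance
    # presumably removes the backend config so the init below runs locally -- confirm
    - rm -f gitlab-config.tf
    - terraform init
    # Human-readable plan output is discarded; only the JSON rendering is kept
    # for the compliance run.
    - terraform plan -out=plan.tfplan > /dev/null && terraform show -json plan.tfplan > plan.json
    - terraform-compliance -f ./terraform-compliance -p ./plan.json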