llvm-premerge-checks/terraform/cloudbuild.yaml

steps:
 - name: gcr.io/cloud-builders/git
   args:
     - '-c'
     - 'git clone ${_GIT_REPO} repo --depth 1'
   entrypoint: bash
 - name: hashicorp/terraform
   args:
     - init
     - '-backend-config=bucket=${_TF_BACKEND_BUCKET}'
     - '-backend-config=prefix=${_TF_BACKEND_PREFIX}'
   dir: repo/terraform
 - name: hashicorp/terraform
   args:
     - plan
     - '-var=project-id=${PROJECT_ID}'
     - '-var=buildkite-api-token-readonly=$$BUILDKITE_API_TOKEN_READONLY'
     - '-var=buildkite-agent-token=$$BUILDKITE_AGENT_TOKEN'
     - '-var=conduit-api-token=$$CONDUIT_API_TOKEN'
     - '-var=git-id-rsa=$$GIT_ID_RSA'
     - '-var=id-rsa-pub=$$ID_RSA_PUB'
     - '-var=git-known-hosts=$$GIT_KNOWN_HOSTS'
     - '-out=/workspace/tfplan-${BUILD_ID}'
   secretEnv:
    - 'BUILDKITE_API_TOKEN_READONLY'
    - 'BUILDKITE_AGENT_TOKEN'
    - 'CONDUIT_API_TOKEN'
    - 'GIT_ID_RSA'
    - 'ID_RSA_PUB'
    - 'GIT_KNOWN_HOSTS'
   dir: repo/terraform
#  - name: hashicorp/terraform
#    args:
#      - apply
#      - '-auto-approve'
#      - /workspace/tfplan-${BUILD_ID}
#    dir: repo/terraform
substitutions:
 _GIT_REPO: $(body.project.git_http_url)
 _TF_BACKEND_BUCKET: 'terraform-state-${PROJECT_ID}'
 _TF_BACKEND_PREFIX: terraform/state
availableSecrets:
 secretManager:
   - versionName: 'projects/${PROJECT_ID}/secrets/buildkite-api-token-readonly/versions/latest'
     env: 'BUILDKITE_API_TOKEN_READONLY'
   - versionName: 'projects/${PROJECT_ID}/secrets/buildkite-agent-token/versions/latest'
     env: 'BUILDKITE_AGENT_TOKEN'
   - versionName: 'projects/${PROJECT_ID}/secrets/conduit-api-token/versions/latest'
     env: 'CONDUIT_API_TOKEN'
   - versionName: 'projects/${PROJECT_ID}/secrets/git-id-rsa/versions/latest'
     env: 'GIT_ID_RSA'
   - versionName: 'projects/${PROJECT_ID}/secrets/id-rsa-pub/versions/latest'
     env: 'ID_RSA_PUB'
   - versionName: 'projects/${PROJECT_ID}/secrets/git-known-hosts/versions/latest'
     env: 'GIT_KNOWN_HOSTS'
options:
  dynamic_substitutions: true