llvm-premerge-checks/terraform/cloudbuild.yaml
Grigory Movsesyan ba66080689
Add secrets support and instruction for budget notifications (#444)
* Move to secrets

* Add billing actions
2023-05-26 12:15:44 +02:00


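# Cloud Build pipeline: clone the repository named in the trigger payload,
# initialise Terraform against the remote state bucket, and write a plan file.
# The apply step is kept below but commented out, so nothing is applied.
#
# NOTE(review): neither builder image carries a tag or digest, so every build
# pulls whatever the registry currently serves for the default tag. Pin each
# image to a reviewed release, e.g. hashicorp/terraform:<VERSION>@sha256:<DIGEST>.
steps:
  # _GIT_REPO is filled from the trigger payload (see `substitutions`), so it is
  # passed to git as one argv element instead of being spliced into a
  # `bash -c` command string, where shell metacharacters in the value would be
  # interpreted. `--` ends option parsing so the value cannot be read as a flag.
  - name: gcr.io/cloud-builders/git
    entrypoint: git
    args:
      - clone
      - '--depth'
      - '1'
      - '--'
      - '${_GIT_REPO}'
      - repo

  # Configure the state backend from the substitutions defined below.
  - name: hashicorp/terraform
    args:
      - init
      - '-backend-config=bucket=${_TF_BACKEND_BUCKET}'
      - '-backend-config=prefix=${_TF_BACKEND_PREFIX}'
    dir: repo/terraform

  # Produce a plan file; the six Secret Manager values listed under
  # `secretEnv` are exposed to this step as environment variables.
  #
  # NOTE(review): Cloud Build documents `$$VAR` secret references as being
  # expanded by a shell (`entrypoint: bash` or `sh` with `-c`). This step runs
  # the image's default entrypoint, so confirm Terraform receives the secret
  # values and not the literal text `$BUILDKITE_AGENT_TOKEN` etc.
  # NOTE(review): `-var=` puts each value on the process command line, and a
  # saved plan file can contain the variable values in clear text. Treat
  # /workspace/tfplan-${BUILD_ID} as sensitive and do not export it as an
  # artifact.
  - name: hashicorp/terraform
    args:
      - plan
      - '-var=project-id=${PROJECT_ID}'
      - '-var=buildkite-api-token-readonly=$$BUILDKITE_API_TOKEN_READONLY'
      - '-var=buildkite-agent-token=$$BUILDKITE_AGENT_TOKEN'
      - '-var=conduit-api-token=$$CONDUIT_API_TOKEN'
      - '-var=git-id-rsa=$$GIT_ID_RSA'
      - '-var=id-rsa-pub=$$ID_RSA_PUB'
      - '-var=git-known-hosts=$$GIT_KNOWN_HOSTS'
      - '-out=/workspace/tfplan-${BUILD_ID}'
    secretEnv:
      - 'BUILDKITE_API_TOKEN_READONLY'
      - 'BUILDKITE_AGENT_TOKEN'
      - 'CONDUIT_API_TOKEN'
      - 'GIT_ID_RSA'
      - 'ID_RSA_PUB'
      - 'GIT_KNOWN_HOSTS'
    dir: repo/terraform

  # Disabled: would apply the plan written above without an approval prompt.
  # - name: hashicorp/terraform
  #   args:
  #     - apply
  #     - '-auto-approve'
  #     - /workspace/tfplan-${BUILD_ID}
  #   dir: repo/terraform

substitutions:
  # Repository URL taken from the trigger's request body.
  # NOTE(review): whoever can send an accepted request to the trigger chooses
  # which repository's terraform/ directory is planned with the secrets above;
  # consider checking the value against the expected repository URL.
  _GIT_REPO: '$(body.project.git_http_url)'
  _TF_BACKEND_BUCKET: 'terraform-state-${PROJECT_ID}'
  _TF_BACKEND_PREFIX: terraform/state

# Secret Manager entries mapped to the environment variable names used in
# `secretEnv`.
# NOTE(review): `versions/latest` resolves at build time to the newest version
# of each secret; reference a fixed version number if rotation has to be
# rolled out deliberately.
availableSecrets:
  secretManager:
    - versionName: 'projects/${PROJECT_ID}/secrets/buildkite-api-token-readonly/versions/latest'
      env: 'BUILDKITE_API_TOKEN_READONLY'
    - versionName: 'projects/${PROJECT_ID}/secrets/buildkite-agent-token/versions/latest'
      env: 'BUILDKITE_AGENT_TOKEN'
    - versionName: 'projects/${PROJECT_ID}/secrets/conduit-api-token/versions/latest'
      env: 'CONDUIT_API_TOKEN'
    - versionName: 'projects/${PROJECT_ID}/secrets/git-id-rsa/versions/latest'
      env: 'GIT_ID_RSA'
    - versionName: 'projects/${PROJECT_ID}/secrets/id-rsa-pub/versions/latest'
      env: 'ID_RSA_PUB'
    - versionName: 'projects/${PROJECT_ID}/secrets/git-known-hosts/versions/latest'
      env: 'GIT_KNOWN_HOSTS'

options:
  # Lets user-defined substitutions reference other substitutions, as
  # _TF_BACKEND_BUCKET does with ${PROJECT_ID}.
  dynamic_substitutions: true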