wp-opentofu/main.go

package main

import (
	"fmt"
	"io/ioutil"
	"os"
	"os/exec"
	"strings"
    "time"
    "github.com/aws/aws-sdk-go/aws/credentials"
    "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
    "github.com/aws/aws-sdk-go/aws/session"
    "github.com/aws/aws-sdk-go/service/sts"
    "github.com/drone/drone-plugin-go/plugin"
)

var (
	buildCommit string
)

type terraform struct {
	Remote    remote            `json:"remote"`
	Plan      bool              `json:"plan"`
	Vars      map[string]string `json:"vars"`
	Cacert    string            `json:"ca_cert"`
	Sensitive bool              `json:"sensitive"`
	RoleARN	  string            `json:"role_arn_to_assume"`
}

type remote struct {
	Backend string            `json:"backend"`
	Config  map[string]string `json:"config"`
}

func main() {
	fmt.Printf("Drone Terraform Plugin built from %s\n", buildCommit)

	workspace := plugin.Workspace{}
	vargs := terraform{}

	plugin.Param("workspace", &workspace)
	plugin.Param("vargs", &vargs)
	plugin.MustParse()

	if vargs.RoleARN != "" {
		assumeRole(vargs.RoleARN)
	}

	var commands []*exec.Cmd
	remote := vargs.Remote
	if vargs.Cacert != "" {
		commands = append(commands, installCaCert(vargs.Cacert))
	}
	if remote.Backend != "" {
		commands = append(commands, deleteCache())
		commands = append(commands, remoteConfigCommand(remote))
	}
	commands = append(commands, planCommand(vargs.Vars))
	if !vargs.Plan {
		commands = append(commands, applyCommand())
	}
	commands = append(commands, deleteCache())

	for _, c := range commands {
		c.Env = os.Environ()
		c.Dir = workspace.Path
		c.Stdout = os.Stdout
		c.Stderr = os.Stderr
		if !vargs.Sensitive {
			trace(c)
		}

		err := c.Run()
		if err != nil {
			fmt.Println("Error!")
			fmt.Println(err)
			os.Exit(1)
		}
		fmt.Println("Command completed successfully")
	}

}

func installCaCert(cacert string) *exec.Cmd {
	ioutil.WriteFile("/usr/local/share/ca-certificates/ca_cert.crt", []byte(cacert), 0644)
	return exec.Command(
		"update-ca-certificates",
	)
}

func deleteCache() *exec.Cmd {
	return exec.Command(
		"rm",
		"-rf",
		".terraform",
	)
}

func remoteConfigCommand(config remote) *exec.Cmd {
	args := []string{
		"remote",
		"config",
		fmt.Sprintf("-backend=%s", config.Backend),
	}
	for k, v := range config.Config {
		args = append(args, fmt.Sprintf("-backend-config=%s=%s", k, v))
	}
	return exec.Command(
		"terraform",
		args...,
	)
}

func planCommand(variables map[string]string) *exec.Cmd {
	args := []string{
		"plan",
		"-out=plan.tfout",
	}
	for k, v := range variables {
		args = append(args, "-var")
		args = append(args, fmt.Sprintf("%s=%s", k, v))
	}
	return exec.Command(
		"terraform",
		args...,
	)
}

func applyCommand() *exec.Cmd {
	return exec.Command(
		"terraform",
		"apply",
		"plan.tfout",
	)
}

func assumeRole(roleArn string) {
    client := sts.New(session.New())
    duration := time.Hour * 1
    stsProvider := &stscreds.AssumeRoleProvider{
        Client: client,
        Duration: duration,
        RoleARN: roleArn,
        RoleSessionName: "drone",
    }

    value, err := credentials.NewCredentials(stsProvider).Get()
	if err != nil {
		fmt.Println("Error assuming role!")
		fmt.Println(err)
		os.Exit(1)
	}
    os.Setenv("AWS_ACCESS_KEY_ID",value.AccessKeyID)
    os.Setenv("AWS_SECRET_ACCESS_KEY",value.SecretAccessKey)
    os.Setenv("AWS_SESSION_TOKEN",value.SessionToken)
}

func trace(cmd *exec.Cmd) {
	fmt.Println("$", strings.Join(cmd.Args, " "))
}
Initial commit. 2015-11-09 20:23:42 +01:00			`package main`

			`import (`
			`"fmt"`
Print out the plugin version to help debugging 2016-02-21 12:41:22 +01:00			`"io/ioutil"`
Initial commit. 2015-11-09 20:23:42 +01:00			`"os"`
			`"os/exec"`
			`"strings"`
allow assume role before running terraform commands 2016-03-23 13:43:20 +01:00			`"time"`
			`"github.com/aws/aws-sdk-go/aws/credentials"`
			`"github.com/aws/aws-sdk-go/aws/credentials/stscreds"`
			`"github.com/aws/aws-sdk-go/aws/session"`
			`"github.com/aws/aws-sdk-go/service/sts"`
			`"github.com/drone/drone-plugin-go/plugin"`
Initial commit. 2015-11-09 20:23:42 +01:00			`)`

Print out the plugin version to help debugging 2016-02-21 12:41:22 +01:00			`var (`
			`buildCommit string`
			`)`

Configure terraform commands, don't allow any command. 2015-11-10 02:07:05 +01:00			`type terraform struct {`
Add sensitive flag Do not show commands being ran if sensitive is true 2016-02-11 19:07:08 +01:00			Remote remote `json:"remote"`
			Plan bool `json:"plan"`
			Vars map[string]string `json:"vars"`
			Cacert string `json:"ca_cert"`
			Sensitive bool `json:"sensitive"`
allow assume role before running terraform commands 2016-03-23 13:43:20 +01:00			RoleARN string `json:"role_arn_to_assume"`
Configure terraform commands, don't allow any command. 2015-11-10 02:07:05 +01:00			`}`

			`type remote struct {`
			Backend string `json:"backend"`
			Config map[string]string `json:"config"`
Initial commit. 2015-11-09 20:23:42 +01:00			`}`

			`func main() {`
Print out the plugin version to help debugging 2016-02-21 12:41:22 +01:00			`fmt.Printf("Drone Terraform Plugin built from %s\n", buildCommit)`
Initial commit. 2015-11-09 20:23:42 +01:00
			`workspace := plugin.Workspace{}`
Configure terraform commands, don't allow any command. 2015-11-10 02:07:05 +01:00			`vargs := terraform{}`
Initial commit. 2015-11-09 20:23:42 +01:00
			`plugin.Param("workspace", &workspace)`
			`plugin.Param("vargs", &vargs)`
			`plugin.MustParse()`

allow assume role before running terraform commands 2016-03-23 13:43:20 +01:00			`if vargs.RoleARN != "" {`
			`assumeRole(vargs.RoleARN)`
			`}`

Configure terraform commands, don't allow any command. 2015-11-10 02:07:05 +01:00			`var commands []*exec.Cmd`
			`remote := vargs.Remote`
Move ca_certs from 'remote' to 'terraform' Did this as the CA Cert if needed for all terraform commands, not just remote. So just made more sense to move it to base of vargs. 2016-02-11 18:32:55 +01:00			`if vargs.Cacert != "" {`
			`commands = append(commands, installCaCert(vargs.Cacert))`
Add ability to inject internal CA Cert 2016-02-09 20:27:12 +01:00			`}`
Configure terraform commands, don't allow any command. 2015-11-10 02:07:05 +01:00			`if remote.Backend != "" {`
Delete .terraform cache Terraform will pull and cache config. This causes issues if you try to change remotes as the cache will be pushed to your remote when it initializes the new remote. 2016-02-19 01:09:23 +01:00			`commands = append(commands, deleteCache())`
Configure terraform commands, don't allow any command. 2015-11-10 02:07:05 +01:00			`commands = append(commands, remoteConfigCommand(remote))`
			`}`
			`commands = append(commands, planCommand(vargs.Vars))`
use plan instead of dry-run 2016-02-14 23:00:32 +01:00			`if !vargs.Plan {`
Configure terraform commands, don't allow any command. 2015-11-10 02:07:05 +01:00			`commands = append(commands, applyCommand())`
Initial commit. 2015-11-09 20:23:42 +01:00			`}`
Delete .terraform cache Terraform will pull and cache config. This causes issues if you try to change remotes as the cache will be pushed to your remote when it initializes the new remote. 2016-02-19 01:09:23 +01:00			`commands = append(commands, deleteCache())`
Initial commit. 2015-11-09 20:23:42 +01:00
Configure terraform commands, don't allow any command. 2015-11-10 02:07:05 +01:00			`for _, c := range commands {`
			`c.Env = os.Environ()`
			`c.Dir = workspace.Path`
			`c.Stdout = os.Stdout`
			`c.Stderr = os.Stderr`
Add sensitive flag Do not show commands being ran if sensitive is true 2016-02-11 19:07:08 +01:00			`if !vargs.Sensitive {`
			`trace(c)`
			`}`
Initial commit. 2015-11-09 20:23:42 +01:00
Configure terraform commands, don't allow any command. 2015-11-10 02:07:05 +01:00			`err := c.Run()`
Initial commit. 2015-11-09 20:23:42 +01:00			`if err != nil {`
Debug and need glibc in image. 2015-11-10 14:56:18 +01:00			`fmt.Println("Error!")`
			`fmt.Println(err)`
Initial commit. 2015-11-09 20:23:42 +01:00			`os.Exit(1)`
			`}`
Debug and need glibc in image. 2015-11-10 14:56:18 +01:00			`fmt.Println("Command completed successfully")`
Initial commit. 2015-11-09 20:23:42 +01:00			`}`

			`}`

Add ability to inject internal CA Cert 2016-02-09 20:27:12 +01:00			`func installCaCert(cacert string) *exec.Cmd {`
			`ioutil.WriteFile("/usr/local/share/ca-certificates/ca_cert.crt", []byte(cacert), 0644)`
			`return exec.Command(`
			`"update-ca-certificates",`
			`)`
			`}`

Delete .terraform cache Terraform will pull and cache config. This causes issues if you try to change remotes as the cache will be pushed to your remote when it initializes the new remote. 2016-02-19 01:09:23 +01:00			`func deleteCache() *exec.Cmd {`
			`return exec.Command(`
			`"rm",`
			`"-rf",`
			`".terraform",`
			`)`
			`}`

Configure terraform commands, don't allow any command. 2015-11-10 02:07:05 +01:00			`func remoteConfigCommand(config remote) *exec.Cmd {`
			`args := []string{`
			`"remote",`
			`"config",`
			`fmt.Sprintf("-backend=%s", config.Backend),`
			`}`
			`for k, v := range config.Config {`
Don't need to quote since we aren't in a shell. Also make sure to split on spaces in args. 2015-11-10 03:44:38 +01:00			`args = append(args, fmt.Sprintf("-backend-config=%s=%s", k, v))`
Configure terraform commands, don't allow any command. 2015-11-10 02:07:05 +01:00			`}`
			`return exec.Command(`
			`"terraform",`
			`args...,`
			`)`
			`}`

			`func planCommand(variables map[string]string) *exec.Cmd {`
			`args := []string{`
			`"plan",`
			`"-out=plan.tfout",`
			`}`
			`for k, v := range variables {`
Don't need to quote since we aren't in a shell. Also make sure to split on spaces in args. 2015-11-10 03:44:38 +01:00			`args = append(args, "-var")`
			`args = append(args, fmt.Sprintf("%s=%s", k, v))`
Configure terraform commands, don't allow any command. 2015-11-10 02:07:05 +01:00			`}`
			`return exec.Command(`
			`"terraform",`
			`args...,`
			`)`
			`}`

			`func applyCommand() *exec.Cmd {`
			`return exec.Command(`
			`"terraform",`
			`"apply",`
			`"plan.tfout",`
			`)`
Initial commit. 2015-11-09 20:23:42 +01:00			`}`

allow assume role before running terraform commands 2016-03-23 13:43:20 +01:00			`func assumeRole(roleArn string) {`
			`client := sts.New(session.New())`
			`duration := time.Hour * 1`
			`stsProvider := &stscreds.AssumeRoleProvider{`
			`Client: client,`
			`Duration: duration,`
			`RoleARN: roleArn,`
			`RoleSessionName: "drone",`
			`}`

			`value, err := credentials.NewCredentials(stsProvider).Get()`
			`if err != nil {`
			`fmt.Println("Error assuming role!")`
			`fmt.Println(err)`
			`os.Exit(1)`
			`}`
			`os.Setenv("AWS_ACCESS_KEY_ID",value.AccessKeyID)`
			`os.Setenv("AWS_SECRET_ACCESS_KEY",value.SecretAccessKey)`
			`os.Setenv("AWS_SESSION_TOKEN",value.SessionToken)`
			`}`

Initial commit. 2015-11-09 20:23:42 +01:00			`func trace(cmd *exec.Cmd) {`
			`fmt.Println("$", strings.Join(cmd.Args, " "))`
			`}`