From 2e74fe1180a1e0ae288e1c4f5748dd40ed04aa9e Mon Sep 17 00:00:00 2001 From: Jacob McCann Date: Tue, 9 Feb 2016 13:27:12 -0600 Subject: [PATCH 1/3] Add ability to inject internal CA Cert --- DOCS.md | 6 ++++++ main.go | 12 ++++++++++++ 2 files changed, 18 insertions(+) diff --git a/DOCS.md b/DOCS.md index 8c353d6..22ab106 100644 --- a/DOCS.md +++ b/DOCS.md @@ -4,6 +4,7 @@ Use the Terraform plugin to apply the infrastructure configuration contained wit * `remote` - contains the configuration for the Terraform remote state tracking. * `backend` - the Terraform remote state backend to use. * `config` - a map of configuration parameters for the remote state backend. Each value is passed as a `-backend-config==` option. + * `ca_cert` - ca cert to add to your environment to allow terraform to use internal/private resources * `vars` - a map of variables to pass to the Terraform `plan` and `apply` commands. Each value is passed as a `-var =` option. The following is a sample Terraform configuration in your .drone.yml file: @@ -14,6 +15,11 @@ deploy: plan: false remote: backend: S3 + ca_cert: | + -----BEGIN CERTIFICATE----- + asdfsadf + asdfsadf + -----END CERTIFICATE----- config: bucket: my-terraform-config-bucket key: tf-states/my-project diff --git a/main.go b/main.go index 3626ad9..1bc4e0d 100644 --- a/main.go +++ b/main.go @@ -5,6 +5,7 @@ import ( "os" "os/exec" "strings" + "io/ioutil" "github.com/drone/drone-plugin-go/plugin" ) @@ -18,6 +19,7 @@ type terraform struct { type remote struct { Backend string `json:"backend"` Config map[string]string `json:"config"` + Cacert string `json:"ca_cert"` } func main() { @@ -31,6 +33,9 @@ func main() { var commands []*exec.Cmd remote := vargs.Remote + if remote.Cacert != "" { + commands = append(commands, installCaCert(remote.Cacert)) + } if remote.Backend != "" { commands = append(commands, remoteConfigCommand(remote)) } 
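Review bot: In the `main` hunk, the `if remote.Cacert != ""` branch hands the `ca_cert` string from the build configuration to `installCaCert` without parsing it. Whatever `.drone.yml` supplies therefore becomes a trusted root for every TLS connection the later Terraform commands make, and nothing in the build output records which certificate that was. I would decode and parse the value first, refuse anything that is not a CA certificate, and print its subject and SHA-256 fingerprint so the trust decision is visible in the build log. The sketch below checks only the first PEM block and assumes `fmt`, `crypto/sha256`, `crypto/x509` and `encoding/pem` are imported. How `main` reports other failures is outside the hunk, so match that style.

```go
remote := vargs.Remote
if remote.Cacert != "" {
	block, _ := pem.Decode([]byte(remote.Cacert))
	if block == nil || block.Type != "CERTIFICATE" {
		fmt.Println("ca_cert: no PEM CERTIFICATE block found")
		os.Exit(1)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		fmt.Println("ca_cert: cannot parse certificate:", err)
		os.Exit(1)
	}
	// A leaf certificate must not be installed as a trust anchor.
	if !cert.IsCA {
		fmt.Println("ca_cert: certificate is not marked as a CA")
		os.Exit(1)
	}
	// Record which root this build trusted.
	fmt.Printf("trusting CA %q sha256:%x\n", cert.Subject.CommonName, sha256.Sum256(cert.Raw))
	commands = append(commands, installCaCert(remote.Cacert))
}
// … unchanged: remote.Backend check …
```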
@@ -57,6 +62,13 @@ func main() { } +func installCaCert(cacert string) *exec.Cmd { + ioutil.WriteFile("/usr/local/share/ca-certificates/ca_cert.crt", []byte(cacert), 0644) + return exec.Command( + "update-ca-certificates", + ) +} + func remoteConfigCommand(config remote) *exec.Cmd { args := []string{ "remote", From 8d46f853c55862b7dc7ecceaf78340f77a17848b Mon Sep 17 00:00:00 2001 From: Jacob McCann Date: Thu, 11 Feb 2016 11:32:55 -0600 Subject: [PATCH 2/3] Move ca_certs from 'remote' to 'terraform' Did this as the CA Cert if needed for all terraform commands, not just remote. So just made more sense to move it to base of vargs. --- main.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/main.go b/main.go index 1bc4e0d..27c08b3 100644 --- a/main.go +++ b/main.go @@ -14,12 +14,12 @@ type terraform struct { Remote remote `json:"remote"` Plan bool `json:"plan"` Vars map[string]string `json:"vars"` + Cacert string `json:"ca_cert"` } type remote struct { Backend string `json:"backend"` Config map[string]string `json:"config"` - Cacert string `json:"ca_cert"` } func main() { @@ -33,8 +33,8 @@ func main() { var commands []*exec.Cmd remote := vargs.Remote - if remote.Cacert != "" { - commands = append(commands, installCaCert(remote.Cacert)) + if vargs.Cacert != "" { + commands = append(commands, installCaCert(vargs.Cacert)) } if remote.Backend != "" { commands = append(commands, remoteConfigCommand(remote)) From 66dcad910806f930a9f47474656c91ed26540a7a Mon Sep 17 00:00:00 2001 From: Jacob McCann Date: Thu, 11 Feb 2016 11:33:40 -0600 Subject: [PATCH 3/3] Update DOCS to move CA Cert example to an Advanced Config section Also fixed 'vars' key example in main example as it was under 'remote' and should be at the base of 'terraform'. --- DOCS.md | 42 ++++++++++++++++++++++++++++++++---------- 1 file changed, 32 insertions(+), 10 deletions(-) diff --git a/DOCS.md b/DOCS.md index 22ab106..980207d 100644 --- a/DOCS.md +++ b/DOCS.md 
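Review bot: `installCaCert` discards the error returned by `ioutil.WriteFile`, so when the write fails (for example the directory is missing in the image or the filesystem is read-only) `update-ca-certificates` still runs. The build then continues on the default trust store and the Terraform commands fail later with an x509 error that does not point back here. The write also happens while `main` is assembling the command list, not when the returned `*exec.Cmd` is run, which is easy to miss. Check the error and stop, e.g. `if err := ioutil.WriteFile(path, []byte(cacert), 0644); err != nil { fmt.Println("writing ca_cert:", err); os.Exit(1) }` with the path unchanged (this assumes `fmt` is imported, which the hunks do not show). A doc comment such as `// installCaCert writes cacert into the system CA directory immediately and returns the command that refreshes the trust store.` would make the side effect explicit.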
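Review bot: The field moved onto `terraform` in patch 2/3 keeps the tag `json:"ca_cert"`, but the prose added to DOCS.md in patch 3/3 names the key `ca_certs`. A user who follows the prose gets an empty `Cacert`, the `vargs.Cacert != ""` branch is skipped without any message, and the build runs without the internal root. The docs should say `ca_cert`, matching the tag and the YAML example. The same example also sets `dry_run: false`, which matches no field visible in this hunk (`Plan` is tagged `plan`). As a style point, Go's initialism convention would name the field `CACert`.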
@@ -4,8 +4,9 @@ Use the Terraform plugin to apply the infrastructure configuration contained wit * `remote` - contains the configuration for the Terraform remote state tracking. * `backend` - the Terraform remote state backend to use. * `config` - a map of configuration parameters for the remote state backend. Each value is passed as a `-backend-config==` option. - * `ca_cert` - ca cert to add to your environment to allow terraform to use internal/private resources -* `vars` - a map of variables to pass to the Terraform `plan` and `apply` commands. Each value is passed as a `-var =` option. +* `vars` - a map of variables to pass to the Terraform `plan` and `apply` commands. Each value is passed as a `-var + =` option. +* `ca_cert` - ca cert to add to your environment to allow terraform to use internal/private resources The following is a sample Terraform configuration in your .drone.yml file: @@ -15,16 +16,37 @@ deploy: plan: false remote: backend: S3 - ca_cert: | - -----BEGIN CERTIFICATE----- - asdfsadf - asdfsadf - -----END CERTIFICATE----- config: bucket: my-terraform-config-bucket key: tf-states/my-project region: us-east-1 - vars: - app_name: my-project - app_version: 1.0.0 + vars: + app_name: my-project + app_version: 1.0.0 +``` + +# Advanced Configuration + +## CA Certs +You may want to run terraform against internal resources, like an internal +OpenStack deployment. Usually these resources are signed by an internal +CA Certificate. You can inject your CA Certificate into the plugin by using +`ca_certs` key as described above. Below is an example. + +```yaml +deploy: + terraform: + dry_run: false + remote: + backend: swift + config: + path: drone/terraform + vars: + app_name: my-project + app_version: 1.0.0 + ca_cert: | + -----BEGIN CERTIFICATE----- + asdfsadf + asdfsadf + -----END CERTIFICATE----- ```