mirror of
https://github.com/thegeeklab/wp-opentofu.git
synced 2024-09-20 01:42:45 +02:00
96 lines
3.1 KiB
Markdown
96 lines
3.1 KiB
Markdown
Use the Terraform plugin to apply the infrastructure configuration contained within the repository. The following parameters are used to configure this plugin:
|
|
|
|
* `plan` - if true, calculates a plan but does __NOT__ apply it.
|
|
* `remote` - contains the configuration for the Terraform remote state tracking.
|
|
* `backend` - the Terraform remote state backend to use.
|
|
* `config` - a map of configuration parameters for the remote state backend. Each value is passed as a `-backend-config=<key>=<value>` option.
|
|
* `vars` - a map of variables to pass to the Terraform `plan` and `apply` commands. Each value is passed as a `-var
|
|
<key>=<value>` option.
|
|
* `ca_cert` - ca cert to add to your environment to allow terraform to use internal/private resources
|
|
* `sensitive` (default: `false`) - Whether or not to suppress terraform commands to stdout.
|
|
* `role_arn_to_assume` - A role to assume before running the terraform commands
|
|
|
|
The following is a sample Terraform configuration in your .drone.yml file:
|
|
|
|
```yaml
|
|
deploy:
|
|
terraform:
|
|
plan: false
|
|
remote:
|
|
backend: S3
|
|
config:
|
|
bucket: my-terraform-config-bucket
|
|
key: tf-states/my-project
|
|
region: us-east-1
|
|
vars:
|
|
app_name: my-project
|
|
app_version: 1.0.0
|
|
```
|
|
|
|
# Advanced Configuration
|
|
|
|
## CA Certs
|
|
You may want to run terraform against internal resources, like an internal
|
|
OpenStack deployment. Usually these resources are signed by an internal
|
|
CA Certificate. You can inject your CA Certificate into the plugin by using
|
|
`ca_certs` key as described above. Below is an example.
|
|
|
|
```yaml
|
|
deploy:
|
|
terraform:
|
|
plan: false
|
|
remote:
|
|
backend: swift
|
|
config:
|
|
path: drone/terraform
|
|
vars:
|
|
app_name: my-project
|
|
app_version: 1.0.0
|
|
ca_cert: |
|
|
-----BEGIN CERTIFICATE-----
|
|
asdfsadf
|
|
asdfsadf
|
|
-----END CERTIFICATE-----
|
|
```
|
|
|
|
## Suppress Sensitive Output
|
|
You may be passing sensitive vars to your terraform commands. If you do not want
|
|
the terraform commands to display in your drone logs then set `sensitive` to `true`.
|
|
The output from the commands themselves will still display, it just won't show
|
|
want command is actually being ran.
|
|
|
|
```yaml
|
|
deploy:
|
|
terraform:
|
|
plan: false
|
|
sensitive: true
|
|
remote:
|
|
backend: S3
|
|
config:
|
|
bucket: my-terraform-config-bucket
|
|
key: tf-states/my-project
|
|
region: us-east-1
|
|
vars:
|
|
app_name: my-project
|
|
app_version: 1.0.0
|
|
```
|
|
|
|
## Assume Role ARN
|
|
You may want to assume another role before running the terraform commands. This is useful for cross account access, where a central account ahs privileges to assume roles in other accounts. Using the current credentials, this role will be assumed and exported to environment variables. See [the discussion](https://github.com/hashicorp/terraform/issues/1275) in the Terraform issues.
|
|
|
|
```yaml
|
|
deploy:
|
|
terraform:
|
|
plan: false
|
|
remote:
|
|
backend: S3
|
|
config:
|
|
bucket: my-terraform-config-bucket
|
|
key: tf-states/my-project
|
|
region: us-east-1
|
|
vars:
|
|
app_name: my-project
|
|
app_version: 1.0.0
|
|
role_arn_to_assume: arn:aws:iam::account-of-role-to-assume:role/name-of-role
|
|
```
|