My current Terraform Build Script Skip to main content

My current Terraform Build Script

 The cycle time from changing a line of code to seeing if it worked in terraform coding is LONG. Like maybe as much as half an hour.

You really want to detect problems early.

This was developed on windows, where bash is a 2nd class citizen. I use git-bash which plays poorly with docker, so I had to do a few tricks.

The file docker.sh contains

!/bin/bash
# This version works on windows, specifically git-bash
# If you you gitbash, to use tflint, etc docker version, you need this.
(export MSYS_NO_PATHCONV=1; "docker.exe" "$@")


Every time you use a new custom module or 3rd party module you need to run init again.

terraform init


If you don't specify --recursive, this will fail to reformat any code in subfolders

terraform fmt --recursive


Validate catches syntax errors and not much else. It is not very strict.

terraform validate


Tflint is somewhat more strict. Watch out, tflint doesn't check subfolders. At the moment,

you have to run tflint on each subfolder as a separate command.

This code pulls latest tflint, runs it for ONLY the current directory and then checks if we need to stop the build script.

time ./docker.sh pull wata727/tflint:latest
./docker.sh run --rm -v "$(pwd)":/data -t wata727/tflint
retVal=$?
if [ $retVal -ne 0 ]; then
    echo Failed
    kill -INT $$
    return
fi

I check the return value after each command, but I won't repeat that code here.


tfsec and checkov check for an overlapping set of security issues. You will need to ignore some

rules because some security rules just don't apply to everyone. There are cost and maintenance issues

that enter the question about what is the right tradeoffs for security.

./docker.sh run --rm --volume "$(pwd)":/tf bridgecrew/checkov -d /tf --quiet

./docker.sh run --rm --volume "$(pwd)":/data wesleydeanflexion/tfsec /data


Pre-commit will make sure that many checks are run on each git-commit. I run pre-commit both ways, installed locally with pipenv

and with the docker container. By default, it will not process all files, and will process only recently changed files. This works

fine until you realize that there are still errors all over because pre-commit decided no files changed recently. It is simpler to just

run `--all-files` all the time. Likewise, keep re-installing that git-hook because you probably will forget to run install right after git

clone.

pipenv install "pre-commit==2.6.0" --skip-lock

pipenv run pre-commit install

./docker.sh run --rm --volume "$PWD":/code git.loc.gov:4567/devops/pre-commit-docker/master run --all-files


Comments

Post a Comment

Popular posts from this blog

So why again am I doing this FMD?

ABSTRACT. I've been doing health related experiments my whole life. FMD is a continuation. The goal is to not die, not just out of a fear of death, but because I have dependents who need me to live well past 60 and to be healthy enough to work well past 60. Well, it starts back when I was in my teens and started reading books at random at the library. I ended up in the health section and found it a strangely compelling genre because unlike fiction, it had actionable advice. So starts a lifetime of health hacking. First major experiment - vegetarianism. A read a book that made a solid case about the environmental, ethical and health case for vegetarianism. I signed up as a vegetarian, aka cheesatarian, because I could find cheese & egg dishes my family made & restaurants served. I spend the next 20+ years eating too much dairy, bounded only by some low-fat protocols I followed. Second major experiment - low fat. This was highly compatible with vegetarianism. It...
Post a Comment
Read more

Sliding

Today's lunch at Opal A. Daniels Park . http://maps.google.com/maps/api/staticmap?center=38.981116845433,-77.00400458158938&zoom=16&size=420x260&maptype=roadmap&sensor=false&markers=color:red%7C38.981116845433,-77.00400458158938 // more... http://4sq.com/nsKIKf
Post a Comment
Read more

So I'm FMD fasting again

I'm doing a Fasting Mimicking Diet again. This my 3rd. I've been too cheap to buy a Prolon kit, so I'm using Enid Kassner's recipe set . I'm starting late because it is hard to do the cooking in addition to regular cooking during the week. I couldn't start any later because I don't want to end fast exactly on Thanksgiving. I'll have 24 hours of regular eating to prepare for the big lunch on Thanksgiving. Yesterday I did my last run until after the fast. I'm training for a 5K in 6 months. I'll just be doing my unavoidable walking for exercise. My weight is 148 or so, so I should survive losing the 5+ lbs. The first FMD I did, I went from 150 to 145, and mostly felt fine. The second FMD I did, I went from like 145 to under 140 and I was ravenously hungry all the time. After that one, my new rule is I don't fast if I'm not at or near 150 lbs. My cheats enumerated: * Swapping sesame for walnut, my knee hurts from running & sesa...
Post a Comment
Read more