My current Terraform Build Script

The cycle time from changing a line of Terraform code to seeing whether it worked is LONG, maybe as much as half an hour.

You really want to detect problems early.

This was developed on Windows, where bash is a second-class citizen. I use git-bash, which plays poorly with Docker, so I had to do a few tricks.

The file docker.sh contains

#!/bin/bash
# This version works on Windows, specifically git-bash.
# If you use git-bash, you need this to run the docker versions of tflint, etc.
# MSYS_NO_PATHCONV stops git-bash from rewriting /data-style paths into Windows paths.
(export MSYS_NO_PATHCONV=1; "docker.exe" "$@")


Every time you use a new custom module or third-party module you need to run init again.

terraform init


If you don't specify --recursive, this will fail to reformat any code in subfolders

terraform fmt --recursive


Validate catches syntax errors and not much else. It is not very strict.

terraform validate


Tflint is somewhat more strict. Watch out: tflint doesn't check subfolders. At the moment, you have to run tflint on each subfolder as a separate command.

This code pulls the latest tflint, runs it for ONLY the current directory, and then checks whether we need to stop the build script.

# Pull the image, then lint only the current directory (mounted as /data).
time ./docker.sh pull wata727/tflint:latest
./docker.sh run --rm -v "$(pwd)":/data -t wata727/tflint
retVal=$?
if [ $retVal -ne 0 ]; then
    echo Failed
    # The script is sourced, so interrupt the shell and stop here;
    # use "exit $retVal" instead if the script is run directly.
    kill -INT $$
    return
fi

I check the return value after each command, but I won't repeat that code here.


tfsec and checkov check for an overlapping set of security issues. You will need to ignore some rules, because some security rules just don't apply to everyone. Cost and maintenance issues enter into the question of what the right security tradeoffs are.

./docker.sh run --rm --volume "$(pwd)":/tf bridgecrew/checkov -d /tf --quiet

./docker.sh run --rm --volume "$(pwd)":/data wesleydeanflexion/tfsec /data


Pre-commit will make sure that many checks are run on each git commit. I run pre-commit both ways: installed locally with pipenv and with the docker container. By default, it will not process all files, only recently changed files. This works fine until you realize that there are still errors all over because pre-commit decided no files changed recently. It is simpler to just run `--all-files` all the time. Likewise, keep re-installing that git hook, because you probably will forget to run install right after git clone.

pipenv install "pre-commit==2.6.0" --skip-lock

pipenv run pre-commit install

./docker.sh run --rm --volume "$PWD":/code git.loc.gov:4567/devops/pre-commit-docker/master run --all-files
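Putting the steps above together, here is an added example of one build script (not the post's own script) that stops at the first failing step and runs tflint once per subfolder that contains .tf files, since tflint does not recurse. It assumes the docker.sh wrapper from the top of the post sits next to it, uses the image names from the post, and starts the pipeline only when invoked as `./build.sh run`.

```shell
#!/bin/bash
# Added example: chained Terraform checks with a fail-fast wrapper.
# Assumes ./docker.sh (the MSYS_NO_PATHCONV wrapper) is in the same directory.
set -u

# Run one named step; report and return its exit code on failure.
# Callers append "|| exit" so the script stops at the first failing step.
run_step() {
    name=$1; shift
    "$@"
    ret=$?
    if [ "$ret" -ne 0 ]; then
        echo "FAILED: $name (exit $ret)" >&2
    fi
    return "$ret"
}

# List every directory under $1 holding a .tf file, skipping .terraform caches,
# so tflint can be run on each one (tflint only lints the directory it is given).
tf_dirs() {
    find "$1" -name .terraform -prune -o -name '*.tf' -print \
        | sed 's|/[^/]*$||' | sort -u
}

# tflint each module directory; a failure ends the loop with a non-zero status.
lint_all() {
    tf_dirs "$1" | while IFS= read -r d; do
        run_step "tflint $d" ./docker.sh run --rm -v "$(cd "$d" && pwd)":/data -t wata727/tflint || exit 1
    done
}

main() {
    run_step "init"        terraform init -input=false                 || exit
    run_step "fmt"         terraform fmt -recursive                    || exit
    run_step "validate"    terraform validate                          || exit
    run_step "tflint pull" ./docker.sh pull wata727/tflint:latest      || exit
    lint_all .                                                         || exit
    run_step "checkov" ./docker.sh run --rm --volume "$(pwd)":/tf bridgecrew/checkov -d /tf --quiet || exit
    run_step "tfsec"   ./docker.sh run --rm --volume "$(pwd)":/data wesleydeanflexion/tfsec /data   || exit
    run_step "pre-commit"  pipenv run pre-commit run --all-files       || exit
    echo "All checks passed"
}

# Only start the pipeline when asked, so the helpers can also be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```

Directory paths containing spaces or newlines are not handled by tf_dirs; module folders in Terraform projects rarely have them.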

