My current Terraform Build Script

The cycle time from changing a line of Terraform code to seeing whether it worked is LONG. Like maybe as much as half an hour.

You really want to detect problems early.

This was developed on Windows, where bash is a 2nd class citizen. I use git-bash, which plays poorly with docker, so I had to do a few tricks.

The file docker.sh contains

#!/bin/bash
# This version works on Windows, specifically git-bash.
# If you use git-bash and want to run the docker versions of tflint etc., you need this:
# MSYS_NO_PATHCONV stops git-bash from rewriting container paths like /data into Windows paths.
(export MSYS_NO_PATHCONV=1; "docker.exe" "$@")


Every time you use a new custom module or 3rd party module you need to run init again.

terraform init


If you don't specify --recursive, fmt will not reformat any code in subfolders.

terraform fmt --recursive


Validate catches syntax errors and not much else. It is not very strict.

terraform validate


Tflint is somewhat more strict. Watch out, tflint doesn't check subfolders. At the moment, you have to run tflint on each subfolder as a separate command.

This code pulls latest tflint, runs it for ONLY the current directory and then checks if we need to stop the build script.

# Pull the latest image, then lint ONLY the current directory (mounted as /data).
time ./docker.sh pull wata727/tflint:latest
./docker.sh run --rm -v "$(pwd)":/data -t wata727/tflint
retVal=$?
if [ $retVal -ne 0 ]; then
    echo Failed
    # This script is sourced, so interrupt the shell and return rather than exit;
    # a top-level "return" is only valid in a sourced script.
    kill -INT $$
    return
fi

I check the return value after each command, but I won't repeat that code here.


tfsec and checkov check for an overlapping set of security issues. You will need to ignore some rules because some security rules just don't apply to everyone. Cost and maintenance concerns enter the question of what the right tradeoffs for security are.

./docker.sh run --rm --volume "$(pwd)":/tf bridgecrew/checkov -d /tf --quiet

./docker.sh run --rm --volume "$(pwd)":/data wesleydeanflexion/tfsec /data


Pre-commit will make sure that many checks are run on each git commit. I run pre-commit both ways: installed locally with pipenv and with the docker container. By default, it will not process all files, only recently changed ones. This works fine until you realize that there are still errors all over because pre-commit decided no files changed recently. It is simpler to just run `--all-files` all the time. Likewise, keep re-installing that git hook, because you probably will forget to run install right after git clone.

pipenv install "pre-commit==2.6.0" --skip-lock

pipenv run pre-commit install

./docker.sh run --rm --volume "$PWD":/code git.loc.gov:4567/devops/pre-commit-docker/master run --all-files
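As an added example (not the post's own script), here are the steps above chained into one build script that stops at the first failing check and reports which step failed. The image names are the ones used in the post; the helper names (dk, run_step, tf_module_dirs, lint_dir, build) and the "./build.sh run" entry point are my assumptions. It also generalizes the tflint step: because tflint only inspects the directory it is pointed at, the script finds every directory containing a .tf file (skipping .terraform caches) and lints each one separately.

```shell
#!/bin/bash
# Added example, not the post's own script. Chains init/fmt/validate/tflint/
# checkov/tfsec/pre-commit and aborts on the first failure. Helper names are
# assumptions; docker image names come from the post.
set -u

# Docker wrapper. On git-bash (MSYS/MinGW) disable path conversion so that a
# volume like "/data" is not rewritten into a Windows path before docker.exe
# sees it; anywhere else call docker directly.
dk() {
    case "$(uname -s 2>/dev/null)" in
        MINGW*|MSYS*) MSYS_NO_PATHCONV=1 docker.exe "$@" ;;
        *)            docker "$@" ;;
    esac
}

# run_step NAME CMD [ARGS...]: announce the step, run it, report a failure on
# stderr, and return the command's exit status so the caller can stop early
# instead of discovering the problem half an hour later.
run_step() {
    _name=$1; shift
    echo "==> $_name"
    "$@"
    _status=$?
    if [ "$_status" -ne 0 ]; then
        echo "FAILED: $_name (exit $_status)" >&2
    fi
    return "$_status"
}

# tf_module_dirs ROOT: print every directory under ROOT that holds a .tf file,
# one per line, skipping .terraform caches. tflint only looks at the directory
# it is given, so the build runs it once per directory in this list.
tf_module_dirs() {
    find "$1" -name .terraform -prune -o -name '*.tf' -print 2>/dev/null \
        | sed 's#/[^/]*$##' | sort -u
}

# lint_dir DIR: run tflint from its docker image against one directory.
lint_dir() {
    dk run --rm -v "$(cd "$1" && pwd)":/data -t wata727/tflint
}

# The pipeline: cheapest and most frequent failures first.
build() {
    run_step "terraform init"     terraform init                || return 1
    run_step "terraform fmt"      terraform fmt --recursive     || return 1
    run_step "terraform validate" terraform validate            || return 1
    run_step "pull tflint"        dk pull wata727/tflint:latest || return 1
    # The while loop runs in a pipeline subshell; "exit 1" there makes the
    # pipeline fail, which the trailing "|| return 1" turns into a build abort.
    tf_module_dirs . | while IFS= read -r d; do
        run_step "tflint $d" lint_dir "$d" || exit 1
    done || return 1
    run_step "checkov" dk run --rm --volume "$(pwd)":/tf bridgecrew/checkov -d /tf --quiet || return 1
    run_step "tfsec"   dk run --rm --volume "$(pwd)":/data wesleydeanflexion/tfsec /data  || return 1
    run_step "pre-commit" pipenv run pre-commit run --all-files || return 1
    echo "all checks passed"
}

# Only run the pipeline when invoked as "./build.sh run", so the file can also
# be sourced for its helpers without side effects.
if [ "${1:-}" = "run" ]; then
    build
fi
```

Invoke it as `./build.sh run` from the root of the Terraform tree. Because every step goes through run_step, the exit status of the whole script is the exit status of the first failing tool, which is what a CI job needs in order to fail the build.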

