Terraform is an infrastructure-as-code (IaC) tool that helps you create, update, and version your infrastructure in a secure and repeatable manner.
The scope of this pattern is to provide a guide and ready to use terraform configurations to setup validation pipelines with end-to-end tests based on AWS CodePipeline, AWS CodeBuild, AWS CodeCommit and Terraform.
The created pipeline uses the best practices for infrastructure validation and has the below stages
- validate - This stage focuses on terraform IaC validation tools and commands such as terraform validate, terraform format, tfsec, tflint and checkov
- plan - This stage creates an execution plan, which lets you preview the changes that Terraform plans to make to your infrastructure.
- apply - This stage uses the plan created above to provision the infrastructure in the test account.
- destroy - This stage destroys the infrastructure created in the above stage. Running these four stages ensures the integrity of the terraform configurations.
|-- CODE_OF_CONDUCT.md
|-- CONTRIBUTING.md
|-- LICENSE
|-- README.md
|-- data.tf
|-- examples
| `-- terraform.tfvars
|-- locals.tf
|-- main.tf
|-- modules
| |-- codebuild
| | |-- README.md
| | |-- main.tf
| | |-- outputs.tf
| | `-- variables.tf
| |-- codecommit
| | |-- README.md
| | |-- data.tf
| | |-- main.tf
| | |-- outputs.tf
| | `-- variables.tf
| |-- codepipeline
| | |-- README.md
| | |-- main.tf
| | |-- outputs.tf
| | `-- variables.tf
| |-- iam-role
| | |-- README.md
| | |-- data.tf
| | |-- main.tf
| | |-- outputs.tf
| | `-- variables.tf
| |-- kms
| | |-- README.md
| | |-- main.tf
| | |-- outputs.tf
| | `-- variables.tf
| `-- s3
| |-- README.md
| |-- main.tf
| |-- outputs.tf
| `-- variables.tf
|-- templates
| |-- buildspec_apply.yml
| |-- buildspec_destroy.yml
| |-- buildspec_plan.yml
| |-- buildspec_validate.yml
| `-- scripts
| `-- tf_ssp_validation.sh
`-- variables.tf
[email protected]:aws-samples/aws-codepipeline-terraform-cicd-samples.gitNote: If you don't have git installed, install git.
Step 2: Update the variables in examples/terraform.tfvars based on your requirement. Make sure you ae updating the variables project_name, environment, source_repo_name, source_repo_branch, create_new_repo, stage_input and build_projects.
- If you are planning to use an existing terraform CodeCommit repository, then update the variable create_new_repo as false and provide the name of your existing repo under the variable source_repo_name
- If you are planning to create new terraform CodeCommit repository, then update the variable create_new_repo as true and provide the name of your new repo under the variable source_repo_name
Step 4: Configure the AWS Command Line Interface (AWS CLI) where this IaC is being executed. For more information, see Configuring the AWS CLI.
Note: Sample terraform.tfvars are available in the examples directory. You may use the below command if you need to provide this sample tfvars as an input to the apply command.
terraform apply -var-file=./examples/terraform.tfvarsStep 1: You would get source_repo_clone_url_http as an output of the installation step. Clone the repository to your local.
git clone <source_repo_clone_url_http>
[email protected]:aws-samples/aws-eks-accelerator-for-terraform.gitNote: If you don't have git installed, install git.
Step 3: Copy the templates folder to the AWS CodeCommit sourcecode repository which contains the terraform code to be deployed.
cd examples/ci-cd/aws-codepipeline
cp -r templates $YOUR_CODECOMMIT_REPO_ROOTNote1: The IAM Role used by the newly created pipeline is very restrictive and follows the Principle of least privilege. Please update the IAM Policy with the required permissions. Alternatively, use the create_new_role = false option to use an existing IAM role and specify the role name using the variable codepipeline_iam_role_name
Note2: If the create_new_repo flag is set to true, a new blank repository will be created with the name assigned to the variable source_repo_name. Since this repository will not be containing the templates folder specified in Step 3 nor any code files, the initial run of the pipeline will be marked as failed in the Download-Source stage itself.
Note3: If the create_new_repo flag is set to false to use an existing repository, ensure the pre-requisite steps specified in step 3 have been done on the target repository.
| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| Name | Version |
|---|---|
| aws | >= 4.20.1 |
| Name | Source | Version |
|---|---|---|
| codebuild_terraform | ./modules/codebuild | n/a |
| codecommit_infrastructure_source_repo | ./modules/codecommit | n/a |
| codepipeline_iam_role | ./modules/iam-role | n/a |
| codepipeline_kms | ./modules/kms | n/a |
| codepipeline_terraform | ./modules/codepipeline | n/a |
| s3_artifacts_bucket | ./modules/s3 | n/a |
| Name | Type |
|---|---|
| aws_caller_identity.current | data source |
| aws_region.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| build_project_source | aws/codebuild/standard:4.0 | string |
"CODEPIPELINE" |
no |
| build_projects | Tags to be attached to the CodePipeline | list(string) |
n/a | yes |
| builder_compute_type | Relative path to the Apply and Destroy build spec file | string |
"BUILD_GENERAL1_SMALL" |
no |
| builder_image | Docker Image to be used by codebuild | string |
"aws/codebuild/amazonlinux2-x86_64-standard:3.0" |
no |
| builder_image_pull_credentials_type | Image pull credentials type used by codebuild project | string |
"CODEBUILD" |
no |
| builder_type | Type of codebuild run environment | string |
"LINUX_CONTAINER" |
no |
| codepipeline_iam_role_name | Name of the IAM role to be used by the Codepipeline | string |
"codepipeline-role" |
no |
| create_new_repo | Whether to create a new repository. Values are true or false. Defaulted to true always. | bool |
true |
no |
| create_new_role | Whether to create a new IAM Role. Values are true or false. Defaulted to true always. | bool |
true |
no |
| environment | Environment in which the script is run. Eg: dev, prod, etc | string |
n/a | yes |
| project_name | Unique name for this project | string |
n/a | yes |
| repo_approvers_arn | ARN or ARN pattern for the IAM User/Role/Group that can be used for approving Pull Requests | string |
n/a | yes |
| source_repo_branch | Default branch in the Source repo for which CodePipeline needs to be configured | string |
n/a | yes |
| source_repo_name | Source repo name of the CodeCommit repository | string |
n/a | yes |
| stage_input | Tags to be attached to the CodePipeline | list(map(any)) |
n/a | yes |
| Name | Description |
|---|---|
| codebuild_arn | The ARN of the Codebuild Project |
| codebuild_name | The Name of the Codebuild Project |
| codecommit_arn | The ARN of the Codecommit repository |
| codecommit_name | The name of the Codecommit repository |
| codecommit_url | The Clone URL of the Codecommit repository |
| codepipeline_arn | The ARN of the CodePipeline |
| codepipeline_name | The Name of the CodePipeline |
| iam_arn | The ARN of the IAM Role used by the CodePipeline |
| kms_arn | The ARN of the KMS key used in the codepipeline |
| s3_arn | The ARN of the S3 Bucket |
| s3_bucket_name | The Name of the S3 Bucket |
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent