ebs_block_device = { | |
"/dev/sdl" = { | |
volume_type = "standard" | |
volume_size = 50 | |
encrypted = true | |
kms_key_id = var.kms_key_arn | |
}, | |
"xvdf" = { | |
volume_type = "gp2" | |
volume_size = 200 |
# If all lines evaluated, and we still haven't decided to require approval, then all
# resources have been checked and none triggered approval flow
# NOTE(review): approvalRequired is reset to "notSure" for every plan line elsewhere
# in this script; if this check sits inside that loop, a plan whose last change line
# is neither "will be created" nor "will be destroyed" emits neither true nor false
# here — confirm where this block lives relative to the loop.
case "$approvalRequired" in
  no)
    printf '%s\n' "****************************************"
    printf '%s\n' "##[section]Approval will not be required"
    printf '%s\n' "****************************************"
    # Azure Pipelines logging command: publish approvalRequired=false as a job output variable
    printf '%s\n' "##vso[task.setvariable variable=approvalRequired;isOutput=true]false"
    printf '\n\n'
    ;;
esac
# If approval required, exit immediately and export values | |
if [[ $approvalRequired == "yes" ]]; then | |
echo "****************************************" | |
echo "##[section]Approval will be required" | |
echo "****************************************" | |
echo "" | |
echo "##vso[task.setvariable variable=approvalRequired;isOutput=true]true" | |
echo "" | |
echo "" | |
break |
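# A resource that is only being created never needs approval on its own,
# so this line is considered decided.
if [[ $line == *"will be created"* ]]; then
  # Quote the path: Terraform addresses may contain [index] brackets, which an
  # unquoted expansion treats as a glob and could replace with a matching filename.
  printf '%s\n' "##[section]Approval not required for $resource_path"
  approvalRequired="no"
fi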
if [[ $line == *"will be destroyed"* ]]; then | |
# If destroyed resource is always unsafe, trigger approval | |
if [[ ${ResourceTypesAlwaysUnsafe[@]} =~ ${resource_type} ]]; then | |
# Mark this path unsafe, require approval | |
echo "This resource is planned to be deleted, and is always unsafe to destroy without approval:" $resource_path | |
approvalRequired="yes" | |
# If destroyed resource is always safe, then don't trigger approval | |
elif [[ ${ResourceTypesAlwaysSafe[@]} =~ ${resource_type} ]]; then |
while IFS= read -r line; do | |
# Set approvalRequired | |
approvalRequired="notSure" | |
# Prepare resource path, e.g.: module.networking.aws_security_group_rule.Inbound_192Slash16_PermitAll | |
resource_path=$(echo $line | cut -d " " -f 2) | |
# Prepare resource type, e.g.: aws_security_group_rule | |
resource_type=$(echo $resource_path | rev | cut -d "." -f 2 | rev) |
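# Stop early when the saved plan carries no changes at all.
# NOTE(review): the match depends on this Terraform version's summary wording
# (" 0 to add, 0 to change, 0 to destroy") — confirm that is what `terraform show`
# prints for an empty plan.
# Read the plan once and fail loudly if it cannot be read: in the original pipeline
# a failing `terraform show` was masked by grep's status, so a missing or corrupt
# plan.out silently fell through as "changes present".
plan_summary=$(terraform show -no-color plan.out) || {
  printf '%s\n' "##[error]terraform show plan.out failed; cannot tell whether the plan has changes" >&2
  exit 1
}
if grep -q " 0 to add, 0 to change, 0 to destroy" <<<"$plan_summary"; then
  echo "##[section]No changes detected, terraform apply will not run"
  # There are no changes
  exit 0
fi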
# Resource types whose destruction always requires a human approval.
# NOTE(review): "foobar" appears in both lists and looks like a placeholder;
# the unsafe check is evaluated before the safe one elsewhere in this script,
# so a type listed in both is treated as unsafe — confirm the entry is intended.
declare -a ResourceTypesAlwaysUnsafe=("aws_instance" "foobar")

# Resource types whose destruction never requires approval.
declare -a ResourceTypesAlwaysSafe=("aws_security_group_rule" "foobar")
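#!/bin/bash
# Plan.out is binary file populated with "terraform plan -out plan.out"
# Use terraform show to read plan.out as text, and filter for resource change lines, output to file
# Decode the plan once (the original ran terraform show twice) and fail loudly if it
# cannot be read: silently continuing leaves plan_decoded.out empty, so the per-line
# checks that follow would have nothing to evaluate.
plan_text=$(terraform show -no-color plan.out) || {
  printf '%s\n' "##[error]terraform show plan.out failed; cannot decode the plan" >&2
  exit 1
}
# Keep the original file ordering: every "will be" line first, then the "must be" lines.
grep "will be" <<<"$plan_text" > plan_decoded.out
grep "must be" <<<"$plan_text" >> plan_decoded.out
input="plan_decoded.out"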