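#!/bin/sh
# build.sh - build a Docker image containing a pinned Terraform release, or
# run that image.  Usage: build.sh build | build.sh run [terraform args...]
# Requires ./version.sh next to this script; it is sourced for
# TERRAFORM_VERSION and DOCKER_IMAGE_NAME.
# Both expansions are quoted so a script directory containing spaces still
# resolves to one path.
. "$(dirname "$0")/version.sh"
# version.sh has this defined -
# TERRAFORM_VERSION=0.7.3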
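# Print "ERROR: <message>" on stderr and exit with status 1.
# Arguments: $1 - message text
# printf is used instead of echo so a message starting with "-" or containing
# backslashes is printed literally under any /bin/sh.
fatal() { printf 'ERROR: %s\n' "$1" >&2; exit 1; }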
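# Print the command-line help on stdout (one line per argument of printf).
# "$0" is quoted so a script path with spaces is shown as a single name.
# The first line still says "Packer", as in the original; the image built
# here actually ships Terraform.
usage() {
  printf '%s\n' \
    "Create a docker image for building AMIs using Packer" \
    "Usage:" \
    " $(basename "$0") build - create a docker image with packer" \
    " $(basename "$0") run - use terraform inside the docker image"
}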
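#######################################
# Download the given URL into the current directory using curl, or wget when
# curl is not installed.
# Arguments: $@ - URL(s) to fetch (callers in this file pass one URL per call;
#                 curl's -O applies to a single URL)
# Outputs:   "Downloading ..." line and downloader progress
# Returns:   the downloader's exit status; exits via fatal() when neither
#            curl nor wget is available
#######################################
download() {
  [ $# -gt 0 ] || fatal "download: no URL given"
  # The original tested the *output* of 'which' with stdout discarded, which is
  # always empty, so "[ -n ]" was always true and the curl assignment won even
  # when curl was missing.  'command -v' checks the exit status instead.
  if command -v curl >/dev/null 2>&1; then
    printf 'Downloading %s ...\n' "$*"
    curl -#LO "$@"
  elif command -v wget >/dev/null 2>&1; then
    printf 'Downloading %s ...\n' "$*"
    wget -nv --show-progress -c "$@"
  else
    fatal "No downloader found for $*"
  fi
}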
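#######################################
# Fetch the pinned Terraform release zip, verify it against the published
# SHA256SUMS and unpack it into ./terraform (the Dockerfile copies that
# directory into /usr/local/bin).
# Globals:   TERRAFORM_VERSION (read; set by version.sh)
# Arguments: none
# Outputs:   downloader progress
# Returns:   0 on success; exits via fatal() on checksum or unpack failure
#######################################
custom_build_steps() {
  : "${TERRAFORM_VERSION:?TERRAFORM_VERSION must be set (see version.sh)}"
  local zip sums base
  zip="terraform_${TERRAFORM_VERSION}_linux_amd64.zip"
  sums="terraform_${TERRAFORM_VERSION}_SHA256SUMS"
  base="https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}"
  # Fetch each artifact on its own so a zip left behind by an earlier run
  # without its checksum file is still verified rather than failing in
  # sha256sum with a missing SHA256SUMS.
  [ -f "$zip" ]  || download "${base}/${zip}"
  [ -f "$sums" ] || download "${base}/${sums}"
  # Keep only the line for the linux_amd64 zip; sha256sum -c would otherwise
  # report every other platform archive as missing.  The explicit ".bak"
  # suffix is the -i form both GNU and BSD sed accept.
  sed -i.bak -n -e '/^.*_linux_amd64.zip$/p' "$sums"
  # NOTE(review): the checksum file is fetched from the same host over the
  # same channel as the zip, so this catches corruption but not a substituted
  # release; verifying the release signature as well would cover that case.
  sha256sum -c --status "$sums" || fatal "terraform zip file checksum mismatch"
  mkdir -p terraform || fatal "cannot create ./terraform"
  # -d replaces the cd/unzip/cd dance: a failed cd would have unzipped into
  # the current directory instead of ./terraform.
  unzip -qu "$zip" -d terraform || fatal "cannot unpack ${zip}"
}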
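# Dispatch on the first argument; anything unknown prints usage and fails.
case "${1:-}" in
  build)
    : "${DOCKER_IMAGE_NAME:?DOCKER_IMAGE_NAME must be set (see version.sh)}"
    custom_build_steps
    docker build -t "${DOCKER_IMAGE_NAME}" . || fatal "Docker build failed"
    ;;
  run)
    : "${DOCKER_IMAGE_NAME:?DOCKER_IMAGE_NAME must be set (see version.sh)}"
    shift # remove 'run' from arg list
    # "$@" keeps every remaining argument as one word; the unquoted $@ split
    # values containing spaces into several terraform arguments.
    docker run -ti --rm "${DOCKER_IMAGE_NAME}" "$@" || fatal "Terraform failed"
    ;;
  *)
    usage
    exit 1
    ;;
esac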
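#!/bin/sh
# compose.sh - run docker-compose with the environment the compose file
# expects (DOCKER_IMAGE_NAME from version.sh, EXTERNAL_IP from docker-machine).
. "$(dirname "$0")/version.sh"
# DOCKER_IMAGE_NAME is defined in version.sh
export DOCKER_IMAGE_NAME
# Assign and export on separate lines: "export X=$(cmd)" always succeeds, so a
# failing docker-machine went unnoticed and left EXTERNAL_IP empty.  Failure is
# reported but not fatal, to keep the original best-effort behaviour.
EXTERNAL_IP=$(docker-machine ip) || printf 'warning: docker-machine ip failed; EXTERNAL_IP is empty\n' >&2
export EXTERNAL_IP
exec docker-compose "$@"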
version: "2"
services:
  terraform:
    build: .
    # from ./version.sh via ./compose.sh
    image: ${DOCKER_IMAGE_NAME}
    # first argument handed to the image's ENTRYPOINT (terraform.sh)
    command: apply
    # environment:
    # - "TF_LOG=DEBUG"
    dns:
      # for some reason docker internal dns often fails
      # NOTE(review): pinning public resolvers sends the container's DNS
      # queries to a third party and bypasses any internal resolver; confirm
      # that is acceptable wherever this image is run.
      - 8.8.8.8
      - 8.8.4.4
# Terraform runner image: Alpine plus the AWS CLI and the Terraform binary
# that ./build.sh unpacks into ./terraform.  Entry point is terraform.sh.
FROM alpine:3.4
# ca-certificates required to use AWS APIs
# NOTE(review): pip and awscli are installed without version pins, so two
# builds of this file can produce different images; pin them for
# reproducible builds.
RUN apk --no-cache add py-pip ca-certificates curl openjdk8-jre-base jq \
 && pip install -U pip \
 && pip install -U awscli
# "make terraform work" trick from http://stackoverflow.com/a/35613430
# assume MUSL-libc is compatible "enough" with Glibc for Terraform needs
RUN mkdir -p /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2
# terraform is downloaded by ./build.sh
# NOTE(review): this copies the whole build context, and terraform.sh
# requires secrets.tfvars (AWS credentials) in this directory, so those
# credentials land in an image layer unless a .dockerignore excludes them.
# Mounting secrets.tfvars at run time avoids baking them into the image.
COPY . /opt/terraform
# ./terraform/ holds the binary unpacked by custom_build_steps in build.sh
COPY terraform/ /usr/local/bin/
WORKDIR /opt/terraform
# for a build to succeed - validation must pass!
RUN chmod +x /usr/local/bin/terraform* \
 && find . -name "*.sh" -exec chmod +x {} + \
 && terraform validate
ENTRYPOINT [ "/opt/terraform/terraform.sh" ]
# default action for terraform.sh; docker-compose.yml overrides it with "apply"
CMD [ "plan" ]
#!/bin/sh
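# Print "ERROR: <all arguments>" on stderr and exit 1.  %b expands the "\n"
# escapes that callers embed in their messages, like "echo -e" did, but
# portably: dash's echo has no -e and would print it literally.
# Arguments: $@ - message parts, joined with single spaces
fatal() { printf 'ERROR: %b\n' "$*" >&2; exit 1; }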
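# The action is the first argument (default "plan"); the rest is passed on to
# terraform as extra arguments.
action=${1:-"plan"}
# Only shift when there is something to shift: 'shift' on an empty argument
# list is a special-builtin error that makes a non-interactive sh exit.
[ $# -gt 0 ] && shift
# NOTE(review): every case arm below already passes "-var-file secrets.tfvars",
# so this default repeats that flag when no extra arguments are given.
arguments=${*:-"-var-file secrets.tfvars"}
# FIRST: check sanity
aws --version || fatal 'The `aws` CLI tool is not available.'
terraform --version || fatal 'The `terraform` CLI tool is not available.'
[ ! -f secrets.tfvars ] && \
  fatal "secrets.tfvars with AWS credentials is required.\n" \
        "Use example from secrets.tfvars.example."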
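#######################################
# Retrieve a quoted value by name: first from a `name = "value"` line in
# secrets.tfvars, then from the default of a one-line
# `variable "name" { ... "value" }` in variables.tf.
# Arguments: $1 - variable name.  It is spliced into a sed pattern, so it must
#                 be one of the fixed names used in this script, never input
#                 from outside.
# Outputs:   the value on stdout without a trailing newline; nothing when the
#            name is found in neither file
#######################################
get_secret() {
  local name secret
  name=$1
  # [[:space:]] is the POSIX spelling of GNU sed's \s, so this also works with
  # BSD/busybox sed.
  secret=$(sed -ne 's/^[[:space:]]*'"$name"'[[:space:]]*=[^"]*"\([^"]*\)".*$/\1/gp' secrets.tfvars)
  # The original group was "\([^"]*\)*"; the extra * made the back-reference
  # ambiguous (a trailing empty iteration can leave \1 empty).  [^"]* already
  # spans the whole quoted value.
  [ -z "$secret" ] && \
    secret=$(sed -ne 's/variable.*"'"$name"'"[^"]*"\([^"]*\)".*$/\1/gp' variables.tf)
  # printf replaces "echo -n" (not portable) and prints the value as one word.
  printf '%s' "$secret"
}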
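# first, check sanity!  A failed validate used to be ignored and the script
# went on to configure remote state anyway.
terraform validate || fatal "terraform validate failed"
# configure remote state for pulling/pushing across different sessions
# NOTE(review): access_key/secret_key are passed as command-line arguments and
# are therefore visible in the process list while this command runs; check
# whether the s3 backend also reads them from the environment and prefer that
# form if it does.
terraform remote config \
  -backend=s3 \
  -backend-config="bucket=$(get_secret tfstate_s3_bucket)" \
  -backend-config="access_key=$(get_secret tfstate_aws_access_key)" \
  -backend-config="secret_key=$(get_secret tfstate_aws_secret_key)" \
  -backend-config="region=$(get_secret tfstate_aws_region)" \
  -backend-config="key=$(get_secret tfstate_aws_key)" \
  -backend-config="acl=private" \
  || fatal "terraform remote config failed"
# always needs to happen! update modules, even local folder ones.
terraform get || fatal "terraform get failed"
# always push config back to remote when the script exits; the trap is set
# only after remote config succeeded, so an earlier fatal() pushes nothing.
trap "terraform remote push" EXIT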
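# Run the requested action.  $arguments is deliberately left unquoted: it is
# one string holding several terraform arguments and must be word-split.
# shellcheck disable=SC2086
case "$action" in
  apply)
    # terraform plan -var-file secrets.tfvars $arguments
    terraform apply -var-file secrets.tfvars $arguments
    # apply also displays outputs at the end
    # pushed again by the EXIT trap; this pushes the new state right away
    terraform remote push # push config back to remote
    ;;
  output)
    terraform output -var-file secrets.tfvars $arguments
    ;;
  plan)
    terraform plan -var-file secrets.tfvars $arguments
    ;;
  destroy)
    # -force skips the interactive confirmation; there is no prompt in a
    # container started by docker-compose
    terraform destroy -force -var-file secrets.tfvars $arguments
    terraform remote push # push config back to remote
    ;;
  refresh)
    terraform refresh -var-file secrets.tfvars $arguments
    ;;
  *)
    # any other word is passed straight through as a terraform subcommand
    terraform "$action" -var-file secrets.tfvars $arguments
    ;;
esac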
# Keep the container running so 'docker-compose exec terraform sh' has
# something to attach to; Ctrl-C ends the loop.
printf '\n%s\n%s\n%s\n' \
  '################################################################################' \
  'Infinite loop for your `docker-compose exec terraform sh`. Ctrl-C to stop.' \
  '################################################################################'
while :; do
  sleep 10
done