-
-
Save stone-monkeys/25fd683b3f1379ebb8a26a6c92922da1 to your computer and use it in GitHub Desktop.
Setup config & continue config files
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| version: 2.1 | |
| orbs: | |
| terraform: circleci/terraform@3.1.0 | |
| parameters: | |
| cluster_suffix: | |
| type: string | |
| default: "solutions-eng" | |
| is_main_branch: | |
| type: boolean | |
| default: false | |
| statefile_to_destroy: | |
| type: string | |
| default: "" | |
| jobs: | |
| provision-eks: | |
| docker: | |
| - image: cimg/aws:2022.06.1 | |
| environment: | |
| AWS_DEFAULT_REGION: us-west-2 | |
| steps: | |
| - checkout | |
| - run: | |
| # Need to ensure cluster name is trimmed to not exceed 37 characters. See comment in eks/vpc.tf for more context. | |
| command: | | |
| temp_cluster_name=$(echo "cera-<< pipeline.parameters.cluster_suffix >><<^pipeline.parameters.is_main_branch>>-<< pipeline.git.branch >><</pipeline.parameters.is_main_branch>>" | cut -c 1-37) | |
| echo "Cluster name is: $temp_cluster_name" | |
| echo "export cluster_name=$temp_cluster_name" >> $BASH_ENV | |
| - enable-oidc | |
| - terraform/install: | |
| terraform_version: 1.2.5 | |
| - terraform/init: | |
| path: /home/circleci/project/eks | |
| backend_config: key=statefiles/cera/<< pipeline.git.branch >> | |
| - terraform/plan: | |
| var: cluster_suffix=<< pipeline.parameters.cluster_suffix >><<^pipeline.parameters.is_main_branch>>-<< pipeline.git.branch >><</pipeline.parameters.is_main_branch>> | |
| path: /home/circleci/project/eks | |
| - terraform/apply: | |
| var: cluster_suffix=<< pipeline.parameters.cluster_suffix >><<^pipeline.parameters.is_main_branch>>-<< pipeline.git.branch >><</pipeline.parameters.is_main_branch>> | |
| path: /home/circleci/project/eks | |
| - run: | |
| name: Install Metrics Server (required for `kubectl top`) | |
| command: | | |
| aws eks update-kubeconfig --name $cluster_name | |
| kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml | |
| create-sa: | |
| docker: | |
| - image: cimg/aws:2022.06.1 | |
| environment: | |
| AWS_DEFAULT_REGION: us-west-2 | |
| steps: | |
| - checkout | |
| - enable-oidc | |
| - run: | |
| # Need to ensure cluster name is trimmed to not exceed 37 characters. See comment in eks/vpc.tf for more context. | |
| command: | | |
| cluster_name=$(echo "cera-<< pipeline.parameters.cluster_suffix >><<^pipeline.parameters.is_main_branch>>-<< pipeline.git.branch >><</pipeline.parameters.is_main_branch>>" | cut -c 1-37) | |
| aws eks update-kubeconfig --name $cluster_name \ | |
| --alias << pipeline.parameters.cluster_suffix >> | |
| name: Pull kubeconfig | |
| - terraform/install: | |
| terraform_version: 1.3.3 | |
| - terraform/init: | |
| path: /home/circleci/project/service-accounts | |
| backend_config: key=statefiles/cera/accounts-<< pipeline.git.branch >> | |
| - terraform/plan: | |
| var: context=<< pipeline.parameters.cluster_suffix >> | |
| var_file: values.tfvars | |
| path: /home/circleci/project/service-accounts | |
| - terraform/apply: | |
| var: context=<< pipeline.parameters.cluster_suffix >> | |
| var_file: values.tfvars | |
| path: /home/circleci/project/service-accounts | |
| - when: | |
| condition: | |
| equal: [ main, << pipeline.git.branch >> ] | |
| steps: | |
| - run: | |
| name: Update Credentials for App Teams | |
| command: bash .circleci/credential_updater.sh | |
| # Since feature branches create their own cluster, we dont want to update contexts | |
| # otherwise it would replace production credentials. | |
| # Testing BOA deployments to a dev cluster requires workarounds, but should be uncommon | |
| destroy-eks: | |
| docker: | |
| - image: cimg/aws:2022.06.1 | |
| environment: | |
| AWS_DEFAULT_REGION: us-west-2 | |
| steps: | |
| - when: | |
| condition: | |
| equal: [ main, << pipeline.parameters.statefile_to_destroy >> ] | |
| steps: | |
| - run: | |
| command: | | |
| echo "Cannot perform terraform destroy on CERA main cluster" | |
| exit 1 | |
| - checkout | |
| - enable-oidc | |
| - terraform/init: | |
| path: /home/circleci/project/eks | |
| backend_config: key=statefiles/cera/<< pipeline.git.branch >> | |
| - terraform/destroy: | |
| var: cluster_suffix=<< pipeline.parameters.cluster_suffix >><<^pipeline.parameters.is_main_branch>>-<< pipeline.git.branch >><</pipeline.parameters.is_main_branch>> | |
| path: /home/circleci/project/eks | |
| - run: | |
| command: | | |
| aws s3 rm s3://se-cluster-tf/statefiles/cera/<< pipeline.git.branch >> | |
| aws s3 rm s3://se-cluster-tf/statefiles/cera/accounts-<< pipeline.git.branch >> | |
| name: Deleting statefile | |
| workflows: | |
| test-and-deploy-terraform: | |
| unless: << pipeline.parameters.statefile_to_destroy >> | |
| jobs: | |
| - provision-eks: | |
| context: reference-arch-aws-oidc | |
| - create-sa: | |
| name: Create-App-SA | |
| context: reference-arch-aws-oidc | |
| requires: [ provision-eks ] | |
| - hold: | |
| filters: | |
| branches: | |
| ignore: main | |
| type: approval | |
| requires: [ "Create-App-SA" ] | |
| - destroy-eks: | |
| filters: | |
| branches: | |
| ignore: main | |
| context: reference-arch-aws-oidc | |
| requires: [ hold ] | |
| terraform-destroy: | |
| when: << pipeline.parameters.statefile_to_destroy >> | |
| jobs: | |
| - destroy-eks: | |
| context: reference-arch-aws-oidc | |
| commands: | |
| enable-oidc: | |
| steps: | |
| - run: | |
| name: authenticate-and-interact | |
| command: | | |
| # use the OpenID Connect token to obtain AWS credentials | |
| read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN \<<< \ | |
| $(aws sts assume-role-with-web-identity \ | |
| --role-arn ${AWS_ROLE_ARN} \ | |
| --role-session-name "CircleCI-${CIRCLE_WORKFLOW_ID}-${CIRCLE_JOB}" \ | |
| --web-identity-token $CIRCLE_OIDC_TOKEN \ | |
| --duration-seconds 3600 \ | |
| --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \ | |
| --output text) | |
| export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN | |
| # interact with AWS | |
| aws sts get-caller-identity | |
| echo "export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}" >> $BASH_ENV | |
| echo "export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}" >> $BASH_ENV | |
| echo "export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}" >> $BASH_ENV | |
| source $BASH_ENV | |
| # VS Code Extension Version: 1.0.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| version: 2.1 | |
| setup: true | |
| parameters: | |
| statefile_to_destroy: | |
| type: string | |
| default: "" | |
| orbs: | |
| continuation: circleci/continuation@0.3.1 | |
| jobs: | |
| build: | |
| docker: | |
| - image: cimg/base:2022.07 | |
| steps: | |
| - checkout | |
| - run: | |
| command: | | |
| if [[ "main" == "<< pipeline.git.branch >>" ]]; then | |
| echo '{"is_main_branch": true}' >> parameters.json | |
| else | |
| echo '{"is_main_branch": false}' >> parameters.json | |
| fi | |
| name: Check if running on main branch | |
| - continuation/continue: | |
| configuration_path: .circleci/continue_config.yml | |
| parameters: parameters.json |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment