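---
# Argo WorkflowTemplate for a gated Terraform run: `plan` renders the
# configuration and saves a plan, `approve` suspends the workflow until a
# human resumes it, and `apply` applies the saved plan. Credentials are
# delivered by the Vault agent injector through the pod annotations below.
apiVersion: argoproj.io/v1alpha1
kind: WorkflowTemplate
metadata:
  name: terraform
  namespace: argo
spec:
  templates:
    - name: plan
      inputs:
        artifacts:
          - name: terraform
            path: /home/terraform
            git:
              # No `revision` is set, so every run plans whatever the default
              # branch holds at clone time. Pin `revision` to a reviewed
              # commit when the planned code must match what was reviewed.
              repo: https://github.com/descrepes/terraform-argo-consul-templaterb-demo.git
              depth: 1
      serviceAccountName: argo
      script:
        imagePullPolicy: "Always"
        # Mutable tag plus `Always`: the pod runs whatever the registry
        # currently serves under this tag while it holds a Vault token and
        # cloud credentials. Consider pinning by digest
        # (image@sha256:<digest-of-the-verified-image>).
        image: descrepes/terraform:0.12.9-demo-consul-templaterb
        env:
          - name: HOST_IP
            valueFrom:
              fieldRef:
                fieldPath: status.hostIP
          # Consul is reached over plain HTTP on the node IP.
          - name: CONSUL_HTTP_ADDR
            value: http://$(HOST_IP):8500
        command: ["sh"]
        source: |
          # Render the Terraform .erb templates with consul-templaterb.
          consul-templaterb \
            -t /home/terraform/01-providers.tf.erb:/home/myuser/01-providers.tf \
            -t /home/terraform/10-clients.tf.erb:/home/myuser/10-clients.tf \
            -o
          # Save the status first: after `echo`, $? would be echo's status (0)
          # and the step would report success on a rendering failure.
          rc=$?
          if [ "$rc" -ne 0 ]; then
            echo "Consul-Templaterb error !"
            exit "$rc"
          fi
          if [ ! -f "/home/myuser/01-providers.tf" ]; then
            echo "/home/myuser/01-providers.tf does not exist !"
            exit 2
          fi
          export VAULT_ADDR="https://vault.default:8200"
          # SECURITY: disables TLS certificate verification for Vault, so the
          # token and every secret read travel over a channel whose peer is
          # not authenticated. Prefer trusting the Vault CA (VAULT_CACERT).
          export VAULT_SKIP_VERIFY="true"
          export VAULT_TOKEN="$(cat /vault/secrets/token)"
          # `.` is the POSIX spelling of `source`; the script runs under `sh`.
          . /home/myuser/.env/azure
          . /home/myuser/.env/cloudflare
          . /home/myuser/.env/pingdom
          cp -r /home/terraform/manifests /home/myuser/
          # Stop here if init fails instead of planning an uninitialised dir.
          /bin/terraform init -input=false /home/myuser || exit $?
          /bin/terraform plan -parallelism=2 -input=false -no-color -out=/home/myuser/tfclientsplan /home/myuser >> /tmp/terraform-change.log
      outputs:
        artifacts:
          # SECURITY: the whole of /home/myuser/ is uploaded uncompressed.
          # That includes the saved plan (Terraform plan files can hold
          # sensitive values in clear text) and the directory under which the
          # Vault agent renders credentials (/home/myuser/.env).
          # NOTE(review): confirm whether the rendered .env files end up in
          # the artifact, and restrict access to the artifact repository.
          - name: terraform-plan
            path: /home/myuser/
            archive:
              none: {}
          # Plan output can echo resource attributes; treat the log as
          # sensitive as well.
          - name: terraform-log
            path: /tmp/terraform-change.log
            archive:
              none: {}
      metadata:
        annotations:
          vault.hashicorp.com/agent-inject: "true"
          vault.hashicorp.com/role: "terraform"
          vault.hashicorp.com/agent-inject-token: "true"
          # SECURITY: the injected agent skips TLS verification towards
          # Vault. Supply the CA instead (vault.hashicorp.com/tls-secret with
          # vault.hashicorp.com/ca-cert) and drop this annotation.
          vault.hashicorp.com/tls-skip-verify: "true"
          vault.hashicorp.com/agent-inject-secret-azure: "argo/azure"
          # The rendered files are sourced by the shell script, and keys and
          # values are written unquoted: a value containing whitespace or
          # shell metacharacters is interpreted by the shell rather than
          # assigned verbatim. Keep write access to these Vault paths tight,
          # or render the values shell-quoted.
          vault.hashicorp.com/agent-inject-template-azure: |
            {{- with secret "argo/azure" -}}
            {{ range $k, $v := .Data.data }}
            export ARM_{{ $k }}={{ $v }}
            {{ end }}
            {{- end -}}
          vault.hashicorp.com/secret-volume-path-azure: "/home/myuser/.env"
          vault.hashicorp.com/agent-inject-secret-cloudflare: "argo/cloudflare"
          vault.hashicorp.com/agent-inject-template-cloudflare: |
            {{- with secret "argo/cloudflare" -}}
            export CLOUDFLARE_API_TOKEN={{.Data.data.api_token}}
            export TF_VAR_cloudflare_zone_id={{.Data.data.zone_id}}
            {{- end -}}
          vault.hashicorp.com/secret-volume-path-cloudflare: "/home/myuser/.env"
          vault.hashicorp.com/agent-inject-secret-pingdom: "argo/pingdom"
          vault.hashicorp.com/agent-inject-template-pingdom: |
            {{- with secret "argo/pingdom" -}}
            export TF_VAR_pingdom_user={{ .Data.data.username }}
            export TF_VAR_pingdom_password={{ .Data.data.password }}
            export TF_VAR_pingdom_api_key={{ .Data.data.api_key }}
            {{- end -}}
          vault.hashicorp.com/secret-volume-path-pingdom: "/home/myuser/.env"
    - name: apply
      inputs:
        artifacts:
          # The plan step's /home/myuser/ directory is restored here, so the
          # saved plan is found at /home/terraform/tfclientsplan.
          - name: terraform-plan
            path: /home/terraform
      serviceAccountName: argo
      script:
        imagePullPolicy: "Always"
        # Same mutable tag as the plan step; pin both to one digest so the
        # plan is applied by the image that produced it.
        image: descrepes/terraform:0.12.9-demo-consul-templaterb
        env:
          - name: HOST_IP
            valueFrom:
              fieldRef:
                fieldPath: status.hostIP
          - name: CONSUL_HTTP_ADDR
            value: http://$(HOST_IP):8500
        command: ["sh"]
        source: |
          export VAULT_ADDR="https://vault.default:8200"
          # SECURITY: TLS verification towards Vault is disabled here too;
          # prefer trusting the Vault CA (VAULT_CACERT).
          export VAULT_SKIP_VERIFY="true"
          export VAULT_TOKEN="$(cat /vault/secrets/token)"
          # `.` is the POSIX spelling of `source`; the script runs under `sh`.
          . /home/myuser/.env/azure
          . /home/myuser/.env/cloudflare
          . /home/myuser/.env/pingdom
          /bin/terraform apply -input=false -parallelism=2 -no-color /home/terraform/tfclientsplan
      metadata:
        annotations:
          vault.hashicorp.com/agent-inject: "true"
          vault.hashicorp.com/role: "terraform"
          vault.hashicorp.com/agent-inject-token: "true"
          # SECURITY: see the plan template; supply the Vault CA instead of
          # skipping verification.
          vault.hashicorp.com/tls-skip-verify: "true"
          vault.hashicorp.com/agent-inject-secret-azure: "argo/azure"
          # Rendered unquoted and then sourced by the script: secret values
          # with shell metacharacters are interpreted by the shell.
          vault.hashicorp.com/agent-inject-template-azure: |
            {{- with secret "argo/azure" -}}
            {{ range $k, $v := .Data.data }}
            export ARM_{{ $k }}={{ $v }}
            {{ end }}
            {{- end -}}
          vault.hashicorp.com/secret-volume-path-azure: "/home/myuser/.env"
          vault.hashicorp.com/agent-inject-secret-cloudflare: "argo/cloudflare"
          vault.hashicorp.com/agent-inject-template-cloudflare: |
            {{- with secret "argo/cloudflare" -}}
            export CLOUDFLARE_API_TOKEN={{.Data.data.api_token}}
            {{- end -}}
          vault.hashicorp.com/secret-volume-path-cloudflare: "/home/myuser/.env"
          vault.hashicorp.com/agent-inject-secret-pingdom: "argo/pingdom"
          vault.hashicorp.com/agent-inject-template-pingdom: |
            {{- with secret "argo/pingdom" -}}
            export TF_VAR_pingdom_user={{ .Data.data.username }}
            export TF_VAR_pingdom_password={{ .Data.data.password }}
            export TF_VAR_pingdom_api_key={{ .Data.data.api_key }}
            {{- end -}}
          vault.hashicorp.com/secret-volume-path-pingdom: "/home/myuser/.env"
    # Manual gate: the workflow stays suspended here until it is resumed.
    - name: approve
      suspend: {}
    # Entry point DAG: plan -> approve -> apply.
    - name: update
      dag:
        tasks:
          - name: plan
            template: plan
            # NOTE(review): `outputs` is not a field DAG tasks are known to
            # accept; the `plan` template already declares this artifact.
            # Confirm whether this stanza has any effect.
            outputs:
              artifacts:
                - name: terraform-plan
                  path: /home/myuser/
          - name: approve
            dependencies: [plan]
            template: approve
          - name: apply
            template: apply
            dependencies: [plan, approve]
            arguments:
              artifacts:
                # Hand the reviewed plan to apply so it applies exactly
                # what the plan step produced.
                - name: terraform-plan
                  from: "{{tasks.plan.outputs.artifacts.terraform-plan}}"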