
Announcing Terraform Integration Named Profiles

Happy Friday, folks! The spin team has been hard at work adding our Terraform Integration Named Profiles feature that integrates with Fiat for Authz. Now our customers have the ability to add more guardrails for their build, provision, and deploy experience. This helps to break down silos between teams as it’s adding a level of confidence for DevOps and SecOps.

We just wrapped up that work and recorded a short demo video, shown below:

Armory Spinnaker’s Terraform Integration integrates your infrastructure-as-code Terraform workflow into your SDLC. Armory’s Terraform Integration interacts with a source repository you specify to deploy your infrastructure as part of a Spinnaker pipeline.

Once you have installed Armory Spinnaker 2.20 and then configured and enabled the Terraform Integration, the instructions below walk you through configuring profiles.

Profiles

A profile gives users the ability to reference certain kinds of external sources, such as a private remote repository, when creating pipelines. The supported credentials are described in Types of credentials.

Types of credentials

The Terraform Integration supports several credential types for profiles, covering the different sources a Terraform action may need to authenticate to:

  • AWS
  • SSH
  • Static

If you don’t see a credential that suits your use case, let us know!

For information about how to configure a Profile, see Configuring a profile.

AWS

Use the aws credential type to authenticate to AWS. There are two ways to do this: define a static key pair, or name a role that should be assumed before a Terraform action is executed.

For defining a static key pair, supply an accessKeyId and a secretAccessKey:

- name: devops # Unique name for the profile. Shows up in Deck.
  variables:
  - kind: aws # Type of credential 
    options:
      accessKeyId: AKIAIOWQXTLW36DV7IEA
      secretAccessKey: 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

For assuming a role instead of defining a static set of credentials, supply the ARN of the role to assume:

- name: devops # Unique name for the profile. Shows up in Deck.
  variables:
  - kind: aws # Type of credential 
    options:
      assumeRole: arn:aws:iam::012345567:role/roleAssume

When assuming a role, if accessKeyId and secretAccessKey are also supplied, the Terraform Integration uses those credentials to assume the role. Otherwise, authentication comes from the environment, such as a machine role or a shared credentials file.

SSH Key

Use the git-ssh credential kind to authenticate to private Git repositories that your Terraform actions use as modules. The supplied SSH key is available to Terraform for the duration of the execution, allowing it to fetch any modules it needs. Note that sshPrivateKey is a child of options, so it is indented one level further:

- name: pixel-git # Unique name for the profile. Shows up in Deck.
  variables:
  - kind: git-ssh # Type of credential
    options:
      sshPrivateKey: encrypted:vault!e:<secret engine>!p:<path to secret>!k:<key>!b:<is base64 encoded?>

Static

Use the static credential kind to provide any arbitrary key/value pair that none of the other credential kinds covers. For example, if you want every user of the devops profile to run with AWS_REGION=us-west-2, use the following static credential configuration:

- name: devops # Unique name for the profile. Shows up in Deck.
  variables:
  - kind: static # Type of credential 
    options:
      name: AWS_REGION
      value: us-west-2

Configuring a Profile

Configure profiles that users can select when creating a Terraform Integration stage:

  1. In the .hal/default/profiles directory, create or edit terraformer-local.yml.
  2. Add the values for the profile(s) you want to add under the profiles section. The following example adds a profile named pixel-git for an SSH key secured in Vault (sshPrivateKey must be nested under options):
    - name: pixel-git # Unique profile name displayed in Deck
      variables:
      - kind: git-ssh
        options:
          sshPrivateKey: encrypted:vault!e:<secret engine>!p:<path to secret>!k:<key>!b:<is base64 encoded?>

    When a user creates or edits a Terraform Integration stage in Deck, they can select the profile pixel-git from a dropdown.

    Keep the following in mind when adding profiles:

    • You can add multiple profiles under the profiles section.
    • Do not commit plain text secrets to terraformer-local.yml. Instead, use a secret store: Vault, an encrypted S3 bucket, or an encrypted GCS bucket.
    • For SSH keys, only one option parameter is supported per profile: either the key itself (sshPrivateKey) or the path to a private key file (sshPrivateKeyFilePath), never both. To use a key file, set sshPrivateKeyFilePath to the path of the key file; the path can itself be an encrypted reference resolved from a secret store such as Vault. The following options example uses sshPrivateKeyFilePath:
      options:
        sshPrivateKeyFilePath: encryptedFile:<secret_store>!e:...

      For more information, see the documentation for your secret store.

  3. Save the file.
  4. Apply your changes:
    hal deploy apply
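The notes above describe several ways a profile can go wrong before it ever reaches hal deploy apply: a plaintext secret, both SSH options in one profile, an aws block with neither keys nor a role, or an options block whose children are mis-indented (which YAML parses as options: null with the key as a sibling). The linter below is an added example, not part of Armory's tooling; it assumes the profiles list has already been loaded from terraformer-local.yml (for example with PyYAML's yaml.safe_load), and the sample data is constructed to mirror the page's examples.

```python
SECRET_PREFIXES = ("encrypted:", "encryptedFile:")        # secret-store references
SSH_OPTIONS = ("sshPrivateKey", "sshPrivateKeyFilePath")  # only one allowed per profile


def is_secret_ref(value) -> bool:
    # A value that does not point into a secret store is treated as plaintext.
    return isinstance(value, str) and value.startswith(SECRET_PREFIXES)


def aws_auth_mode(options: dict) -> str:
    """Which AWS auth path a kind: aws block selects, following the documented precedence."""
    has_keys = {"accessKeyId", "secretAccessKey"} <= set(options)
    if "assumeRole" in options:
        return "assume-role-with-static-keys" if has_keys else "assume-role-from-environment"
    return "static-keys" if has_keys else "invalid"


def lint_profiles(profiles: list) -> list:
    """Return findings for a parsed `profiles` list; an empty list means it looks sane."""
    findings = []
    for profile in profiles:
        name = profile.get("name", "<unnamed>")
        for var in profile.get("variables", []):
            kind, opts = var.get("kind"), var.get("options") or {}  # mis-indented options -> None
            if kind == "aws":
                if aws_auth_mode(opts) == "invalid":
                    findings.append(f"{name}: aws needs assumeRole or accessKeyId+secretAccessKey")
                if "secretAccessKey" in opts and not is_secret_ref(opts["secretAccessKey"]):
                    findings.append(f"{name}: secretAccessKey is plaintext; use a secret store")
            elif kind == "git-ssh":
                present = [k for k in SSH_OPTIONS if k in opts]
                if len(present) != 1:
                    findings.append(f"{name}: git-ssh needs exactly one of {SSH_OPTIONS}")
                findings += [f"{name}: {k} is plaintext; use a secret store" for k in present if not is_secret_ref(opts[k])]
            elif kind == "static":
                if not {"name", "value"} <= set(opts):
                    findings.append(f"{name}: static needs both name and value")
            else:
                findings.append(f"{name}: unknown credential kind {kind!r}")
    return findings


# Constructed sample: the structure yaml.safe_load would return for a small terraformer-local.yml.
SAMPLE_PROFILES = [
    {"name": "devops", "variables": [
        {"kind": "aws", "options": {"assumeRole": "arn:aws:iam::012345567:role/roleAssume"}},
        {"kind": "static", "options": {"name": "AWS_REGION", "value": "us-west-2"}}]},
    {"name": "pixel-git", "variables": [
        {"kind": "git-ssh", "options": {"sshPrivateKey": "encrypted:vault!e:kv!p:tf/deploy!k:key!b:true"}}]},
    {"name": "legacy", "variables": [  # plaintext key AND a file path: three findings
        {"kind": "git-ssh", "options": {"sshPrivateKey": "-----BEGIN OPENSSH PRIVATE KEY-----",
                                        "sshPrivateKeyFilePath": "/tmp/id_rsa"}}]},
]
```

Running lint_profiles(SAMPLE_PROFILES) reports only the legacy profile; the devops and pixel-git entries pass, and the role-only devops block resolves to assume-role-from-environment.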

In summary, your organization now has the ability to add more guardrails to your build, provision, and deploy experience. This helps break down silos between teams by adding a level of confidence for both DevOps and SecOps.

Next Steps