Happy Friday, folks! The Spinnaker team has been hard at work adding our Terraform Integration Named Profiles feature, which integrates with Fiat for authorization. Our customers can now add more guardrails to their build, provision, and deploy experience. This helps break down silos between teams by giving both DevOps and SecOps more confidence in what a pipeline is allowed to do.
We just wrapped up that work and recorded a short demo video, shown below:
Armory Spinnaker’s Terraform Integration integrates your infrastructure-as-code Terraform workflow into your SDLC. Armory’s Terraform Integration interacts with a source repository you specify to deploy your infrastructure as part of a Spinnaker pipeline.
Once you have installed Armory Spinnaker 2.20 and configured and enabled the Terraform Integration, the instructions below walk you through getting profiles configured.
Profiles
A profile gives users the ability to reference certain kinds of external sources, such as a private remote repository, when creating pipelines. The supported credentials are described in Types of credentials.
Types of credentials
The Terraform Integration supports several credential kinds for Profiles, covering the different use cases the integration is put to:
- AWS
- SSH
- Static
If you don’t see a credential that suits your use case, let us know!
For information about how to configure a Profile, see Configuring a profile.
AWS
Use the `aws` credential kind to provide authentication to AWS. There are two ways to do so: define a static key pair, or name a role that should be assumed before a Terraform action is executed.

For a static key pair, supply an `accessKeyId` and a `secretAccessKey`:

```yaml
- name: devops # Unique name for the profile. Shows up in Deck.
  variables:
  - kind: aws # Type of credential
    options:
      accessKeyId: AKIAIOWQXTLW36DV7IEA
      secretAccessKey: iASuXNKcWKFtbO8Ef0vOcgtiL6knR20EJkJTH8WI # Example value only: in terraformer-local.yml reference the secret from a secret store (see Configuring a Profile)
```
For assuming a role instead of defining a static set of credentials, supply the ARN of the role to assume:

```yaml
- name: devops # Unique name for the profile. Shows up in Deck.
  variables:
  - kind: aws # Type of credential
    options:
      assumeRole: arn:aws:iam::012345567:role/roleAssume
```

When assuming a role, if `accessKeyId` and `secretAccessKey` are supplied, the Terraform Integration uses these credentials to assume the role. Otherwise, the environment is used for authentication, such as a machine role or a shared credentials file.
SSH Key
Use the `git-ssh` credential kind to provide authentication to private Git repositories used as modules within your Terraform actions. The supplied SSH key is available to Terraform for the duration of your execution, allowing it to fetch any modules it needs:

```yaml
- name: pixel-git # Unique name for the profile. Shows up in Deck.
  variables:
  - kind: git-ssh # Type of credential
    options:
      sshPrivateKey: encrypted:vault!e:<secret engine>!p:<path to secret>!k:<key>!b:<is base64 encoded?>
```
Static
Use the `static` credential kind to provide any arbitrary key/value pair that isn't covered by the other credential kinds. For example, if you want all users of the `devops` profile to execute with `AWS_REGION=us-west-2` set, use the following `static` credential configuration:

```yaml
- name: devops # Unique name for the profile. Shows up in Deck.
  variables:
  - kind: static # Type of credential
    options:
      name: AWS_REGION
      value: us-west-2
```
Configuring a Profile
Configure profiles that users can select when creating a Terraform Integration stage:
- In the `.hal/default/profiles` directory, create or edit `terraformer-local.yml`.
- Add the values for the profile(s) you want to add under the `profiles` section. The following example adds a profile named `pixel-git` for an SSH key secured in Vault:

  ```yaml
  profiles:
  - name: pixel-git # Unique profile name displayed in Deck
    variables:
    - kind: git-ssh
      options:
        sshPrivateKey: encrypted:vault!e:<secret engine>!p:<path to secret>!k:<key>!b:<is base64 encoded?>
  ```

  When a user creates or edits a Terraform Integration stage in Deck, they can select the profile `pixel-git` from a dropdown.

  Keep the following in mind when adding profiles:
  - You can add multiple profiles under the `profiles` section.
  - Do not commit plain text secrets to `terraformer-local.yml`. Instead, use a secret store: Vault, an encrypted S3 bucket, or an encrypted GCS bucket.
  - For SSH keys, each Profile supports only one key option at a time: either the key itself (`sshPrivateKey`) or a path to a key file (`sshPrivateKeyFilePath`). To use a key file, set `sshPrivateKeyFilePath` to the path of the file. The path itself can also be pulled from a secret store such as Vault. The following `options` example uses `sshPrivateKeyFilePath`:

    ```yaml
    options:
      sshPrivateKeyFilePath: encryptedFile:<secret_store>!e:...
    ```

    For more information, see the documentation for your secret store.
- Save the file.
- Apply your changes:

  ```shell
  hal deploy apply
  ```
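Because `hal deploy apply` will happily ship whatever is in `terraformer-local.yml`, it is worth linting the `profiles` section before it is committed or applied. The script below is an example added here, not code from Armory or the Terraform Integration. It encodes the rules stated on this page (supported kinds `aws`, `git-ssh` and `static`; an `aws` variable needs a static key pair or an `assumeRole`; a `git-ssh` variable takes exactly one of `sshPrivateKey` or `sshPrivateKeyFilePath`; profile names must be unique; no plain text secrets) and treats a `secretAccessKey` or `sshPrivateKey` value as plain text unless it carries one of the `encrypted:` / `encryptedFile:` prefixes shown above, which is an assumption about how every secret-store reference is spelled. The sample profiles, including the Vault path, are constructed for the example; `load_profiles` reads a real file if PyYAML is installed.

```python
"""Pre-apply lint for the profiles section of terraformer-local.yml.

Example code added to this post, not part of Armory's Terraform Integration.
Run it with a path to lint a real file, or with no arguments to lint the
constructed BAD_PROFILES sample and see what each rule reports.
"""
import sys
from typing import Any, Dict, List

SUPPORTED_KINDS = {"aws", "git-ssh", "static"}
# Options whose value is itself a secret. A plain text value here is a finding.
SECRET_OPTIONS = ("secretAccessKey", "sshPrivateKey")
# Assumption: secret-store references use the prefixes shown in the profile docs.
SECRET_PREFIXES = ("encrypted:", "encryptedFile:")


def validate_variable(profile: str, var: Dict[str, Any]) -> List[str]:
    """Return the problems found in one entry of a profile's variables list."""
    errors: List[str] = []
    kind = var.get("kind")
    opts: Dict[str, Any] = var.get("options") or {}
    if kind not in SUPPORTED_KINDS:
        return [f"{profile}: unsupported credential kind {kind!r}"]
    if kind == "aws":
        has_id, has_secret = "accessKeyId" in opts, "secretAccessKey" in opts
        if has_id != has_secret:  # half a key pair is never valid
            errors.append(f"{profile}: aws static key pair needs both accessKeyId and secretAccessKey")
        if not (has_id or has_secret or "assumeRole" in opts):
            errors.append(f"{profile}: aws credential needs a static key pair or assumeRole")
    elif kind == "git-ssh":
        present = [k for k in ("sshPrivateKey", "sshPrivateKeyFilePath") if k in opts]
        if len(present) != 1:
            errors.append(f"{profile}: git-ssh needs exactly one of sshPrivateKey or sshPrivateKeyFilePath, got {present}")
    elif kind == "static":
        if "name" not in opts or "value" not in opts:
            errors.append(f"{profile}: static credential needs both name and value")
    for key in SECRET_OPTIONS:
        if key in opts and not str(opts[key]).startswith(SECRET_PREFIXES):
            errors.append(f"{profile}: {key} is plain text; reference it from a secret store instead")
    return errors


def validate_profiles(profiles: List[Dict[str, Any]]) -> List[str]:
    """Validate the whole profiles list; an empty result means it is safe to apply."""
    errors: List[str] = []
    seen = set()
    for prof in profiles:
        name = prof.get("name")
        if not name:
            errors.append("profile without a name")
            continue
        if name in seen:  # Deck shows profiles by name, so duplicates are ambiguous
            errors.append(f"duplicate profile name {name!r}")
        seen.add(name)
        variables = prof.get("variables") or []
        if not variables:
            errors.append(f"{name}: profile has no variables")
        for var in variables:
            errors.extend(validate_variable(name, var))
    return errors


def load_profiles(path: str) -> List[Dict[str, Any]]:
    """Read the profiles list from a terraformer-local.yml on disk (needs PyYAML)."""
    import yaml  # only required when linting a real file
    with open(path, encoding="utf-8") as fh:
        doc = yaml.safe_load(fh) or {}
    return doc.get("profiles") or []


# Constructed sample data standing in for the parsed YAML; the Vault path is made up.
GOOD_PROFILES: List[Dict[str, Any]] = [
    {"name": "devops", "variables": [
        {"kind": "aws", "options": {"assumeRole": "arn:aws:iam::012345567:role/roleAssume"}},
        {"kind": "static", "options": {"name": "AWS_REGION", "value": "us-west-2"}},
    ]},
    {"name": "pixel-git", "variables": [
        {"kind": "git-ssh", "options": {"sshPrivateKey": "encrypted:vault!e:secret!p:terraformer/pixel!k:key!b:false"}},
    ]},
]
BAD_PROFILES: List[Dict[str, Any]] = [
    {"name": "devops", "variables": [  # plain text secret access key
        {"kind": "aws", "options": {"accessKeyId": "AKIAEXAMPLE", "secretAccessKey": "wJalrXUtnFEMI/EXAMPLEKEY"}},
    ]},
    {"name": "devops", "variables": [  # duplicate name, and both SSH key options at once
        {"kind": "git-ssh", "options": {"sshPrivateKey": "encrypted:vault!e:secret!p:terraformer/pixel!k:key!b:false",
                                         "sshPrivateKeyFilePath": "/opt/keys/id_rsa"}},
    ]},
    {"name": "region", "variables": [{"kind": "env", "options": {"AWS_REGION": "us-west-2"}}]},  # unknown kind
]

if __name__ == "__main__":
    profiles = load_profiles(sys.argv[1]) if len(sys.argv) > 1 else BAD_PROFILES
    problems = validate_profiles(profiles)
    for problem in problems:
        print("ERROR:", problem)
    sys.exit(1 if problems else 0)
```

Wire it in as a pre-commit hook or a CI step on the repository that holds your Halyard config, so a plain text `secretAccessKey` or a mis-shaped `git-ssh` profile is rejected before anyone runs `hal deploy apply`.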
In summary, your organization now has the ability to add more guardrails to its build, provision, and deploy experience. This helps break down silos between teams by giving both DevOps and SecOps more confidence in what each pipeline can reach.