Jun 26, 2020 by Kathryn Lewis
Happy Friday, folks! The spin team has been hard at work adding our Terraform Integration Named Profiles feature, which integrates with Fiat for Authz. Now our customers can add more guardrails to their build, provision, and deploy experience. This helps break down silos between teams by adding a level of confidence for DevOps and SecOps.
We just wrapped up that work and created a little demo video, shown below:
Armory Spinnaker’s Terraform Integration integrates your infrastructure-as-code Terraform workflow into your SDLC. Armory’s Terraform Integration interacts with a source repository you specify to deploy your infrastructure as part of a Spinnaker pipeline.
Once you have installed Armory Spinnaker 2.20 and configured and enabled the Terraform Integration, the instructions below walk you through configuring profiles.
A profile gives users the ability to reference certain kinds of external sources, such as a private remote repository, when creating pipelines. The supported credentials are described in Types of credentials.
The Terraform integration supports multiple types of credentials for Profiles to handle the various use cases that you can use the Terraform integration for:
If you don’t see a credential that suits your use case, let us know!
For information about how to configure a Profile, see Configuring a profile.
Use the aws credential type to provide authentication to AWS. There are two methods you can use to provide authentication: defining a static key pair, or defining a role that should be assumed before a Terraform action is executed.
To define a static key pair, supply an accessKeyId and a secretAccessKey:

    - name: devops # Unique name for the profile. Shows up in Deck.
      variables:
      - kind: aws # Type of credential
        options:
          accessKeyId: AKIAIOWQXTLW36DV7IEA
          secretAccessKey: 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

To assume a role instead of defining a static set of credentials, supply the ARN of the role to assume:

    - name: devops # Unique name for the profile. Shows up in Deck.
      variables:
      - kind: aws # Type of credential
        options:
          assumeRole: arn:aws:iam::012345567:role/roleAssume

When assuming a role, if accessKeyId and secretAccessKey are supplied, the Terraform integration uses these credentials to assume the role. Otherwise, the environment is used for authentication, such as a machine role or a shared credentials file.
Use the git-ssh credential kind to provide authentication to private Git repositories used as modules within your Terraform actions. The supplied SSH key is available to Terraform for the duration of your execution, allowing it to fetch any modules it needs:

    - name: pixel-git # Unique name for the profile. Shows up in Deck.
      variables:
      - kind: git-ssh # Type of credential
        options:
          sshPrivateKey: encrypted:vault!e:<secret engine>!p:<path to secret>!k:<key>!b:<is base64 encoded?>

Use the static credential kind to provide any arbitrary key/value pair that isn't supported by any of the other credential kinds. For example, if you want all users of the devops profile to execute against AWS_REGION=us-west-2, use the following static credential configuration:

    - name: devops # Unique name for the profile. Shows up in Deck.
      variables:
      - kind: static # Type of credential
        options:
          name: AWS_REGION
          value: us-west-2

Configure profiles that users can select when creating a Terraform Integration stage:
In the .hal/default/profiles directory, create or edit terraformer-local.yml. Add the profiles you want under the profiles section. The following example adds a profile named pixel-git for an SSH key secured in Vault:

    - name: pixel-git # Unique profile name displayed in Deck
      variables:
      - kind: git-ssh
        options:
          sshPrivateKey: encrypted:vault!e:<secret engine>!p:<path to secret>!k:<key>!b:<is base64 encoded?>

When a user creates or edits a Terraform Integration stage in Deck, they can select the profile pixel-git from a dropdown.
Keep the following in mind when adding profiles:
- Do not put plain text secrets in terraformer-local.yml. Instead, use a secret store: Vault, an encrypted S3 bucket, or an encrypted GCS bucket.
- For SSH keys, use either the key file path (sshPrivateKeyFilePath) or the key (sshPrivateKey) as the option. To use the key file path, use sshPrivateKeyFilePath for the option and provide the path to the key file. The path can also be encrypted using a secret store such as Vault. For example:

    options:
      sshPrivateKeyFilePath: encryptedFile:<secret_store>!e:...

For more information, see the documentation for your secret store.
Apply your changes:

    hal deploy apply
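
A pre-apply check for the two rules in the list above, as an added example (not Armory's code): it scans the text of a profiles list for a secretAccessKey or sshPrivateKey that is not an encrypted: / encryptedFile: reference, and for a git-ssh credential that sets both SSH options. The function name, the line-based parsing and the sample values are assumptions made for this illustration.

```python
import re

# Options that must hold a secret-store reference, not the secret itself.
SECRET_KEYS = {"secretAccessKey", "sshPrivateKey"}
SSH_KEYS = {"sshPrivateKey", "sshPrivateKeyFilePath"}
SAFE_PREFIXES = ("encrypted:", "encryptedFile:")  # reference forms shown on this page
LINE = re.compile(r"^\s*(?:-\s+)?([\w-]+):\s*(.*?)(?:\s+#.*)?$")

# Constructed sample input: every value is made up, none is a real credential.
SAMPLE = """\
- name: devops
  variables:
  - kind: aws
    options:
      accessKeyId: AKIAEXAMPLEEXAMPLE00
      secretAccessKey: constructed-not-a-real-secret
- name: pixel-git
  variables:
  - kind: git-ssh
    options:
      sshPrivateKey: encrypted:vault!e:secret!p:spinnaker/git!k:key!b:false
      sshPrivateKeyFilePath: /home/spinnaker/.ssh/id_rsa
"""

def lint_profiles(text):
    """Return (profile, message) findings for the text of a profiles list."""
    findings, profile, ssh_opts = [], None, []

    def flush():
        # Each git-ssh credential takes the key or the key file path, not both.
        if len(ssh_opts) > 1:
            findings.append((profile, "both " + " and ".join(ssh_opts) + " set"))
        ssh_opts.clear()

    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("'\"")
        if raw.lstrip().startswith("-") and key in ("name", "kind"):
            flush()  # a new profile or a new credential entry starts here
            profile = value if key == "name" else profile
        elif key in SSH_KEYS | SECRET_KEYS:
            if key in SSH_KEYS:
                ssh_opts.append(key)
            if key in SECRET_KEYS and not value.startswith(SAFE_PREFIXES):
                findings.append((profile, key + " is stored in plain text"))
    flush()
    return findings
```

Call lint_profiles() on the contents of terraformer-local.yml before running hal deploy apply; an empty list means neither rule was violated.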
In summary, your organization can now add more guardrails to its build, provision, and deploy experience. This helps break down silos between teams by adding a level of confidence for DevOps and SecOps.