Announcing Terraform Integration Named Profiles
Jun 26, 2020 by Kathryn Lewis
Happy Friday, folks! The spin team has been hard at work adding our Terraform Integration Named Profiles feature that integrates with Fiat for Authz. Now our customers have the ability to add more guardrails for their build, provision, and deploy experience. This helps to break down silos between teams as it’s adding a level of confidence for DevOps and SecOps.
We just wrapped up that work and created a little demo video show below:
Armory Spinnaker’s Terraform Integration integrates your infrastructure-as-code Terraform workflow into your SDLC. Armory’s Terraform Integration interacts with a source repository you specify to deploy your infrastructure as part of a Spinnaker pipeline.
Once you have installed Armory Spinnaker 2.20, then configured and enabled the terraform integration, the below instructions will walk you through how to get profiles configured.
A profile gives users the ability to reference certain kinds of external sources, such as a private remote repository, when creating pipelines. The supported credentials are described in Types of credentials.
Types of credentials
The Terraform integration supports multiple types of credentials for Profiles to handle the various use cases that you can use the Terraform integration for:
If you don’t see a credential that suits your use case, let us know!
For information about how to configure a Profile, see Configuring a profile.
aws credential type to provide authentication to AWS. There are two methods you can use to provide authentication – by defining a static key pair or a role that should be assumed before a Terraform action is executed.
For defining a static key pair, supply an
accessKeyId and a
- name: devops # Unique name for the profile. Shows up in Deck. variables: - kind: aws # Type of credential options: accessKeyId: AKIAIOWQXTLW36DV7IEA secretAccessKey: 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
For assuming a role instead of defining a static set of credentials, supply the ARN of the role to assume:
- name: devops # Unique name for the profile. Shows up in Deck. variables: - kind: aws # Type of credential options: assumeRole: arn:aws:iam::012345567:role/roleAssume
When assuming a role, if
secretAccessKey are supplied, the Terraform integration uses these credentials to assume the role. Otherwise, the environment gets used for authentication, such as a machine role or a shared credentials file.
git-ssh credential kind to provide authentication to private Git repositories used as modules within your Terraform actions. The supplied SSH key will be available to Terraform for the duration of your execution, allowing it to fetch any modules it needs:
- name: pixel-git # Unique name for the profile. Shows up in Deck. variables: - kind: git-ssh # Type of credential options: sshPrivateKey: encrypted:vault!e:<secret engine>!p:<path to secret>!k:<key>!b:<is base64 encoded?>
static credential kind to provide any arbitrary key/value pair that isn’t supported by any of the other credential kinds. For example, if you want all users of the
devops profile to execute against the
AWS_REGION=us-west-2, use the following
static credential configuration.
- name: devops # Unique name for the profile. Shows up in Deck. variables: - kind: static # Type of credential options: name: AWS_REGION value: us-west-2
Configuring a Profile
Configure profiles that users can select when creating a Terraform Integration stage:
- In the
.hal/default/profilesdirectory, create or edit
- Add the values for the profile(s) you want to add under the
profilessection. The following example adds a profile named
pixel-gitfor an SSH key secured in Vault.
- name: pixel-git # Unique profile name displayed in Deck variables: - kind: git-ssh options: sshPrivateKey: encrypted:vault!e:<secret engine>!p:<path to secret>!k:<key>!b:<is base64 encoded?>
When a user creates or edits a Terraform Integration stage in Deck, they can select the profile
pixel-gitfrom a dropdown.
Keep the following in mind when adding profiles:
- You can add multiple profiles under the
- Do not commit plain text secrets to
terraformer-local.yml. Instead, use a secret store: Vault, an encrypted S3 bucket, or an encrypted GCS bucket.
- For SSH keys, one option parameter at a time is supported for each Profile. This means that you can use a private key file (
sshPrivateKeyFilePath) or the key (
sshPrivateKey) as the option. To use the key file path, use
sshPrivateKeyFilePathfor the option and provide the path to the key file. The path can also be encrypted using a secret store such as Vault. The following
options: sshPrivateKeyFilePath: encryptedFile:<secret_store>!e:...
For more information, see the documentation for your secret store.
- You can add multiple profiles under the
- Save the file.
- Apply your changes:
hal deploy apply
In Summary, now your organization has the ability to add more guardrails for your build, provision, and deploy experience. This helps to break down silos between teams as it’s adding a level of confidence for DevOps and SecOps.