Jun 26, 2020 by Kathryn Lewis
Happy Friday, folks! The spin team has been hard at work adding our Terraform Integration Named Profiles feature that integrates with Fiat for Authz. Now our customers have the ability to add more guardrails for their build, provision, and deploy experience. This helps to break down silos between teams as it’s adding a level of confidence for DevOps and SecOps.
We just wrapped up that work and created a little demo video, shown below:
Armory Spinnaker’s Terraform Integration integrates your infrastructure-as-code Terraform workflow into your SDLC. Armory’s Terraform Integration interacts with a source repository you specify to deploy your infrastructure as part of a Spinnaker pipeline.
Once you have installed Armory Spinnaker 2.20 and configured and enabled the Terraform Integration, the instructions below walk you through configuring profiles.
A profile gives users the ability to reference certain kinds of external sources, such as a private remote repository, when creating pipelines. The supported credentials are described in Types of credentials.
The Terraform Integration supports several credential types for profiles, covering the various use cases the integration can serve: AWS, SSH key, and static key/value pairs. If you don't see a credential type that suits your use case, let us know!
For information about how to configure a profile, see Configuring a profile.
AWS
Use the aws credential type to provide authentication to AWS. There are two methods you can use to provide authentication: defining a static key pair, or defining a role that should be assumed before a Terraform action is executed.
For a static key pair, supply an accessKeyId and a secretAccessKey:
```yaml
- name: devops # Unique name for the profile. Shows up in Deck.
  variables:
  - kind: aws # Type of credential
    options:
      accessKeyId: AKIAIOWQXTLW36DV7IEA
      secretAccessKey: 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
```
For assuming a role instead of defining a static set of credentials, supply the ARN of the role to assume:
```yaml
- name: devops # Unique name for the profile. Shows up in Deck.
  variables:
  - kind: aws # Type of credential
    options:
      assumeRole: arn:aws:iam::012345567:role/roleAssume
```
When assuming a role, if accessKeyId and secretAccessKey are supplied, the Terraform Integration uses those credentials to assume the role. Otherwise, the environment is used for authentication, such as a machine role or a shared credentials file.
SSH Key
Use the git-ssh credential kind to provide authentication to private Git repositories used as modules within your Terraform actions. The supplied SSH key is available to Terraform for the duration of your execution, allowing it to fetch any modules it needs:
```yaml
- name: pixel-git # Unique name for the profile. Shows up in Deck.
  variables:
  - kind: git-ssh # Type of credential
    options:
      sshPrivateKey: encrypted:vault!e:<secret engine>!p:<path to secret>!k:<key>!b:<is base64 encoded?>
```
Static
Use the static credential kind to provide any arbitrary key/value pair that isn't supported by the other credential kinds. For example, if you want all users of the devops profile to execute with AWS_REGION=us-west-2, use the following static credential configuration:
```yaml
- name: devops # Unique name for the profile. Shows up in Deck.
  variables:
  - kind: static # Type of credential
    options:
      name: AWS_REGION
      value: us-west-2
```
Configure profiles that users can select when creating a Terraform Integration stage:
1. In the .hal/default/profiles directory, create or edit terraformer-local.yml.
2. Add the profile to the profiles section. The following example adds a profile named pixel-git for an SSH key secured in Vault.
```yaml
- name: pixel-git # Unique profile name displayed in Deck
  variables:
  - kind: git-ssh
    options:
      sshPrivateKey: encrypted:vault!e:<secret engine>!p:<path to secret>!k:<key>!b:<is base64 encoded?>
```
When a user creates or edits a Terraform Integration stage in Deck, they can select the profile pixel-git from a dropdown.
Keep the following in mind when adding profiles:
- You can add multiple profiles under the profiles section.
- Do not store plain-text secrets in terraformer-local.yml. Instead, use a secret store: Vault, an encrypted S3 bucket, or an encrypted GCS bucket.
- For git-ssh profiles, you can use either the key file path (sshPrivateKeyFilePath) or the key itself (sshPrivateKey) as the option. To use the key file path, use sshPrivateKeyFilePath for the option and provide the path to the key file. The path can also be encrypted using a secret store such as Vault. The following options example uses sshPrivateKeyFilePath:
```yaml
options:
  sshPrivateKeyFilePath: encryptedFile:<secret_store>!e:...
```
For more information, see the documentation for your secret store.
3. Apply your changes:
```shell
hal deploy apply
```
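As an added example (not Armory's code), the following Python lint reads a terraformer-local.yml, flags credential options whose values are literal secrets rather than a secret-store reference, and checks that Vault references carry the e, p and k fields used in the examples above. The sample config, its profile names and the Vault path are constructed for the example.

```python
import re

# Option keys holding credentials; the page's rule is no plain-text secrets in the file.
SECRET_OPTION_KEYS = {"sshPrivateKey", "secretAccessKey"}
# Fields a Vault reference must carry: e (engine), p (path), k (key); b (base64) is optional.
REQUIRED_VAULT_FIELDS = ("e", "p", "k")
# Matches "  key: value  # optional comment" so no YAML library is needed.
_OPTION_LINE = re.compile(r"^\s*(?P<key>[A-Za-z_]\w*):\s*(?P<value>[^#]+?)\s*(#.*)?$")

# Constructed sample: one plain-text AWS secret, one correctly referenced SSH key.
SAMPLE_CONFIG = """\
profiles:
- name: devops
  variables:
  - kind: aws
    options:
      secretAccessKey: constructed-plaintext-secret
- name: pixel-git
  variables:
  - kind: git-ssh
    options:
      sshPrivateKey: encrypted:vault!e:secret!p:spinnaker/terraformer!k:id_rsa!b:true
"""

def parse_vault_ref(value):
    """Split 'encrypted:vault!e:..!p:..!k:..!b:..' into a dict; None if not a Vault ref."""
    if not value.startswith("encrypted:vault!"):
        return None
    fields = {}
    for part in value[len("encrypted:vault!"):].split("!"):
        name, sep, val = part.partition(":")
        if sep:
            fields[name] = val
    return fields

def lint_profiles(yaml_text):
    """Return (line_number, message) findings for credential options in the file."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        m = _OPTION_LINE.match(line)
        if not m or m.group("key") not in SECRET_OPTION_KEYS:
            continue
        key, value = m.group("key"), m.group("value")
        if not value.startswith("encrypted:"):  # any secret-store prefix is accepted here
            findings.append((lineno, f"{key} is a plain-text secret; use a secret store"))
        elif (ref := parse_vault_ref(value)) is not None:  # S3/GCS refs are not checked
            missing = [f for f in REQUIRED_VAULT_FIELDS if not ref.get(f)]
            if missing:
                findings.append((lineno, f"{key} Vault reference is missing {missing}"))
    return findings
```

Running lint_profiles(SAMPLE_CONFIG) reports the secretAccessKey line and accepts the Vault-backed sshPrivateKey; wiring it into a pre-commit or CI check keeps literal credentials out of the Halyard profile before hal deploy apply ships them.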
In summary, your organization now has the ability to add more guardrails to your build, provision, and deploy experience. This helps to break down silos between teams, as it adds a level of confidence for both DevOps and SecOps.