- Simple Gitlab pipeline for a Terraform deployment to AWS
- The following environment variables will need to be generated:
- These environment variables are credentials for the AWS account into which the resources will be deployed
- The credentials are generated from the AWS IAM service
- Instructions for credential generation are here
- The credentials give access to permitted AWS APIs
- It is recommended that the pipeline's credentials belong to an identity dedicated to this pipeline, not to an individual user
- format: Rewrites the Terraform configuration files to a canonical format and style
- tflint: Terraform linter for detecting errors that cannot be detected by terraform plan
- validate: Validates the configuration files in a directory, referring only to the configuration and not accessing any remote services such as remote state, provider APIs, etc.
- checkov: It scans cloud infrastructure provisioned using Terraform, Terraform plan, Cloudformation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfile, Serverless, Bicep, OpenAPI or ARM Templates and detects security and compliance misconfigurations using graph-based scanning.
- plan_apply: Creates an execution plan, which lets you preview the changes that Terraform plans to make to your infrastructure, in this pipeline what it plans to deploy to AWS
- apply: Executes the actions proposed in a Terraform plan, deploying the planned infrastructure to AWS
- plan_destroy: Creates an execution plan, which lets you preview the changes that Terraform plans to make to your infrastructure, in this pipeline what it plans to destroy in AWS
- destroy: Executes the actions proposed in a Terraform plan, destroying the planned infrastructure in AWS
The following stages are manual stages in the pipeline, as a review of the apply and destroy plans is required before resources are created or destroyed. Plans are stored as temporary artefacts specifically for review; the expiration of these artefacts can be configured as needed. destroy_plan is manual so that the destroy plan is generated against what has actually been applied:
- apply
- destroy_plan
- destroy
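
An added example (not part of this repository) of a .gitlab-ci.yml that wires the stages above together, with the manual gates and temporary plan artefacts described. It assumes the Terraform code sits at the repository root, the container images hashicorp/terraform, ghcr.io/terraform-linters/tflint and bridgecrew/checkov, and that the AWS credentials are supplied as masked, protected CI/CD variables that the AWS provider reads from the environment, so no job needs to reference them.

```yaml
stages: [format, tflint, validate, checkov, plan_apply, apply, plan_destroy, destroy]

# Assumed images; the entrypoint is cleared so GitLab can run its own shell.
default:
  image: {name: hashicorp/terraform:latest, entrypoint: [""]}
  before_script: [terraform init -input=false]

format:
  stage: format
  script: [terraform fmt -check -recursive]   # fails on non-canonical formatting

tflint:
  stage: tflint
  image: {name: ghcr.io/terraform-linters/tflint:latest, entrypoint: [""]}
  before_script: []                           # no terraform init needed here
  script: [tflint --init, tflint]

validate:
  stage: validate
  before_script: [terraform init -backend=false -input=false]   # no remote state
  script: [terraform validate]

checkov:
  stage: checkov
  image: {name: bridgecrew/checkov:latest, entrypoint: [""]}
  before_script: []
  script: [checkov -d . --framework terraform]

plan_apply:
  stage: plan_apply
  script: [terraform plan -input=false -out=tfplan]
  artifacts: {paths: [tfplan], expire_in: 1 week}   # review window, adjust as needed

apply:
  stage: apply
  when: manual            # a reviewer inspects the saved plan before this runs
  needs: [plan_apply]     # fetches the tfplan artefact
  script: [terraform apply -input=false tfplan]   # applies exactly the reviewed plan

plan_destroy:
  stage: plan_destroy
  when: manual            # plans the destruction of what is currently applied
  script: [terraform plan -destroy -input=false -out=tfplan-destroy]
  artifacts: {paths: [tfplan-destroy], expire_in: 1 week}

destroy:
  stage: destroy
  when: manual
  needs: [plan_destroy]
  script: [terraform apply -input=false tfplan-destroy]
```

Passing the saved plan file to terraform apply guarantees that what is deployed or destroyed is exactly what the reviewer approved, not a fresh plan computed at apply time.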