Just as an example, my git repository would look like so:
└── git_repo_example
├── modules
│ ├── module_1
│ │ ├── main.tf
│ │ └── var.tf
│ └── module_2
│ ├── main.tf
│ └── var.tf
└── projects
├── project_1
│ ├── main.tf
│ ├── terraform.tfstate
│ └── vars.tf
└── project_2
├── main.tf
├── terraform.tfstate
└── vars.tf
7 directories, 10 files
My team wants to make our terraform state files gitlab-managed, so that the statefiles would be locked in case multiple people want to run or modify a single project at the same time.
All of the examples I can find for managing terraform via gitlab only seem to assume 1 tfstate file and project, but my repository has multiple. Breaking this up into multiple repositories would be difficult to manage since they all reference the same modules, and it seems that placing everything into one folder is against terraform best-practices.
How would one best go about managing one repository with multiple terraform projects / statefiles via gitlab?
I have a similar-ish directory structure that works well with GitLab managed state per project directory.
I'd recommend replacing local TF development with GitLab CI/CD pipelines, using the provided GitLab container image as it supports the GitLab backend by default.
I use environments (representing each project directory) to mange the pipeline (CI/CD variables are managed by environment). The TF statefile is named according to the TF_ADDRESS variable:
image: registry.gitlab.com/gitlab-org/terraform-images/stable:latest
variables:
TF_ROOT: ${CI_PROJECT_DIR}/${ENVIRONMENT}
TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/${ENVIRONMENT}
Here a build job is defined to create the TF plan and run only when the development directory is modified and merged to the default branch. An identical job for the production directory is also defined. Each environment references a unique TF state file managed by GitLab:
.plan:
stage: build
environment:
name: $ENVIRONMENT
script:
- gitlab-terraform plan
- gitlab-terraform plan-json
cache:
policy: pull # don't update the cache
artifacts:
name: plan
paths:
- ${TF_ROOT}/plan.cache
reports:
terraform: ${TF_ROOT}/plan.json
Development Build Terraform Plan:
extends: .plan
variables:
ENVIRONMENT: development
rules:
- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
changes:
- "*"
- "development/**/*"
Production Build Terraform Plan:
extends: .plan
variables:
ENVIRONMENT: production
rules:
- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
changes:
- "*"
- "production/**/*"
I have exactly the same kind of terraform scripts repository, with a "run" script at the top, which will do, for each application, a
cd modules/modulesx
terraform init -backend-config=backend.tf -reconfigure
With backend.tf (here for Azure):
container-name = "tfbackend"
key = "aStorageAccount/aFileShare/path/to/modulex.tfstate"
resource_group_name = "xxx"
That does create a modules/modulex/.terraform/terraform.tfstate
However, this file is local and not versioned nor "locked".
Related
I'm new to using GitHub Actions and Azure. I have a Blazor Server app that I'm trying to deploy, but my build has failed because the default Actions workflow doesn't recognize my file structure when it tries to dotnet build since I used JetBrains Rider. The fix to this is just to step one directory forward, but I'm unsure of the best approach to rewriting my workflow.
name: Build and deploy ASP.Net Core app to Azure Web App - quantumblink
on:
push:
branches:
- master
workflow_dispatch:
jobs:
build:
runs-on: windows-latest
steps:
- uses: actions/checkout#v2
- name: Set up .NET Core
env:
PROJECT_PATH: ./QuantumBlinkSite
uses: actions/setup-dotnet#v1
with:
dotnet-version: '6.0.x'
include-prerelease: true
- name: Build with dotnet
run: dotnet build --configuration Release
- name: dotnet publish
run: dotnet publish -c Release -o $PROJECT_PATH
- name: Upload artifact for deployment job
uses: actions/upload-artifact#v2
with:
name: .net-app
path: PROJECT_PATH
deploy:
runs-on: windows-latest
needs: build
environment:
name: 'Production'
url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
steps:
- name: Download artifact from build job
uses: actions/download-artifact#v2
with:
name: .net-app
- name: Deploy to Azure Web App
id: deploy-to-webapp
uses: azure/webapps-deploy#v2
with:
app-name: 'quantumblink'
slot-name: 'Production'
publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_9C448CC12BC94139931D6147F846D187 }}
package: .
I did some googling and it seemed that setting an environment variable for PROJECT_PATH would work, but I guess not.
My project structure is:
QuantumBlinkSite
QuantumBlinkSite
├── Data
├── Pages
├── Properties
├── Shared
├── bin
│ └── Debug
│ └── net6.0
├── obj
│ └── Debug
│ └── net6.0
│ ├── ref
│ ├── refint
│ ├── scopedcss
│ │ ├── Pages
│ │ ├── Shared
│ │ ├── bundle
│ │ └── projectbundle
│ └── staticwebassets
└── wwwroot
How should I go about best specifying the correct directory?
I am trying to make a shared pipeline repository, from where I am running a Dangerfile. The cool thing here should be that each repo could simply include the shared-pipeline repo's Dangerfile and .gitlab-ci.yml-file and then get all the cool stuff from it. My problem is, from repo1 I am trying to use include to inherit the Dangerfile from repository shared-pipeline. However, it is only possible to include .yaml files. I can include .gitlab-ci.yml, but how do I include external files such as the Dangerfile?
├── shared-pipeline
│ ├── Dangerfile
│ └── .gitlab-ci.yml
├── repo1
│ └── .gitlab-ci.yml
├── repo2
│ └── .gitlab-ci.yml
└── repo3
└── .gitlab-ci.yml
This is what I have so far:
include:
- project: 'myproject/shared-pipeline'
file: '.gitlab-ci.yml'
This is what I was trying:
include:
- project: 'myproject/shared-pipeline'
file: '.gitlab-ci.yml'
- project: 'myproject/shared-pipeline'
file: 'Dangerfile' # Syntax error here as this is no yml file
you can not include other files than yml files. GitLab will merge your included yml files to one big file and will execute it on the runners.
This will just fetch the content of the file and merge it. If you do want to use a file from your shared pipeline, you do have multiple options:
put it in a shared docker image, which will be used by your action, this way everyone will get the same dangerfile with the docker image executed in the job.
fetch the docker image via API in a pre step and make it available to your job with the artifact directive
you could also put the file in a separate docker image, and use the artifact directive in an earlier step to hand it over.
... and most likely many more
... but to be clear again, you can not use the include directive to include any kind of file into your pipeline.
My file structure consits of 2 main directories, resources and src, resources has images in a subdirectory, and various json files. src has many nested directories with .ts files in each:
├── package.json
├── package-lock.json
├── README.md
│
├── .docker
│ ├── Dockerfile
│ └── aBashScript.sh
│
├── resources
│ ├── data.json
│ └── images
│ └── manyimages.png
│
├── src
│ ├── subdirectory1
│ └── NestedDirectories
│
├── .gitlab-ci.yml
├── tsconfig.eslint.json
├── tsconfig.json
├── eslintrc.json
└── prettierrc.json
My gitlab-ci.yml has two stages, build and deploy
What I want:
1- If it's a commit on branches "main" or "dev" and If anything that affects the actual project changes, run build.
That is anything under resources, or src (and their nested directories), the Dockerfile, package.json and package-lock.json
I'd be content with "any .ts file changed" too, since all other criteria is usually only when this happens.
2- If build ran and it's a commit on the default branch ("main") then run the deploy stage.
Also for clarification when I say there's a commit on branch X, I mean as in an accepted merge request, or well an actual change on that branch. At some point in my tinkering it was running on (non accepted) merge requests, but I forgot what I changed to fix that.
What happens:
1- If I specify the changes rule on build then it never runs, however even if build doesn't run deploy always runs (if on branch "main")
.gitlab-ci.yml
variables:
IMAGE_TAG: project
stages:
- build
- deploy
build_image:
stage: build
image: docker:20.10.16
services:
- docker:20.10.16-dind
variables:
DOCKER_TLS_CERTDIR: "/certs"
before_script:
- echo $REGISTRY_PASS | docker login -u $REGISTRY_USER --password-stdin
script:
- |
if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
tag="latest"
echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = '$tag'"
else
tag="$CI_COMMIT_REF_SLUG"
echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
fi
- docker build -f .docker/Dockerfile -t $REPO_NAME:$IMAGE_TAG-$tag .
- docker push $REPO_NAME:$IMAGE_TAG-$tag
rules:
- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH == "dev"'
changes:
- \*.ts
- \*.json
- Dockerfile
deploy:
stage: deploy
before_script:
- chmod SSH_KEY
script:
- ssh -o StrictHostKeyChecking=no -i $SSH_KEY $VPS "
echo $REGISTRY_PASS | docker login -u $REGISTRY_USER --password-stdin &&
cd project &&
docker-compose pull &&
docker-compose up -d"
rules:
- if: '$CI_COMMIT_BRANCH == "main"'
This is the most basic one I could cobble up, basically excluding just the readme, but the build stage doesn't run (deploy does run even if build didn't)
Normally this is something I'd be able to "brute force" figure out myself, but to avoid uselessly modifying my files to test the changes rule, I've only been able to test this when making actual modifications to the project.
There seems to be a lot of examples from questions and tutorials out there, but I think something is off with my file structure as I've had no luck copying their changes rule
The changes: entries are glob patterns, not regex. So in order for you to match .ts files in any directory, you'll need to use "**/*.ts" not *.ts (which would only match files in the root).
changes:
- "**/*.ts"
- "**/*.json"
# ...
If build ran and it's a commit on the default branch ("main") then run the deploy stage.
To get this effect, you'll want your deploy job to share some of the rules of your build job.
deploy:
rules:
- if: "$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
changes:
- Dockerfile
- "**/*.ts"
- "**/*.json"
Or a little fancier way that reduces code duplication:
rules:
- if: "$CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH"
when: never # only deploy on default branch
- !reference [build_image, rules]
I have a project structure like:
.
├── app
│ ├── BUILD
│ ├── entry.py
│ ├── forms.py
│ ├── __init__.py
│ ├── jinja_custom_filter.py
│ ├── models.py
│ ├── __pycache__
│ ├── static
│ ├── templates
│ ├── utils.py
│ └── views.py
├── app.db
├── app.yaml
├── BUILD
├── cloudbuild.yaml
├── config.py
├── __init__.py
├── LICENSE
├── manage.py
├── requirements.txt
├── run.py
└── WORKSPACE
4 directories, 20 files
Project uses flask, sqlalchemy (see further below)
How does one deploy using google cloud builder to appengine using non-containerized deployment option? just artifact?
Here is my cloudbuild.yaml?:
# In this directory, run the following command to build this builder.
# $ gcloud builds submit
steps:
# Fetch source.
#- name: "docker.io/library/python:3.6.8"
# args: ['pip', 'install', '-t', '/workspace/lib', '-r', '/workspace/requirements.txt']
#- name: 'gcr.io/cloud-builders/git'
# args: ['clone', '--single-branch', '--branch=develop', 'https://github.com/codecakes/<myproject>_gae.git', '<myproject>_gae']
# Build the Bazel builder and output the version we built with.
#- name: 'gcr.io/cloud-builders/docker'
# args: ['build', '--tag=gcr.io/$PROJECT_ID/deploy:latest', '.']
# Build the targets.
#- name: 'gcr.io/$PROJECT_ID/bazel'
- name: 'gcr.io/cloud-builders/bazel'
args: ['build', '--spawn_strategy=standalone', '//app:entry', '--copt', '--force_python=PY3', '--color=yes', '--curses=yes', '--jobs=10', '--loading_phase_threads=HOST_CPUS', '--aspects=#bazel_tools//tools/python:srcs_version.bzl%find_requirements', '--output_groups=pyversioninfo', '--verbose_failures']
dir: '.'
- name: 'gcr.io/cloud-builders/bazel'
# args: ['run', '--spawn_strategy=standalone', '//:run', '--copt', '--verbose_failures=true', '--show_timestamps=true', '--python_version=PY3', '--build_python_zip', '--sandbox_debug', '--color=yes', '--curses=yes', '--jobs=10', '--loading_phase_threads=HOST_CPUS', '--aspects=#bazel_tools//tools/python:srcs_version.bzl%find_requirements', '--output_groups=pyversioninfo']
args: ['build', '--spawn_strategy=standalone', ':run', '--copt', '--aspects=#bazel_tools//tools/python:srcs_version.bzl%find_requirements', '--verbose_failures=true', '--show_timestamps=true', '--python_version=PY3', '--build_python_zip', '--sandbox_debug', '--color=yes', '--curses=yes', '--jobs=10', '--loading_phase_threads=HOST_CPUS']
dir: '.'
artifacts:
objects:
location: 'gs://<myproject>/'
paths: ['cloudbuild.yaml']
#images: ['gcr.io/$PROJECT_ID/deploy:latest']
I then do
sudo gcloud builds submit --config cloudbuild.yaml ./
which gives me
ID CREATE_TIME DURATION SOURCE IMAGES STATUS
d4dfd7dd-0f77-49d1-ac4c-4e3a1c84e3ea 2019-05-04T07:52:13+00:00 1M32S gs://<myproject>_cloudbuild/source/1556956326.46-3f4abd9a558440d8ba669b3d55248de6.tgz - SUCCESS
then i do
sudo gcloud app deploy app.yaml --user-output-enabled --account=<myemail>
which gives me:
Updating service [default] (this may take several minutes)...failed.
ERROR: (gcloud.app.deploy) Error Response: [3] Docker image asia.gcr.io/<myproject>/appengine/default.20190502t044929:latest was either not found, or is not in Docker V2 format. Please visit https://cloud.google.com/container-registry/docs/ui
My workspace file is:
load("#bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
load("#bazel_tools//tools/build_defs/repo:git.bzl", "git_repository")
# Use the git repository
git_repository(
name = "bazel_for_gcloud_python",
remote = "https://github.com/weisi/bazel_for_gcloud_python.git",
branch="master",
)
# https://github.com/bazelbuild/rules_python
git_repository(
name = "io_bazel_rules_python",
remote = "https://github.com/bazelbuild/rules_python.git",
# NOT VALID! Replace this with a Git commit SHA.
branch= "master",
)
# Only needed for PIP support:
load("#io_bazel_rules_python//python:pip.bzl", "pip_repositories")
pip_repositories()
load("#io_bazel_rules_python//python:pip.bzl", "pip_import")
# This rule translates the specified requirements.txt into
# #my_deps//:requirements.bzl, which itself exposes a pip_install method.
pip_import(
name = "my_deps",
requirements = "//:requirements.txt",
)
# Load the pip_install symbol for my_deps, and create the dependencies'
# repositories.
load("#my_deps//:requirements.bzl", "pip_install")
pip_install()
And app.yaml:
runtime: custom
#vm: true
env: flex
entrypoint: gunicorn -b :$PORT run:app
runtime_config:
# You can also specify 2 for Python 2.7
python_version: 3
handlers:
- url: /$
secure: always
script: auto
- url: /.*$
static_dir: app/static
secure: always
# This sample incurs costs to run on the App Engine flexible environment.
# The settings below are to reduce costs during testing and are not appropriate
# for production use. For more information, see:
# https://cloud.google.com/appengine/docs/flexible/python/configuring-your-app-with-app-yaml
manual_scaling:
instances: 1
resources:
cpu: 1
memory_gb: 0.5
disk_size_gb: 10
packages
alembic==0.8.4
Babel==2.2.0
blinker==1.4
coverage==4.0.3
decorator==4.0.6
defusedxml==0.4.1
Flask==0.10.1
Flask-Babel==0.9
Flask-Login==0.3.2
Flask-Mail==0.9.1
Flask-Migrate==1.7.0
Flask-OpenID==1.2.5
flask-paginate==0.4.1
Flask-Script==2.0.5
Flask-SQLAlchemy==2.1
Flask-WhooshAlchemy==0.56
Flask-WTF==0.12
flipflop==1.0
future==0.15.2
guess-language==0.2
gunicorn==19.9.0
itsdangerous==0.24
Jinja2==2.8
Mako==1.0.3
MarkupSafe==0.23
pbr==1.8.1
pefile==2016.3.28
PyInstaller==3.2
python-editor==0.5
python3-openid==3.0.9
pytz==2015.7
six==1.10.0
speaklater==1.3
SQLAlchemy==1.0.11
sqlalchemy-migrate==0.10.0
sqlparse==0.1.18
Tempita==0.5.2
Werkzeug==0.11.3
Whoosh==2.7.0
WTForms==2.1
As I understand after talking to google cloud developers, you have to use dockerfile to allow google cloud build a it builds using containers to push your image to app engine.
See my own work around
I am trying to write a very flexible playbook that targets hosts based on environment they are in. I am using as many variables as possible, so the playbook can be reused for other projects/environments with minimal changes.
I have a single application.yml
---
- name: Prepare app-server for "The app"
hosts: "{{'env'}}_super_app"
vars:
vars_files:
- "environments/{{env}}.yml"
sudo: yes
tasks:
- command: echo {{env}}
roles:
- common
- nginx
- php5-fpm
- nodejs
- newrelic
- users
- composer
- name: Install and configure mysql for "The super app"
hosts:
- "{{env}}_super_db"
vars:
vars_files:
- "environments/{{env}}.yml"
sudo: yes
roles:
- common
- mysql
- newrelic
Here is the playbook directory structure:
├── environments
│ ├── prod.yml << environment specific vars
│ ├── stag.yml << environment specific vars
│ └── uat.yml << environment specific vars
├── roles
│ ├── common
│ ├── composer
│ ├── mysql
│ ├── newrelic
│ ├── nginx
│ ├── nodejs
│ ├── php5-fpm
│ └── users
├── users
│ └── testo.yml
├── prod << inventory file for production
├── README.md
├── application.yml << application playbook
├── stag << inventory file for staging
├── uat << inventory file for uat
Here are the contents of the uat inventory file:
[uat_super_app]
10.10.10.4
[uat_super_db]
10.10.10.5
When I run my playbook, I pass the environment as an extra variable:
ansible-playbook -K -i uat application.yml -e="env=uat" --check
The idea being:
If {{env}} is set to uat, then the environments/uat.yml vars will be used, AND hosts [uat_super_app] will be targeted based on {{env}}_super_app.
If I or anyone makes a mistake and tries to run the uat vars against a production inventory, the hosts will not match, and ansible will not run the playbook.
ansible-playbook -K -i prod application.yml -e="env=uat" --check
This playbook works when I do not use variables in hosts targeting.
The problem is that no hosts match either way:
ansible-playbook -K -i uat application.yml -e="env=uat" --check -vvvv
SUDO password:
PLAY [Prepare app-server for "The app"] *******************************
skipping: no hosts matched
PLAY [Install and configure mysql for "The app"] **********************
skipping: no hosts matched
PLAY RECAP ********************************************************************
hosts: "{{'env'}}_super_app"
That looks like you are using the string env, not the variable, which evaluates to env_super_app. I think you meant:
hosts: "{{ env }}_super_app"
Thanks udondan, but that didn't work.
The solution was to pass the vars in a similar way that the playbook expects to see them.
If I were specifying the env in the playbook I would have:
---
- name: Prepare app-server for "The app"
hosts: uat_super_app
vars:
- env: uat
So the correct way of passing the variable is:
ansible-playbook -K -i uat application.yml -e='vars: env=uat'
To test this I used the --list-hosts option:
ansible-playbook -K -i uat application.yml -e='vars: env=uat' --list-hosts
playbook: application.yml
play #1 (Prepare app-server for "The super app"): host count=1
10.10.10.4
play #2 (Install and configure mysql for "The super app"): host count=1
10.10.10.5