warroyo/docker-terraform-and-jenkins
docker-terraform-and-jenkins

Fun with Docker, Terraform, Jenkins and Artifactory.

Screenshot of create-gke-cluster pipeline

Prerequisites

Setup for GKE

Sensitive configuration

Upload your sensitive configuration to pre-configured Google Cloud Storage buckets.

To create each bucket, you can use the cloud-sdk Docker image or an SDK installed directly on your workstation. (It's strongly recommended to append a unique suffix to each bucket name to avoid name collisions.)

gsutil mb -l {location} gs://terraform-vars-{suffix}
gsutil mb -l {location} gs://terraform-secrets-{suffix}
gsutil mb -l {location} gs://sa-credentials-{suffix}

Replace {location} above with a region (e.g., us-west1). Also replace {suffix} with a unique string.

Then enable versioning on each bucket:

gsutil versioning set on gs://terraform-vars-{suffix}
gsutil versioning set on gs://terraform-secrets-{suffix}
gsutil versioning set on gs://sa-credentials-{suffix}

Replace {suffix} above with the same string you defined when you created the bucket.

Now let's upload a couple of files. Change into the module directory.

cd terraform/clusters/gke

terraform.tfvars

Copy the sample terraform.tfvars.sample to terraform.tfvars. (Amend the value for each key in the new file as required and make sure that the end of this file contains a single newline).

Upload the file

gsutil cp terraform.tfvars gs://terraform-vars-{suffix}/clusters/gke/terraform.tfvars

Replace {suffix} above with the same string you defined when you created the bucket.

backend.tf

Copy the sample backend.tf.sample to backend.tf. (Amend the value for each key in the new file as required).

It's unfortunate that we can't use variables, see this issue.

Upload the file

gsutil cp backend.tf gs://terraform-vars-{suffix}/clusters/gke/backend.tf

Replace {suffix} above with the same string you defined when you created the bucket.

gcp-service-account.json

You'll need to upload a copy of the service account key (in JSON format). The file should be named gcp-service-account.json.

gsutil cp gcp-service-account.json gs://sa-credentials-{suffix}/gcp-service-account.json

Replace {suffix} above with the same string you defined when you created the bucket.
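
Because sa-credentials-{suffix} now holds a long-lived service account key, it is worth confirming that the bucket is versioned and that its IAM policy grants nothing to the public. The function below is an added example, not part of this repository; it assumes gsutil is authenticated and allowed to read the bucket's IAM policy, and check_gcs_bucket is a hypothetical name.

```bash
#!/usr/bin/env bash
# Added example (not from the repository): post-upload check for a GCS bucket.
# Assumes gsutil is authenticated and may read the bucket's IAM policy.

# check_gcs_bucket gs://BUCKET
# Prints one FAIL line per problem; returns 0 only if there are none.
check_gcs_bucket() {
    local url="$1" rc=0 ver policy pub

    # `gsutil versioning get` prints "<url>: Enabled" or "<url>: Suspended".
    ver=$(gsutil versioning get "$url" 2>/dev/null) || ver=""
    case "$ver" in
        *": Enabled") ;;
        *) echo "FAIL $url: object versioning is not enabled"; rc=1 ;;
    esac

    # Fail closed: an unreadable policy is reported, not treated as clean.
    policy=$(gsutil iam get "$url" 2>/dev/null) || {
        echo "FAIL $url: cannot read IAM policy"
        return 1
    }

    # allUsers / allAuthenticatedUsers in any binding expose the bucket to
    # anyone, or to any Google account. Object ACLs are not covered here.
    pub=$(printf '%s\n' "$policy" \
        | grep -oE 'allUsers|allAuthenticatedUsers' | sort -u | tr '\n' ' ')
    if [ -n "$pub" ]; then
        echo "FAIL $url: IAM policy grants access to: $pub"
        rc=1
    fi

    return "$rc"
}

# Usage, with SUFFIX set to the suffix chosen at bucket creation:
#   check_gcs_bucket "gs://sa-credentials-$SUFFIX"
```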

Jenkins

Log in to the Jenkins instance via your favorite browser.

You'll need to create pipelines based upon the Jenkinsfile you will find in the ci/gke directory.

// TODO

Setup for TKGI

Sensitive configuration

Upload your sensitive configuration to pre-configured Amazon S3 buckets.

To create each bucket, you can use the aws-cli Docker image or a CLI installed directly on your workstation. (It's strongly recommended to append a unique suffix to each bucket name to avoid name collisions.)

aws s3 mb s3://terraform-vars-{suffix}
aws s3 mb s3://terraform-secrets-{suffix}
aws s3 mb s3://terraform-state-{suffix}

Replace {suffix} with a unique string.

Then enable versioning on each bucket:

aws s3api put-bucket-versioning --bucket terraform-vars-{suffix} --versioning-configuration Status=Enabled
aws s3api put-bucket-versioning --bucket terraform-secrets-{suffix} --versioning-configuration Status=Enabled
aws s3api put-bucket-versioning --bucket terraform-state-{suffix} --versioning-configuration Status=Enabled

Replace {suffix} above with the same string you defined when you created the bucket.

Then configure default server-side encryption on each bucket:

aws s3api put-bucket-encryption \
    --bucket terraform-vars-{suffix} \
    --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'

aws s3api put-bucket-encryption \
    --bucket terraform-secrets-{suffix} \
    --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'

aws s3api put-bucket-encryption \
    --bucket terraform-state-{suffix} \
    --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'
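
To confirm the versioning and encryption settings actually took effect, read them back per bucket. The function below is an added example, not part of this repository; it assumes the aws CLI has credentials that can read bucket configuration, audit_bucket is a hypothetical name, and the public access block check covers a control the steps above do not set.

```bash
#!/usr/bin/env bash
# Added example (not from the repository): read back the bucket settings.
# Assumes the aws CLI is configured with permission to read bucket configuration.

# audit_bucket BUCKET
# Prints one FAIL line per missing control; returns 0 only if all pass.
audit_bucket() {
    local bucket="$1" rc=0 status algo pab

    # An unversioned bucket has no Status, which --output text prints as "None".
    status=$(aws s3api get-bucket-versioning --bucket "$bucket" \
        --query 'Status' --output text 2>/dev/null) || status=""
    if [ "$status" != "Enabled" ]; then
        echo "FAIL $bucket: versioning is '${status:-unknown}', expected 'Enabled'"
        rc=1
    fi

    algo=$(aws s3api get-bucket-encryption --bucket "$bucket" --output text --query \
        'ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm' \
        2>/dev/null) || algo=""
    case "$algo" in
        AES256|aws:kms|aws:kms:dsse) ;;
        *) echo "FAIL $bucket: no default server-side encryption rule"; rc=1 ;;
    esac

    # Not configured by the steps above; checked because these buckets hold secrets.
    # The call fails when no public access block exists, which leaves pab empty.
    pab=$(aws s3api get-public-access-block --bucket "$bucket" --output text --query \
        'PublicAccessBlockConfiguration.[BlockPublicAcls,IgnorePublicAcls,BlockPublicPolicy,RestrictPublicBuckets]' \
        2>/dev/null) || pab=""
    case "$pab" in
        ""|*False*|*None*)
            echo "FAIL $bucket: public access block is not fully enabled"; rc=1 ;;
    esac

    return "$rc"
}

# Usage, with SUFFIX set to the suffix chosen at bucket creation:
#   for b in terraform-vars terraform-secrets terraform-state; do
#       audit_bucket "$b-$SUFFIX"
#   done
```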

// TODO Add bucket policy that allows for authenticated IAM user to list and write bucket objects

Now let's upload a couple of files. Change into the module directory.

cd terraform/clusters/tkgi

terraform.tfvars

Copy the sample terraform.tfvars.sample to terraform.tfvars. (Amend the value for each key in the new file as required and make sure that the end of this file contains a single newline).

Upload the file

aws s3 cp terraform.tfvars s3://terraform-vars-{suffix}/clusters/tkgi/terraform.tfvars

Replace {suffix} above with the same string you defined when you created the bucket.

backend.tf

Copy the sample backend.tf.sample to backend.tf. (Amend the value for each key in the new file as required).

It's unfortunate that we can't use variables, see this issue.

Upload the file

aws s3 cp backend.tf s3://terraform-vars-{suffix}/clusters/tkgi/backend.tf

Replace {suffix} above with the same string you defined when you created the bucket.

Jenkins

Log in to the Jenkins instance via your favorite browser.

You'll need to create pipelines based upon the Jenkinsfile you will find in the ci/tkgi directory.

// TODO
