CI Pipeline for Terraform
KubeRocketCI provides Terraform support through a separate component type called Infrastructure. The Infrastructure codebase type allows working with Terraform code that is processed by the stages of the Code Review and Build pipelines.
Pipeline Stages for Terraform
Under the hood, the Infrastructure codebase type, namely Terraform, looks quite similar to other codebase types. What distinguishes the Infrastructure codebase type is a stage called terraform-check that is present in both the Code Review and Build pipelines. This stage runs the pre-commit hooks, which in turn run the following commands and tools:
- Terraform fmt - the first step of the stage is basically the terraform fmt command. The terraform fmt command automatically updates the formatting of Terraform configuration files to follow the standard conventions and makes the code more readable and consistent.
- Lock provider versions - locks the versions of the Terraform providers used in the project. This ensures that the project uses specific versions of the providers and prevents unexpected changes from impacting the infrastructure due to newer provider versions.
- Terraform validate - checks the syntax and validity of the Terraform configuration files. It scans the configuration files for any issues it can detect.
- Terraform docs - generates human-readable documentation for the Terraform project.
- Tflint - an additional validation step using the tflint linter to provide more in-depth checks in addition to what the terraform validate command does.
- Checkov - runs the checkov command against the Terraform codebase to identify any security misconfigurations or compliance issues.
- Tfsec - another security-focused validation step using the tfsec command. Tfsec is a security scanner for Terraform templates that detects potential security issues and insecure configurations in the Terraform code.
The commands and their attributes are defined in the .pre-commit-config.yaml file.
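As an added illustration (not the project's own file), here is a .pre-commit-config.yaml that wires the seven steps listed above to hooks from the antonbabenko/pre-commit-terraform repository. That the hooks come from this repository, the pinned tag, and the per-hook arguments (lock platforms, terraform-docs and tflint config paths) are assumptions to adjust for your own project.

```yaml
repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.x.y  # placeholder: pin to a released tag of the hook repository
    hooks:
      # Terraform fmt: rewrite .tf files into canonical formatting
      - id: terraform_fmt
      # Lock provider versions: regenerate .terraform.lock.hcl so every run
      # resolves the same provider builds (platforms below are an assumption)
      - id: terraform_providers_lock
        args:
          - --args=-platform=linux_amd64
          - --args=-platform=darwin_amd64
      # Terraform validate: syntax and internal consistency of the configuration
      - id: terraform_validate
      # Terraform docs: keep the module README in sync with inputs and outputs
      - id: terraform_docs
        args:
          - --args=--config=.terraform-docs.yml  # assumed config file
      # Tflint: deeper linting than terraform validate (rules in .tflint.hcl)
      - id: terraform_tflint
        args:
          - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl  # assumed config file
      # Checkov: security misconfiguration and compliance checks
      - id: terraform_checkov
        args:
          - --args=--quiet
      # Tfsec: security scanner for insecure Terraform configurations
      - id: terraform_tfsec
```

Every hook fails the commit (and therefore the terraform-check stage) on findings, so the security scanners act as a gate rather than a report.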