-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathazure-pipelines.yml
138 lines (123 loc) · 5.9 KB
/
azure-pipelines.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
# Infracost runs on pull requests and posts PR comments.
# If you use Infracost Cloud, Infracost also runs on main/master branch pushes so the dashboard is updated.
# The Azure Pipelines docs (https://docs.microsoft.com/en-us/azure/devops/pipelines/process/tasks) describe other trigger options.
pr:
- '*'
trigger:
branches:
include:
- main
- master
variables:
# If you use private modules you'll need this env variable to use
# the same ssh-agent socket value across all steps.
- name: SSH_AUTH_SOCK
value: /tmp/ssh_agent.sock
# If you store Terraform variables or modules in a 3rd party such as (e.g. TFC or Spacelift),
# specify the following so Infracost can automatically retrieve them.
# See https://www.infracost.io/docs/features/terraform_modules/#registry-modules for details.
# - name: INFRACOST_TERRAFORM_CLOUD_TOKEN
# value: $(tfcToken)
# - name: INFRACOST_TERRAFORM_CLOUD_HOST
# value: app.terraform.io
jobs:
# Run Infracost on pull requests
- job: infracost_pull_request_checks
condition: and(succeeded(), eq(variables['Build.Reason'], 'PullRequest'))
displayName: Run Infracost on pull requests
pool:
vmImage: ubuntu-latest # This pipeline works on windows-latest too
steps:
# If you use private git SSH modules, add a base 64 encoded secret
# called gitSshKeyBase64 with your private key, so Infracost can access
# private repositories (similar to how Terraform/Terragrunt does).
# - bash: |
# ssh-agent -a $(SSH_AUTH_SOCK)
# mkdir -p ~/.ssh
# echo "$(echo $GIT_SSH_KEY_BASE_64 | base64 -d)" | tr -d '\r' | ssh-add -
# # Update this to github.com, gitlab.com, bitbucket.org, ssh.dev.azure.com or your source control server's domain
# ssh-keyscan github.com >> ~/.ssh/known_hosts
# displayName: Add GIT_SSH_KEY
# env:
# GIT_SSH_KEY_BASE_64: $(gitSshKeyBase64)
# Install the Infracost CLI, see https://github.com/infracost/infracost-azure-devops#infracostsetup
- task: InfracostSetup@2
displayName: Setup Infracost
inputs:
apiKey: $(infracostApiKey)
# Clone the base branch of the pull request (e.g. main/master) into a temp directory.
- bash: |
REPO_URL=$(Build.Repository.Uri)
REPO_URL_WITH_TOKEN=${REPO_URL/https:\/\//https:\/\/x-access-token:$(githubToken)@}
git clone $REPO_URL_WITH_TOKEN --branch=$(System.PullRequest.TargetBranchName) --single-branch /tmp/base
displayName: Checkout base branch
# Generate an Infracost cost estimate baseline from the comparison branch, so that Infracost can compare the cost difference.
- bash: |
cd /tmp/base
infracost breakdown --path=. \
--format=json \
--out-file=/tmp/infracost-base.json
displayName: Generate Infracost cost estimate baseline
# Generate an Infracost diff and save it to a JSON file.
- bash: |
cd -
infracost diff --path=. \
--format=json \
--compare-to=/tmp/infracost-base.json \
--out-file=/tmp/infracost.json
displayName: Generate Infracost diff
# Add a cost estimate comment to a Azure Repos pull request.
- bash: |
infracost comment github \
--path=/tmp/infracost.json \
--github-token=$(githubToken)\
--pull-request=$(System.PullRequest.PullRequestNumber) \
--repo=$(Build.Repository.Name) \
--behavior=update
displayName: Post PR comment
# The following job is needed when using Infracost Cloud
- job: infracost_cloud_update
displayName: Update Infracost Cloud
condition: and(succeeded(), in(variables['Build.Reason'], 'IndividualCI', 'BatchedCI'))
pool:
vmImage: ubuntu-latest # This pipeline works on windows-latest too
steps:
# If you use private git SSH modules, add a base 64 encoded secret
# called gitSshKeyBase64 with your private key, so Infracost can access
# private repositories (similar to how Terraform/Terragrunt does).
# - bash: |
# ssh-agent -a $(SSH_AUTH_SOCK)
# mkdir -p ~/.ssh
# echo "$(echo $GIT_SSH_KEY_BASE_64 | base64 -d)" | tr -d '\r' | ssh-add -
# # Update this to github.com, gitlab.com, bitbucket.org, ssh.dev.azure.com or your source control server's domain
# ssh-keyscan github.com >> ~/.ssh/known_hosts
# displayName: Add GIT_SSH_KEY
# env:
# GIT_SSH_KEY_BASE_64: $(gitSshKeyBase64)
# Install the Infracost CLI, see https://github.com/infracost/infracost-azure-devops#infracostsetup
- task: InfracostSetup@2
displayName: Setup Infracost
inputs:
apiKey: $(infracostApiKey)
- bash: |
PATTERN1="Merge pull request #([0-9]+) from"
PATTERN2=".* \(#([0-9]+)\)"
if [[ "$(Build.SourceVersionMessage)" =~ $PATTERN1 || "$(Build.SourceVersionMessage)" =~ $PATTERN2 ]]; then
PR_ID=${BASH_REMATCH[1]}
echo "Updating status of $PR_ID"
curl \
--request POST \
--header "Content-Type: application/json" \
--header "X-API-Key: $(infracostApiKey)" \
--data "{ \"query\": \"mutation {updatePullRequestStatus( url: \\\"$(Build.Repository.Uri)/pulls/${PR_ID}\\\", status: MERGED )}\" }" \
"https://dashboard.api.infracost.io/graphql";
else
echo "Nothing to do as the commit message did not contain a merged PR ID."
fi
displayName: 'Update PR status in Infracost Cloud'
- bash: |
infracost breakdown --path=. \
--format=json \
--out-file=/tmp/infracost.json
infracost upload --path=/tmp/infracost.json || echo "Always pass main branch runs even if there are policy failures"
displayName: 'Run Infracost on default branch and update Infracost Cloud'