# Shared naming values referenced by the deployment blocks below.
# `name` is prefixed per environment (dev-/prd-) in each deployment's inputs;
# `stack` and `project` are only used as tag values.
locals {
  project = "Demo"
  stack   = "terraform-stacks-demo"
  name    = "terraform-stacks-demo"
}
# Variable set holding the per-environment AWS role ARNs (read below as
# `store.varset.oidc_role_arn.dev` and `.prd`). The id is the HCP Terraform
# variable-set id; only the ARNs live here, no long-lived credentials —
# access is via the OIDC identity token declared below.
store "varset" "oidc_role_arn" {
  category = "terraform"
  id       = "varset-vre8k5fyfNFogyDn"
}
# Workload identity token exchanged for AWS credentials at apply time.
# Each deployment passes `identity_token.aws.jwt` as an input; the AWS side
# must trust this audience and the HCP Terraform issuer for the exchange to work.
identity_token "aws" {
  audience = [
    "aws.workload.identity",
  ]
}
# Development deployment: single region, assumes the `dev` role from the
# variable set using the shared OIDC token.
deployment "development" {
  inputs = {
    # Role assumed in the development account (ARN comes from the varset store).
    role_arn       = store.varset.oidc_role_arn.dev
    identity_token = identity_token.aws.jwt
    name           = "dev-${local.name}"
    regions        = ["eu-central-1"]
    tags = {
      Project     = local.project
      Stack       = local.stack
      Environment = "development"
    }
  }
}
# Production deployment: two regions, assumes the `prd` role from the
# variable set using the shared OIDC token. The orchestrate rules below treat
# this deployment specially (restricted auto-approval, automatic replan).
deployment "production" {
  inputs = {
    # Role assumed in the production account (ARN comes from the varset store).
    role_arn       = store.varset.oidc_role_arn.prd
    identity_token = identity_token.aws.jwt
    name           = "prd-${local.name}"
    regions        = ["eu-central-1", "eu-west-1"]
    tags = {
      Project     = local.project
      Stack       = local.stack
      Environment = "production"
    }
  }
}
# Auto-approve every plan that is not for the production deployment.
# NOTE(review): this is an allow-by-default rule — any deployment added to
# this file later is auto-approved as well unless it is also excluded here.
# If that is not intended, compare against the deployments that may auto-apply
# (e.g. `== deployment.development`) instead of excluding production.
orchestrate "auto_approve" "non_prd" {
  check {
    reason    = "Plan is production."
    condition = context.plan.deployment != deployment.production
  }
}
# Auto-approve production plans that neither modify nor destroy resources.
# All three checks must hold for the rule to apply.
# NOTE(review): only the `change` and `remove` counts are gated, so a
# production plan that only creates resources (`context.plan.changes.add`)
# still auto-applies without review. If additions in production should also
# need a human approval, add a check on `context.plan.changes.add == 0`.
orchestrate "auto_approve" "prd_no_modifications_or_destructions" {
  # Scope: production only (non-production is handled by the `non_prd` rule).
  check {
    reason    = "Plan is not production."
    condition = context.plan.deployment == deployment.production
  }

  # No in-place updates.
  check {
    reason    = "Plan is modifying ${context.plan.changes.change} resources."
    condition = context.plan.changes.change == 0
  }

  # No destructions.
  check {
    reason    = "Plan is destroying ${context.plan.changes.remove} resources."
    condition = context.plan.changes.remove == 0
  }
}
# Automatically replan production plans that were not applyable, with a cap
# on the number of automatic replans so a persistently failing plan does not
# loop.
# NOTE(review): the reason text says "once", but `replans < 2` passes when
# the count is 0 or 1 — if `context.plan.replans` counts prior automatic
# replans starting at 0, this permits two replans, not one. Confirm the
# counter's semantics and either tighten to `< 1` or reword the reason.
orchestrate "replan" "prod_for_errors" {
  # Scope: production only.
  check {
    reason    = "Only automatically replan production deployments."
    condition = context.plan.deployment == deployment.production
  }

  # Only plans that could not be applied.
  check {
    reason    = "Only automatically replan plans that were not applyable."
    condition = context.plan.applyable == false
  }

  # Bound the retry count.
  check {
    reason    = "Only automatically replan failed plans once."
    condition = context.plan.replans < 2
  }
}