.drone.yml

---

# this pipeline would handle dev and prod running separate AWS accounts,
# running infrastructure in multiple regions (would require adding steps for
# those regions)
#
# this pipeline also makes use of this drone extension:
# https://github.com/meltwater/drone-convert-pathschanged

kind: pipeline
type: docker
name: default

concurrency:
  limit: 1

trigger:
  branch:
  - master

volumes:
- name: dot-aws
  temp: {}

aws_credentials: &aws_credentials
  image: amazon/aws-cli:2.0.31
  volumes:
  - name: dot-aws
    path: /root/.aws
  commands:
  - aws configure --profile $TF_ENV-$TF_REGION set role_arn "arn:aws:iam::$AWS_ACCOUNT_ID:role/DroneTerraformContainerDays"
  - aws configure --profile $TF_ENV-$TF_REGION set region $TF_REGION
  - aws configure --profile $TF_ENV-$TF_REGION set credential_source Ec2InstanceMetadata
  - aws configure --profile $TF_ENV-$TF_REGION set external_id $ASSUME_ROLE_EXTERNAL_ID

terraform: &terraform
  image: alpine:3
  volumes:
  - name: dot-aws
    path: /root/.aws
  commands:
  - apk add bash curl git
  - git clone --branch v1.0.2 https://github.com/tfutils/tfenv.git /opt/tfenv
  - ln -s /opt/tfenv/bin/* /usr/local/bin
  - |-
    ROOT_DIR=$(pwd)
    for DIR in $(cat terraform_dirs | grep ^$TF_ENV/$TF_REGION); do
      echo "INFO  Changing to $DIR"
      cd $ROOT_DIR/$DIR
      tfenv install $(cat terraform.version)
      tfenv use $(cat terraform.version)
      terraform init
      if [ "$DRONE_BUILD_EVENT" == "pull_request" ]; then
        terraform plan
      elif [ "$DRONE_BUILD_EVENT" == "push" ]; then
        terraform apply -auto-approve
      fi
    done

steps:

- name: files_changed
  image: alpine:3
  commands:
  - apk add git
  - |-
    for DIR in $(git --no-pager diff --name-only $DRONE_COMMIT_BEFORE..$DRONE_COMMIT_AFTER | sed "s/^\\(\\.\\/\\)*\\(.*\\)/\\2/" | sed "s/^\\(.*\\)\\/.*/\\1/" | sort | uniq ); do
      for VERSION in $(find . -name terraform.version | sed "s/^\\(\\.\\/\\)*\\(.*\\)/\\2/" | sed "s/^\\(.*\\)\\/.*/\\1/" | sort | uniq); do
        case "$DIR" in
          "$VERSION"*)
            echo $VERSION >> terraform_dirs
            echo "INFO  Adding $VERSION to terrafom_dirs";;
        esac
      done
    done

- <<: *aws_credentials
  name: dev_eu-west-1_aws_credentials
  environment:
    ASSUME_ROLE_EXTERNAL_ID:
      from_secret: assume_role_external_id
    AWS_ACCOUNT_ID:
      from_secret: demo_account_id
    TF_ENV: dev
    TF_REGION: eu-west-1
  when:
    paths:
      include:
      - dev/eu-west-1/**

- <<: *aws_credentials
  name: prod_eu-west-1_aws_credentials
  environment:
    ASSUME_ROLE_EXTERNAL_ID:
      from_secret: assume_role_external_id
    AWS_ACCOUNT_ID:
      from_secret: prod_account_id
    TF_ENV: prod
    TF_REGION: eu-west-1
  when:
    paths:
      include:
      - prod/eu-west-1/**

- <<: *terraform
  name: dev_eu-west-1_terraform_${DRONE_BUILD_EVENT}
  environment:
    # workaround for https://github.com/terraform-providers/terraform-provider-aws/issues/5018
    AWS_METADATA_URL: http://localhost/not/existent/url
    # workaround for https://github.com/hashicorp/aws-sdk-go-base/issues/7
    AWS_SDK_LOAD_CONFIG: 1
    AWS_PROFILE: dev-eu-west-1
    TF_ENV: dev
    TF_REGION: eu-west-1
  when:
    paths:
      include:
      - dev/eu-west-1/**

- <<: *terraform
  name: prod_eu-west-1_terraform_${DRONE_BUILD_EVENT}
  environment:
    # workaround for https://github.com/terraform-providers/terraform-provider-aws/issues/5018
    AWS_METADATA_URL: http://localhost/not/existent/url
    # workaround for https://github.com/hashicorp/aws-sdk-go-base/issues/7
    AWS_SDK_LOAD_CONFIG: 1
    AWS_PROFILE: prod-eu-west-1
    TF_ENV: prod
    TF_REGION: eu-west-1
  when:
    paths:
      include:
      - prod/eu-west-1/**