From 0551803ec504d1851387dc1c343e8012da2f2fd1 Mon Sep 17 00:00:00 2001
From: Fernanda Meheust
Date: Fri, 22 Dec 2023 16:51:59 +0100
Subject: [PATCH 01/25] Remove need for token

---
 devops.tf | 38 ++++++++++++++++++++++++++++++-
 java/build-artifact.yaml.template | 17 ++++----------
 java/build-repo.yaml.template | 17 ++++----------
 java/java-datasources.tf | 4 ----
 variables.tf | 16 -------------
 vault.tf | 29 -----------------------
 6 files changed, 45 insertions(+), 76 deletions(-)

diff --git a/devops.tf b/devops.tf
index 69d01e2..cb6d203 100644
--- a/devops.tf
+++ b/devops.tf
@@ -177,12 +177,48 @@ resource "oci_devops_build_pipeline_stage" "art_build_pipeline_stage" { count = local.use-artifact ? 1 : 0 } +# image artifact +resource "oci_devops_deploy_artifact" "container_image_artifact" { + argument_substitution_mode = "NONE" + deploy_artifact_type = "OCIR" + project_id = local.project_id + display_name = "Container image" + + deploy_artifact_source { + image_uri = local.image-latest-tag + } +} + + +# push image to container registry +resource "oci_devops_build_pipeline_stage" "push_image_to_container_registry" { + build_pipeline_id = (local.use-artifact ? oci_devops_build_pipeline.build_pipeline_artifact[0].id : oci_devops_build_pipeline.build_pipeline[0].id) + build_pipeline_stage_predecessor_collection { + items { + id = (local.use-repository ? oci_devops_build_pipeline_stage.repo_build_pipeline_stage[0].id : oci_devops_build_pipeline_stage.art_build_pipeline_stage[0].id) + } + } + build_pipeline_stage_type = "DELIVER_ARTIFACT" + + deploy_pipeline_id = oci_devops_deploy_pipeline.deploy_pipeline.id + description = "Push image to container registry" + display_name = "Push image to container registry" + + deliver_artifact_collection { + items { + artifact_id = oci_devops_deploy_artifact.container_image_artifact.id + artifact_name = "application_image" + } + } + is_pass_all_parameters_enabled = false +} + # artifact or source case: resource "oci_devops_build_pipeline_stage" "trigger_deployment" { build_pipeline_id = (local.use-artifact ? oci_devops_build_pipeline.build_pipeline_artifact[0].id : oci_devops_build_pipeline.build_pipeline[0].id) build_pipeline_stage_predecessor_collection { items { - id = (local.use-repository ? oci_devops_build_pipeline_stage.repo_build_pipeline_stage[0].id : oci_devops_build_pipeline_stage.art_build_pipeline_stage[0].id) + id = oci_devops_build_pipeline_stage.push_image_to_container_registry.id } } build_pipeline_stage_type = "TRIGGER_DEPLOYMENT_PIPELINE" 
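Review bot: The new `push_image_to_container_registry` stage makes the build pipeline's own identity responsible for the registry push, now that the `docker login` with `OCI_TOKEN` is removed from both build-spec templates in this patch, but nothing in the patch grants that identity access to the container repository. Unless a dynamic-group policy for the build pipeline already exists elsewhere in the stack, the DELIVER_ARTIFACT stage will fail at run time; confirm it exists and record the requirement above the resource, e.g. `# requires an IAM policy allowing the DevOps build pipeline dynamic group to manage repos in the target compartment`. The `trigger_deployment` resource continues outside the hunk.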
diff --git a/java/build-artifact.yaml.template b/java/build-artifact.yaml.template index 4bd11ed..dc25aff 100644 --- a/java/build-artifact.yaml.template +++ b/java/build-artifact.yaml.template @@ -7,7 +7,6 @@ timeoutInSeconds: 10000 shell: bash env: vaultVariables: - OCI_TOKEN : "${oci_token}" DB_USER_PASSWORD : "${db_user_password}" WALLET_PASSWORD : "${wallet_password}" inputArtifacts: @@ -41,15 +40,7 @@ steps: failImmediatelyOnError: true command: | docker build . --file Dockerfile --tag ${image_remote_tag}:${image_tag}-$${artifact_version} --tag ${image_latest_tag} - - type: Command - name: Login to repo - timeoutInSeconds: 900 - failImmediatelyOnError: true - command: | - echo $${OCI_TOKEN} | docker login ${container_registry_repo} --username ${login} --password-stdin - - type: Command - name: Push image - timeoutInSeconds: 600 - failImmediatelyOnError: true - command: | - docker push ${image_remote_tag} --all-tags +outputArtifacts: + - name: application_image + type: DOCKER_IMAGE + location: ${image_latest_tag} \ No newline at end of file diff --git a/java/build-repo.yaml.template b/java/build-repo.yaml.template index d84d9f9..7635a54 100644 --- a/java/build-repo.yaml.template +++ b/java/build-repo.yaml.template @@ -10,7 +10,6 @@ env: variables: JAVA_HOME : "/usr/java/latest" vaultVariables: - OCI_TOKEN : "${oci_token}" DB_USER_PASSWORD : "${db_user_password}" WALLET_PASSWORD : "${wallet_password}" steps: 
@@ -70,15 +69,7 @@ steps: export commit=$(git rev-list --all --max-count=1 --abbrev-commit) cd $${OCI_WORKSPACE_DIR}/${config_repo_name} docker build . --file Dockerfile --tag ${image_remote_tag}:${image_tag}-$commit --tag ${image_latest_tag} - - type: Command - name: Login to repo - timeoutInSeconds: 900 - failImmediatelyOnError: true - command: | - echo $${OCI_TOKEN} | docker login ${container_registry_repo} --username ${login} --password-stdin - - type: Command - name: Push image - timeoutInSeconds: 600 - failImmediatelyOnError: true - command: | - docker push ${image_remote_tag} --all-tags \ No newline at end of file +outputArtifacts: + - name: application_image + type: DOCKER_IMAGE + location: ${image_latest_tag} \ No newline at end of file diff --git a/java/java-datasources.tf b/java/java-datasources.tf index 44c7f3e..257fe83 100644 --- a/java/java-datasources.tf +++ b/java/java-datasources.tf @@ -41,9 +41,6 @@ data "template_file" "catalina_sh" { # build spec file data "template_file" "oci_build_config" { - depends_on = [ - oci_vault_secret.auth_token_secret - ] template = "${(local.use-repository ? file("${path.module}/build-repo.yaml.template") : file("${path.module}/build-artifact.yaml.template"))}" vars = { image_remote_tag = "${local.image-remote-tag}" @@ -55,7 +52,6 @@ data "template_file" "oci_build_config" { artifact_location = var.artifact_location artifact_path = (local.use-artifact ? data.oci_artifacts_generic_artifact.app_artifact[0].artifact_path : "") artifact_version = (local.use-artifact ? data.oci_artifacts_generic_artifact.app_artifact[0].version : "") - oci_token = local.auth_token_secret repo_name = (local.use-repository ? data.oci_devops_repository.devops_repository[0].name : "") config_repo_name = local.config_repo_name artifactId = (local.use-artifact ? var.artifact_id : "") diff --git a/variables.tf b/variables.tf index 939311b..77e2333 100644 --- a/variables.tf +++ b/variables.tf 
@@ -400,18 +400,6 @@ variable "is_free_tier" { default = false } -variable "use_existing_token" { - type = bool - description = "Create authentication token for current user" - default = false -} - -variable "current_user_token" { - type = string - default = "" - sensitive = true -} - locals { # application name with branch application_name = (var.branch == "" ? var.application_name : "${var.application_name}-${var.branch}") @@ -425,10 +413,6 @@ locals { login = "${data.oci_identity_tenancy.tenancy.name}/${local.service-username}" # login, namespace + username (Container Registry) login_container = "${local.namespace}/${local.service-username}" - # authentication token - app_auth_token = var.use_existing_token ? var.current_user_token : oci_identity_auth_token.auth_token[0].token - # Authentication token secret - auth_token_secret = oci_vault_secret.auth_token_secret.id # Container registry url container-registry-repo = "${local.region_key}.ocir.io" # image name diff --git a/vault.tf b/vault.tf index a0e85ce..ec69eda 100644 --- a/vault.tf +++ b/vault.tf 
@@ -20,35 +20,6 @@ resource "oci_kms_key" "app_key" { } -# Create an authentication token for user to connect to repositories -resource "oci_identity_auth_token" "auth_token" { -# provider = oci.home-provider - description = "Authentication token for ${local.application_name}" - user_id = var.current_user_ocid - count = (var.use_existing_token ? 0 : 1) -} - -# Secret containing the authentication token -resource "oci_vault_secret" "auth_token_secret" { - depends_on = [ - oci_kms_vault.app_vault, - oci_kms_key.app_key - ] - #Required - compartment_id = var.use_existing_vault ? var.vault_compartment_id : var.compartment_id - secret_content { - #Required - content_type = "BASE64" - - #Optional - content = base64encode(local.app_auth_token) - name = "auth_token_content_${formatdate("MMDDhhmm", timestamp())}" - } - secret_name ="auth_token_secret_${formatdate("MMDDhhmm", timestamp())}" - vault_id = var.use_existing_vault ? var.vault_id : oci_kms_vault.app_vault[0].id - key_id = var.use_existing_vault ? var.key_id : oci_kms_key.app_key[0].id -} - # Secret containing the db user's password resource "oci_vault_secret" "db_user_password" { depends_on = [ From 5b4b193b933f6aca97e1fc35d838111382e0ce04 Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Fri, 22 Dec 2023 18:05:28 +0100 Subject: [PATCH 02/25] Git using ssh instead of https --- config-repo.tf | 40 +++++++++++++++++++++++++++++++++++++++- datasources.tf | 14 ++++++++++---- ssh_config.template | 3 +++ variables.tf | 3 --- 4 files changed, 52 insertions(+), 8 deletions(-) create mode 100644 ssh_config.template diff --git a/config-repo.tf b/config-repo.tf index 4ed7b3b..31e4a90 100644 --- a/config-repo.tf +++ b/config-repo.tf 
@@ -16,6 +16,29 @@ resource "oci_devops_repository" "config_repo" { count = (local.use-image ? 0 : 1) } +resource "tls_private_key" "rsa_api_key" { + algorithm = "RSA" + rsa_bits = 4096 +} + +resource "oci_identity_api_key" "user_api_key" { + #Required + key_value = tls_private_key.rsa_api_key.public_key_pem + user_id = var.current_user_ocid +} + +resource "local_file" "api_private_key" { + depends_on = [ tls_private_key.rsa_api_key ] + filename = "${path.module}/private-key.pem" + content = tls_private_key.rsa_api_key.private_key_pem +} + +resource "local_file" "ssh_config" { + filename = "${path.module}/ssh_config" + content = data.template_file.ssh_config.rendered +} + + # creates necessary files to configure Docker image # creates the Dockerfile resource "local_file" "dockerfile" { @@ -71,12 +94,27 @@ resource "null_resource" "create_config_repo" { local_file.wallet, local_file.self_signed_certificate, local_file.oci_build_config, + local_fine.ssh_config, random_password.wallet_password ] + # copy private key + provisioner "local-exec" { + command = "cp private-key.pem ~/ssh/private-key.pem" + on_failure = fail + working_dir = "${path.module}" + } + + # copy ssh-config + provisioner "local-exec" { + command = "cp ssh_config ~/.ssh/config" + on_failure = fail + working_dir = "${path.module}" + } + # clone new repository provisioner "local-exec" { - command = "git clone ${local.config_repo_url}" + command = "git clone ${oci_devops_repository.config_repo[0].http_url}" on_failure = fail working_dir = "${path.module}" } diff --git a/datasources.tf b/datasources.tf index e51c078..6fccb90 100644 --- a/datasources.tf +++ b/datasources.tf 
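Review bot: `local_file.api_private_key` writes the RSA private key into the module directory without `file_permission`, so the PEM is created with the provider's default mode and stays next to the code after apply; the same key material is also retained in Terraform state by `tls_private_key`, so the state backend must be treated as secret. Add `file_permission = "0600"` to the resource and consider removing the local PEM once it has been copied. The `cp ssh_config ~/.ssh/config` provisioner also replaces whatever SSH configuration the operator already has; writing to a dedicated file and pointing git at it with `-c core.sshCommand='ssh -F <dedicated-config-path>'` avoids clobbering it. The `~/ssh` destination (missing dot) and the `local_fine` reference are corrected later in the series (patches 09 and 06), and `create_config_repo` starts outside the hunk.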
@@ -59,12 +59,8 @@ data "oci_artifacts_generic_artifact" "app_artifact" { # build spec file data "template_file" "oci_deploy_config" { - depends_on = [ - oci_vault_secret.auth_token_secret - ] template = "${file("${path.module}/deploy.yaml.template")}" vars = { - oci_token = local.auth_token_secret config_repo_url = local.config_repo_url config_repo_name = local.config_repo_name artifact_ocid = oci_generic_artifacts_content_artifact_by_path.update_container_instance_script.id @@ -89,6 +85,16 @@ data "template_file" "deploy_script" { count = var.nb_copies } +data "template_file" "ssh_config" { + depends_on = [ + local_file.api_private_key + ] + template = "${file("${path.module}/ssh_config.template")}" + vars = { + "user" = local.login + } +} + data "oci_identity_api_keys" "dbconnection_api_key" { user_id = var.current_user_ocid } diff --git a/ssh_config.template b/ssh_config.template new file mode 100644 index 0000000..adbee20 --- /dev/null +++ b/ssh_config.template @@ -0,0 +1,3 @@ +Host devops.scmservice.*.oci.oraclecloud.com + User ${user} + IdentityFile ./private-key.pem \ No newline at end of file diff --git a/variables.tf b/variables.tf index 77e2333..70cf504 100644 --- a/variables.tf +++ b/variables.tf @@ -452,9 +452,6 @@ locals { # : data.oci_identity_api_keys.dbconnection_api_key.api_keys[0].key_value # ) config_repo_name = "${local.application_name}-config" - config_repo_url = (local.use-image - ? "" - : replace(oci_devops_repository.config_repo[0].http_url, "https://", "https://${urlencode(local.login)}:${urlencode(local.app_auth_token)}@")) # database OCID database_ocid = (var.use_existing_database ? var.autonomous_database : oci_database_autonomous_database.database[0].id) # database username From 7214e0e5a60862e2728a09f64822a53bd20e51bd Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Fri, 22 Dec 2023 18:17:24 +0100 Subject: [PATCH 03/25] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a91c6f5..956c945 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -17,7 +17,7 @@ on: - dotnet jobs: call-workflow-passing-data: - uses: oracle-quickstart/appstack/.github/workflows/build.yml@main + uses: fmeheust/appstack/.github/workflows/build.yml@main with: branch: ${{ github.event.inputs.branch }} type: ${{ github.event.inputs.type }} From 38cec47f91e21436604baff1e06072a498b8c546 Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Fri, 22 Dec 2023 18:17:43 +0100 Subject: [PATCH 04/25] Update on-push.yml --- .github/workflows/on-push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/on-push.yml b/.github/workflows/on-push.yml index 7d444ae..8df4ea9 100644 --- a/.github/workflows/on-push.yml +++ b/.github/workflows/on-push.yml @@ -2,7 +2,7 @@ name: 'Build on push' on: push jobs: call-workflow-passing-data: - uses: oracle-quickstart/appstack/.github/workflows/build.yml@main + uses: fmeheust/appstack/.github/workflows/build.yml@main with: branch: ${{github.ref_name}} type: 'java' From 110c4a9fbf60f4311c5c80d108d45c7bbb5802da Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Fri, 22 Dec 2023 18:22:02 +0100 Subject: [PATCH 05/25] Updated user interface --- interface.yaml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/interface.yaml b/interface.yaml index d14c2ba..fe7d3e2 100644 --- a/interface.yaml +++ b/interface.yaml @@ -30,8 +30,6 @@ variableGroups: ###APPLICATION_GROUP### - title: "Stack authentication" variables: - - use_existing_token - - current_user_token - use_existing_vault - new_vault_display_name - vault_compartment_id 
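Review bot: Both workflow files now call the reusable workflow from a personal fork at the mutable ref `fmeheust/appstack/.github/workflows/build.yml@main` (this hunk and the identical one in patch 04 on the same line), which places the repository's CI under the control of whatever lands on that fork's `main`. If this is a temporary test change it should be reverted before merge; if it is intended, pin the reference to a full commit SHA rather than a branch so the consumed workflow cannot change underneath the caller.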
@@ -246,17 +244,6 @@ variables: visible: and: - use_existing_vault - use_existing_token: - type: boolean - required: true - title: Use existing authentication token - description: This token will be used by the stack to authenticate the user when connecting to the code repository or container registry. - default: true - current_user_token: - type: password - required: true - title: User's authentication token - visible: use_existing_token ###APP_CONFIG### # FQDN create_fqdn: From 4e2ce0ccab2ebcbe3185fce89b50a1ec315da769 Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Fri, 22 Dec 2023 18:36:58 +0100 Subject: [PATCH 06/25] Corrected stack errors --- config-repo.tf | 2 +- datasources.tf | 1 - devops.tf | 1 + 3 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config-repo.tf b/config-repo.tf index 31e4a90..3084599 100644 --- a/config-repo.tf +++ b/config-repo.tf @@ -94,7 +94,7 @@ resource "null_resource" "create_config_repo" { local_file.wallet, local_file.self_signed_certificate, local_file.oci_build_config, - local_fine.ssh_config, + local_file.ssh_config, random_password.wallet_password ] diff --git a/datasources.tf b/datasources.tf index 6fccb90..2448cfb 100644 --- a/datasources.tf +++ b/datasources.tf @@ -61,7 +61,6 @@ data "oci_artifacts_generic_artifact" "app_artifact" { data "template_file" "oci_deploy_config" { template = "${file("${path.module}/deploy.yaml.template")}" vars = { - config_repo_url = local.config_repo_url config_repo_name = local.config_repo_name artifact_ocid = oci_generic_artifacts_content_artifact_by_path.update_container_instance_script.id registry_ocid = oci_artifacts_repository.application_repository.id diff --git a/devops.tf b/devops.tf index cb6d203..045063a 100644 --- a/devops.tf +++ b/devops.tf 
@@ -181,6 +181,7 @@ resource "oci_devops_build_pipeline_stage" "art_build_pipeline_stage" { resource "oci_devops_deploy_artifact" "container_image_artifact" { argument_substitution_mode = "NONE" deploy_artifact_type = "OCIR" + deploy_artifact_source_type = "OCIR" project_id = local.project_id display_name = "Container image" From d4ac00406aafb2ca1664a57f5c3feee7dca9eb90 Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Fri, 22 Dec 2023 18:41:42 +0100 Subject: [PATCH 07/25] source type --- devops.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devops.tf b/devops.tf index 045063a..29fe313 100644 --- a/devops.tf +++ b/devops.tf @@ -181,12 +181,12 @@ resource "oci_devops_build_pipeline_stage" "art_build_pipeline_stage" { resource "oci_devops_deploy_artifact" "container_image_artifact" { argument_substitution_mode = "NONE" deploy_artifact_type = "OCIR" - deploy_artifact_source_type = "OCIR" project_id = local.project_id display_name = "Container image" deploy_artifact_source { image_uri = local.image-latest-tag + deploy_artifact_source_type = "OCIR" } } From 47f14e0e397ded97bcbf2477e3e1fb761617d8f8 Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Fri, 22 Dec 2023 21:14:25 +0100 Subject: [PATCH 08/25] deploy_artifact_type for docker image --- devops.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devops.tf b/devops.tf index 29fe313..c83fef1 100644 --- a/devops.tf +++ b/devops.tf @@ -180,7 +180,7 @@ resource "oci_devops_build_pipeline_stage" "art_build_pipeline_stage" { # image artifact resource "oci_devops_deploy_artifact" "container_image_artifact" { argument_substitution_mode = "NONE" - deploy_artifact_type = "OCIR" + deploy_artifact_type = "DOCKER_IMAGE" project_id = local.project_id display_name = "Container image" From 55be2ee2b9e2b9c46e8a90c42aef47f3aa866de7 Mon Sep 17 00:00:00 2001 
From: Fernanda Meheust Date: Fri, 22 Dec 2023 22:12:40 +0100 Subject: [PATCH 09/25] ssh config --- config-repo.tf | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/config-repo.tf b/config-repo.tf index 3084599..aafa263 100644 --- a/config-repo.tf +++ b/config-repo.tf @@ -98,9 +98,16 @@ resource "null_resource" "create_config_repo" { random_password.wallet_password ] + # create .ssh directory + provisioner "local-exec" { + command = "mkdir ~/.ssh" + on_failure = fail + working_dir = "${path.module}" + } + # copy private key provisioner "local-exec" { - command = "cp private-key.pem ~/ssh/private-key.pem" + command = "cp private-key.pem ~/.ssh/private-key.pem" on_failure = fail working_dir = "${path.module}" } From 465575200a5136b94a3ee1395e90741cd3282c7f Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Fri, 22 Dec 2023 22:31:20 +0100 Subject: [PATCH 10/25] ssh url instead of https --- config-repo.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config-repo.tf b/config-repo.tf index aafa263..01fdfad 100644 --- a/config-repo.tf +++ b/config-repo.tf @@ -121,7 +121,7 @@ resource "null_resource" "create_config_repo" { # clone new repository provisioner "local-exec" { - command = "git clone ${oci_devops_repository.config_repo[0].http_url}" + command = "git clone ${oci_devops_repository.config_repo[0].ssh_url}" on_failure = fail working_dir = "${path.module}" } From cb81d0432c91ebd8b459d37da5693e6164e24cad Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Fri, 22 Dec 2023 22:59:39 +0100 Subject: [PATCH 11/25] debug --- config-repo.tf | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/config-repo.tf b/config-repo.tf index 01fdfad..0596917 100644 --- a/config-repo.tf +++ b/config-repo.tf 
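Review bot: The new `mkdir ~/.ssh` provisioner fails the whole `create_config_repo` resource whenever the directory already exists, because `mkdir` without `-p` returns non-zero for an existing path and `on_failure = fail` is set; use `mkdir -p ~/.ssh && chmod 700 ~/.ssh` so a re-run or a host with an existing `.ssh` directory works and the directory has the permissions ssh expects. The resource starts and ends outside the hunk.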
@@ -119,6 +119,19 @@ resource "null_resource" "create_config_repo" { working_dir = "${path.module}" } + provisioner "local-exec" { + command = "less ~/.ssh/config" + on_failure = fail + working_dir = "${path.module}" + } + + provisioner "local-exec" { + command = "less ~/.ssh/private-key.pem" + on_failure = fail + working_dir = "${path.module}" + } + + # clone new repository provisioner "local-exec" { command = "git clone ${oci_devops_repository.config_repo[0].ssh_url}" From a7deae3e39441b14c824778af38d98ae4112272d Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Fri, 22 Dec 2023 23:31:25 +0100 Subject: [PATCH 12/25] ssh config --- datasources.tf | 2 +- ssh_config.template | 4 ++-- variables.tf | 2 ++ 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/datasources.tf b/datasources.tf index 2448cfb..2aeec8c 100644 --- a/datasources.tf +++ b/datasources.tf @@ -90,7 +90,7 @@ data "template_file" "ssh_config" { ] template = "${file("${path.module}/ssh_config.template")}" vars = { - "user" = local.login + "user" = local.ssh_login } } diff --git a/ssh_config.template b/ssh_config.template index adbee20..a0e942a 100644 --- a/ssh_config.template +++ b/ssh_config.template @@ -1,3 +1,3 @@ Host devops.scmservice.*.oci.oraclecloud.com - User ${user} - IdentityFile ./private-key.pem \ No newline at end of file +User ${user} +IdentityFile ~/.ssh/private-key.pem diff --git a/variables.tf b/variables.tf index 70cf504..943ccbc 100644 --- a/variables.tf +++ b/variables.tf @@ -411,6 +411,8 @@ locals { service-username = data.oci_identity_user.current_user.name # login, tenancy + username (DevOps) login = "${data.oci_identity_tenancy.tenancy.name}/${local.service-username}" + # ssh login + ssh_login = "${local.service-username}@${data.oci_identity_tenancy.tenancy.name}" # login, namespace + username (Container Registry) login_container = "${local.namespace}/${local.service-username}" # Container registry url 
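Review bot: The second debug provisioner, `less ~/.ssh/private-key.pem`, writes the freshly generated API private key to the provisioner's stdout, which lands in the Terraform run log (and in the stack service's job logs if it runs there), exposing the key to anyone who can read those logs. Both `less` provisioners should be removed before merge; if an existence check is wanted, `test -r ~/.ssh/private-key.pem` confirms the file without printing its contents. The enclosing `create_config_repo` resource starts and ends outside the hunk.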
From 2f9473070ddf3e7fb04d2daabe95d5f9f012fb46 Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Fri, 22 Dec 2023 23:42:35 +0100 Subject: [PATCH 13/25] ssh private key permissions --- config-repo.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/config-repo.tf b/config-repo.tf index 0596917..6220cc7 100644 --- a/config-repo.tf +++ b/config-repo.tf @@ -30,6 +30,7 @@ resource "oci_identity_api_key" "user_api_key" { resource "local_file" "api_private_key" { depends_on = [ tls_private_key.rsa_api_key ] filename = "${path.module}/private-key.pem" + file_permission = "0400" content = tls_private_key.rsa_api_key.private_key_pem } From f46c24bdc7acc4a4d32ea187dc8e52a6f9c87e3b Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Fri, 22 Dec 2023 23:44:13 +0100 Subject: [PATCH 14/25] debug --- config-repo.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/config-repo.tf b/config-repo.tf index 6220cc7..3b38012 100644 --- a/config-repo.tf +++ b/config-repo.tf @@ -132,6 +132,11 @@ resource "null_resource" "create_config_repo" { working_dir = "${path.module}" } + provisioner "local-exec" { + command = "ls -lai ~/.ssh" + on_failure = fail + working_dir = "${path.module}" + } # clone new repository provisioner "local-exec" { From 0b4e298494ad5fb1af8905fc9b06279be0a7dd19 Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Fri, 22 Dec 2023 23:55:55 +0100 Subject: [PATCH 15/25] chmod --- config-repo.tf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/config-repo.tf b/config-repo.tf index 3b38012..819aadc 100644 --- a/config-repo.tf +++ b/config-repo.tf @@ -30,7 +30,6 @@ resource "oci_identity_api_key" "user_api_key" { resource "local_file" "api_private_key" { depends_on = [ tls_private_key.rsa_api_key ] filename = "${path.module}/private-key.pem" - file_permission = "0400" content = tls_private_key.rsa_api_key.private_key_pem } 
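Review bot: Dropping `file_permission = "0400"` from `local_file.api_private_key` leaves `${path.module}/private-key.pem` at the provider's default mode, so the module-directory copy of the private key is readable by other local users even after the `chmod 400` this commit adds to the `~/.ssh` copy in its second hunk. If 0400 was removed because a read-only file broke a later re-apply, `file_permission = "0600"` avoids that while keeping the key private; the copied file can still be tightened separately.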
@@ -132,6 +131,12 @@ resource "null_resource" "create_config_repo" { working_dir = "${path.module}" } + provisioner "local-exec" { + command = "chmod 400 ~/.ssh/private-key.pem" + on_failure = fail + working_dir = "${path.module}" + } + provisioner "local-exec" { command = "ls -lai ~/.ssh" on_failure = fail From f11210c7bc1be9f2ad372d1b646b8e1d1da851dd Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Sat, 23 Dec 2023 00:41:43 +0100 Subject: [PATCH 16/25] bypass fingerprint verification --- config-repo.tf | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/config-repo.tf b/config-repo.tf index 819aadc..ddc3da3 100644 --- a/config-repo.tf +++ b/config-repo.tf @@ -137,6 +137,13 @@ resource "null_resource" "create_config_repo" { working_dir = "${path.module}" } + provisioner "local-exec" { + command = "ssh -o StrictHostKeyChecking=no devops.scmservice.${data.oci_identity_regions.current_region.name}.oci.oraclecloud.com" + on_failure = fail + working_dir = "${path.module}" + } + + provisioner "local-exec" { command = "ls -lai ~/.ssh" on_failure = fail From a21cb48e7eb34b3259445cb7e4caa45942186a9a Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Sat, 23 Dec 2023 00:59:50 +0100 Subject: [PATCH 17/25] region --- config-repo.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config-repo.tf b/config-repo.tf index ddc3da3..ddf11a6 100644 --- a/config-repo.tf +++ b/config-repo.tf @@ -138,7 +138,7 @@ resource "null_resource" "create_config_repo" { } provisioner "local-exec" { - command = "ssh -o StrictHostKeyChecking=no devops.scmservice.${data.oci_identity_regions.current_region.name}.oci.oraclecloud.com" + command = "ssh -o StrictHostKeyChecking=no devops.scmservice.${data.oci_identity_regions.current_region.regions[0].name}.oci.oraclecloud.com" on_failure = fail working_dir = "${path.module}" } From 5947a585b7e696a32b8ef9a698c05e45e2c9ec8f Mon Sep 17 00:00:00 2001 
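Review bot: `ssh -o StrictHostKeyChecking=no` disables host-key verification for the DevOps SCM endpoint: an unknown key is accepted silently and a changed key no longer aborts the connection, so the clone and every later push over this key are exposed to a man-in-the-middle on first contact; patch 18 on the next line moves the same option into `git -c core.sshCommand=...` for the clone and carries the same weakness. Prefer `-o StrictHostKeyChecking=accept-new` (trust on first use, reject later changes) or, better, seed `~/.ssh/known_hosts` with the service's published host key before cloning. The `create_config_repo` resource starts and ends outside the hunk.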
From: Fernanda Meheust Date: Sat, 23 Dec 2023 01:15:16 +0100 Subject: [PATCH 18/25] clone command --- config-repo.tf | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/config-repo.tf b/config-repo.tf index ddf11a6..074b0ab 100644 --- a/config-repo.tf +++ b/config-repo.tf @@ -137,13 +137,6 @@ resource "null_resource" "create_config_repo" { working_dir = "${path.module}" } - provisioner "local-exec" { - command = "ssh -o StrictHostKeyChecking=no devops.scmservice.${data.oci_identity_regions.current_region.regions[0].name}.oci.oraclecloud.com" - on_failure = fail - working_dir = "${path.module}" - } - - provisioner "local-exec" { command = "ls -lai ~/.ssh" on_failure = fail @@ -152,7 +145,7 @@ resource "null_resource" "create_config_repo" { # clone new repository provisioner "local-exec" { - command = "git clone ${oci_devops_repository.config_repo[0].ssh_url}" + command = "git -c core.sshCommand='ssh -o StrictHostKeyChecking=no' clone ${oci_devops_repository.config_repo[0].ssh_url}" on_failure = fail working_dir = "${path.module}" } From 9d1b2b2c936ddd557a7a659a3bc554b9c7bd0afe Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Sat, 23 Dec 2023 01:30:27 +0100 Subject: [PATCH 19/25] chmod on config --- config-repo.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/config-repo.tf b/config-repo.tf index 074b0ab..51a5672 100644 --- a/config-repo.tf +++ b/config-repo.tf @@ -137,6 +137,12 @@ resource "null_resource" "create_config_repo" { working_dir = "${path.module}" } + provisioner "local-exec" { + command = "chmod 600 ~/.ssh/config" + on_failure = fail + working_dir = "${path.module}" + } + provisioner "local-exec" { command = "ls -lai ~/.ssh" on_failure = fail From d6112402ab75c07cb59a10702eb5f5ef6a2f8f6d Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Sat, 23 Dec 2023 01:47:38 +0100 Subject: [PATCH 20/25] Renamed private key file --- config-repo.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/config-repo.tf b/config-repo.tf index 51a5672..61232e4 100644 --- a/config-repo.tf +++ b/config-repo.tf @@ -29,7 +29,7 @@ resource "oci_identity_api_key" "user_api_key" { resource "local_file" "api_private_key" { depends_on = [ tls_private_key.rsa_api_key ] - filename = "${path.module}/private-key.pem" + filename = "${path.module}/api-private-key.pem" content = tls_private_key.rsa_api_key.private_key_pem } @@ -107,7 +107,7 @@ resource "null_resource" "create_config_repo" { # copy private key provisioner "local-exec" { - command = "cp private-key.pem ~/.ssh/private-key.pem" + command = "cp api-private-key.pem ~/.ssh/private-key.pem" on_failure = fail working_dir = "${path.module}" } From 34583ce1b1b8c4cc2cc8681eaee6936189365da2 Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Sat, 23 Dec 2023 02:14:05 +0100 Subject: [PATCH 21/25] build steps --- devops.tf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/devops.tf b/devops.tf index c83fef1..9249381 100644 --- a/devops.tf +++ b/devops.tf @@ -212,6 +212,7 @@ resource "oci_devops_build_pipeline_stage" "push_image_to_container_registry" { } } is_pass_all_parameters_enabled = false + count = (local.use-image ? 0 : 1) } # artifact or source case: @@ -219,7 +220,7 @@ resource "oci_devops_build_pipeline_stage" "trigger_deployment" { build_pipeline_id = (local.use-artifact ? oci_devops_build_pipeline.build_pipeline_artifact[0].id : oci_devops_build_pipeline.build_pipeline[0].id) build_pipeline_stage_predecessor_collection { items { - id = oci_devops_build_pipeline_stage.push_image_to_container_registry.id + id = oci_devops_build_pipeline_stage.push_image_to_container_registry[0].id } } build_pipeline_stage_type = "TRIGGER_DEPLOYMENT_PIPELINE" 
@@ -237,6 +238,7 @@ resource "oci_devops_trigger" "generated_oci_devops_trigger" { depends_on = [ oci_devops_build_pipeline_stage.repo_build_pipeline_stage, oci_devops_build_pipeline_stage.art_build_pipeline_stage, + oci_devops_build_pipeline_stage.push_image_to_container_registry, oci_artifacts_container_repository.application-container-repository ] actions { @@ -265,6 +267,7 @@ resource "oci_devops_build_run" "create_docker_image" { oci_devops_build_pipeline.build_pipeline_artifact, oci_devops_build_pipeline_stage.repo_build_pipeline_stage, oci_devops_build_pipeline_stage.art_build_pipeline_stage, + oci_devops_build_pipeline_stage.push_image_to_container_registry, null_resource.commit_config_repo ] dynamic "build_run_arguments" { From 6996a3aca425da9739f68c1baa972f5838e4bbd1 Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Sat, 23 Dec 2023 02:30:08 +0100 Subject: [PATCH 22/25] devops order --- devops.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/devops.tf b/devops.tf index 9249381..6c0fb1d 100644 --- a/devops.tf +++ b/devops.tf @@ -217,6 +217,7 @@ resource "oci_devops_build_pipeline_stage" "push_image_to_container_registry" { # artifact or source case: resource "oci_devops_build_pipeline_stage" "trigger_deployment" { + depends_on = [ oci_devops_build_run.create_docker_image ] build_pipeline_id = (local.use-artifact ? oci_devops_build_pipeline.build_pipeline_artifact[0].id : oci_devops_build_pipeline.build_pipeline[0].id) build_pipeline_stage_predecessor_collection { items { From 893fdc28fbac9229833ebe5d80b6ff8e23e590b4 Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Sat, 23 Dec 2023 02:44:06 +0100 Subject: [PATCH 23/25] devops order --- devops.tf | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/devops.tf b/devops.tf index 6c0fb1d..7a4cc86 100644 --- a/devops.tf +++ b/devops.tf 
@@ -193,6 +193,11 @@ resource "oci_devops_deploy_artifact" "container_image_artifact" { # push image to container registry resource "oci_devops_build_pipeline_stage" "push_image_to_container_registry" { + depends_on = [ + oci_devops_build_pipeline_stage.repo_build_pipeline_stage, + oci_devops_build_pipeline_stage.art_build_pipeline_stage, + oci_artifacts_container_repository.application-container-repository + ] build_pipeline_id = (local.use-artifact ? oci_devops_build_pipeline.build_pipeline_artifact[0].id : oci_devops_build_pipeline.build_pipeline[0].id) build_pipeline_stage_predecessor_collection { items { @@ -217,7 +222,9 @@ resource "oci_devops_build_pipeline_stage" "push_image_to_container_registry" { # artifact or source case: resource "oci_devops_build_pipeline_stage" "trigger_deployment" { - depends_on = [ oci_devops_build_run.create_docker_image ] + depends_on = [ + oci_container_instances_container_instance.app_container_instance + ] build_pipeline_id = (local.use-artifact ? oci_devops_build_pipeline.build_pipeline_artifact[0].id : oci_devops_build_pipeline.build_pipeline[0].id) build_pipeline_stage_predecessor_collection { items { @@ -245,13 +252,13 @@ resource "oci_devops_trigger" "generated_oci_devops_trigger" { actions { build_pipeline_id = (local.use-artifact ? oci_devops_build_pipeline.build_pipeline_artifact[0].id : oci_devops_build_pipeline.build_pipeline[0].id) type = "TRIGGER_BUILD_PIPELINE" - filter { - trigger_source = "DEVOPS_CODE_REPOSITORY" - events = ["PUSH"] - include { - head_ref = var.branch - } - } + filter { + trigger_source = "DEVOPS_CODE_REPOSITORY" + events = ["PUSH"] + include { + head_ref = var.branch + } + } } display_name = "${local.application_name}-trigger" project_id = local.project_id 
@@ -310,7 +317,7 @@ resource "oci_devops_deploy_pipeline" "deploy_pipeline" { display_name = "${local.application_name}-deploy" } - resource "oci_devops_deploy_stage" "deploy_stage" { +resource "oci_devops_deploy_stage" "deploy_stage" { depends_on = [ oci_devops_deploy_pipeline.deploy_pipeline ] From e78382cffe08bfddf1dbf0d0215bc749e9f7c51c Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Sat, 23 Dec 2023 12:48:57 +0100 Subject: [PATCH 24/25] Try avoid cycle --- devops.tf | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/devops.tf b/devops.tf index 7a4cc86..a250894 100644 --- a/devops.tf +++ b/devops.tf @@ -223,7 +223,7 @@ resource "oci_devops_build_pipeline_stage" "push_image_to_container_registry" { # artifact or source case: resource "oci_devops_build_pipeline_stage" "trigger_deployment" { depends_on = [ - oci_container_instances_container_instance.app_container_instance + oci_devops_build_run.create_docker_image ] build_pipeline_id = (local.use-artifact ? oci_devops_build_pipeline.build_pipeline_artifact[0].id : oci_devops_build_pipeline.build_pipeline[0].id) build_pipeline_stage_predecessor_collection { @@ -244,10 +244,7 @@ resource "oci_devops_build_pipeline_stage" "trigger_deployment" { resource "oci_devops_trigger" "generated_oci_devops_trigger" { depends_on = [ - oci_devops_build_pipeline_stage.repo_build_pipeline_stage, - oci_devops_build_pipeline_stage.art_build_pipeline_stage, - oci_devops_build_pipeline_stage.push_image_to_container_registry, - oci_artifacts_container_repository.application-container-repository + oci_devops_build_run.create_docker_image ] actions { build_pipeline_id = (local.use-artifact ? oci_devops_build_pipeline.build_pipeline_artifact[0].id : oci_devops_build_pipeline.build_pipeline[0].id) 
@@ -270,13 +267,7 @@ resource "oci_devops_trigger" "generated_oci_devops_trigger" { # run the pipeline resource "oci_devops_build_run" "create_docker_image" { depends_on = [ - oci_artifacts_container_repository.application-container-repository, - oci_devops_build_pipeline.build_pipeline, - oci_devops_build_pipeline.build_pipeline_artifact, - oci_devops_build_pipeline_stage.repo_build_pipeline_stage, - oci_devops_build_pipeline_stage.art_build_pipeline_stage, - oci_devops_build_pipeline_stage.push_image_to_container_registry, - null_resource.commit_config_repo + oci_devops_build_pipeline_stage.push_image_to_container_registry ] dynamic "build_run_arguments" { for_each = local.use-artifact ? [1] : [] From c336f958fc1c829142fb4d3f53edf995093d3b90 Mon Sep 17 00:00:00 2001 From: Fernanda Meheust Date: Sat, 23 Dec 2023 12:58:08 +0100 Subject: [PATCH 25/25] Avoid cycle --- devops.tf | 3 --- 1 file changed, 3 deletions(-) diff --git a/devops.tf b/devops.tf index a250894..a314392 100644 --- a/devops.tf +++ b/devops.tf @@ -300,9 +300,6 @@ resource "oci_devops_deploy_artifact" "deploy_yaml_artifact" { } resource "oci_devops_deploy_pipeline" "deploy_pipeline" { - depends_on = [ - oci_devops_deploy_artifact.deploy_yaml_artifact - ] project_id = local.project_id description = "Deploy pipeline" display_name = "${local.application_name}-deploy"
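Review bot: After this change `oci_devops_build_run.create_docker_image` depends only on the push stage, while `trigger_deployment` (earlier hunk of this patch) and the trigger now depend on the build run, so the first build run is started before the TRIGGER_DEPLOYMENT_PIPELINE stage exists in the pipeline and that run will not deploy. If that is the intended way to break the cycle, say so on the resource, e.g. `# first run only builds and pushes; the deployment stage is attached afterwards to avoid a dependency cycle`; otherwise the initial deployment has to be started separately. The `build_run` resource continues outside the hunk.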