tfctl 1.0.0 → 1.1.0
- checksums.yaml +4 -4
- data/.rubocop.yml +2 -2
- data/.travis.yml +12 -12
- data/CHANGELOG.adoc +4 -0
- data/README.adoc +11 -10
- data/bin/tfctl +3 -6
- data/docs/configuration.adoc +12 -4
- data/docs/control_tower.adoc +6 -6
- data/docs/creating_a_profile.adoc +5 -5
- data/docs/project_layout.adoc +6 -2
- data/examples/control_tower/{conf/example.yaml → tfctl.yaml} +0 -0
- data/lib/tfctl/config.rb +1 -2
- data/lib/tfctl/schema.rb +2 -2
- data/lib/tfctl/version.rb +1 -1
- metadata +3 -3
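--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d6f58a8ef8569aaec8cc41ad269adf690caca7d13472a26ed65ed846c835273c
+data.tar.gz: '013649daccb576adbe4c0c95c8fe64347b641dcb07ad2f0d3e5ca1420188489c'
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2a65943659c0dabe88c40d76d46a99ed23f1ef335486c719729ca599e10e60b2abc0bc81577f2490ca7bbbe64e479ab641b0197a1160b7a1e061f274f224419b
+data.tar.gz: 8c0cebbab4bc2738357979d1fa013bbf485ea398a3c5ecfdbb4ab9bf670060660a890b900cfca8425764c1387d4ffe5c0d0c50d3a59a10f16ba4f20f3687a303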
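--- a/data/.rubocop.yml
+++ b/data/.rubocop.yml
@@ -6,7 +6,7 @@ AllCops:
 Layout/IndentationWidth:
 Width: 4
 
-Layout/
+Layout/HeredocIndentation:
 Enabled: false
 
 Layout/EmptyLines:
@@ -15,7 +15,7 @@ Layout/EmptyLines:
 Layout/EmptyLinesAroundMethodBody:
 Enabled: false
 
-Layout/
+Layout/HashAlignment:
 EnforcedHashRocketStyle:
 - table
 EnforcedColonStyle: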
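--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -1,18 +1,18 @@
 rvm:
-
-
+- 2.3
+- 2.6
 os: linux
 language: ruby
 script: make test
 jobs:
 include:
-
-
-
-
-
-
-
-
-
-
+- stage: Gem release
+rvm: 2.6
+deploy:
+provider: rubygems
+api_key:
+secure: 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
+gem: tfctl
+on:
+tags: true
+repo: scalefactory/tfctl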
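Review bot: The `- stage: Gem release` job carries no `if:` condition, so it is scheduled on every push and only its `deploy` step is skipped by `on: tags: true`; adding `if: tag IS present` under the stage entry would keep the job, and with it the decryption of `api_key`, confined to tag builds. The encrypted `secure:` value is available to any branch build of the repository (Travis withholds it only from fork pull requests), so push access to `scalefactory/tfctl` is effectively publish access to the gem on RubyGems; that is inherent to this approach and worth recording alongside how the key is scoped and rotated. The `rvm: 2.6` on the stage duplicates the matrix entry and is harmless.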
data/CHANGELOG.adoc
CHANGED
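--- a/data/README.adoc
+++ b/data/README.adoc
@@ -94,7 +94,8 @@ Anatomy of a tfctl command:
 tfctl -c CONFIG_FILE TARGET_OPTIONS -- TERRAFORM_COMMAND
 ----
 
-* `-c` specifies which tfctl config file to use (
+* `-c` specifies which tfctl config file to use (defaults to `tfctl.yaml` in
+current working directory if not set)
 * `TARGET_OPTIONS` specifies which accounts to target. This could be an individual
 account, a group of accounts in an organizational unit or all accounts.
 * `TERRAFORM_COMMAND` will be passed to `terraform` along with any
@@ -116,13 +117,13 @@ tfctl -h
 Show merged configuration:
 
 ----
-tfctl -
+tfctl -s
 ----
 
 List all discovered accounts:
 
 ----
-tfctl
+tfctl --all -l
 ----
 
 TIP: This can be narrowed down using targeting options and is a good way to
@@ -131,44 +132,44 @@ test what accounts match.
 Run Terraform init across all accounts:
 
 ----
-tfctl
+tfctl --all -- init
 ----
 
 Run plan in `test` OU accounts:
 
 ----
-tfctl -
+tfctl -o test -- plan
 ----
 
 Run plan in `live` accounts assuming that `live` is a child OU in multiple
 organization units:
 
 ----
-tfctl -
+tfctl -o '.*/live' -- plan
 ----
 
 Run plan in an individual account:
 
 ----
-tfctl -
+tfctl -a example-account - plan
 ----
 
 Run apply in all accounts:
 
 ----
-tfctl
+tfctl --all -- apply
 ----
 
 Run destroy in `test` OU accounts:
 
 ----
-tfctl -
+tfctl -o test -- destroy -auto-approve
 ----
 
 Don't buffer the output:
 
 ----
-tfctl -
+tfctl -a example-account -u -- plan
 ----
 
 This will show output in real time. Usually output is buffered and displayed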
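--- a/data/bin/tfctl
+++ b/data/bin/tfctl
@@ -22,7 +22,7 @@ options = {
 ou: nil,
 all: nil,
 show_config: false,
-config_file:
+config_file: 'tfctl.yaml',
 unbuffered: false,
 debug: false,
 use_cache: false,
@@ -68,10 +68,6 @@ begin
 
 # Validate CLI arguments
 
-if options[:config_file].nil?
-raise OptionParser::MissingArgument, '--config-file'
-end
-
 unless File.exist? options[:config_file]
 raise OptionParser::InvalidOption,
 "Config file not found in: #{options[:config_file]}"
@@ -104,7 +100,7 @@ end
 
 
 
-#
+# Execute terraform in target accounts
 def run_account(config, account, options, tf_argv, log)
 
 # Skip excluded accounts
@@ -145,6 +141,7 @@ begin
 log.info 'tfctl running'
 
 config_name = File.basename(options[:config_file]).chomp('.yaml')
+config_name = 'default' if config_name == 'tfctl'
 log.info "Using config: #{config_name}"
 
 log.info 'Working out AWS account topology'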
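Review bot: `config_name = 'default' if config_name == 'tfctl'` in the last hunk collapses distinct inputs onto one name: `-c default.yaml`, the implicit `tfctl.yaml` and `-c some/dir/tfctl.yaml` all become `default`, so their per-config state (the `.tfctl/` layout described in project_layout.adoc on this page, presumably keyed by this name) would be shared silently. The preceding `chomp('.yaml')` also leaves a `.yml` file's extension in the name; `config_name = File.basename(options[:config_file], '.*')` strips any extension. A guard in the existing error style, `raise OptionParser::InvalidOption, 'default.yaml is reserved' if config_name == 'default' && File.basename(options[:config_file]) != 'tfctl.yaml'`, would make the collision explicit. The enclosing `begin` block starts and ends outside the hunk. Separately, the new default `'tfctl.yaml'` in the first hunk disagrees with the `tfctl.conf` entry in the project_layout.adoc tree on this page.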
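--- a/data/docs/configuration.adoc
+++ b/data/docs/configuration.adoc
@@ -25,7 +25,7 @@ toc::[]
 == Overview
 
 Tfctl retrieves initial account configuration from AWS Organizations and merges
-it with configuration specified in a yaml file.
+it with configuration specified in a yaml file (`tfctl.yaml` by default).
 
 The configuration is merged in the following order:
 
@@ -68,9 +68,9 @@ organization_units:
 
 This will result in all three profiles deployed to accounts in `team` OU.
 
-TIP: You can display the fully merged configuration by running `tfctl -
-
-
+TIP: You can display the fully merged configuration by running `tfctl -s`.
+It's safe to run as it doesn't make any changes to AWS resources. It's a good
+way to test your configuration.
 
 == Defining arbitrary data
 
@@ -87,3 +87,11 @@ No secrets should be committed into Terraform or tfctl configuration. Use AWS
 Secrets Manager instead and retrieve in Terraform profiles using
 https://www.terraform.io/docs/providers/aws/d/secretsmanager_secret.html[secrets
 manager data source]
+
+== Configuration Schema
+
+Config file is validated using https://json-schema.org/[JSON Schema].
+
+The schema is defined in
+https://github.com/scalefactory/tfctl/blob/master/lib/tfctl/schema.rb[lib/tfctl/schema.rb]
+and is a good place to look up all available options.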
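--- a/data/docs/control_tower.adoc
+++ b/data/docs/control_tower.adoc
@@ -151,7 +151,7 @@ NOTE: Successful status should read: `CREATE_COMPLETE`.
 == Configure tfctl
 
 Copy the example project directory `examples/control_tower` somewhere convenient
-and edit `
+and edit `tfctl.yaml`.
 
 You need to modify the following parameters:
 
@@ -172,7 +172,7 @@ NOTE: Run tfctl commands from the root of you project directory.
 First dump the configuration to verify everything works:
 
 ----
-tfctl -
+tfctl -s
 ----
 
 This will not make any changes but will print out a yaml containing the final,
@@ -182,7 +182,7 @@ their configuration.
 Initialise terraform for all discovered accounts:
 
 ----
-tfctl
+tfctl --all -- init
 ----
 
 Tfctl will run Terraform against all accounts in parallel.
@@ -190,19 +190,19 @@ Tfctl will run Terraform against all accounts in parallel.
 Run plan:
 
 ----
-tfctl
+tfctl --all -- plan
 ----
 
 and apply:
 
 ----
-tfctl
+tfctl --all -- apply
 ----
 
 To destroy created resources run:
 
 ----
-tfctl
+tfctl --all -- destroy -auto-approve
 ----
 
 That's it! You can now execute terraform across your Control Tower estate.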
@@ -81,7 +81,7 @@ profile. Tfctl configuration can be accessed using this variable. This It
|
|
81
81
|
includes an array of all discovered accounts as well their parameters from
|
82
82
|
tfctl config file.
|
83
83
|
|
84
|
-
TIP: You can run `tfctl -
|
84
|
+
TIP: You can run `tfctl -s` to show the config data in
|
85
85
|
yaml format. This exact data is available in the `config` variable in your
|
86
86
|
profile.
|
87
87
|
|
@@ -124,7 +124,7 @@ You have few options here:
|
|
124
124
|
For the sake of this example we're going to deploy our bucket to all accounts
|
125
125
|
in `test` OU.
|
126
126
|
|
127
|
-
In tfctl
|
127
|
+
In `tfctl.yaml` add the profile to the `test` OU:
|
128
128
|
|
129
129
|
[source, yaml]
|
130
130
|
----
|
@@ -140,8 +140,8 @@ organization_units:
|
|
140
140
|
To see what would happen when the change is applied run:
|
141
141
|
|
142
142
|
----
|
143
|
-
tfctl -
|
144
|
-
tfctl -
|
143
|
+
tfctl -o test -- init
|
144
|
+
tfctl -o test -- plan
|
145
145
|
----
|
146
146
|
|
147
147
|
This will run `terraform init` to initialise terraform and then `terraform
|
@@ -187,5 +187,5 @@ next step.
|
|
187
187
|
|
188
188
|
Once you're happy with the plan, apply it.
|
189
189
|
----
|
190
|
-
tfctl -
|
190
|
+
tfctl -o test -- apply
|
191
191
|
----
|
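--- a/data/docs/project_layout.adoc
+++ b/data/docs/project_layout.adoc
@@ -23,8 +23,7 @@ endif::[]
 Example project structure
 ----
 project_dir/
-├── conf
-│ └── example.yaml
+├── tfctl.conf
 ├── modules
 │ └── s3-bucket
 │ ├── main.tf
@@ -51,6 +50,11 @@ The configuration data is exposed to terraform via a profile `config` variable.
 It also defines Terraform and tfctl configuration such as state tracking and
 what IAM roles to use.
 
+By default tfctl will use `tfctl.yaml` in it's current working directory. You
+can specify a different file using `-c`. Multiple configurations are supported
+in the same project directory and generated data will be stored separately for
+each config file in `.tfctl/`.
+
 == profiles
 
 Profiles are re-usable collections of resources which can be applied to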
File without changes
|
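--- a/data/lib/tfctl/config.rb
+++ b/data/lib/tfctl/config.rb
@@ -48,7 +48,7 @@ module Tfctl
 @config.to_json
 end
 
-# Filters accounts by account property
+# Filters accounts by an account property
 def find_accounts(property_name, property_value)
 output =[]
 @config[:accounts].each do |account|
@@ -88,7 +88,6 @@ module Tfctl
 
 # Retrieves AWS Organizations data and merges it with data from yaml config.
 def load_config(config_name, yaml_config, aws_org_config)
-
 # AWS Organizations data
 config = aws_org_config
 # Merge organization sections from yaml file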
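--- a/data/lib/tfctl/schema.rb
+++ b/data/lib/tfctl/schema.rb
@@ -29,7 +29,7 @@ module Tfctl
 def main_schema
 iam_arn_pattern = 'arn:aws:iam:[a-z\-0-9]*:[0-9]{12}:[a-zA-Z\/+@=.,]*'
 
-# rubocop:disable Layout/
+# rubocop:disable Layout/HashAlignment
 {
 'type' => 'object',
 'properties' => {
@@ -61,7 +61,7 @@ module Tfctl
 ],
 'additionalProperties' => false,
 }
-# rubocop:enable Layout/
+# rubocop:enable Layout/HashAlignment
 end
 
 def org_schema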
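Review bot: `iam_arn_pattern` at the top of the first hunk is unanchored, and JSON Schema applies `pattern` as a search rather than a full match, so any string that merely contains an ARN-shaped substring would validate; anchoring it, `iam_arn_pattern = '^arn:aws:iam:[a-z\-0-9]*:[0-9]{12}:[a-zA-Z\/+@=.,]*$'`, makes the schema reject leading or trailing text around a role ARN (`^`/`$` being the anchors in the ECMA 262 dialect the spec names). This is pre-existing context rather than part of the directive rename, and the places the pattern is used lie in the schema body between the two hunks, so whether every use expects a whole ARN should be confirmed; the validator library in use is not visible here. `main_schema` spans both hunks, opening at the first and closing with the `end` after the second.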
data/lib/tfctl/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: tfctl
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.1.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Andrew Wasilczuk
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2020-01-15 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: aws-sdk-organizations
|
@@ -135,12 +135,12 @@ files:
|
|
135
135
|
- examples/bootstrap/terraform-exec-role.template
|
136
136
|
- examples/bootstrap/terraform-state.template
|
137
137
|
- examples/bootstrap/tfctl-org-access.template
|
138
|
-
- examples/control_tower/conf/example.yaml
|
139
138
|
- examples/control_tower/modules/s3-bucket/main.tf
|
140
139
|
- examples/control_tower/modules/s3-bucket/variables.tf
|
141
140
|
- examples/control_tower/profiles/example-profile/data.tf
|
142
141
|
- examples/control_tower/profiles/example-profile/main.tf
|
143
142
|
- examples/control_tower/profiles/example-profile/variables.tf
|
143
|
+
- examples/control_tower/tfctl.yaml
|
144
144
|
- lib/hash.rb
|
145
145
|
- lib/tfctl.rb
|
146
146
|
- lib/tfctl/aws_org.rb
|