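# Project / Terraform settings. Simple (:=) assignments without embedded
# quotes: in Make the quotes would be part of the value, so quoting is done
# at the use sites instead. Override per run, e.g. `make plan PROJECT_ID=x`.
PROJECT_ID        := ironsecurity
TERRAFORM_DIR     := .
# Defined for completeness; no rule in this file references it yet.
TERRAFORM_VARFILE := settings.tfvars
# Service-account key passed as GOOGLE_APPLICATION_CREDENTIALS to the
# terraform/helm targets. It is a long-lived credential: keep it out of
# version control and owner-readable only (see create-terraform-account).
TERRAFORM_AUTH    := terraform-sa.json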
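# None of the targets in this file produce a file of the same name, so they
# are declared phony; otherwise a stray file called e.g. `plan` or `clean`
# would make that target look up to date and its recipe would be skipped.
.PHONY: all setup clean create-terraform-account set-terraform-permissions \
        enable-services create-state-bucket setup-helm update-helm lint \
        init validate plan apply destroy refresh fmt

# Default goal: format, validate, then plan. Never applies.
all: fmt validate plan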
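# One-time workstation bootstrap (macOS/Homebrew): install the Google Cloud
# SDK and trivy, hook the SDK into zsh, then start an interactive login.
# `$$HOME` is required — Make reads a bare `$H` as `$(H)` followed by `OME`,
# so the original appended to a path under `OME/` instead of the home dir.
# The grep guards keep repeated `make setup` runs from duplicating the lines.
setup:
	@echo "Installing Google Cloud SDK"
	brew install google-cloud-sdk aquasecurity/trivy/trivy
	grep -qF 'google-cloud-sdk/path.zsh.inc' "$$HOME/.zshrc" 2>/dev/null || \
		echo 'source "/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/path.zsh.inc"' >> "$$HOME/.zshrc"
	grep -qF 'google-cloud-sdk/completion.zsh.inc' "$$HOME/.zshrc" 2>/dev/null || \
		echo 'source "/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/completion.zsh.inc"' >> "$$HOME/.zshrc"
	@echo "Logging into Google Cloud"
	gcloud auth login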
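# Remove local Terraform working files. $(RM) is `rm -f`, so a missing file
# is not an error and the `|| true` / duplicated rm lines are unnecessary.
# Deleting .terraform.lock.hcl discards the recorded provider versions and
# hashes; the next init re-resolves providers instead of verifying them
# against the pinned set, so review the regenerated lock file before
# committing it.
clean:
	$(RM) .terraform.lock.hcl
	$(RM) -r .terraform/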
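# Create the terraform service account and download a JSON key to
# $(TERRAFORM_AUTH). The key is written under `umask 077` so it is never
# group/world-readable even briefly, then locked to owner read-only. The
# chmod now uses $(TERRAFORM_AUTH) rather than a second hard-coded filename
# so the two cannot drift apart. Downloaded keys do not expire; prefer
# short-lived credentials (e.g. workload identity federation) where the
# workflow allows it.
create-terraform-account:
	gcloud --project $(PROJECT_ID) iam service-accounts create terraform-sa
	umask 077 && gcloud --project $(PROJECT_ID) iam service-accounts keys create $(TERRAFORM_AUTH) \
		--iam-account "terraform-sa@$(PROJECT_ID).iam.gserviceaccount.com"
	chmod u=r,g=,o= $(TERRAFORM_AUTH)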
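# Roles bound to the terraform service account. `add-iam-policy-binding`
# takes a single --role per invocation — a repeated flag is not accumulated,
# so the original call most likely granted only the last role listed. Bind
# them in a loop instead, failing fast on the first error. Note that
# roles/editor together with projectIamAdmin and iam.securityAdmin makes
# this key effectively project-owner-equivalent; trim the list to what the
# Terraform modules actually need.
TERRAFORM_SA_ROLES := \
  roles/editor \
  roles/storage.admin \
  roles/resourcemanager.projectIamAdmin \
  roles/container.admin \
  roles/cloudkms.admin \
  roles/iam.securityAdmin \
  roles/servicenetworking.networksAdmin \
  roles/orgpolicy.policyAdmin

set-terraform-permissions:
	for role in $(TERRAFORM_SA_ROLES); do \
		gcloud projects add-iam-policy-binding $(PROJECT_ID) \
			--member "serviceAccount:terraform-sa@$(PROJECT_ID).iam.gserviceaccount.com" \
			--role "$$role" || exit 1; \
	done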
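# APIs the Terraform modules depend on. `services enable` accepts several
# services in one call, so enable them together instead of ten separate
# gcloud invocations.
GCP_SERVICES := \
  cloudresourcemanager.googleapis.com \
  cloudbilling.googleapis.com \
  iam.googleapis.com \
  compute.googleapis.com \
  serviceusage.googleapis.com \
  container.googleapis.com \
  cloudkms.googleapis.com \
  sqladmin.googleapis.com \
  servicenetworking.googleapis.com \
  iamcredentials.googleapis.com

enable-services:
	gcloud --project $(PROJECT_ID) services enable $(GCP_SERVICES)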
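# Remote-state bucket. Terraform state stores resource attributes in
# plaintext (often including secrets), so the bucket uses uniform
# bucket-level access (-b on) and object versioning, which allows a
# corrupted or accidentally deleted state object to be recovered.
STATE_BUCKET := terraform-gcloud-state

create-state-bucket:
	gsutil mb -p $(PROJECT_ID) -c NEARLINE -l eu -b on gs://$(STATE_BUCKET)
	gsutil versioning set on gs://$(STATE_BUCKET)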
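# Register the chart repository, authenticating with the terraform key.
# Uses $(TERRAFORM_AUTH) instead of a second hard-coded filename so the
# credential path is configured in one place.
setup-helm:
	GOOGLE_APPLICATION_CREDENTIALS=$(TERRAFORM_AUTH) \
	helm repo add intigriti gs://intigriti-hybrid-helm-repo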
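# Refresh the chart repository index, authenticating with the terraform key
# ($(TERRAFORM_AUTH) rather than a hard-coded filename, as in setup-helm).
update-helm:
	GOOGLE_APPLICATION_CREDENTIALS=$(TERRAFORM_AUTH) \
	helm repo update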
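# Static misconfiguration scan of the Terraform code. No pager: with
# `| less` the recipe's exit status was that of `less`, so findings could
# never fail the build, and the pager blocked non-interactive (CI) runs.
# `--exit-code 2` makes `make lint` fail when MEDIUM+ findings exist.
lint:
	trivy config --format table --exit-code 2 --severity MEDIUM,HIGH,CRITICAL $(TERRAFORM_DIR)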
# Initialise providers, modules and backend. The credential is exported as
# a target-specific variable so every recipe line sees it. `-upgrade` lets
# init select newer provider/module versions within the constraints and
# rewrites .terraform.lock.hcl accordingly — review lock-file diffs before
# committing; `-reconfigure` re-reads the backend config without migrating
# state.
init: export GOOGLE_APPLICATION_CREDENTIALS := $(TERRAFORM_AUTH)
init:
	terraform -chdir=$(TERRAFORM_DIR) init -upgrade -reconfigure
	terraform -chdir=$(TERRAFORM_DIR) get -update
# Syntax/consistency check of the configuration; needs an initialised
# working directory (`make init`). The trailing `.` duplicates what -chdir
# already selects and is kept as-is; newer Terraform releases may reject a
# positional directory argument — confirm against the pinned version.
validate: export GOOGLE_APPLICATION_CREDENTIALS := $(TERRAFORM_AUTH)
validate:
	terraform -chdir=$(TERRAFORM_DIR) validate .
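# Plan in two passes (cloud resources, then kubernetes/helm), mirroring
# `apply`. If dev.env exists it is read into the same shell as terraform so
# whatever it exports (presumably provider credentials — confirm) is
# visible; `.` replaces the bash-only `source` since recipes run under
# /bin/sh, and the `./` stops POSIX sh from searching PATH for the file.
# `-lock=false` skips state locking and is only safe when nobody else runs
# terraform against this state at the same time.
plan:
	@echo "Planning infrastructure..."
	@if [ -f dev.env ]; then . ./dev.env; fi; \
	GOOGLE_APPLICATION_CREDENTIALS=$(TERRAFORM_AUTH) \
	terraform -chdir=$(TERRAFORM_DIR) plan \
		-lock=false \
		-input=false \
		-target='module.cloudflare' -target='module.github' -target='module.google'
	@echo "Planning kubernetes/helm..."
	@if [ -f dev.env ]; then . ./dev.env; fi; \
	GOOGLE_APPLICATION_CREDENTIALS=$(TERRAFORM_AUTH) \
	terraform -chdir=$(TERRAFORM_DIR) plan \
		-lock=false \
		-input=false \
		-target='module.kubernetes' -target='module.helm'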
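# Apply in the same two passes as `plan`. `-auto-approve` skips the
# confirmation prompt, so run `make plan` and read it first. TF_LOG is no
# longer forced to DEBUG: Terraform debug output includes provider HTTP
# traces, which can carry credentials and other sensitive values; opt in
# for a single run with `make apply TF_LOG=DEBUG` (command-line variables
# are exported to the recipe shell). dev.env is read with POSIX `.` rather
# than the bash-only `source`. `-lock=false` disables state locking (see
# `plan`); `-refresh=true` is Terraform's default and is kept for clarity.
apply:
	@echo "Applying infrastructure..."
	@if [ -f dev.env ]; then . ./dev.env; fi; \
	GOOGLE_APPLICATION_CREDENTIALS=$(TERRAFORM_AUTH) \
	terraform -chdir=$(TERRAFORM_DIR) apply \
		-auto-approve \
		-lock=false \
		-input=false \
		-refresh=true \
		-target='module.cloudflare' -target='module.github' -target='module.google'
	@echo "Applying kubernetes/helm..."
	@if [ -f dev.env ]; then . ./dev.env; fi; \
	GOOGLE_APPLICATION_CREDENTIALS=$(TERRAFORM_AUTH) \
	terraform -chdir=$(TERRAFORM_DIR) apply \
		-auto-approve \
		-lock=false \
		-input=false \
		-refresh=true \
		-target='module.kubernetes' -target='module.helm'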
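# Resource address for `destroy`; pass a real one, e.g.
# `make destroy TARGET=module.helm`. The default is a deliberately
# meaningless address so a bare `make destroy` should be rejected by
# terraform as an invalid target instead of destroying anything. Simple
# assignment without quotes: in Make the quotes would become part of the
# value.
TARGET := foo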
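# Destroy only the resources under $(TARGET), without confirmation
# (`-auto-approve`). The guard refuses an empty TARGET (e.g.
# `make destroy TARGET=`) up front rather than relying on terraform to
# reject the empty address. dev.env is read with POSIX `.` rather than the
# bash-only `source`.
destroy:
	$(if $(strip $(TARGET)),,$(error TARGET must be set to a resource address, e.g. make destroy TARGET=module.helm))
	@if [ -f dev.env ]; then . ./dev.env; fi; \
	GOOGLE_APPLICATION_CREDENTIALS=$(TERRAFORM_AUTH) \
	terraform -chdir=$(TERRAFORM_DIR) apply -destroy \
		-input=false \
		-target=$(TARGET) -auto-approve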
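# Re-read real infrastructure into the state file. `terraform refresh` is a
# deprecated alias for `apply -refresh-only -auto-approve`: it rewrites
# state without showing a plan or asking for confirmation. dev.env is read
# with POSIX `.` rather than the bash-only `source`.
refresh:
	@if [ -f dev.env ]; then . ./dev.env; fi; \
	GOOGLE_APPLICATION_CREDENTIALS=$(TERRAFORM_AUTH) \
	terraform -chdir=$(TERRAFORM_DIR) refresh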
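# Rewrite all .tf files in canonical style. Runs under -chdir like every
# other terraform target here, so it formats $(TERRAFORM_DIR) rather than
# whatever directory make happens to be invoked from.
fmt:
	terraform -chdir=$(TERRAFORM_DIR) fmt -recursive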