Add Docker-based Tofu and Ansible operations #12
Conversation
- Add tofu.groovy: Functions for backend init, workspace management, apply/destroy - Add ansible.groovy: Functions for running playbooks and managing inventory - Add infrastructure.groovy: Helper functions for config, SSH keys, and workspace naming
- Update tofu.groovy to execute all commands in Docker - Update ansible.groovy runPlaybook to use Docker - Pass AWS credentials as environment variables to container - Mount workspace and SSH keys into container - Fixes 'tofu: not found' error on Jenkins agents
- Remove invalid steps.env access that caused MissingPropertyException - AWS credentials now inherited from withCredentials block via -e flags - Docker run automatically picks up AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from environment - Fixes 'No such property: env for class: org.jenkinsci.plugins.workflow.cps.DSL' error
floatingman
requested review from
caliskanugur,
lscalabrini01,
rancher-max and
slickwarren
slickwarren
left a comment
slickwarren
left a comment
There was a problem hiding this comment.
not very well versed in this but I don't see anything standing out as an issue. Would like the main contributor's review just in case we miss something.
vars/tofu.groovy
Outdated
| } | ||
|
|
||
| // Run the init-backend.sh script which generates backend.tf and runs tofu init | ||
| def initCommand = "cd ${config.dir} && ./scripts/init-backend.sh ${scriptArgs.join(' ')}" |
There was a problem hiding this comment.
not a fan of this being hard-coded, do we do this anywhere else in the shared lib?
what about something like this instead?
qa-jenkins-library/vars/container.groovy
Lines 73 to 82 in 61a5552
hamistao
left a comment
hamistao
left a comment
There was a problem hiding this comment.
Looks great and looks like will be very helpful. Still I have a couple comments/questions.
| // Run ansible-playbook in a container | ||
| // [ container: string, dir: string, inventory: string, playbook: string, extraVars?: Map, tags?: string, envVars?: Map ] | ||
| def runPlaybookInContainer(Map config) { | ||
| if (!(config.container && config.dir && config.inventory && config.playbook)) { |
There was a problem hiding this comment.
Another nit, if config.container is just the container name, maybe we could generate one and return it or just name it config.container_name. Looks good anyway if you don't want to change this.
There was a problem hiding this comment.
I'm not understanding how this makes it better.
There was a problem hiding this comment.
maybe it doesn't, I guess this well within the subjective realm so this is only a suggestion.
My thought was that you could prefer an alternative that has less arguments.
vars/ansible.groovy
Outdated
| "-w /workspace", | ||
| config.container, | ||
| "-c", | ||
| "\"${ansibleArgs.join(' ')}\"" |
There was a problem hiding this comment.
I don't think it is, but just to make sure, is it possible that ansibleArgs to contain double quotes?
There was a problem hiding this comment.
Add a check for that
| error 'SSH key content and name must be provided.' | ||
| } | ||
|
|
||
| def sshDir = config.dir ?: '.ssh' |
There was a problem hiding this comment.
Could we do a resilient approach like ${HOME}/ssh or something similar that is less dependant on the current directory?
| config.envVars.each { key, value -> | ||
| // Replace both ${VAR} and $VAR patterns | ||
| processedContent = processedContent.replaceAll(/\$\{${key}\}/, value.toString()) | ||
| processedContent = processedContent.replaceAll(/\$${key}(?![a-zA-Z0-9_])/, value.toString()) | ||
| } |
There was a problem hiding this comment.
Do you think we should process both patterns in write_config as well?
|
|
||
| // Archive workspace name for later use | ||
| // [ workspaceName: string, fileName?: string ] | ||
| def archiveWorkspaceName(Map config) { |
There was a problem hiding this comment.
Just a curiosity, is there a reason why you are passing all the parameters as a Map config?
Just asking because it seems less straightforward in some cases but perhaps it is a pattern we use that I am not aware of.
There was a problem hiding this comment.
I think this is a limitation of jenkins / shared libraries IIRC. Something about groovy-java conversions?
There was a problem hiding this comment.
For this example, it can be two string parameters, and the second one can have a default value.
For general Map config:
I haven't tried it fully, but I think the other approach is to know all the types that are being passed to a function -- if that type is needed.
This may introduce a significant curve to writing these functions (especially if our function is calling a DSL or Plugin function), as the types can change with Jenkins and/or plugin versions.
Personally, I don't have a strong opinion on any approach since I used them interchangeably. Trade-off between velocity and static types.
More of a custom function that can be typed vs a function that uses a generic
Mapinstead of the plugin's type.
There was a problem hiding this comment.
If this turns out to be a problem, we can refactor it later.
rancher-max
left a comment
rancher-max
left a comment
There was a problem hiding this comment.
LGTM! Few comments from others -- I commented on a couple from my understanding.
|
|
||
| // Archive workspace name for later use | ||
| // [ workspaceName: string, fileName?: string ] | ||
| def archiveWorkspaceName(Map config) { |
There was a problem hiding this comment.
I think this is a limitation of jenkins / shared libraries IIRC. Something about groovy-java conversions?
…ent MissingMethodException
…tion vulnerabilities
…dling and directory management; enhance generateWorkspaceName to support suffix sanitization
Introduce shared library functions for Tofu and Ansible operations, enabling execution within Docker containers. Enhance AWS credentials handling and SSH key management for improved security and functionality. Implement infrastructure helpers for configuration management and workspace handling.