Merge pull request #784 from cal-itp/feat/azure-pipeline-tf

run continuous integration of Terraform

azure-pipelines.yml

@@ -0,0 +1,44 @@
+trigger:
+  # automatically runs on pull requests; this runs the pipeline after merge
+  # https://docs.microsoft.com/en-us/azure/devops/pipelines/repos/github?view=azure-devops&tabs=yaml#pr-triggers
+  branches:
+    include:
+      - dev
+  # only run for changes to Terraform files
+  paths:
+    include:
+      - terraform/*
+stages:
+  - stage: plan
+    pool:
+      vmImage: ubuntu-latest
+    jobs:
+      - job: plan
+        steps:
+          # https://github.com/microsoft/azure-pipelines-terraform/tree/main/Tasks/TerraformInstaller#readme
+          - task: TerraformInstaller@0
+            displayName: Install Terraform
+            inputs:
+              terraformVersion: 1.2.4
+          # https://github.com/microsoft/azure-pipelines-terraform/tree/main/Tasks/TerraformTask/TerraformTaskV3#readme
+          - task: TerraformTaskV3@3
+            displayName: Terraform init
+            inputs:
+              provider: "azurerm"
+              command: "init"
+              workingDirectory: "$(System.DefaultWorkingDirectory)/terraform"
+              # service connection
+              backendServiceArm: "Production"
+              # needs to match main.tf
+              backendAzureRmResourceGroupName: "RG-CDT-PUB-VIP-CALITP-P-001"
+              backendAzureRmStorageAccountName: "sacdtcalitpp001"
+              backendAzureRmContainerName: "tfstate"
+              backendAzureRmKey: "terraform.tfstate"
+          - task: TerraformTaskV3@3
+            displayName: Terraform plan
+            inputs:
+              provider: "azurerm"
+              command: "plan"
+              workingDirectory: "$(System.DefaultWorkingDirectory)/terraform"
+              # service connection
+              environmentServiceNameAzureRM: "Production"

docs/deployment/infrastructure.md

@@ -111,13 +111,22 @@ az webapp log tail --resource-group RG-CDT-PUB-VIP-CALITP-P-001 --name AS-CDT-PU
 
 https://as-cdt-pub-vip-calitp-p-001-dev.scm.azurewebsites.net/api/logs/docker
 
+## Continuous integration (CI)
+
+[![Build Status](https://calenterprise.visualstudio.com/CDT.OET.CAL-ITP/_apis/build/status/cal-itp.benefits%20Infra?branchName=dev)](https://calenterprise.visualstudio.com/CDT.OET.CAL-ITP/_build/latest?definitionId=828&branchName=dev)
+
+The Terraform configuration is `plan`'d through an Azure Pipeline. It's done there rather than GitHub Actions for a couple of reasons:
+
+- Easier authentication with the Azure API using a service connnection
+- Log output is hidden, avoiding accidentally leaking secrets
+
 ## Making changes
 
 1. Get access to the Azure account through the DevSecOps team.
-
 1. Install dependencies:
-    - [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)
-    - [Terraform](https://www.terraform.io/downloads)
+
+   - [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)
+   - [Terraform](https://www.terraform.io/downloads)
 
 1. [Authenticate using the Azure CLI](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/azure_cli), specifying the `CDT/ODI Production` Subscription.
 

terraform/main.tf

@@ -7,6 +7,7 @@ terraform {
   }
 
   backend "azurerm" {
+    # needs to match azure-pipelines.yml
     resource_group_name  = "RG-CDT-PUB-VIP-CALITP-P-001"
     storage_account_name = "sacdtcalitpp001"
     container_name       = "tfstate"