No description
Find a file
2023-05-31 09:25:10 +02:00
.github/workflows use dda-python-teraform instead of outdated python-terraform 2021-06-25 17:15:42 +02:00
doc write rationale 2023-05-31 09:25:10 +02:00
infrastructure adjust image builds to new build-version 2023-05-20 11:49:24 +02:00
src not needed any more 2023-05-31 09:24:54 +02:00
.gitignore add alpine image for using devops-build on gitlab 2020-11-13 16:19:47 +01:00
.gitlab-ci.yml fixed last missing pieces 2023-05-28 17:15:25 +02:00
build.py adjust version & homepage 2023-05-31 08:40:39 +02:00
dev_requirements.txt add types for type checkin 2022-12-30 18:08:54 +01:00
LICENSE Initial commit 2019-09-04 16:57:40 +02:00
README.md write rationale 2023-05-31 09:25:10 +02:00
requirements.txt introduce Credentials 2023-05-16 08:47:11 +02:00

dda-devops-build

Slack | team@social.meissa-gmbh.de team@social.meissa-gmbh.de | Website & Blog

release prod

dda-devops-build integrates all the tools we use to work with clouds & provide some nice functions around.

Tools we support are

  • terraform: for setting up the plain infrastructure around.
  • docker: for creating images
  • c4k: for generating kubernetes manifests
  • provs: for setting up small single-node k3s clusters
  • gopass: for credential management on devops computers
  • cloud providers: hetzner, digitalocean, aws

In addition we provide a ReleaseMixin for release related tasks like tag / publish & version-bump

classDiagram
    class DevopsBuild {
        name()
        build_path()
        initialize_build_dir()
    }


    class DevopsTerraformBuild {
        terraform_build_commons_path()
        project_vars()
        initialize_build_dir()
        post_build()
        read_output_json()
        plan()
        plan_fail_on_diff()
        apply(auto_approve=False)
        refresh()
        destroy(auto_approve=False)
        tf_import(tf_import_name, tf_import_resource,)
        print_terraform_command(terraform)
    }

    class DevopsImageBuild {
        def initialize_build_dir()
        image()
        drun()
        dockerhub_login()
        dockerhub_publish()
        test()
    }

    class ReleaseMixin {
        prepare_release()
        tag_and_push_release()
    }
    
    class ProvsK3sBuild {
        def update_runtime_config(dns_record)
        write_provs_config()
        provs_apply(dry_run=False)
    }

    class C4kBuild {
        def update_runtime_config(dns_record)
        def write_c4k_config()
        def write_c4k_auth()
        c4k_apply(dry_run=False)
    }

    DevopsBuild <|-- DevopsImageBuild
    DevopsBuild <|-- DevopsTerraformBuild
    DevopsBuild <|-- ReleaseMixin
    DevopsBuild <|-- ProvsK3sBuild
    DevopsBuild <|-- C4kBuild

Principles we follow are:

  • Seperate build artefacts from version controlled code
  • Domain Driven Design - in order to stay sustainable

Setup

Ensure that yout python3 version is at least Python 3.10

sudo apt install python3-pip
pip3 install -r requirements.txt
export PATH=$PATH:~/.local/bin

Example Build

lets assume the following project structure

my-project
   | -> my-module
   |       | -> build.py
   |       | -> some-terraform.tf
   | -> an-other-module
   | -> target  (here will the build happen)
   |       | -> ...
from pybuilder.core import task, init
from ddadevops import *

name = 'my-project'
MODULE = 'my-module'
PROJECT_ROOT_PATH = '..'

class MyBuild(DevopsTerraformBuild):
    pass


@init
def initialize(project):
    project.build_depends_on('ddadevops>=0.5.0')
    account_name = 'my-aws-account-name'
    account_id = 'my-aws-account-id'
    stage = 'my stage i.e. dev|test|prod'
    additional_vars = {'var_to_use_insied_terraform': '...'}
    additional_var_files = ['variable-' + account_name + '-' + stage + '.tfvars']
    config = create_devops_terraform_build_config(stage, PROJECT_ROOT_PATH,
                                                  MODULE, additional_vars,
                                                  additional_tfvar_files=additional_var_files)
    build = MyBuild(project, config)
    build.initialize_build_dir()


@task
def plan(project):
    build = get_devops_build(project)
    build.plan()


@task
def apply(project):
    build = get_devops_build(project)
    build.apply()

@task
def destroy(project):
    build = get_devops_build(project)
    build.destroy()

@task
def tf_import(project):
    build = get_devops_build(project)
    build.tf_import('aws_resource.choosen_name', 'the_aws_id')

Feature aws-backend

Will use a file backend.dev.live.properties where dev is the [account-name], live is the [stage].

the backend.dev.live.properties file content:

key = ".."
region = "the aws region"
profile = "the profile used for aws"
bucket = "the s3 bucket name"
kms_key_id = "the aws key id"

the build.py file content:

class MyBuild(AwsBackendPropertiesMixin, DevopsTerraformBuild):
    pass


@init
def initialize(project):
    project.build_depends_on('ddadevops>=1.0')
    account_name = 'my-aws-account-name'
    account_id = 'my-aws-account-id'
    stage = 'my stage i.e. dev|test|prod'
    additional_vars = {}
    config = create_devops_terraform_build_config(stage, PROJECT_ROOT_PATH,
                                                  MODULE, additional_vars)
    config = add_aws_backend_properties_mixin_config(config, account_name)
    build = MyBuild(project, config)
    build.initialize_build_dir()

Feature aws-mfa-assume-role

In order to use aws assume role in combination with the mfa-tool (pip install mfa):

the build.py file content:

class MyBuild(class MyBuild(AwsMfaMixin, DevopsTerraformBuild):
    pass


@init
def initialize(project):
    project.build_depends_on('ddadevops>=1.0')
    account_name = 'my-aws-account-name'
    account_id = 'my-aws-account-id'
    stage = 'my stage i.e. dev|test|prod'
    additional_vars = {}
    config = create_devops_terraform_build_config(stage, PROJECT_ROOT_PATH,
                                                  MODULE, additional_vars)
    config = add_aws_backend_properties_mixin_config(config, account_name)
    config = add_aws_mfa_mixin_config(config, account_id, 'eu-central-1',
                                      mfa_role='my_developer_role',
                                      mfa_account_prefix='company-',
                                      mfa_login_account_suffix='users_are_defined_here')
    build = MyBuild(project, config)
    build.initialize_build_dir()

@task
def access(project):
    build = get_devops_build(project)
    build.get_mfa_session()

Feature DdaImageBuild

The docker build supports image building, tagging, testing and login to dockerhost. For bash based builds we support often used script-parts as predefined functions see install_functions.sh.

A full working example: doc/example/50_docker_module

Feature AwsRdsPgMixin

The AwsRdsPgMixin provides

  • execute_pg_rds_sql - function will optionally resolve dns-c-names for trusted ssl-handshakes
  • alter_db_user_password
  • add_new_user
  • deactivate_user

the build.py file content:

class MyBuild(..., AwsRdsPgMixin):
    pass


@init
def initialize(project):
    project.build_depends_on('ddadevops>=1.0')

    ...
    config = add_aws_rds_pg_mixin_config(config,
                                         stage + "-db.bcsimport.kauf." + account_name + ".breuni.de",
                                         "kauf_bcsimport",
                                         rds_resolve_dns=True,)
    build = MyBuild(project, config)
    build.initialize_build_dir()

@task
def rotate_credentials_in(project):
    build = get_devops_build(project)
    build.alter_db_user_password('/postgres/support')
    build.alter_db_user_password('/postgres/superuser')
    build.add_new_user('/postgres/superuser', '/postgres/app', 'pg_group_role')


@task
def rotate_credentials_out(project):
    build = get_devops_build(project)
    build.deactivate_user('/postgres/superuser', 'old_user_name')

Releasing and updating

Publish snapshot

  1. every push will be published as dev-dependency

Release

adjust version no in build.py to release version no.
git commit -am "release"
git tag -am "release" [release version no]
git push --follow-tags
increase version no in build.py
git commit -am "version bump"
git push
pip3 install --upgrade --user ddadevops

License

Copyright © 2021 meissa GmbH Licensed under the Apache License, Version 2.0 (the "License")