-
Notifications
You must be signed in to change notification settings - Fork 452
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Support for Terraforming Fleet Teams (#18750)
This project adds support for terraforming teams in Fleet. If you have 100+ teams, managing them is is prone to error, mistakes, lost configuration, and general pain. An industry standard tool like terraform can unify this configuration as code. In order to do this, I wrote a terraform provider that on one end talks to the Fleet api, and on the other end implements an interface for terraform. More information is in the README. A small sample `main.tf` file is supplied. --------- Co-authored-by: Brock Walters <[email protected]>
- Loading branch information
1 parent
03dd472
commit c7ea012
Showing
16 changed files
with
2,318 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| provider_code_spec.json | ||
| tf/terraformrc-dev-override |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| #! /usr/bin/env make | ||
| # | ||
| # While not very elegant as far as Makefiles go, this Makefile does | ||
| # contain the basic commands to get you terraforming your FleetDM | ||
| # teams. See the README for details. | ||
|
|
||
| provider_code_spec.json: openapi.json | ||
| tfplugingen-openapi generate --config generator.yaml --output ./provider_code_spec.json ./openapi.json | ||
|
|
||
| provider/team_resource_gen.go: provider_code_spec.json | ||
| tfplugingen-framework generate resources --input provider_code_spec.json --output ./provider --package provider | ||
|
|
||
| .PHONY: install build test tidy gen plan apply | ||
|
|
||
| gen: provider/team_resource_gen.go | ||
|
|
||
| install: gen | ||
| go install ./... | ||
|
|
||
| build: gen | ||
| go build ./... | ||
|
|
||
| test: gen | ||
| @test -n "$(FLEETDM_APIKEY)" || (echo "FLEETDM_APIKEY is not set" && exit 1) | ||
| FLEETDM_URL='https://rbx.cloud.fleetdm.com' TF_ACC=1 go test ./... | ||
|
|
||
| tidy: | ||
| go mod tidy | ||
|
|
||
| plan: tf/terraformrc-dev-override | ||
| cd tf && TF_CLI_CONFIG_FILE=./terraformrc-dev-override terraform plan | ||
|
|
||
| apply: tf/terraformrc-dev-override | ||
| cd tf && TF_CLI_CONFIG_FILE=./terraformrc-dev-override terraform apply -auto-approve | ||
|
|
||
| tf/terraformrc-dev-override: | ||
| @echo "provider_installation { \\n\ | ||
| dev_overrides { \\n\ | ||
| \"fleetdm.com/tf/fleetdm\" = \"$$HOME/go/bin\" \\n\ | ||
| } \\n\ | ||
| direct {} \\n\ | ||
| }" > $@ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| # Terraform Provider for FleetDM Teams | ||
|
|
||
| This is a Terraform provider for managing FleetDM teams. When you have | ||
| 100+ teams in FleetDM, and manually managing them is not feasible. The | ||
| primary setting of concern is the team's "agent options" which | ||
| consists of some settings and command line flags. These (potentially | ||
| dangerously) configure FleetDM all machines. | ||
|
|
||
| ## Usage | ||
|
|
||
| All the interesting commands are in the Makefile. If you just want | ||
| to use the thing, see `make install` and `make apply`. | ||
|
|
||
| Note that if you run `terraform apply` in the `tf` directory, it won't | ||
| work out of the box. That's because you need to set the | ||
| `TF_CLI_CONFIG_FILE` environment variable to point to a file that | ||
| enables local development of this provider. The Makefile does this | ||
| for you. | ||
|
|
||
| Future work: actually publish this provider. | ||
|
|
||
| ## Development | ||
|
|
||
| ### Code Generation | ||
|
|
||
| See `make gen`. It will create team_resource_gen.go, which defines | ||
| the types that Terraform knows about. This is automatically run | ||
| when you run `make install`. | ||
|
|
||
| ### Running locally | ||
|
|
||
| See `make plan` and `make apply`. | ||
|
|
||
| ### Running Tests | ||
|
|
||
| You probably guessed this. See `make test`. Note that these tests | ||
| require a FleetDM server to be running. The tests will create teams | ||
| and delete them when they're done. The tests also require a valid | ||
| FleetDM API token to be in the `FLEETDM_APIKEY` environment variable. | ||
|
|
||
| ### Debugging locally | ||
|
|
||
| The basic idea is that you want to run the provider in a debugger. | ||
| When terraform normally runs, it will execute the provider a few | ||
| times in the course of operations. What you want to do instead is | ||
| to run the provider in debug mode and tell terraform to contact it. | ||
|
|
||
| To do this, you need to start the provider with the `-debug` flag | ||
| inside a debugger. You'll also need to give it the FLEETDM_APIKEY | ||
| environment variable. The provider will print out a big environment | ||
| variable that you can copy and paste to your command line. | ||
|
|
||
| When you run `terraform apply` or the like, you'll invoke it with | ||
| that big environment variable. It'll look something like | ||
|
|
||
| ```shell | ||
| TF_REATTACH_PROVIDERS='{"fleetdm.com/tf/fleetdm":{"Protocol":"grpc","ProtocolVersion":6,"Pid":33644,"Test":true,"Addr":{"Network":"unix","String":"/var/folders/32/xw2p1jtd4w10hpnsyrb_4nmm0000gq/T/plugin771405263"}}}' terraform apply | ||
| ``` | ||
|
|
||
| With this magic, terraform will look to your provider that's running | ||
| in a debugger. You get breakpoints and the goodness of a debugger. |
Oops, something went wrong.