.drone.yml

kind: pipeline
type: kubernetes
name: default

platform:
  os: linux
  arch: amd64

global-variables:
  vault-image: &vault-image  docker.digital.homeoffice.gov.uk/dq/dq-vault-awscli:1.43
  packer-image: &packer-image quay.io/ukhomeofficedigital/dq-packer-ansible
  copy-image: &copy-image quay.io/ukhomeofficedigital/dq-packer-encrypt-copy

x-anchors:
  retrieve-deployment-aws-key: &retrieve-deployment-aws-key
    - vault --version
    # Derive specific VAULT Environment/AWS Account
    - echo "DRONE_STEP_NAME = $${DRONE_STEP_NAME}"
    - export VAULT_ENV=$(echo $${DRONE_STEP_NAME} | awk -F "_" '{print $NF}')
    - export AWS_CREDS="aws_creds_$${VAULT_ENV}.json"
    - export SET_AWS_SECRETS="set_aws_secrets_$${VAULT_ENV}.sh"
    # Retrieve vault secrets
    - vault read aws_dacc_dq/creds/drone > $${AWS_CREDS}
    - export LEASE_ID=$(cat $${AWS_CREDS} | grep lease_id | awk -F ' ' '{print $2}')
    - export ACCESS_KEY=$(cat $${AWS_CREDS} | grep access_key | awk -F ' ' '{print $2}')
    - export SECRET_KEY=$(cat $${AWS_CREDS} | grep secret_key | awk -F ' ' '{print $2}')
    - export REGION=eu-west-2
    # Update the token TTL to 10mins
    - vault lease renew -increment=3600 $${LEASE_ID}
    # Get the AWS credentials - for `packer-image`
    - echo "export AWS_ACCESS_KEY_ID=$${ACCESS_KEY}" > $${SET_AWS_SECRETS}
    - echo "export AWS_SECRET_ACCESS_KEY=$${SECRET_KEY}" >> $${SET_AWS_SECRETS}
    - echo "export AWS_DEFAULT_REGION=$${REGION}" >> $${SET_AWS_SECRETS}
    # Get the AWS credentials - for `copy-image`
    - echo "export aws_id=$${ACCESS_KEY}" >> $${SET_AWS_SECRETS}
    - echo "export aws_key=$${SECRET_KEY}" >> $${SET_AWS_SECRETS}
    - echo "export region=$${REGION}" >> $${SET_AWS_SECRETS}
    # Since AWS is eventually consistent we need to sleep a little while so the AWS key is created and made available
    - sleep 20

steps:
- name: validate
  pull: always
  image: *packer-image
  commands:
  - export HOME=/home/packer
  - packer --version
  - packer validate packer.json

- name: inspect
  pull: if-not-exists
  image: *packer-image
  commands:
  - export HOME=/home/packer
  - packer --version
  - packer inspect packer.json
  depends_on:
    - validate

- name: retrieve_aws_secrets_ci
  pull: always
  image: *vault-image
  commands:
    *retrieve-deployment-aws-key
  environment:
    VAULT_ADDR:
      from_secret: VAULT_ADDR_SIT
    VAULT_TOKEN:
      from_secret: VAULT_TOKEN_SIT
  when:
    event:
      - push
  depends_on:
    - inspect

- name: build
  pull: if-not-exists
  image: *packer-image
  commands:
    - source ./set_aws_secrets_ci.sh
    - export HOME=/home/packer
    - export DRONE_BUILD_NUMBER=$${DRONE_BUILD_NUMBER}
    - packer --version
    - packer build packer.json
  when:
    event:
    - push
  depends_on:
    - retrieve_aws_secrets_ci

- name: retrieve_aws_secrets_np
  pull: if-not-exists
  image: *vault-image
  commands:
    *retrieve-deployment-aws-key
  environment:
    VAULT_ADDR:
      from_secret: VAULT_ADDR_NOTPROD
    VAULT_TOKEN:
      from_secret: VAULT_TOKEN_NOTPROD
  when:
    event:
      - push
  depends_on:
    - build

- name: packer-copy-notprod
  pull: always
  image: *copy-image
  commands:
  - source ./set_aws_secrets_np.sh
  - export filters="--owner 093401982388 --filters "Name=name,Values=dq-peering-haproxy*""
  - export HOME=/home/packer
  - packer --version
  - cd /home/packer
  - ./build.sh
  when:
    event:
    - push
  depends_on:
    - retrieve_aws_secrets_np

- name: retrieve_aws_secrets_prod
  pull: if-not-exists
  image: *vault-image
  commands:
    *retrieve-deployment-aws-key
  environment:
    VAULT_ADDR:
      from_secret: VAULT_ADDR_PROD
    VAULT_TOKEN:
      from_secret: VAULT_TOKEN_PROD
  when:
    branch:
    - master
    event:
    - push
  depends_on:
    - build

- name: packer-copy-prod
  pull: if-not-exists
  image: *copy-image
  commands:
  - source ./set_aws_secrets_prod.sh
  - export filters="--owner 093401982388 --filters "Name=name,Values=dq-peering-haproxy*""
  - export HOME=/home/packer
  - packer --version
  - cd /home/packer
  - ./build.sh
  when:
    branch:
    - master
    event:
    - push
  depends_on:
    - retrieve_aws_secrets_prod

- name: renew-vault-tokens
  pull: if-not-exists
  image: *vault-image
  commands:
    - vault --version
    # Renew NotProd Drone Vault Token
    - export VAULT_ADDR=$${VAULT_ADDR_NOTPROD}
    - export VAULT_TOKEN=$${VAULT_TOKEN_NOTPROD}
    - vault token renew > /dev/null
    # Renew Prod Drone Vault Token
    - export VAULT_ADDR=$${VAULT_ADDR_PROD}
    - export VAULT_TOKEN=$${VAULT_TOKEN_PROD}
    - vault token renew > /dev/null
    # Renew CI Drone Vault Token
    - export VAULT_ADDR=$${VAULT_ADDR_SIT}
    - export VAULT_TOKEN=$${VAULT_TOKEN_SIT}
    - vault token renew > /dev/null
  environment:
    VAULT_ADDR_NOTPROD:
      from_secret: VAULT_ADDR_NOTPROD
    VAULT_TOKEN_NOTPROD:
      from_secret: VAULT_TOKEN_NOTPROD
    VAULT_ADDR_PROD:
      from_secret: VAULT_ADDR_PROD
    VAULT_TOKEN_PROD:
      from_secret: VAULT_TOKEN_PROD
    VAULT_ADDR_SIT:
      from_secret: VAULT_ADDR_SIT
    VAULT_TOKEN_SIT:
      from_secret: VAULT_TOKEN_SIT
  when:
    event:
      - cron
    cron:
      - renew-vault-tokens
  depends_on:
    - inspect