Add destroy pipeline

Add a pipeline to destroy environments. It currently consists of 2 jobs - one to destroy VPC which then triggers a job to destroy S3 bucket. We used default/recommended pipeline/task/script distribution with this pipeline. We include taks from file, because this task repeats. Never- theless, in this case, the pipeline needs to contain quite chunky config definitions (params), because they can't be included in the task itself, due to fly only expanding params in the pipeline. In comparison with deploy pipeline, we don't use terraform's ability to pull remote state file, due to bug encountered with `bucket.tfstate`: hashicorp/terraform#4154 The remote state file worked with VPC, but we wanted to unify both tasks on same code to demonstrate default concourse pipeline file organization. We also use fake/dummy `trigger-bucket-destroy` resource here to trigger bucket destroy job after vpc destroy job. The terraform bucket destroy job currently doesnt't work, due to bugs: hashicorp/terraform#3981 and missing functionality - the old file versions are actually not removed. @combor has risen PR to add this functionality here: hashicorp/terraform#4168
alphagov · Dec 7, 2015 · 6f91e9e · 6f91e9e
1 parent 8534fd1
commit 6f91e9e
Showing 1 changed file with 81 additions and 0 deletions.
diff --git a/concourse/pipelines/destroy.yml b/concourse/pipelines/destroy.yml
@@ -0,0 +1,81 @@
+---
+resources:
+  - name: paas-cf
+    type: git
+    source:
+      uri: https://github.com/alphagov/paas-cf
+      branch: {{branch_name}}
+
+  - name: tf-state-bucket
+    type: s3
+    source:
+      bucket: {{state_bucket}}
+      region_name: {{aws_region}}
+      access_key_id: {{aws_access_key_id}}
+      secret_access_key: {{aws_secret_access_key}}
+      versioned_file: bucket.tfstate
+
+  - name: tf-state-vpc
+    type: s3
+    source:
+      bucket: {{state_bucket}}
+      region_name: {{aws_region}}
+      access_key_id: {{aws_access_key_id}}
+      secret_access_key: {{aws_secret_access_key}}
+      versioned_file: vpc.tfstate
+
+  - name: trigger-bucket-destroy
+    type: semver
+    source:
+      bucket: {{state_bucket}}
+      region_name: {{aws_region}}
+      access_key_id: {{aws_access_key_id}}
+      secret_access_key: {{aws_secret_access_key}}
+      key: destroy-trigger
+
+jobs:
+  - name: destroy-vpc
+    plan:
+      - get: paas-cf
+      - get: tf-state-vpc
+      - task: tf-destroy-vpc
+        file: paas-cf/concourse/tasks/tf-destroy.yml
+        config:
+          params:
+              DEPLOY_ENV: {{deploy_env}}
+              AWS_DEFAULT_REGION: {{aws_region}}
+              AWS_ACCESS_KEY_ID: {{aws_access_key_id}}
+              AWS_SECRET_ACCESS_KEY: {{aws_secret_access_key}}
+              TF_VAR_AWS_ACCESS_KEY_ID: {{aws_access_key_id}}
+              TF_VAR_AWS_SECRET_ACCESS_KEY: {{aws_secret_access_key}}
+              TF_FILES_PATH: paas-cf/terraform/vpc
+              TF_STATE_PATH: tf-state-vpc/vpc.tfstate
+          inputs:
+            - name: paas-cf
+            - name: tf-state-vpc
+      - put: trigger-bucket-destroy
+        params: {bump: patch}
+
+  - name: destroy-init-bucket
+    plan:
+      - get: paas-cf
+      - get: tf-state-bucket
+      - get: trigger-bucket-destroy
+        trigger: true
+        passed: [destroy-vpc]
+      - task: tf-destroy-init-bucket
+        file: paas-cf/concourse/tasks/tf-destroy.yml
+        config:
+          params:
+              DEPLOY_ENV: {{deploy_env}}
+              AWS_DEFAULT_REGION: {{aws_region}}
+              AWS_ACCESS_KEY_ID: {{aws_access_key_id}}
+              AWS_SECRET_ACCESS_KEY: {{aws_secret_access_key}}
+              TF_VAR_AWS_ACCESS_KEY_ID: {{aws_access_key_id}}
+              TF_VAR_AWS_SECRET_ACCESS_KEY: {{aws_secret_access_key}}
+              TF_FILES_PATH: paas-cf/terraform/bucket
+              TF_STATE_PATH: tf-state-bucket/bucket.tfstate
+          inputs:
+            - name: paas-cf
+            - name: tf-state-bucket
+