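# Terraform Infrastructure Deployment
# Plan, review, apply infrastructure changes with drift detection and notifications
#
# Flow: init_workspace -> validate_config -> plan -> {security_scan, cost_estimate}
#       -> approval_gate -> apply -> verify_state -> notify_team, plus a fallback
#       edge from verify_state back to plan ("Drift detected, re-plan").
#
# Review notes (hedged where the engine's semantics are not visible in this file):
# - ${ENVIRONMENT} is expanded inside shell command lines (init_workspace, plan,
#   verify_state) and becomes part of a file path. The engine should constrain it
#   to a fixed allowlist of environment names before the workflow starts; an
#   unconstrained value would be spliced verbatim into a path and a shell command.
# - The saved plan (plan_file) can carry variable values and sensitive resource
#   attributes. It is consumed by apply and also posted to the cost_estimate
#   endpoint, so treat the artifact as restricted rather than a plain build log.
# - Only the apply node declares provider credentials; init_workspace (backend),
#   plan and verify_state also talk to the backend/provider. If the engine scopes
#   credentials per node, those nodes need a declaration too; if credentials are
#   ambient in the runner, the declaration on apply is documentation only — confirm.
osop_version: "2.0"
id: terraform-deploy
name: "Terraform 基礎架構部署"

nodes:
  # Backend configuration is chosen per environment; -reconfigure discards any
  # backend settings cached from an earlier run in the same workspace.
  - id: init_workspace
    type: cli
    purpose: Initialize Terraform workspace and download provider plugins
    runtime:
      command: "terraform init -backend-config=env/${ENVIRONMENT}.hcl -reconfigure"
    outputs: [workspace_ready]
    timeout_sec: 120

  # Syntax/consistency check plus formatting check; fmt -check exits non-zero on
  # unformatted files, so the node fails on style drift as well as on errors.
  - id: validate_config
    type: cli
    purpose: Validate Terraform configuration syntax and internal consistency
    runtime:
      command: "terraform validate && terraform fmt -check -recursive"
    inputs: [workspace_ready]
    outputs: [validation_result]
    timeout_sec: 60

  # Produces the saved plan that apply later consumes. -detailed-exitcode makes
  # exit status 2 mean "changes present" (see explain below), so the engine must
  # not treat 2 as a hard failure for this node.
  - id: plan
    type: cli
    purpose: Generate and save an execution plan showing proposed infrastructure changes
    runtime:
      command: "terraform plan -out=tfplan -detailed-exitcode -var-file=env/${ENVIRONMENT}.tfvars"
    inputs: [validation_result]
    outputs: [plan_file, change_summary]
    timeout_sec: 300
    explain: |
      Exit code 2 means changes detected. The plan file is saved as an artifact
      for exact reproducibility during the apply phase.

  # Both scanners scan the working tree (.), not the saved plan; the plan_file
  # input only orders this node after plan. Note the control flow: with `&&` and
  # the scanners' default exit codes, any tfsec finding stops the command before
  # checkov runs and fails the node, so security_findings would never reach
  # approval_gate — whose explain text expects the approver to judge findings.
  # If the human gate is meant to decide, run both collectors to completion
  # (both tools have a --soft-fail option) and let the gate block; if a hard stop
  # on any finding is the intended policy, keep this command as is.
  - id: security_scan
    type: cli
    purpose: Scan the plan for security misconfigurations using tfsec and checkov
    runtime:
      command: "tfsec . --format json && checkov -d . --framework terraform --output json"
    inputs: [plan_file]
    outputs: [security_findings]
    timeout_sec: 180

  # Sends the plan to an internal Infracost endpoint. The plan may contain
  # sensitive values (see file-level notes), so this endpoint must stay internal
  # and the bearer token scoped to it.
  - id: cost_estimate
    type: api
    purpose: Estimate monthly cost impact of planned changes via Infracost
    runtime:
      endpoint: /api/v1/estimate
      method: POST
      url: https://infracost.internal
    inputs: [plan_file]
    outputs: [cost_delta, monthly_estimate]
    security:
      auth: bearer_token
      secret_ref: INFRACOST_API_KEY
    timeout_sec: 60

  # Single human approver; the gate receives the summary, findings and cost
  # delta, not the raw plan. timeout_min bounds how long the run waits.
  - id: approval_gate
    type: human
    purpose: Platform engineer reviews plan, security findings, and cost estimate before apply
    role: platform_engineer
    inputs: [change_summary, security_findings, cost_delta]
    approval_gate:
      required_approvers: 1
      timeout_min: 120
    explain: |
      Approver must verify no destructive changes to stateful resources,
      security findings are acceptable, and cost impact is within budget.

  # Applies exactly the reviewed plan. Applying a saved plan never prompts, so
  # -auto-approve is redundant here (kept; harmless). On retry: if the first
  # attempt changed state before failing, Terraform rejects the saved plan as
  # stale, so the one retry only helps when the failure happened before any
  # change (e.g. a transient provider/auth error). The static access-key pair
  # is long-lived; short-lived role credentials would narrow the blast radius
  # of a leaked runner secret — confirm what the engine supports.
  - id: apply
    type: cli
    purpose: Apply the saved plan to provision or update infrastructure
    runtime:
      command: "terraform apply -auto-approve tfplan"
    inputs: [plan_file]
    outputs: [apply_result, resource_ids]
    timeout_sec: 600
    retry_policy:
      max_retries: 1
      backoff_sec: 30
    security:
      credentials: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY]

  # Post-apply drift check. The same -var-file as the plan node is passed so the
  # comparison uses the same variable values; without it, variables defined
  # only in the tfvars file would be missing and the check would report
  # spurious differences (or fail) rather than real drift. Exit status 2 means
  # drift; with `&&` the verify script is skipped in that case and the node
  # fails, which is presumably what routes to the fallback edge below — confirm.
  - id: verify_state
    type: cli
    purpose: Run post-apply drift detection and verify expected resources exist
    runtime:
      command: "terraform plan -detailed-exitcode -var-file=env/${ENVIRONMENT}.tfvars && ./scripts/verify-resources.sh"
    inputs: [apply_result]
    outputs: [drift_status]
    timeout_sec: 120

  # Summary-only notification: inputs are apply_result, cost_delta and
  # drift_status, so raw plan output (which may hold sensitive values) stays out
  # of the channel. timeout_sec added for consistency with the other nodes;
  # 60 is a constructed default matching cost_estimate — adjust to policy.
  - id: notify_team
    type: api
    purpose: Post deployment summary to Slack with change details and cost impact
    runtime:
      endpoint: /api/chat.postMessage
      method: POST
      url: https://slack.com
    inputs: [apply_result, cost_delta, drift_status]
    security:
      auth: bearer_token
      secret_ref: SLACK_BOT_TOKEN
    timeout_sec: 60

edges:
  - from: init_workspace
    to: validate_config
    mode: sequential

  - from: validate_config
    to: plan
    mode: sequential

  # security_scan and cost_estimate fan out from plan in parallel and both
  # join at approval_gate.
  - from: plan
    to: security_scan
    mode: parallel

  - from: plan
    to: cost_estimate
    mode: parallel

  - from: security_scan
    to: approval_gate
    mode: sequential

  - from: cost_estimate
    to: approval_gate
    mode: sequential

  - from: approval_gate
    to: apply
    mode: sequential

  - from: apply
    to: verify_state
    mode: sequential

  - from: verify_state
    to: notify_team
    mode: sequential

  # Re-plan loop on drift. No iteration limit is declared in this file; persistent
  # drift (e.g. something outside Terraform repeatedly changing a resource)
  # re-enters plan -> scan -> approval -> apply on every pass. Each pass still
  # requires a human approval, which bounds it in practice, but an explicit
  # cap would make the bound visible — check whether the engine supports one.
  - from: verify_state
    to: plan
    mode: fallback
    label: "Drift detected, re-plan"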