Skip to content

Terraform Deploy - production #79

Terraform Deploy - production

Terraform Deploy - production #79

Workflow file for this run

run-name: 'Terraform Deploy - ${{inputs.environment}}'
name: 'Terraform Deploy'
on:
workflow_dispatch:
inputs:
environment:
description: 'Azure deployment environment'
required: true
default: 'development'
type: choice
options:
- development
- staging
- production
defaults:
run:
working-directory: ./terraform
# Permissions for OIDC authentication
permissions:
id-token: write
contents: write
issues: write
env:
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
ARM_USE_OIDC: true
ARM_SKIP_PROVIDER_REGISTRATION: true
jobs:
terraform-plan:
name: 'Terraform Plan'
runs-on: ubuntu-latest
environment: ${{ inputs.environment }}
outputs:
tfplanExitCode: ${{ steps.tf-plan.outputs.exitcode }}
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
uses: actions/checkout@v4
# Install the latest version of the Terraform CLI
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.5.6
terraform_wrapper: false
# Initialise a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- name: Terraform Init
run: >
terraform init
-backend-config="resource_group_name=${{ secrets.TERRAFORM_STATE_RESOURCE_GROUP }}"
-backend-config="storage_account_name=${{ secrets.TERRAFORM_STATE_STORAGE_ACCOUNT_NAME }}"
-backend-config="container_name=${{ secrets.TERRAFORM_STATE_STORAGE_CONTAINER_NAME }}"
-backend-config="key=${{ secrets.TERRAFORM_STATE_KEY }}"
# Checks that all Terraform configuration files adhere to a canonical format
# Will fail the build if not
- name: Terraform Format
run: terraform fmt -check
# Generates Terraform input variables
- name: Generate Terraform Variables
shell: bash
env:
WEB_SECRETS: ${{ toJSON(secrets) }}
WEB_VARS: ${{ toJSON(vars) }}
run: |
printf '%s\n' "$WEB_SECRETS" > tmp-secrets.json
printf '%s\n' "$WEB_VARS" > tmp-vars.json
jq 'with_entries(.key |= ascii_downcase)' tmp-secrets.json > web-secrets.auto.tfvars.json
jq 'with_entries(.key |= ascii_downcase)' tmp-vars.json > web-vars.auto.tfvars.json
# Generates an execution plan for Terraform
# An exit code of 0 indicated no changes, 1 a terraform failure, 2 there are pending changes.
- name: Terraform Plan
id: tf-plan
run: |
export exitcode=0
terraform plan -detailed-exitcode -no-color -out tfplan || export exitcode=$?
echo "exitcode=$exitcode" >> $GITHUB_OUTPUT
if [ $exitcode -eq 1 ]; then
echo Terraform Plan Failed!
exit 1
else
exit 0
fi
# Save Terraform Plan
- name: Publish Terraform Plan
uses: actions/upload-artifact@v4
with:
name: tfplan
path: terraform/tfplan
# Create string output of Terraform Plan
- name: Create String Output
id: tf-plan-string
run: |
TERRAFORM_PLAN=$(terraform show -no-color tfplan)
delimiter="$(openssl rand -hex 8)"
echo "summary<<${delimiter}" >> $GITHUB_OUTPUT
echo "## Terraform Plan Output" >> $GITHUB_OUTPUT
echo "<details><summary>Click to expand</summary>" >> $GITHUB_OUTPUT
echo "" >> $GITHUB_OUTPUT
echo '```terraform' >> $GITHUB_OUTPUT
echo "$TERRAFORM_PLAN" >> $GITHUB_OUTPUT
echo '```' >> $GITHUB_OUTPUT
echo "</details>" >> $GITHUB_OUTPUT
echo "${delimiter}" >> $GITHUB_OUTPUT
# Publish Terraform Plan as task summary
- name: Publish Terraform Plan to Task Summary
env:
SUMMARY: ${{ steps.tf-plan-string.outputs.summary }}
run: |
echo "$SUMMARY" >> $GITHUB_STEP_SUMMARY
terraform-apply:
name: 'Terraform Apply'
if: needs.terraform-plan.outputs.tfplanExitCode == 2
runs-on: ubuntu-latest
environment: ${{ inputs.environment }}
needs: [terraform-plan]
steps:
# Request review of Terraform Plan for deployment approval
- name: Terraform Plan Approval
uses: trstringer/manual-approval@v1
with:
secret: ${{ github.TOKEN }}
approvers: sam-c-dfe,DanielClarkeEducation,RobertGHippo
minimum-approvals: 1
issue-title: "Terraform deployment to ${{ inputs.environment }}"
issue-body: "Please review the Terraform Plan on the task summary and approve or deny the deployment"
# Checkout the repository to the GitHub Actions runner
- name: Checkout
uses: actions/checkout@v4
# Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.5.6
# Initialise a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- name: Terraform Init
run: >
terraform init
-backend-config="resource_group_name=${{ secrets.TERRAFORM_STATE_RESOURCE_GROUP }}"
-backend-config="storage_account_name=${{ secrets.TERRAFORM_STATE_STORAGE_ACCOUNT_NAME }}"
-backend-config="container_name=${{ secrets.TERRAFORM_STATE_STORAGE_CONTAINER_NAME }}"
-backend-config="key=${{ secrets.TERRAFORM_STATE_KEY }}"
# Generates Terraform input variables
- name: Generate Terraform Variables
shell: bash
env:
WEB_SECRETS: ${{ toJSON(secrets) }}
WEB_VARS: ${{ toJSON(vars) }}
run: |
printf '%s\n' "$WEB_SECRETS" > tmp-secrets.json
printf '%s\n' "$WEB_VARS" > tmp-vars.json
jq 'with_entries(.key |= ascii_downcase)' tmp-secrets.json > web-secrets.auto.tfvars.json
jq 'with_entries(.key |= ascii_downcase)' tmp-vars.json > web-vars.auto.tfvars.json
# Download saved plan from artifacts
- name: Download Terraform Plan
uses: actions/download-artifact@v4
with:
name: tfplan
path: terraform/tfplan
# Terraform Apply
- name: Terraform Apply
run: terraform apply -auto-approve tfplan/tfplan