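# Runs `terraform plan` against one GitHub environment, then blocks on a manual
# approval issue. `terraform apply` is intentionally left commented out, so this
# workflow is read-only with respect to Azure except for the temporary Key Vault
# firewall entry it adds (and always removes) for the runner's IP.
name: Terraform Plan

on:
  workflow_dispatch:
    inputs:
      environment:
        type: string
        description: 'The environment to run terraform plan against:'
        required: true
        # NOTE(review): this free-text value becomes the job's `environment:`.
        # Referencing a name that does not exist creates a new, unprotected
        # environment. A `type: choice` listing the real environment names
        # would prevent that; the names are not visible from this file.
  # workflow_call:
  #   inputs:
  #     environment:
  #       type: string
  #       required: true

# Least privilege for GITHUB_TOKEN (without this block the repository default
# applies, which may be write-all). `contents: read` for checkout,
# `issues: write` for the manual-approval step (it opens and polls an issue),
# `packages: read` because GITHUB_TOKEN is passed to Terraform as the ghcr.io
# registry password. Nothing here pushes code or writes other resources.
permissions:
  contents: read
  issues: write
  packages: read

env:
  DOTNET_VERSION: ${{ vars.DOTNET_VERSION }}
  # Azure service-principal credentials (ARM_*) are deliberately NOT declared
  # here: workflow-level env is inherited by every step, including third-party
  # actions. They are attached only to the terraform init/plan steps below.
  AZ_KEYVAULT_NAME: ${{ secrets.AZ_KEYVAULT_TF }}
  TF_BACKEND_STORAGE_ACCOUNT_NAME: ${{ secrets.TF_BACKEND_STORAGE_ACCOUNT_NAME }}
  TF_BACKEND_CONTAINER_NAME: ${{ secrets.TF_BACKEND_CONTAINER_NAME }}
  TF_BACKEND_KEY: ${{ secrets.TF_BACKEND_KEY }}
  TF_BACKEND_RESOURCE_GROUP: ${{ secrets.TF_BACKEND_RESOURCE_GROUP }}
  TF_VAR_az_app_kestrel_endpoint: ${{ vars.KESTRELENDPOINT }}
  TF_VAR_container_app_image_name: ${{ vars.container_app_image_name }}
  TF_VAR_project_name: ${{ secrets.DFE_PROJECT_NAME }}
  TF_VAR_environment: ${{ secrets.AZ_ENVIRONMENT }}
  TF_VAR_tf_state_storage_account: ${{ secrets.tf_state_storage_account }}
  TF_VAR_tfstate_storage_container_name: ${{ secrets.tfstate_storage_container_name }}
  TF_VAR_resource_group_name: ${{ secrets.resource_group_name }}
  TF_VAR_azure_location: ${{ vars.AZ_LOCATION }}
  TF_VAR_az_tag_environment: ${{ vars.AZ_TAG_ENVIRONMENT }}
  TF_VAR_az_tag_product: ${{ vars.AZ_TAG_PRODUCT }}
  TF_VAR_registry_server: "ghcr.io"
  TF_VAR_registry_username: ${{ github.repository_owner }}
  # Image pinned by tag; a digest (`@sha256:...`) would make the reference
  # immutable if the tag is ever re-pushed.
  TF_VAR_registry_custom_image_url: "ghcr.io/dfe-digital/sts-knowledgebase:v0.0.1-development.0"
  # Declared exactly once: a duplicate YAML key is silently last-wins.
  TF_VAR_registry_password: ${{ secrets.GITHUB_TOKEN }}
  TF_VAR_serviceprinciple_identity: ${{ secrets.serviceprinciple }}
  TF_WORKING_DIRECTORY: terraform

jobs:
  terraform-plan:
    name: Terraform plan
    runs-on: ubuntu-22.04
    # Environment-scoped secrets and vars are resolved from the chosen environment.
    environment: ${{ inputs.environment }}
    defaults:
      run:
        working-directory: ${{ env.TF_WORKING_DIRECTORY }}
    steps:
      # NOTE(review): third-party actions are referenced by mutable major tag.
      # Pinning each `uses:` to a full commit SHA is the supply-chain hardening
      # to apply here; SHAs are not provided in this file, so tags are kept.
      - name: Clone repo
        uses: actions/checkout@v3

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: "1.6.2"

      - name: Get GitHub Runner IP
        id: whats-my-ip
        uses: ./.github/actions/whats-my-ip-address

      # The step output is handed to the shell through an env var instead of
      # being expanded into the script text, so it is never shell-evaluated.
      - name: Set GitHub Runner IP to TF Var
        shell: bash
        env:
          RUNNER_IP: ${{ steps.whats-my-ip.outputs.ip }}
        run: |
          echo "TF_VAR_github_ip=${RUNNER_IP}" >> "$GITHUB_ENV"

      # Service-principal login with a stored client secret. OIDC federated
      # credentials would remove the long-lived secret; the local action's
      # inputs are not visible from here, so the call is left unchanged.
      - name: Login with AZ
        uses: ./.github/actions/azure-login
        with:
          az_tenant_id: ${{ secrets.AZ_TENANT_ID }}
          az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
          az_client_id: ${{ secrets.AZ_CLIENT_ID }}
          az_client_secret: ${{ secrets.AZ_CLIENT_SECRET }}

      # Temporarily allow this runner through the Key Vault firewall; the
      # matching remove step runs `if: always()` so the hole is closed even
      # when plan fails. `--output none` drops the returned vault JSON (which
      # lists every allowed IP) but keeps stderr, so a failure is diagnosable
      # rather than hidden by a blanket `&> /dev/null`.
      - name: Add Runner to KV whitelist
        uses: azure/CLI@v1
        with:
          azcliversion: "2.45.0"
          inlineScript: |
            az keyvault network-rule add --name "${{ env.AZ_KEYVAULT_NAME }}" --ip-address "${{ steps.whats-my-ip.outputs.ip }}" --output none

      # ARM_* credentials are scoped to the two steps that invoke terraform.
      # Backend settings are read from the exported workflow env as shell
      # variables; no expression is interpolated into the script body.
      - name: Terraform init
        id: init
        env:
          ARM_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
          ARM_CLIENT_ID: ${{ secrets.AZ_CLIENT_ID }}
          ARM_CLIENT_SECRET: ${{ secrets.AZ_CLIENT_SECRET }}
        run: |
          terraform init -input=false \
            -backend-config="resource_group_name=${TF_BACKEND_RESOURCE_GROUP}" \
            -backend-config="storage_account_name=${TF_BACKEND_STORAGE_ACCOUNT_NAME}" \
            -backend-config="container_name=${TF_BACKEND_CONTAINER_NAME}" \
            -backend-config="key=${TF_BACKEND_KEY}"

      - name: Plan Terraform changes
        id: plan
        env:
          ARM_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
          ARM_CLIENT_ID: ${{ secrets.AZ_CLIENT_ID }}
          ARM_CLIENT_SECRET: ${{ secrets.AZ_CLIENT_SECRET }}
        run: terraform plan -input=false

      # Human gate between plan and the (currently disabled) apply. The token is
      # the workflow's GITHUB_TOKEN, which has `issues: write` from the
      # permissions block above.
      # NOTE(review): with a single approver and
      # `exclude-workflow-initiator-as-approver: false`, the person who
      # triggers the run can approve it — no separation of duties. Tighten once
      # a second approver is available.
      - name: Wait for manual approval
        uses: trstringer/manual-approval@v1
        with:
          secret: ${{ github.token }}
          approvers: sathishmani219
          minimum-approvals: 1
          issue-title: "Check and approve"
          issue-body: "Review the terraform plan, then approve."
          exclude-workflow-initiator-as-approver: false

      # - name: Apply Terraform changes
      #   id: apply
      #   run: terraform apply -auto-approve

      # Always close the firewall hole, even if an earlier step failed. Errors
      # are no longer discarded: a silent failure here would leave the runner
      # IP allow-listed on the Key Vault indefinitely.
      - name: Remove Runner from KV whitelist
        if: always()
        uses: azure/CLI@v1
        with:
          azcliversion: "2.45.0"
          inlineScript: |
            az keyvault network-rule remove --name "${{ env.AZ_KEYVAULT_NAME }}" --ip-address "${{ steps.whats-my-ip.outputs.ip }}" --output none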