diff --git a/.github/workflows/terraform-destroy.yml b/.github/workflows/terraform-destroy.yml index be2227d..bc0bf95 100644 --- a/.github/workflows/terraform-destroy.yml +++ b/.github/workflows/terraform-destroy.yml @@ -1,6 +1,14 @@ name: Terraform Destroy on: workflow_call: + secrets: + appvia-actions-secret: + description: "Appvia App secret for GH" + required: false + appvia-actions-id: + description: "Appvia App ID for GH" + required: false + inputs: confirmation: description: Expects the name of the repository to be confirmed @@ -63,6 +71,18 @@ on: required: false type: string + enable-private-access: + description: Optional flag to state if terraform requires pulling private modules + required: false + default: false + type: boolean + + organization-name: + default: "appvia" + description: "The name of the GitHub organization" + required: false + type: string + use-env-as-suffix: default: false description: "Whether to use the environment as a suffix for the state file and iam roles" 
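Review bot: Both new secrets are declared `required: false`, yet once a caller sets `enable-private-access: true` the `Enable Private Modules` step in the later hunks cannot mint a token without them, and the caller gets an opaque failure from the token action rather than a validation error; the descriptions should state the dependency, e.g. `description: "Appvia GitHub App private key; required when enable-private-access is true"` and `description: "Appvia GitHub App ID; required when enable-private-access is true"`. The same declarations are added to terraform-module-validation.yml and terraform-plan-and-apply-aws.yml in later hunks. A calling workflow must also map these explicitly or use `secrets: inherit`, which is worth saying in the workflow's usage notes.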
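Review bot: The new `enable-private-access` input is written in a different style from its neighbours: its description is the only unquoted one in the block and its keys run `description, required, default, type` while the other inputs here use `default, description, required, type`. Writing `default: false`, then `description: "Optional flag to state if terraform requires pulling private modules"`, then `required`/`type` would match. The identical block added to the other two workflows has the same quirk.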
@@ -190,6 +210,19 @@ jobs: echo "name=${{ github.event.repository.name }}.tfstate" >> $GITHUB_OUTPUT fi fi + - name: Enable Private Modules + id: get_workflow_token + if: inputs.enable-private-access + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.appvia-actions-id }} + application_private_key: ${{ secrets.appvia-actions-secret }} + organization: ${{ inputs.organization-name }} + revoke_token: true + - name: Setup Credentials + if: inputs.enable-private-access + run: | + git config --global url."https://x-access-token:${{steps.get_workflow_token.outputs.token}}@github.com/".insteadOf "https://github.com/" - name: Terraform Init id: init run: terraform -chdir=${{ inputs.terraform-dir }} init -backend-config="bucket=${{ inputs.aws-account-id }}-${{ inputs.aws-region }}-tfstate" -backend-config="key=${{ steps.state-key.outputs.name }}" -backend-config="encrypt=true" -backend-config="dynamodb_table=${{ inputs.aws-account-id }}-${{ inputs.aws-region }}-tflock" -backend-config="region=${{ inputs.aws-region }}" 
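Review bot: The `Setup Credentials` step writes an installation token into the runner's global git config and nothing removes it, so on a self-hosted runner (terraform-plan-and-apply-aws.yml exposes a `runs-on` input for custom runners) the credential survives in `~/.gitconfig` after the job, and `revoke_token: true` only invalidates it once this job's post step has run; add a cleanup step guarded with `if: always()` and pass the token through `env:` instead of expanding `${{ steps.get_workflow_token.outputs.token }}` directly inside the script. The identical step pair in the later hunks of this file and in terraform-module-validation.yml and terraform-plan-and-apply-aws.yml needs the same change. `peter-murray/workflow-application-token-action` is handed the app's private key, so pinning it to a full commit SHA rather than `@v4` is worth considering, and if the pinned version supports the action's `permissions` input the minted token can be limited to read access. The enclosing job definition starts outside the hunk.
```yaml
      - name: Setup Credentials
        if: inputs.enable-private-access
        env:
          GH_APP_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
        run: |
          git config --global url."https://x-access-token:${GH_APP_TOKEN}@github.com/".insteadOf "https://github.com/"
      # … unchanged: Terraform Init and the remaining steps of the job …
      - name: Remove Git Credentials
        if: always() && inputs.enable-private-access
        env:
          GH_APP_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
        run: |
          git config --global --remove-section "url.https://x-access-token:${GH_APP_TOKEN}@github.com/" || true
```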
@@ -291,6 +324,19 @@ jobs: echo "name=${{ github.event.repository.name }}.tfstate" >> $GITHUB_OUTPUT fi fi + - name: Enable Private Modules + id: get_workflow_token + if: inputs.enable-private-access + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.appvia-actions-id }} + application_private_key: ${{ secrets.appvia-actions-secret }} + organization: ${{ inputs.organization-name }} + revoke_token: true + - name: Setup Credentials + if: inputs.enable-private-access + run: | + git config --global url."https://x-access-token:${{steps.get_workflow_token.outputs.token}}@github.com/".insteadOf "https://github.com/" - name: Terraform Init id: init run: terraform -chdir=${{ inputs.terraform-dir }} init -backend-config="bucket=${{ inputs.aws-account-id }}-${{ inputs.aws-region }}-tfstate" -backend-config="key=${{ steps.state-key.outputs.name }}" -backend-config="encrypt=true" -backend-config="dynamodb_table=${{ inputs.aws-account-id }}-${{ inputs.aws-region }}-tflock" -backend-config="region=${{ inputs.aws-region }}" diff --git a/.github/workflows/terraform-module-validation.yml b/.github/workflows/terraform-module-validation.yml index 797f3ac..970a7b9 100644 --- a/.github/workflows/terraform-module-validation.yml +++ b/.github/workflows/terraform-module-validation.yml @@ -6,6 +6,13 @@ on: infracost-api-key: description: "The API key for infracost" required: false + appvia-actions-secret: + description: "Appvia App secret for GH" + required: false + appvia-actions-id: + description: "Appvia App ID for GH" + required: false + inputs: cicd-repository: default: "appvia/appvia-cicd-workflows" 
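Review bot: This is the second verbatim copy of the `Enable Private Modules`/`Setup Credentials` pair in this file, and the commit adds eleven copies across the three workflows; one copy in terraform-module-validation.yml already diverges (a hard-coded `organization: appvia`), which is the usual outcome of this kind of paste. Consider moving the pair into a composite action in this repository (terraform-module-validation.yml already takes a `cicd-repository` input that defaults to `appvia/appvia-cicd-workflows`) so the flag, organization and secrets are wired in one place. The enclosing job starts outside the hunk.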
@@ -31,12 +38,24 @@ on: required: false type: boolean + enable-private-access: + description: Optional flag to state if terraform requires pulling private modules + required: false + default: false + type: boolean + enable-terraform-tests: default: true description: "Whether to run terraform test" required: false type: boolean + organization-name: + default: "appvia" + description: "The name of the GitHub organization" + required: false + type: string + terraform-dir: default: "." description: "The directory to validate" @@ -68,6 +87,7 @@ on: type: string env: + ## Location of the AWS Web Identity Token file AWS_WEB_IDENTITY_TOKEN_FILE: /tmp/web_identity_token_file permissions: @@ -134,6 +154,19 @@ jobs: uses: actions/checkout@v4 - name: Setup Linter uses: terraform-linters/setup-tflint@v4 + - name: Enable Private Modules + id: get_workflow_token + if: inputs.enable-private-access + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.appvia-actions-id }} + application_private_key: ${{ secrets.appvia-actions-secret }} + organization: ${{ inputs.organization-name }} + revoke_token: true + - name: Setup Credentials + if: inputs.enable-private-access + run: | + git config --global url."https://x-access-token:${{steps.get_workflow_token.outputs.token}}@github.com/".insteadOf "https://github.com/" - name: Terraform Init run: terraform -chdir=${{ inputs.terraform-dir }} init -backend=false - name: Setup Linter 
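Review bot: The comment added above `AWS_WEB_IDENTITY_TOKEN_FILE` uses a doubled hash, `## Location of the AWS Web Identity Token file`, which yamllint's `comments` rule reports; `# Location of the AWS Web Identity Token file` follows the single-hash convention and reads the same.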
@@ -160,6 +193,19 @@ jobs: uses: hashicorp/setup-terraform@v3 with: terraform_version: ${{ inputs.terraform-version }} + - name: Enable Private Modules + id: get_workflow_token + if: inputs.enable-private-access + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.appvia-actions-id }} + application_private_key: ${{ secrets.appvia-actions-secret }} + organization: ${{ inputs.organization-name }} + revoke_token: true + - name: Setup Credentials + if: inputs.enable-private-access + run: | + git config --global url."https://x-access-token:${{steps.get_workflow_token.outputs.token}}@github.com/".insteadOf "https://github.com/" - name: Terraform Init run: terraform -chdir=${{ inputs.terraform-tests-dir }} init -backend=false - name: Run Tests @@ -185,6 +231,19 @@ jobs: uses: hashicorp/setup-terraform@v3 with: terraform_version: ${{ inputs.terraform-version }} + - name: Enable Private Modules + id: get_workflow_token + if: inputs.enable-private-access + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.appvia-actions-id }} + application_private_key: ${{ secrets.appvia-actions-secret }} + organization: ${{ inputs.organization-name }} + revoke_token: true + - name: Setup Credentials + if: inputs.enable-private-access + run: | + git config --global url."https://x-access-token:${{steps.get_workflow_token.outputs.token}}@github.com/".insteadOf "https://github.com/" - name: Terraform Init id: init run: terraform -chdir=${{ inputs.terraform-dir }} init 
@@ -208,6 +267,19 @@ jobs: uses: hashicorp/setup-terraform@v3 with: terraform_version: ${{ inputs.terraform-version }} + - name: Enable Private Modules + id: get_workflow_token + if: inputs.enable-private-access + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.appvia-actions-id }} + application_private_key: ${{ secrets.appvia-actions-secret }} + organization: ${{ inputs.organization-name }} + revoke_token: true + - name: Setup Credentials + if: inputs.enable-private-access + run: | + git config --global url."https://x-access-token:${{steps.get_workflow_token.outputs.token}}@github.com/".insteadOf "https://github.com/" - name: Terraform Init id: init run: terraform -chdir=${{ inputs.terraform-dir }} init @@ -233,6 +305,19 @@ jobs: uses: hashicorp/setup-terraform@v3 with: terraform_version: ${{ inputs.terraform-version }} + - name: Enable Private Modules + id: get_workflow_token + if: inputs.enable-private-access + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{secrets.appvia-actions-id}} + application_private_key: ${{secrets.appvia-actions-secret}} + organization: appvia + revoke_token: true + - name: Setup Credentials + if: inputs.enable-private-access + run: | + git config --global url."https://x-access-token:${{steps.get_workflow_token.outputs.token}}@github.com/".insteadOf "https://github.com/" - name: Terraform Init id: init run: terraform -chdir=${{ inputs.terraform-dir }} init -backend=false 
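Review bot: The `Enable Private Modules` step in the second hunk here passes `organization: appvia` instead of `${{ inputs.organization-name }}`, so this job silently ignores the `organization-name` input the same commit introduces and fails for any caller that overrides it; it also drops the spaces inside `${{secrets.appvia-actions-id}}` and `${{secrets.appvia-actions-secret}}` that every other copy uses. Change to `organization: ${{ inputs.organization-name }}`, `application_id: ${{ secrets.appvia-actions-id }}` and `application_private_key: ${{ secrets.appvia-actions-secret }}` to match the other copies. The enclosing job starts outside the hunk.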
@@ -261,6 +346,19 @@ jobs: uses: actions/setup-node@v4 with: node-version: 16 + - name: Enable Private Modules + id: get_workflow_token + if: inputs.enable-private-access + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.appvia-actions-id }} + application_private_key: ${{ secrets.appvia-actions-secret }} + organization: ${{ inputs.organization-name }} + revoke_token: true + - name: Setup Credentials + if: inputs.enable-private-access + run: | + git config --global url."https://x-access-token:${{steps.get_workflow_token.outputs.token}}@github.com/".insteadOf "https://github.com/" - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: diff --git a/.github/workflows/terraform-plan-and-apply-aws.yml b/.github/workflows/terraform-plan-and-apply-aws.yml index 4c9bd55..4dcc799 100644 --- a/.github/workflows/terraform-plan-and-apply-aws.yml +++ b/.github/workflows/terraform-plan-and-apply-aws.yml @@ -6,6 +6,12 @@ on: infracost-api-key: description: "The API key for infracost" required: false + appvia-actions-id: + description: "Appvia App ID for GH" + required: false + appvia-actions-secret: + description: "Appvia App secret for GH" + required: false inputs: additional-dir: 
@@ -76,18 +82,24 @@ on: required: false type: boolean + enable-private-access: + description: Optional flag to state if terraform requires pulling private modules + required: false + default: false + type: boolean + + organization-name: + description: "The name of the Github organization" + required: false + type: string + default: "appvia" + environment: default: "production" description: "The environment to deploy to" required: false type: string - use-env-as-suffix: - default: false - description: "Whether to use the environment as a suffix for the state file and iam roles" - required: false - type: boolean - runs-on: default: "ubuntu-latest" description: "Single label value for the GitHub runner to use (custom value only applies to Terraform Plan and Apply steps)" @@ -142,6 +154,12 @@ on: required: false type: string + use-env-as-suffix: + default: false + description: "Whether to use the environment as a suffix for the state file and iam roles" + required: false + type: boolean + env: AWS_ROLE: ${{ inputs.aws-role }} AWS_READONLY_OVERRIDE_ROLE: ${{ inputs.aws-read-role-name }} @@ -215,6 +233,19 @@ jobs: uses: actions/checkout@v4 - name: Setup Linter uses: terraform-linters/setup-tflint@v4 + - name: Enable Private Modules + id: get_workflow_token + if: inputs.enable-private-access + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.appvia-actions-id }} + application_private_key: ${{ secrets.appvia-actions-secret }} + organization: ${{ inputs.organization-name }} + revoke_token: true + - name: Setup Credentials + if: inputs.enable-private-access + run: | + git config --global url."https://x-access-token:${{steps.get_workflow_token.outputs.token}}@github.com/".insteadOf "https://github.com/" - name: Terraform Init run: terraform -chdir=${{ inputs.terraform-dir }} init -backend=false - name: Setup Linter 
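Review bot: `organization-name` is described here as `"The name of the Github organization"` but as `"The name of the GitHub organization"` in the other two workflows, and its key order (`description, required, type, default`) matches neither the neighbouring inputs nor the other copies; `description: "The name of the GitHub organization"` with `default` listed first would align it. The input is also inserted before `environment`, whereas the surrounding block and the `use-env-as-suffix` move in this same hunk look alphabetically ordered — if that ordering is deliberate, `organization-name` belongs further down.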
@@ -334,6 +365,19 @@ jobs: echo "name=${{ github.event.repository.name }}.tfstate" >> $GITHUB_OUTPUT fi fi + - name: Enable Private Modules + id: get_workflow_token + if: inputs.enable-private-access + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.appvia-actions-id }} + application_private_key: ${{ secrets.appvia-actions-secret }} + organization: ${{ inputs.organization-name }} + revoke_token: true + - name: Setup Credentials + if: inputs.enable-private-access + run: | + git config --global url."https://x-access-token:${{steps.get_workflow_token.outputs.token}}@github.com/".insteadOf "https://github.com/" - name: Terraform Init id: init run: terraform -chdir=${{ inputs.terraform-dir }} init -backend-config="bucket=${{ inputs.aws-account-id }}-${{ inputs.aws-region }}-tfstate" -backend-config="key=${{ steps.state-key.outputs.name }}" -backend-config="encrypt=true" -backend-config="dynamodb_table=${{ inputs.aws-account-id }}-${{ inputs.aws-region }}-tflock" -backend-config="region=${{ inputs.aws-region }}" @@ -403,6 +447,19 @@ jobs: uses: hashicorp/setup-terraform@v3 with: terraform_version: ${{ inputs.terraform-version }} + - name: Enable Private Modules + id: get_workflow_token + if: inputs.enable-private-access + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.appvia-actions-id }} + application_private_key: ${{ secrets.appvia-actions-secret }} + organization: ${{ inputs.organization-name }} + revoke_token: true + - name: Setup Credentials + if: inputs.enable-private-access + run: | + git config --global url."https://x-access-token:${{steps.get_workflow_token.outputs.token}}@github.com/".insteadOf "https://github.com/" - name: Terraform Init id: init run: terraform -chdir=${{ inputs.terraform-dir }} init -backend=false 
@@ -575,6 +632,19 @@ jobs: echo "name=${{ github.event.repository.name }}.tfstate" >> $GITHUB_OUTPUT fi fi + - name: Enable Private Modules + id: get_workflow_token + if: inputs.enable-private-access + uses: peter-murray/workflow-application-token-action@v4 + with: + application_id: ${{ secrets.appvia-actions-id }} + application_private_key: ${{ secrets.appvia-actions-secret }} + organization: ${{ inputs.organization-name }} + revoke_token: true + - name: Setup Credentials + if: inputs.enable-private-access + run: | + git config --global url."https://x-access-token:${{steps.get_workflow_token.outputs.token}}@github.com/".insteadOf "https://github.com/" - name: Terraform Init id: init run: terraform -chdir=${{ inputs.terraform-dir }} init -backend-config="bucket=${{ inputs.aws-account-id }}-${{ inputs.aws-region }}-tfstate" -backend-config="key=${{ steps.state-key.outputs.name }}" -backend-config="encrypt=true" -backend-config="dynamodb_table=${{ inputs.aws-account-id }}-${{ inputs.aws-region }}-tflock" -backend-config="region=${{ inputs.aws-region }}"