added generation of zip files #26
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 'TofuPlan' | |
| on: | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| workflow_call: | |
| inputs: | |
| region: | |
| required: true | |
| type: string | |
| roleArn: | |
| required: true | |
| type: string | |
| s3bucketName: | |
| required: true | |
| type: string | |
| github_event_number: | |
| required: true | |
| type: string | |
| github_event_issue_comments_url: | |
| required: true | |
| type: string | |
| stack: | |
| required: false | |
| type: string | |
| default: "." | |
| jobs: | |
| tofu: | |
| name: 'Plan Tofu' | |
| runs-on: arvato | |
| outputs: | |
| run_id: ${{ steps.save-run-id.outputs.run_id }} | |
| output1: ${{ steps.job.outputs.job_id }} | |
| permissions: | |
| actions: read | |
| id-token: write | |
| contents: write | |
| pull-requests: write | |
| defaults: | |
| run: | |
| shell: bash | |
| steps: | |
| - name: Get PR number | |
| run: echo ${{ inputs.github_event_number }} | |
| - name: Save run ID | |
| id: save-run-id | |
| run: echo "run_id=${{ github.run_id }}" >> $GITHUB_OUTPUT | |
| - uses: ReeganExE/[email protected] | |
| - name: Job ID output | |
| id: job | |
| run: | | |
| echo ${GH_JOB_0_ID} | |
| echo "job_id=$GH_JOB_0_ID" >> $GITHUB_OUTPUT | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: ${{ inputs.region }} | |
| role-to-assume: ${{ inputs.roleArn }} | |
| role-session-name: GitHubTerraformDeployment | |
| - name: Generate token | |
| id: generate-token | |
| uses: tibdex/github-app-token@v2 | |
| with: | |
| app_id: ${{ secrets.TERRAFORM_GITHUB_ACTION_APP_ID }} | |
| private_key: ${{ secrets.TERRAFORM_GITHUB_ACTION_PRIVATE_KEY }} | |
| - uses: de-vri-es/setup-git-credentials@v2 | |
| with: | |
| credentials: https://oauth:${{ steps.generate-token.outputs.token }}@github.com/ | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: refs/pull/${{ inputs.github_event_number }}/merge | |
| - run: echo "REPOSITORY_NAME=${GITHUB_REPOSITORY#*/}" >> $GITHUB_ENV | |
| shell: bash | |
| # Terraform Validation Steps | |
| - name: terraform validate ${{ inputs.stack }} | |
| uses: dflook/terraform-validate@v1 | |
| with: | |
| path: ${{ inputs.stack }} | |
| env: | |
| TERRAFORM_HTTP_CREDENTIALS: | | |
| github.com/arvatoaws=oauth:${{ steps.generate-token.outputs.token }} | |
| GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} | |
| TERRAFORM_ACTIONS_GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} | |
| GITHUB_APP_ID: ${{ secrets.TERRAFORM_GITHUB_ACTION_APP_ID }} | |
| GITHUB_APP_PEM_FILE: ${{ secrets.TERRAFORM_GITHUB_ACTION_PRIVATE_KEY }} | |
| - name: terraform fmt ${{ inputs.stack }} | |
| uses: dflook/terraform-fmt-check@v1 | |
| with: | |
| path: ${{ inputs.stack }} | |
| env: | |
| TERRAFORM_HTTP_CREDENTIALS: | | |
| github.com/arvatoaws=oauth:${{ steps.generate-token.outputs.token }} | |
| GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} | |
| TERRAFORM_ACTIONS_GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} | |
| GITHUB_APP_ID: ${{ secrets.TERRAFORM_GITHUB_ACTION_APP_ID }} | |
| GITHUB_APP_PEM_FILE: ${{ secrets.TERRAFORM_GITHUB_ACTION_PRIVATE_KEY }} | |
| # Install the latest version of Tofu CLI | |
| - name: Setup Tofu | |
| uses: opentofu/setup-opentofu@v1 | |
| # Initialize Terraform | |
| - name: Tofu Init | |
| run: | | |
| cd ${{ inputs.stack }} | |
| rm -rf .terraform .terraform.lock.hcl | |
| tofu init -upgrade | |
| # Generate tofu plan | |
| - name: Tofu Plan ${{ inputs.stack }} | |
| id: tfplan | |
| continue-on-error: true | |
| run: | | |
| cd ${{ inputs.stack }} | |
| # Bash script to build tofu plan command dynamically | |
| COMMAND="tofu plan -input=false -no-color -out=tfplan" | |
| SECRETS_JSON='${{ toJson(secrets) }}' | |
| SECRETS=$(echo "$SECRETS_JSON" | jq -r 'keys[]') | |
| for key in $SECRETS; do | |
| value=$(echo "$SECRETS_JSON" | jq -r ".[\"$key\"]") | |
| if [[ $key == TF_VAR_* ]]; then | |
| # Add the secret as an input variable to the tofu command | |
| COMMAND="$COMMAND -var '${key#TF_VAR_}=$value'" | |
| fi | |
| done | |
| # Execute the dynamically generated tofu command | |
| eval $COMMAND && tofu show -no-color tfplan | sed 's/\x27/ /g' | sed -E 's/^([[:space:]]+)([-+])/\2\1/g' > plan.txt | |
| - name: Discover and Generate Lambda ZIPs | |
| run: | | |
| mkdir -p $(pwd)/lambda_zips | |
| find $(pwd) -type d -name 'lambda' | while read -r lambda_dir; do | |
| zip_file="$(pwd)/lambda_zips/$(basename "$(dirname "$lambda_dir")").zip" | |
| echo "Generating $zip_file from $lambda_dir" | |
| if [ -d "$lambda_dir" ]; then | |
| (cd "$lambda_dir" && zip -r "$zip_file" .) | |
| else | |
| echo "Directory $lambda_dir does not exist" | |
| fi | |
| done | |
| - name: Upload Lambda ZIPs as Artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: lambda-zips | |
| path: lambda_zips/*.zip | |
| - name: Update PR with Run ID | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| PR_NUMBER=${{ inputs.github_event_number }} | |
| RUN_ID=${{ steps.save-run-id.outputs.run_id }} | |
| PR_BODY=$(gh pr view $PR_NUMBER --json body --jq '.body') | |
| UPDATED_PR_BODY=$(echo "$PR_BODY" | sed '/run_id=/d') | |
| UPDATED_PR_BODY="${UPDATED_PR_BODY}\nrun_id=${RUN_ID}" | |
| echo "Updating PR #$PR_NUMBER with run_id=$RUN_ID" | |
| curl -X PATCH \ | |
| -H "Authorization: token $GITHUB_TOKEN" \ | |
| -H "Content-Type: application/json" \ | |
| -d "{\"body\":\"$(echo "$UPDATED_PR_BODY" | sed 's/"/\\"/g' | sed ':a;N;$!ba;s/\n/\\n/g')\"}" \ | |
| https://api.github.com/repos/${{ github.repository }}/pulls/$PR_NUMBER | |
| - name: Upload ${{ inputs.stack }} Plan to S3 | |
| run: | | |
| cd ${{ inputs.stack }} | |
| aws s3 cp ./tfplan s3://${{ inputs.s3bucketName }}/plans/${{ github.repository }}/${{ inputs.stack }}/${{ inputs.github_event_number }}/ | |
| - name: Post Plan to GitHub PR | |
| env: | |
| COMMENT: ${{ inputs.github_event_issue_comments_url }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -x | |
| cd ${{ inputs.stack }} | |
| (printf "**Tofu Plan ${{ inputs.stack }} Environment**\n\n\`\`\`diff" && sed '/^::/d' plan.txt) > comment.txt | |
| jq -R -s '.' < comment.txt > comment2.txt | |
| truncate -s -1 comment2.txt | |
| (echo -n '{ "body": ' && cat comment2.txt && echo -n ' }') > comment3.txt | |
| curl \ | |
| -X POST \ | |
| $COMMENT \ | |
| -H "Content-Type: application/json" \ | |
| -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
| -d @comment3.txt | |
| curl \ | |
| -X POST \ | |
| https://api.github.com/repos/${{ github.repository }}/issues/${{ inputs.github_event_number }}/labels \ | |
| -H "Content-Type: application/json" \ | |
| -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
| -d '["planned"]' | |
| logging: | |
| name: 'Save logs' | |
| needs: tofu | |
| runs-on: arvato | |
| if: always() # This job will always run | |
| permissions: | |
| actions: read | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: ${{ inputs.region }} | |
| role-to-assume: ${{ inputs.roleArn }} | |
| - name: Retrieve log file and upload to s3 | |
| run: | | |
| TIMESTAMP=$(date +'%Y-%m-%d-%H:%M:%S') | |
| LOG_FILENAME="TofuPlan_${{ inputs.github_event_number }}_PR_$TIMESTAMP.txt" | |
| # Get log file | |
| gh api repos/{owner}/{repo}/actions/jobs/${{ needs.tofu.outputs.output1 }}/logs > $LOG_FILENAME | |
| # Upload it to s3 | |
| aws s3 cp $LOG_FILENAME s3://${{ inputs.s3bucketName }}/logs/Plan/ | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |