-
Notifications
You must be signed in to change notification settings - Fork 2
131 lines (130 loc) · 4.68 KB
/
apply.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
name: Plan and Apply
concurrency:
group: planapply-${{ github.ref }}
on:
push:
branches:
- main
pull_request:
branches:
- main
workflow_dispatch:
inputs:
perform_apply:
description: 'Actually perform an Apply'
required: false
type: boolean
target:
description: 'Single target to run against'
required: false
default: ''
jobs:
plan:
runs-on: ubuntu-22.04
outputs:
apply: ${{ steps.determine-apply.outputs.apply }}
permissions:
contents: read
id-token: write
env:
TF_VAR_github_app_id: ${{ secrets.GH_APP_ID }}
TF_VAR_github_app_private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
TF_VAR_github_install_enarx: ${{ secrets.GH_APP_INSTALL_ENARX }}
TF_VAR_github_install_profianinc: ${{ secrets.GH_APP_INSTALL_PROFIANINC }}
ARM_USE_OIDC: true
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
steps:
- uses: actions/checkout@v3
- uses: hashicorp/setup-terraform@v2
- name: Terraform init
run: terraform init
- name: Terraform Plan
id: plan
run: |
args=""
if [ "${{ inputs.target }}" != "" ];
then
args="$args -target=${{ inputs.target }}"
fi
if [ "${{ github.event_name }}" == 'pull_request' ];
then
args="$args -refresh=false"
fi
terraform plan -out plan -input=false -lock=false -detailed-exitcode $args
- name: Determine plan outcome
id: determine
run: |
status=${{ steps.plan.outputs.exitcode }}
if [ $status -eq 0 ]; then
echo "# Plan finished: NO changes detected" >>$GITHUB_STEP_SUMMARY
echo "diff=false" >>$GITHUB_OUTPUT
elif [ $status -eq 2 ]; then
echo "# Plan finished: changes detected" >>$GITHUB_STEP_SUMMARY
echo "diff=true" >>$GITHUB_OUTPUT
status=0
else
echo "# Plan failed: exit code $status" >>$GITHUB_STEP_SUMMARY
fi
echo "## Details check script output:" >>$GITHUB_STEP_SUMMARY
terraform show -json plan | python3 ./.github/workflows/check_details.py
echo "## Terraform output:" >>$GITHUB_STEP_SUMMARY
echo '```terraform' >>$GITHUB_STEP_SUMMARY
terraform show -no-color plan | grep -v "^::debug::" >>$GITHUB_STEP_SUMMARY
echo '```' >>$GITHUB_STEP_SUMMARY
exit $status
- name: Enable apply
id: determine-apply
if: steps.determine.outputs.diff == 'true' && ((github.event_name == 'push' && github.ref == 'refs/heads/main') || (github.event_name == 'workflow_dispatch' && inputs.perform_apply))
run: echo "apply=true" >>$GITHUB_OUTPUT
- name: Install age
if: steps.determine-apply.outputs.apply == 'true'
run: sudo apt-get install age
- name: Encrypt plan
if: steps.determine-apply.outputs.apply == 'true'
run: age --encrypt --recipient ${{ secrets.PLAN_PUBKEY }} --armor -o plan.encrypted plan
- name: Delete original plan file
if: steps.determine-apply.outputs.apply == 'true'
run: rm -f plan.out
- name: Upload plan file
if: steps.determine-apply.outputs.apply == 'true'
uses: actions/upload-artifact@v3
with:
name: plan.encrypted
path: plan.encrypted
retention-days: 1
if-no-files-found: error
apply:
environment: production
needs: plan
if: needs.plan.outputs.apply == 'true' && ((github.event_name == 'push' && github.ref == 'refs/heads/main') || github.event_name == 'workflow_dispatch')
runs-on: ubuntu-22.04
concurrency:
group: apply
permissions:
contents: read
id-token: write
env:
TF_VAR_github_app_id: ${{ secrets.GH_APP_ID }}
TF_VAR_github_app_private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
TF_VAR_github_install_enarx: ${{ secrets.GH_APP_INSTALL_ENARX }}
TF_VAR_github_install_profianinc: ${{ secrets.GH_APP_INSTALL_PROFIANINC }}
ARM_USE_OIDC: true
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
steps:
- uses: actions/checkout@v3
- uses: hashicorp/setup-terraform@v2
- run: sudo apt-get install age
- name: Terraform init
run: terraform init
- name: Download plan
uses: actions/download-artifact@v3
with:
name: plan.encrypted
- name: Decrypt plan
run: echo "${{ secrets.PLAN_PRIVKEY }}" | age --decrypt --identity - -o plan plan.encrypted
- name: Terraform Apply
run: terraform apply -input=false -auto-approve plan