Created
April 3, 2023 20:00
-
-
Save corkupine/63459ca3d2262b8049e723fce6847c20 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Based on: https://developer.hashicorp.com/terraform/tutorials/automation/github-actions | |
| name: Terraform plan on PR and apply on merge | |
| on: | |
| pull_request: | |
| types: [opened, closed, synchronize, reopened] | |
| paths: | |
| - "environment/**" | |
| jobs: | |
| terraform_plan: | |
| runs-on: ubuntu-latest | |
| if: github.event.pull_request.merged == false && github.event.action != 'closed' | |
| defaults: | |
| run: | |
| working-directory: ./environment | |
| permissions: | |
| pull-requests: write | |
| contents: read | |
| id-token: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v1 | |
| with: | |
| role-to-assume: arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxxxxxxxx | |
| aws-region: xxxxxxxxxx | |
| - name: Set up Terraform | |
| uses: hashicorp/setup-terraform@v2 | |
| with: | |
| terraform_version: 1.4.0 | |
| # We need Helm and kubectl for AWS Load Balancer Controller module, which uses a chart | |
| - name: Set up Helm | |
| uses: azure/setup-helm@v3 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up kubectl | |
| uses: azure/setup-kubectl@v3 | |
| - name: Terraform fmt check | |
| id: fmt | |
| run: terraform fmt -check -diff -recursive | |
| continue-on-error: true | |
| # terraform init needs a token to access modules in private repos | |
| - name: Configure git access token | |
| run: git config --global url."https://oauth2:${{ secrets.ACCESS_TOKEN }}@github.com".insteadOf https://github.com | |
| - name: Terraform init | |
| id: init | |
| run: terraform init | |
| - name: Terraform workspace select | |
| run: terraform workspace select 'dev' | |
| - name: Terraform validate | |
| id: validate | |
| run: terraform validate -no-color | |
| - name: Terraform plan | |
| id: plan | |
| run: terraform plan -var-file="./env/dev.tfvars" -out="dev.tfplan" -no-color | |
| continue-on-error: true | |
| - name: Archive plan as artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: plan-pr-${{github.event.pull_request.base.sha}}-${{github.event.pull_request.head.sha}} | |
| path: "environment/dev.tfplan" | |
| retention-days: 10 | |
| - name: Write results to PR comment | |
| uses: actions/github-script@v6 | |
| if: github.event_name == 'pull_request' | |
| env: | |
| FMT: "${{ steps.fmt.outcome }}" | |
| FMT_OUT: "${{ steps.fmt.outputs.stdout }}" | |
| INIT: "${{ steps.init.outcome }}" | |
| PLAN: "${{ steps.plan.outcome }}" | |
| VALIDATE: "${{ steps.validate.outcome }}" | |
| PLAN_OUT: "${{ steps.plan.outputs.stdout }}" | |
| VALIDATE_OUT: "${{ steps.validate.outputs.stdout }}" | |
| ACTOR: "${{ github.actor }}" | |
| EVENT_NAME: "${{ github.event_name }}" | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| const script = require('./.github/workflows/prcomment.js') | |
| await script({github, context}) | |
| - name: Terraform Plan Status | |
| if: steps.plan.outcome == 'failure' || steps.fmt.outcome == 'failure' | |
| run: exit 1 | |
| terraform_apply: | |
| if: github.event.pull_request.merged == true | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./environment | |
| permissions: | |
| contents: read | |
| id-token: write | |
| actions: read | |
| pull-requests: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| - name: Find [skipapply] in comments | |
| uses: peter-evans/find-comment@v2 | |
| id: findcomment | |
| with: | |
| issue-number: ${{github.event.pull_request.number}} | |
| body-includes: "[skipapply]" | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v1 | |
| with: | |
| role-to-assume: arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxxx | |
| aws-region: xxxxxxxxxx | |
| - name: Set up Terraform | |
| uses: hashicorp/setup-terraform@v2 | |
| with: | |
| terraform_version: 1.4.0 | |
| - name: Set up Helm | |
| uses: azure/setup-helm@v3 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up kubectl | |
| uses: azure/setup-kubectl@v3 | |
| - name: Download the plan from the PR | |
| uses: dawidd6/action-download-artifact@v2 | |
| with: | |
| workflow_conclusion: success | |
| pr: ${{github.event.pull_request.number}} | |
| name: plan-pr-${{github.event.pull_request.base.sha}}-${{github.event.pull_request.head.sha}} | |
| path: ./environment | |
| # terraform init needs a token to access modules in private repos | |
| - name: Configure git access token | |
| run: git config --global url."https://oauth2:${{ secrets.ACCESS_TOKEN }}@github.com".insteadOf https://github.com | |
| - name: Terraform init | |
| id: init | |
| run: terraform init | |
| - name: Terraform workspace select | |
| run: terraform workspace select 'dev' | |
| - name: Terraform apply | |
| run: terraform apply dev.tfplan -no-color | |
| if: steps.findcomment.outputs.comment-id == '' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment