@jSherz
Created November 18, 2023 20:32
Running a GitHub Actions pipeline for every AWS account in an organization
#
# See the blog post describing this GitHub Action: https://jsherz.com/aws/github/actions/ci/2023/11/18/running-a-github-actions-pipeline-for-every-aws-account.html
#
# Two jobs: "setup" lists the active member accounts of the organization and
# publishes them as a JSON array; "deploy" fans out over that array as a matrix,
# running one Terraform plan/apply per account and region.
#
name: 'Terraform'
on:
  push:
    branches:
      - main
  pull_request:
env:
  ORGANIZATION_MANAGEMENT_ACCOUNT_ID: 123123123123
  COMPANY_IDENTIFIER: shersoft-ltd
# One run at a time across the whole workflow, so two pushes cannot race on the
# same Terraform state.
concurrency: terraform
jobs:
  setup:
    name: 'setup'
    runs-on: ubuntu-22.04
    defaults:
      run:
        shell: bash
    # Least privilege for the GITHUB_TOKEN; id-token: write is what lets the
    # configure-aws-credentials action request an OIDC token to assume the role.
    permissions:
      contents: read
      id-token: write
    outputs:
      account_ids: ${{steps.list_accounts.outputs.account_ids}}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.6.3
      - name: Authenticate with AWS
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # Role in the management account that the GitHub OIDC provider is
          # trusted to assume; it needs organizations:ListAccounts.
          role-to-assume: arn:aws:iam::${{env.ORGANIZATION_MANAGEMENT_ACCOUNT_ID}}:role/github-actions
          aws-region: eu-west-1
          # Masking would turn every account ID in the job output into ***, which
          # breaks the matrix below. Account IDs are not secrets.
          mask-aws-account-id: false
      - name: List accounts
        id: list_accounts
        # Keep ACTIVE accounts only (SUSPENDED / PENDING_CLOSURE cannot be deployed
        # to), drop the management account, and emit the IDs as a compact JSON
        # array. jq -c keeps the value on one line, which $GITHUB_OUTPUT requires
        # for a plain key=value entry. The management account ID is passed in as a
        # jq variable from the environment rather than interpolated into the
        # script with ${{ }}.
        run: |
          echo "account_ids=$(aws organizations list-accounts \
            | jq -c --arg mgmt "$ORGANIZATION_MANAGEMENT_ACCOUNT_ID" \
              '.Accounts | map(select(.Status == "ACTIVE")) | map(select(.Id != $mgmt)) | map(.Id)')" \
            >> "$GITHUB_OUTPUT"
  deploy:
    name: 'deploy'
    runs-on: ubuntu-22.04
    needs: setup
    defaults:
      run:
        shell: bash
    permissions:
      contents: read
      id-token: write
    strategy:
      # One failing account must not cancel the deployments still running for
      # the others.
      fail-fast: false
      matrix:
        # Every active member account, as published by the setup job.
        account_id: ${{fromJson(needs.setup.outputs.account_ids)}}
        region:
          - eu-west-1
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.6.3
      - name: Authenticate with AWS
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # The same management-account role is assumed here; Terraform is told
          # which member account to target via TF_VAR_account_id below. The
          # provider configuration that acts on it is not part of this gist.
          role-to-assume: arn:aws:iam::${{env.ORGANIZATION_MANAGEMENT_ACCOUNT_ID}}:role/github-actions
          aws-region: ${{matrix.region}}
          mask-aws-account-id: false
      - name: Terraform init
        # Shared state bucket per region in the management account, with one
        # Terraform workspace per member account. "workspace select -or-create"
        # needs Terraform 1.4 or newer (1.6.3 is pinned above).
        run: |
          terraform init \
            -backend-config="bucket=${{env.COMPANY_IDENTIFIER}}-landing-zone-${{env.ORGANIZATION_MANAGEMENT_ACCOUNT_ID}}-${{matrix.region}}-tf-state" \
            -backend-config="region=${{matrix.region}}"
          terraform workspace select -or-create ${{matrix.account_id}}
      - name: Terraform format check
        run: terraform fmt -check
      - name: Terraform plan
        run: terraform plan -out plan
        env:
          TF_VAR_management_account_id: ${{env.ORGANIZATION_MANAGEMENT_ACCOUNT_ID}}
          TF_VAR_account_id: ${{matrix.account_id}}
          TF_VAR_region: ${{matrix.region}}
          TF_VAR_ref: ${{github.ref_name}}
          TF_VAR_company_identifier: ${{env.COMPANY_IDENTIFIER}}
      - name: Terraform apply
        # Pull requests only get a plan; the saved plan is applied only on a
        # push to main, so what is applied is exactly what was planned.
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: terraform apply plan
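The "List accounts" step above builds its matrix with a jq one-liner over the CLI output. The following is an added example, not code from the gist or the blog post, that does the same selection in Python so the two pieces the jq pipeline leaves implicit can be seen: merging pages of a paginated ListAccounts call (the AWS CLI paginates for you, a boto3 `list_accounts` paginator does not), and checking that every ID is exactly 12 digits before it is allowed to reach `${{ matrix.account_id }}` inside a `run:` step. The page shape assumed is the ListAccounts API response as a boto3 paginator yields it; the sample pages and account names are constructed and the `$GITHUB_OUTPUT` line format is the single-line `key=value` form GitHub Actions documents.

```python
"""Build the GitHub Actions matrix input from AWS Organizations ListAccounts pages.

Added example (not the gist's code). Models the "List accounts" step: keep ACTIVE
accounts, drop the management account, emit one `account_ids=[...]` line for
$GITHUB_OUTPUT. Adds page merging and a strict account-ID format check.
"""
import json
import re

# AWS account IDs are always exactly 12 decimal digits.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_account_matrix(pages, management_account_id):
    """Return the sorted member account IDs to deploy to.

    `pages` is an iterable of dicts shaped like the ListAccounts API response
    (each carrying an "Accounts" list), which is what a boto3 paginator yields.
    Raises ValueError on any ID that is not 12 digits, because the IDs are later
    interpolated into shell via ${{ matrix.account_id }}.
    """
    mgmt = str(management_account_id)
    if not ACCOUNT_ID_RE.match(mgmt):
        raise ValueError(f"management account id is not 12 digits: {mgmt!r}")

    ids = []
    for page in pages:
        for account in page.get("Accounts", []):
            account_id = str(account.get("Id", ""))
            if not ACCOUNT_ID_RE.match(account_id):
                raise ValueError(f"unexpected account id format: {account_id!r}")
            if account.get("Status") != "ACTIVE":
                continue  # SUSPENDED / PENDING_CLOSURE accounts cannot be deployed to
            if account_id == mgmt:
                continue  # the management account is not part of the fan-out
            if account_id not in ids:
                ids.append(account_id)
    return sorted(ids)


def github_output_line(account_ids):
    """Format the matrix as the one-line key=value entry $GITHUB_OUTPUT expects."""
    # separators=(",", ":") mirrors `jq -c`: no whitespace, so the value stays
    # on a single line and fromJson() in the workflow can parse it.
    return "account_ids=" + json.dumps(list(account_ids), separators=(",", ":"))


# Constructed sample: two response pages as a paginator would return them.
# The IDs and names are made up for the example.
SAMPLE_PAGES = [
    {
        "Accounts": [
            {"Id": "123123123123", "Name": "management", "Status": "ACTIVE"},
            {"Id": "111111111111", "Name": "dev", "Status": "ACTIVE"},
            {"Id": "222222222222", "Name": "old-sandbox", "Status": "SUSPENDED"},
        ],
        "NextToken": "page-2",
    },
    {
        "Accounts": [
            {"Id": "333333333333", "Name": "prod", "Status": "ACTIVE"},
        ]
    },
]


if __name__ == "__main__":
    matrix = build_account_matrix(SAMPLE_PAGES, "123123123123")
    print(github_output_line(matrix))
```

Run as a script it prints the line the workflow would append to `$GITHUB_OUTPUT`; in a real job the pages would come from `boto3.client("organizations").get_paginator("list_accounts").paginate()` with the same role the setup job assumes.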