Running a GitHub Actions pipeline for every AWS account in an organization
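#
# See the blog post describing this GitHub Action: https://jsherz.com/aws/github/actions/ci/2023/11/18/running-a-github-actions-pipeline-for-every-aws-account.html
#
# Two jobs: `setup` assumes a role in the organisation management account and
# lists the active member accounts; `deploy` fans out over that list as a
# matrix and runs Terraform once per account/region, applying only on pushes
# to main.
#
name: 'Terraform'
on:
  push:
    branches:
      - main
  # Pull requests run `terraform plan` with real credentials in every member
  # account. The trust policy of `role/github-actions` (not shown here) should
  # restrict which repository and branches may assume it.
  pull_request:
env:
  # Quoted so generic YAML tooling keeps the 12-digit ID as a string.
  ORGANIZATION_MANAGEMENT_ACCOUNT_ID: '123123123123'
  COMPANY_IDENTIFIER: shersoft-ltd
# One run of this workflow at a time. No cancel-in-progress, so an in-flight
# apply is never interrupted by a newer run.
concurrency: terraform
jobs:
  setup:
    name: 'setup'
    runs-on: ubuntu-22.04
    defaults:
      run:
        shell: bash
    permissions:
      contents: read
      id-token: write  # OIDC token for configure-aws-credentials
    outputs:
      account_ids: ${{ steps.list_accounts.outputs.account_ids }}
    steps:
      - name: Checkout
        # Consider pinning third-party actions to a full commit SHA rather than
        # a mutable tag, so a moved tag cannot change what runs here.
        uses: actions/checkout@v4
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: '1.6.3'
      - name: Authenticate with AWS
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::${{ env.ORGANIZATION_MANAGEMENT_ACCOUNT_ID }}:role/github-actions
          aws-region: eu-west-1
          # Masking is off because the account IDs this job emits as an output
          # must reach the deploy matrix in clear; as a consequence account IDs
          # appear in the run logs.
          mask-aws-account-id: false
      - name: List accounts
        id: list_accounts
        # Assign first, then write: under the runner's `bash -eo pipefail` a
        # failed `aws` call inside `echo "$(...)"` would not fail the step and
        # would hand an empty matrix to the deploy job. `jq -c` keeps the JSON
        # on one line, which a plain `key=value` in $GITHUB_OUTPUT requires.
        # The management account ID is passed to jq as an argument instead of
        # being interpolated into the script text.
        run: |
          account_ids=$(aws organizations list-accounts \
            | jq -c --arg mgmt "$ORGANIZATION_MANAGEMENT_ACCOUNT_ID" \
              '.Accounts | map(select(.Status == "ACTIVE" and .Id != $mgmt)) | map(.Id)')
          if [ "$account_ids" = "[]" ]; then
            echo "No active member accounts found; nothing to deploy" >&2
            exit 1
          fi
          echo "account_ids=$account_ids" >> "$GITHUB_OUTPUT"
  deploy:
    name: 'deploy'
    runs-on: ubuntu-22.04
    needs: setup
    defaults:
      run:
        shell: bash
    permissions:
      contents: read
      id-token: write
    strategy:
      # Keep going for the remaining accounts when one of them fails.
      fail-fast: false
      matrix:
        account_id: ${{ fromJson(needs.setup.outputs.account_ids) }}
        region:
          - eu-west-1
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: '1.6.3'
      - name: Authenticate with AWS
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # Same management-account role as in `setup`; presumably the
          # Terraform configuration assumes into the member account using
          # TF_VAR_account_id — that configuration is not shown here.
          role-to-assume: arn:aws:iam::${{ env.ORGANIZATION_MANAGEMENT_ACCOUNT_ID }}:role/github-actions
          aws-region: ${{ matrix.region }}
          mask-aws-account-id: false
      - name: Terraform init
        # Matrix values are passed through env rather than interpolated into
        # the script text, so the shell never sees them as code.
        env:
          ACCOUNT_ID: ${{ matrix.account_id }}
          REGION: ${{ matrix.region }}
        run: |
          terraform init \
            -backend-config="bucket=${COMPANY_IDENTIFIER}-landing-zone-${ORGANIZATION_MANAGEMENT_ACCOUNT_ID}-${REGION}-tf-state" \
            -backend-config="region=${REGION}"
          terraform workspace select -or-create "$ACCOUNT_ID"
      - name: Terraform format check
        run: terraform fmt -check
      - name: Terraform plan
        run: terraform plan -out plan
        env:
          TF_VAR_management_account_id: ${{ env.ORGANIZATION_MANAGEMENT_ACCOUNT_ID }}
          TF_VAR_account_id: ${{ matrix.account_id }}
          TF_VAR_region: ${{ matrix.region }}
          TF_VAR_ref: ${{ github.ref_name }}
          TF_VAR_company_identifier: ${{ env.COMPANY_IDENTIFIER }}
      - name: Terraform apply
        # Only the plan file saved by this run is applied, and only on main.
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: terraform apply plan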