Instantly share code, notes, and snippets.
Created
February 12, 2024 05:54
-
Star
0
(0)
You must be signed in to star a gist -
Fork
0
(0)
You must be signed in to fork a gist
-
Save jonesy1234/14465dbad2690f1cca75fcaee829852b to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: 'Terraform GitHub Plan Shared Action' | |
| # yamllint disable-line rule:truthy | |
| on: | |
| workflow_call: | |
| inputs: | |
| aws_region: | |
| description: 'The target AWS Region for access to S3 & DynamoDB' | |
| required: true | |
| type: string | |
| role_to_assume: | |
| description: 'The target IAM Role to assume to grant access to AWS S3 & DynamoDB or other resources required' | |
| required: true | |
| type: string | |
| aws_audience: | |
| description: 'Audience value used to restrict access to the IAM Role' | |
| required: true | |
| type: string | |
| role_session_name: | |
| description: 'Session name for the Assumed IAM Role' | |
| required: false | |
| type: string | |
| terraform_backend_config: | |
| description: 'The Terraform State Variable file defining the location of state settings such as S3, DynamoDb etc' | |
| default: 'terraform_state.tfvars' | |
| required: false | |
| type: string | |
| secrets: | |
| github_app_id: | |
| description: 'The GitHub App ID that provides the necessary access for Terraform to configure GitHub resources' | |
| required: true | |
| github_app_installation_id: | |
| description: 'The GitHub App Installation ID of the GitHub App ID' | |
| required: true | |
| github_app_pem_file: | |
| description: 'The contents of the GitHub App Private Key file' | |
| required: true | |
| terraform_app_id: | |
| description: 'The GitHub App ID that provides the necessary access to the Terraform Community Repositories' | |
| required: true | |
| terraform_app_pem_file: | |
| description: 'The contents of the GitHub App Private Key file that provides the necessary access to the Terraform Community Repositories' | |
| required: true | |
| jobs: | |
| Validation: | |
| name: Terraform Plan Workflow | |
| runs-on: ubuntu-latest | |
| needs: docs | |
| permissions: | |
| id-token: write | |
| contents: read | |
| issues: write | |
| pull-requests: write | |
| container: | |
| image: hashicorp/terraform:latest | |
| env: | |
| GITHUB_APP_ID: ${{ secrets.github_app_id }} | |
| GITHUB_APP_INSTALLATION_ID: ${{ secrets.github_app_installation_id }} | |
| GITHUB_APP_PEM_FILE: ${{ secrets.github_app_pem_file }} | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| audience: ${{ inputs.aws_audience }} | |
| aws-region: ${{ inputs.aws_region }} | |
| role-to-assume: ${{ inputs.role_to_assume }} | |
| role-session-name: ${{ inputs.role_session_name }} | |
| - uses: actions/create-github-app-token@v1 | |
| id: app-token | |
| with: | |
| app-id: ${{ secrets.terraform_app_id }} | |
| private-key: ${{ secrets.terraform_app_pem_file }} | |
| owner: 'another-github-organisation' | |
| - name: Terraform Initialization | |
| run: | | |
| git config --global url."https://oauth2:${{ steps.app-token.outputs.token }}@github.com".insteadOf https://github.com | |
| terraform init -backend-config="${{ inputs.terraform_backend_config }}" -upgrade | |
| id: terraform_init | |
| - name: Terraform Validation | |
| run: terraform validate | |
| id: terraform_validate | |
| - name: Terraform Format and Style | |
| run: terraform fmt -check -diff -recursive | |
| id: terraform_fmt | |
| - name: Terraform Plan | |
| id: terraform_plan | |
| run: terraform plan -no-color --out tfplan.binary | |
| continue-on-error: true | |
| - name: Update Pull Request | |
| uses: actions/github-script@v6 | |
| if: github.event_name == 'pull_request' | |
| with: | |
| script: | | |
| const output = `${ "${{ steps.terraform_fmt.outcome }}" == "success" ? "βοΈ" : "β" } Terraform Format and Style π | |
| ${ "${{ steps.terraform_init.outcome }}" == "success" ? "βοΈ" : "β" } Terraform Initialization βοΈ | |
| ${ "${{ steps.terraform_plan.outcome }}" == "success" ? "βοΈ" : "β" } Terraform Plan π | |
| ${ "${{ steps.terraform_validate.outcome }}" == "success" ? "βοΈ" : "β" } Terraform Validation π€ | |
| *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`* | |
| ${markdownTable}`; | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: output | |
| }); | |
| - name: Terraform Plan Status | |
| if: steps.terraform_plan.outcome == 'failure' | |
| run: exit 1 | |
| docs: | |
| name: Terraform Docs | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.ref }} | |
| - name: Render terraform docs inside the README.md and push changes back to PR branch | |
| uses: terraform-docs/gh-actions@main | |
| with: | |
| working-dir: . | |
| output-file: README.md | |
| output-method: inject | |
| git-push: "true" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment