jonesy1234/shared-terraform-plan.yml

## shared-terraform-plan.yml
---
name: 'Terraform GitHub Plan Shared Action'

# yamllint disable-line rule:truthy
on:
  workflow_call:
    inputs:
      aws_region:
        description: 'The target AWS Region for access to S3 & DynamoDB'
        required: true
        type: string
      role_to_assume:
        description: 'The target IAM Role to assume to grant access to AWS S3 & DynamoDB or other resources required'
        required: true
        type: string
      aws_audience:
        description: 'Audience value used to restrict access to the IAM Role'
        required: true
        type: string
      role_session_name:
        description: 'Session name for the Assumed IAM Role'
        required: false
        type: string
      terraform_backend_config:
        description: 'The Terraform State Variable file defining the location of state settings such as S3, DynamoDb etc'
        default: 'terraform_state.tfvars'
        required: false
        type: string
    secrets:
      github_app_id:
        description: 'The GitHub App ID that provides the necessary access for Terraform to configure GitHub resources'
        required: true
      github_app_installation_id:
        description: 'The GitHub App Installation ID of the GitHub App ID'
        required: true
      github_app_pem_file:
        description: 'The contents of the GitHub App Private Key file'
        required: true
      terraform_app_id:
        description: 'The GitHub App ID that provides the necessary access to the Terraform Community Repositories'
        required: true
      terraform_app_pem_file:
        description: 'The contents of the GitHub App Private Key file that provides the necessary access to the Terraform Community Repositories'
        required: true

jobs:
  Validation:
    name: Terraform Plan Workflow
    runs-on: ubuntu-latest
    needs: docs
    permissions:
      id-token: write
      contents: read
      issues: write
      pull-requests: write

    container:
      image: hashicorp/terraform:latest
      env:
        GITHUB_APP_ID: ${{ secrets.github_app_id }}
        GITHUB_APP_INSTALLATION_ID: ${{ secrets.github_app_installation_id }}
        GITHUB_APP_PEM_FILE: ${{ secrets.github_app_pem_file }}

    steps:
      - name: Checkout Code
        uses: actions/checkout@v4

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          audience: ${{ inputs.aws_audience }}
          aws-region: ${{ inputs.aws_region }}
          role-to-assume: ${{ inputs.role_to_assume }}
          role-session-name: ${{ inputs.role_session_name }}

      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ secrets.terraform_app_id }}
          private-key: ${{ secrets.terraform_app_pem_file }}
          owner: 'another-github-organisation'

      - name: Terraform Initialization
        run: |
          git config --global url."https://oauth2:${{ steps.app-token.outputs.token }}@github.com".insteadOf https://github.com
          terraform init  -backend-config="${{ inputs.terraform_backend_config }}" -upgrade
        id: terraform_init

      - name: Terraform Validation
        run: terraform validate
        id: terraform_validate

      - name: Terraform Format and Style
        run: terraform fmt -check -diff -recursive
        id: terraform_fmt

      - name: Terraform Plan
        id: terraform_plan
        run: terraform plan -no-color --out tfplan.binary
        continue-on-error: true

      - name: Update Pull Request
        uses: actions/github-script@v6
        if: github.event_name == 'pull_request'
        with:
          script: |
            const output = `${ "${{ steps.terraform_fmt.outcome }}" == "success" ? "✔️" : "❌" } Terraform Format and Style 🖌
            ${ "${{ steps.terraform_init.outcome }}" == "success" ? "✔️" : "❌" } Terraform Initialization ⚙️
            ${ "${{ steps.terraform_plan.outcome }}" == "success" ? "✔️" : "❌" } Terraform Plan 📖
            ${ "${{ steps.terraform_validate.outcome }}" == "success" ? "✔️" : "❌" } Terraform Validation 🤖

            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*

            ${markdownTable}`;

            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            });

      - name: Terraform Plan Status
        if: steps.terraform_plan.outcome == 'failure'
        run: exit 1

  docs:
    name: Terraform Docs
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}

      - name: Render terraform docs inside the README.md and push changes back to PR branch
        uses: terraform-docs/gh-actions@main
        with:
          working-dir: .
          output-file: README.md
          output-method: inject
          git-push: "true"
	---
	name: 'Terraform GitHub Plan Shared Action'

	# yamllint disable-line rule:truthy
	on:
	workflow_call:
	inputs:
	aws_region:
	description: 'The target AWS Region for access to S3 & DynamoDB'
	required: true
	type: string
	role_to_assume:
	description: 'The target IAM Role to assume to grant access to AWS S3 & DynamoDB or other resources required'
	required: true
	type: string
	aws_audience:
	description: 'Audience value used to restrict access to the IAM Role'
	required: true
	type: string
	role_session_name:
	description: 'Session name for the Assumed IAM Role'
	required: false
	type: string
	terraform_backend_config:
	description: 'The Terraform State Variable file defining the location of state settings such as S3, DynamoDb etc'
	default: 'terraform_state.tfvars'
	required: false
	type: string
	secrets:
	github_app_id:
	description: 'The GitHub App ID that provides the necessary access for Terraform to configure GitHub resources'
	required: true
	github_app_installation_id:
	description: 'The GitHub App Installation ID of the GitHub App ID'
	required: true
	github_app_pem_file:
	description: 'The contents of the GitHub App Private Key file'
	required: true
	terraform_app_id:
	description: 'The GitHub App ID that provides the necessary access to the Terraform Community Repositories'
	required: true
	terraform_app_pem_file:
	description: 'The contents of the GitHub App Private Key file that provides the necessary access to the Terraform Community Repositories'
	required: true

	jobs:
	Validation:
	name: Terraform Plan Workflow
	runs-on: ubuntu-latest
	needs: docs
	permissions:
	id-token: write
	contents: read
	issues: write
	pull-requests: write

	container:
	image: hashicorp/terraform:latest
	env:
	GITHUB_APP_ID: ${{ secrets.github_app_id }}
	GITHUB_APP_INSTALLATION_ID: ${{ secrets.github_app_installation_id }}
	GITHUB_APP_PEM_FILE: ${{ secrets.github_app_pem_file }}

	steps:
	- name: Checkout Code
	uses: actions/checkout@v4

	- name: Configure AWS Credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	audience: ${{ inputs.aws_audience }}
	aws-region: ${{ inputs.aws_region }}
	role-to-assume: ${{ inputs.role_to_assume }}
	role-session-name: ${{ inputs.role_session_name }}

	- uses: actions/create-github-app-token@v1
	id: app-token
	with:
	app-id: ${{ secrets.terraform_app_id }}
	private-key: ${{ secrets.terraform_app_pem_file }}
	owner: 'another-github-organisation'

	- name: Terraform Initialization
	run: \|
	git config --global url."https://oauth2:${{ steps.app-token.outputs.token }}@github.com".insteadOf https://github.com
	terraform init -backend-config="${{ inputs.terraform_backend_config }}" -upgrade
	id: terraform_init

	- name: Terraform Validation
	run: terraform validate
	id: terraform_validate

	- name: Terraform Format and Style
	run: terraform fmt -check -diff -recursive
	id: terraform_fmt

	- name: Terraform Plan
	id: terraform_plan
	run: terraform plan -no-color --out tfplan.binary
	continue-on-error: true

	- name: Update Pull Request
	uses: actions/github-script@v6
	if: github.event_name == 'pull_request'
	with:
	script: \|
	const output = `${ "${{ steps.terraform_fmt.outcome }}" == "success" ? "✔️" : "❌" } Terraform Format and Style 🖌
	${ "${{ steps.terraform_init.outcome }}" == "success" ? "✔️" : "❌" } Terraform Initialization ⚙️
	${ "${{ steps.terraform_plan.outcome }}" == "success" ? "✔️" : "❌" } Terraform Plan 📖
	${ "${{ steps.terraform_validate.outcome }}" == "success" ? "✔️" : "❌" } Terraform Validation 🤖

	Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`

	${markdownTable}`;

	github.rest.issues.createComment({
	issue_number: context.issue.number,
	owner: context.repo.owner,
	repo: context.repo.repo,
	body: output
	});

	- name: Terraform Plan Status
	if: steps.terraform_plan.outcome == 'failure'
	run: exit 1

	docs:
	name: Terraform Docs
	runs-on: ubuntu-latest

	steps:
	- uses: actions/checkout@v4
	with:
	ref: ${{ github.event.pull_request.head.ref }}

	- name: Render terraform docs inside the README.md and push changes back to PR branch
	uses: terraform-docs/gh-actions@main
	with:
	working-dir: .
	output-file: README.md
	output-method: inject
	git-push: "true"