Skip to content

Instantly share code, notes, and snippets.

@jonesy1234
Created February 12, 2024 05:52
Show Gist options
  • Save jonesy1234/3007453a79383d36f9f3a6439b5e0540 to your computer and use it in GitHub Desktop.
Save jonesy1234/3007453a79383d36f9f3a6439b5e0540 to your computer and use it in GitHub Desktop.
---
name: Terraform Plan
# yamllint disable-line rule:truthy
on:
pull_request:
branches: [master, main]
workflow_dispatch:
jobs:
Validation:
name: Terraform Plan Workflow
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
issues: write
pull-requests: write
container:
image: hashicorp/terraform:latest
env:
GITHUB_APP_ID: ${{ secrets.TF_APP_ID }}
GITHUB_APP_INSTALLATION_ID: ${{ secrets.TF_APP_INSTALLATION_ID }}
GITHUB_APP_PEM_FILE: ${{ secrets.TF_APP_PEM_FILE }}
GITHUB_ORGANIZATION: 'github-organisation'
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
audience: https://github.com/github-organisation
aws-region: ap-southeast-2
role-to-assume: arn:aws:iam::123456789123:role/app-github-organisation-123456789123
role-session-name: github-organisation
- uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.TERRAFORM_MODULES_APP_ID }}
private-key: ${{ secrets.TERRAFORM_MODULES_APP_PRIVATE_KEY }}
owner: another-github-organisation
- name: Terraform Initialization
run: |
git config --global url."https://oauth2:${{ steps.app-token.outputs.token }}@github.com".insteadOf https://github.com
terraform init -backend-config="terraform_state.tfvars" -upgrade
id: terraform_init
- name: Terraform Validation
run: terraform validate
id: terraform_validate
- name: Terraform Format and Style
run: terraform fmt -check -diff -recursive
id: terraform_fmt
- name: Terraform Plan
id: terraform_plan
# if: github.event_name == 'pull_request'
run: terraform plan -no-color --out tfplan.binary
continue-on-error: true
- name: Terraform JSON output
id: terraform_json
if: steps.terraform_plan.outcome == 'success'
run: terraform show -json tfplan.binary > tfplan.json
continue-on-error: true
- name: Update Pull Request
uses: actions/github-script@v6
if: github.event_name == 'pull_request'
with:
script: |
const output = `${ "${{ steps.terraform_fmt.outcome }}" == "success" ? "✔️" : "❌" } Terraform Format and Style 🖌
${ "${{ steps.terraform_init.outcome }}" == "success" ? "✔️" : "❌" } Terraform Initialization ⚙️
${ "${{ steps.terraform_plan.outcome }}" == "success" ? "✔️" : "❌" } Terraform Plan 📖
${ "${{ steps.terraform_validate.outcome }}" == "success" ? "✔️" : "❌" } Terraform Validation 🤖
*Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
});
- name: Terraform Plan Status
if: steps.terraform_plan.outcome == 'failure'
run: exit 1
docs:
name: Terraform Docs
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}
- name: Render terraform docs inside the README.md and push changes back to PR branch
uses: terraform-docs/gh-actions@main
with:
working-dir: .
output-file: README.md
output-method: inject
git-push: "true"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment