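# Terraform CI/CD for packages/infrastructure.
#
# Pull requests against main: fmt -check, init, validate, plan; the plan and
# step outcomes are posted as a PR comment. Pushes to main: the same checks,
# an optional Eagle Eye diagram, then `terraform apply -auto-approve`.
name: Infrastructure CI/CD

on:
  push:
    branches:
      - main
    paths:
      - 'packages/infrastructure/**'
      - '.github/workflows/infrastructure.yml'
  pull_request:
    branches:
      - main
    paths:
      - 'packages/infrastructure/**'
      - '.github/workflows/infrastructure.yml'

# NOTE(review): workflow-level env is injected into every step of the job,
# including third-party actions (checkout, setup-terraform, github-script)
# that have no use for AWS or GHCR credentials. Only the plan/apply steps
# (and possibly run-eagle-eye.sh, whose needs are not visible here) consume
# TF_VAR_*; scoping these to those steps would be tighter. Kept at workflow
# level here so the Eagle Eye step is not broken blindly - confirm first.
# NOTE(review): long-lived AWS access keys. The same key pair is also given
# to configure-aws-credentials below; prefer OIDC (permissions: id-token:
# write + role-to-assume) so no static key has to exist in secrets at all.
env:
  CI: true
  TF_VAR_access_key: ${{ secrets.AWS_ACCESS_KEY_ID }}
  TF_VAR_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  TF_VAR_region: ${{ vars.AWS_REGION }}
  # GHCR pull credentials handed to Terraform. GH_TOKEN should be scoped to
  # read:packages only - presumably a PAT; verify in repository secrets.
  TF_VAR_ghcr_password: ${{ secrets.GH_TOKEN }}
  TF_VAR_ghcr_username: ${{ github.actor }}
  TF_VAR_ghcr_image_name: ${{ github.repository }}

defaults:
  run:
    # All terraform commands, backend.conf and eagle-eye-config.yml live here.
    working-directory: packages/infrastructure/project

jobs:
  terraform:
    name: "Terraform"
    runs-on: ubuntu-latest
    # Least-privilege GITHUB_TOKEN: comment on PRs, read code and packages.
    permissions:
      pull-requests: write
      contents: read
      packages: read
    # NOTE(review): third-party actions are referenced by mutable major tags.
    # Pinning each to a full commit SHA (with the version in a trailing
    # comment) protects against a compromised or force-pushed tag.
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Terraform
        # With the default terraform_wrapper, step outputs such as
        # steps.plan.outputs.stdout become available to later steps.
        uses: hashicorp/setup-terraform@v3

      - name: Terraform Format
        id: fmt
        run: terraform fmt -check

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ vars.AWS_REGION }}

      - name: Create backend configuration file
        # The secret is passed via env instead of `echo '${{ secrets... }}'`:
        # a ${{ }} expression is substituted into the shell source before
        # bash parses it, so a quote, `$(` or newline inside the secret would
        # break or reshape the command. An env var is read as data only.
        # NOTE(review): backend.conf is left on the runner's disk; fine on
        # ephemeral hosted runners, add a cleanup step on self-hosted ones.
        env:
          TF_BACKEND_CONFIG: ${{ secrets.TF_BACKEND_CONFIG }}
        run: printf '%s\n' "$TF_BACKEND_CONFIG" > backend.conf

      - name: Terraform Init
        id: init
        run: terraform init --backend-config=backend.conf

      - name: Terraform Validate
        id: validate
        run: terraform validate -no-color

      - name: Get latest image tag from repository
        working-directory: .github/scripts
        id: get_image_tag
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # Fix: the original first line was `echo chmod +x get-latest-tag.sh`,
        # which printed the command instead of running it. The script was
        # then called inside $(...) within an echo, so a permission-denied or
        # any other failure was swallowed and `tag=` (empty) was written to
        # GITHUB_OUTPUT and later fed to terraform plan/apply. The tag is now
        # captured first (set -e aborts on script failure) and rejected when
        # empty, so a bad lookup fails the job instead of deploying nothing.
        run: |
          chmod +x get-latest-tag.sh
          tag="$(./get-latest-tag.sh)"
          if [ -z "$tag" ]; then
            echo "get-latest-tag.sh returned an empty image tag" >&2
            exit 1
          fi
          echo "tag=$tag" >> "$GITHUB_OUTPUT"

      - name: Terraform Plan
        env:
          TF_VAR_ghcr_image_tag: ${{ steps.get_image_tag.outputs.tag }}
        id: plan
        if: github.event_name == 'pull_request'
        # NOTE(review): plan executes provider/data-source code from the PR
        # branch with the repository's AWS credentials, and a PR that edits
        # this workflow file runs its own edited version. Fork PRs receive no
        # secrets, but any branch pushed to this repository can run arbitrary
        # Terraform here - restrict push access or gate with an environment.
        run: terraform plan -no-color -input=false
        # Failure is deferred to "Terraform Plan Status" so the PR comment
        # below is still posted with the failed outcome.
        continue-on-error: true

      - name: Update Pull Request
        # v6 ran on a Node runtime GitHub has deprecated; v7 keeps the same
        # github/context/script API used here.
        uses: actions/github-script@v7
        if: github.event_name == 'pull_request'
        # Plan text is passed through env and read as process.env.PLAN rather
        # than interpolated into the script source, so plan output cannot
        # inject JavaScript. The remaining ${{ }} values (step outcomes,
        # actor, event name) are runner-controlled tokens.
        env:
          PLAN: ${{ steps.plan.outputs.stdout }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
            #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
            #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
            <details><summary>Show Plan</summary>
            \`\`\`terraform\n
            ${process.env.PLAN}
            \`\`\`
            </details>
            *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            })

      # Eagle Eye diagram: best-effort on pushes to main (every step is
      # continue-on-error, so a failure here never blocks the apply).
      - name: Export Eagle Eye Config
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        # Same env-passing fix as backend.conf: keep the secret out of the
        # shell source. printf '%s\n' matches echo's trailing newline.
        env:
          EAGLE_EYE_CONFIG_FILE: ${{ secrets.EAGLE_EYE_CONFIG_FILE }}
        run: printf '%s\n' "$EAGLE_EYE_CONFIG_FILE" | base64 --decode > eagle-eye-config.yml
        continue-on-error: true

      - name: Grant execute permission to Eagle Eye script
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        # github.workspace is a runner-controlled path, so interpolating it
        # is safe; quoted in case the workspace path ever contains spaces.
        run: chmod +x "${{ github.workspace }}/.github/scripts/run-eagle-eye.sh"
        continue-on-error: true

      - name: Eagle Eye
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: ${{ github.workspace }}/.github/scripts/run-eagle-eye.sh
        continue-on-error: true

      - name: Upload artifact
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        # v2 used an artifact API/runtime GitHub has since retired; v4 is the
        # supported release and accepts the same name/path inputs. `path` is
        # relative to the workspace, not to defaults.run.working-directory.
        uses: actions/upload-artifact@v4
        with:
          name: eagle-eye-diagram
          path: packages/infrastructure/project/terraform.png
        continue-on-error: true

      - name: Terraform Plan Status
        # Surfaces the deferred plan failure once the PR comment is posted.
        # On push events plan is skipped (outcome 'skipped'), so this no-ops.
        if: steps.plan.outcome == 'failure'
        run: exit 1

      - name: Terraform Apply
        env:
          TF_VAR_ghcr_image_tag: ${{ steps.get_image_tag.outputs.tag }}
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        # NOTE(review): the plan step above runs only for pull_request, so
        # this apply has no fresh plan to compare against and nothing stops
        # two overlapping pushes to main from applying concurrently. Consider
        # a `concurrency:` group on this job and a protected environment with
        # required reviewers before -auto-approve.
        run: terraform apply -auto-approve -input=false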