From 064278d3537d0fff5d5f9de84538a3fdfe10e861 Mon Sep 17 00:00:00 2001
From: David John Arnold Jr
Date: Tue, 20 Aug 2024 13:21:28 -0700
Subject: [PATCH] Sandbox (#13)
* Refactor image pipeline module names and update workflows
* Refactor image pipeline module names and update workflows
* adding a workspace for managing service accounts
* Autoformatting TF Code
* fixing module source
* adding service-accounts for use with github actions
* Refactor image pipeline module names and update workflows
* chore: Update module name in sandbox.tf
* chore: Update module source in sandbox.tf
* Update terraform_plan.yaml
* Update terraform_plan.yaml
* Update terraform_plan.yaml
* Update sandbox.tf
---------
Co-authored-by: Dave Arnold
---
 .github/workflows/terraform_plan.yaml | 11 ++++-
 actions_secrets.tf | 14 ++++++
 image-pipeline.tf | 2 +-
 sandbox.tf | 61 +++++++++++++++++++++++++++
 4 files changed, 85 insertions(+), 3 deletions(-)
 create mode 100644 actions_secrets.tf
 create mode 100644 sandbox.tf
diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml
index 25f471d..4ca8302 100644
--- a/.github/workflows/terraform_plan.yaml
+++ b/.github/workflows/terraform_plan.yaml
@@ -68,13 +68,20 @@ jobs: - name: Terraform Plan id: plan - run: terraform plan -no-color + if: github.event_name == 'pull_request' + run: terraform plan -out plans/${{ github.sha }} + continue-on-error: true + + - name: Terraform Plan + id: show_plan + if: github.event_name == 'pull_request' + run: terraform show -no-color plans/${{ github.sha }} continue-on-error: true - uses: CSVD/gh-actions-github-script@v6 if: github.event_name == 'pull_request' env: - PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" + PLAN: "terraform\n${{ steps.show_plan.outputs.stdout }}" with: github-token: ${{ secrets.GH_TOKEN }} script: |
diff --git a/actions_secrets.tf b/actions_secrets.tf
new file mode 100644
index 0000000..2c43dce
--- /dev/null
+++ b/actions_secrets.tf
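Review bot: `terraform plan -out plans/${{ github.sha }}` in the new `plan` step will fail if the `plans/` directory does not already exist in the working directory, since Terraform does not create the parent directory of an `-out` path, and with `continue-on-error: true` on both steps that failure would surface only as an empty plan comment on the PR. Unless an earlier step outside this hunk creates the directory, prefix the command, `run: mkdir -p plans && terraform plan -out plans/${{ github.sha }}`, and gate the show step with `if: github.event_name == 'pull_request' && steps.plan.outcome == 'success'` so it does not try to read a missing file. The second step also still reads `name: Terraform Plan`; calling it `Terraform Show` keeps the job log unambiguous. Note as well that a saved plan file holds variable and attribute values unmasked, so it should stay on the runner and never be uploaded as an artifact or committed.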
@@ -0,0 +1,14 @@
+locals {
+ secrets = [
+ "AWS_SECRET_ACCESS_KEY",
+ "AWS_SESSION_TOKEN",
+ "AWS_ACCESS_KEY_ID",
+ "GITHUB_TOKEN"
+ ]
+}
+
+module "env_var" {
+ source = "HappyPathway/var/env"
+ for_each = toset(local.secrets)
+ env_var = each.value
+}
diff --git a/image-pipeline.tf b/image-pipeline.tf
index e978deb..f19cd98 100644
--- a/image-pipeline.tf
+++ b/image-pipeline.tf
@@ -132,7 +132,7 @@ module "terraform_aws_image_pipeline" {
 content = templatefile(
 "${path.module}/workflows/terraform-plan.yaml.tpl",
 {
- repo_name = "aws-image-pipeline",
+ repo_name = "terraform-aws-image-pipeline",
 directory = "./examples"
 git_owner = {
 name = "arnol377"
diff --git a/sandbox.tf b/sandbox.tf
new file mode 100644
index 0000000..99ff22e
--- /dev/null
+++ b/sandbox.tf
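Review bot: `module "env_var"` pulls `HappyPathway/var/env` from the registry with no `version` constraint, so each `terraform init` resolves to whatever the latest published release is, and the same applies to `HappyPathway/repo/github` in sandbox.tf. Because this module's outputs (consumed as `.value` in sandbox.tf) carry the AWS credentials and the token, a changed or compromised upstream release would sit directly on the credential path; pin it with `version = "<PINNED_VERSION>"` beside `source`. The names in `local.secrets` are presumably environment variables the module reads from the process running Terraform, and their values become module outputs that are recorded in state; a comment above the list saying so, e.g. `# names of environment variables read at plan/apply time; values surface as module outputs and are stored in state`, would make that data flow explicit for the next maintainer.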
@@ -0,0 +1,61 @@
+
+locals {
+ workspace_instances = [
+ "arnol377-sandbox"
+ ]
+}
+
+module "sandbox" {
+ source = "HappyPathway/repo/github"
+ for_each = toset(local.workspace_instances)
+ github_repo_description = "Sandbox - ${each.value}"
+ repo_org = "arnol377"
+ name = each.value
+ github_repo_topics = [
+ "terraform"
+ ]
+ force_name = true
+ github_is_private = false
+ create_codeowners = false
+ enforce_prs = false
+ collaborators = {"arnol377": "admin"}
+ managed_extra_files = [
+ {
+ path = ".github/workflows/terraform-plan.yaml"
+ content = templatefile(
+ "${path.module}/workflows/terraform-plan.yaml.tpl",
+ {
+ repo_name = each.value,
+ directory = null
+ git_owner = {
+ name = "arnol377"
+ email = "david.j.arnold.jr@census.gov"
+ }
+ }
+ )
+ },
+ {
+ path = ".github/workflows/terraform-apply.yaml"
+ content = templatefile(
+ "${path.module}/workflows/terraform-apply.yaml.tpl",
+ {
+ repo_name = each.value,
+ directory = null
+ }
+ )
+ }
+ ]
+ secrets = [
+ for secret in [for secret in local.secrets : secret if secret != "AWS_ACCESS_KEY_ID"] :
+ {
+ name = replace(secret, "GITHUB", "GH")
+ value = lookup(module.env_var, secret).value
+ }
+ ]
+ vars = [
+ {
+ name = "AWS_ACCESS_KEY_ID"
+ value = lookup(module.env_var, "AWS_ACCESS_KEY_ID").value
+ }
+ ]
+}
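Review bot: The `secrets` and `vars` blocks at the end of the hunk copy live AWS credentials and the runner's own token (renamed to `GH_TOKEN`) into a repository that the same block makes public (`github_is_private = false`) with `enforce_prs = false`, and `AWS_ACCESS_KEY_ID` goes in as a `vars` entry, which presumably becomes an unmasked Actions variable rather than a secret. Since the values come from `module.env_var`, i.e. whatever is in the environment of the run performing the apply, `AWS_SESSION_TOKEN` and `GITHUB_TOKEN` are session-scoped and will be stale shortly after the apply, each subsequent run will likely rewrite them, and if the repo module uses `github_actions_secret` the plaintext values are also recorded in Terraform state. A more durable design is AWS OIDC federation for the sandbox repository, which removes the credential copy altogether; failing that, consider keeping the key id in `secrets` by dropping the `if secret != "AWS_ACCESS_KEY_ID"` filter and the `vars` block. The `replace(secret, "GITHUB", "GH")` call also deserves a comment, `# GitHub rejects secret names starting with GITHUB_, so the token is stored as GH_TOKEN`, since the rename is otherwise surprising.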