Update terraform_apply.yaml

CSVD · Oct 16, 2024 · f15ebb9 · f15ebb9
1 parent bf62343
commit f15ebb9
Showing 1 changed file with 107 additions and 33 deletions.
diff --git a/.github/workflows/terraform_apply.yaml b/.github/workflows/terraform_apply.yaml
@@ -3,54 +3,128 @@ name: Terraform Apply
 
 # Controls when the workflow will run
 on:
+  push:
+    branches:
+      - main
+  # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
-
+
+concurrency:
+  group: ${{ github.repo }}-${{ vars.terraform_workspace }}
+
+permissions: write-all
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   # This workflow contains a single job called "build"
-  Apply:
+  Plan:
     # The type of runner that the job will run on
-    runs-on: [ "229685449397" ]
+    runs-on: ["229685449397"]
+
     env:
-      GITHUB_TOKEN: "${{ secrets.GH_TOKEN }}"
-      GITHUB_OWNER: CSVD
-      GITHUB_BASE_URL: https://github.e.it.census.gov
       TF_WORKSPACE: ${{ vars.terraform_workspace }}
       TF_CLI_ARGS_plan: -lock-timeout=30m
       TF_CLI_ARGS_apply: -lock-timeout=30m
+      NO_PROXY: ${{ vars.NO_PROXY }}
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v3
-
-      - uses: CSVD/gh-actions-setup-node@v3
+      - uses: CSVD/gh-actions-checkout@v4
+        id: checkout
         with:
-           node-version: 16
-          
-      - name: blow up .terraform
-        run: rm -rf ${{ github.workspace }}/.terraform || echo "nope"
+          persist-credentials: false
+
+      - name: git show
+        run: echo "commit_sha=$(git show | grep commit | head -1 | awk '{ print $NF }')" >> $GITHUB_ENV
 
-      - name: Setup AWS Credentials
-        id: aws_credentials
-        run: |
-          curl -qL -o aws_credentials.json http://169.254.170.2/${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI} > aws_credentials.json
-          aws configure set aws_access_key_id `jq -r '.AccessKeyId' aws_credentials.json`
-          echo AWS_ACCESS_KEY_ID=`jq -r '.AccessKeyId' aws_credentials.json` >> $GITHUB_ENV
-          aws configure set aws_secret_access_key `jq -r '.SecretAccessKey' aws_credentials.json`
-          echo AWS_SECRET_ACCESS_KEY=`jq -r '.SecretAccessKey' aws_credentials.json` >> $GITHUB_ENV
-          aws configure set aws_session_token `jq -r '.Token' aws_credentials.json`
-          echo AWS_SESSION_TOKEN=`jq -r '.Token' aws_credentials.json` >> $GITHUB_ENV
+      - name: AWS Auth
+        id: aws_auth
+        uses: CSVD/aws-auth@main
+        with:
+          ecs: true
+
+      - name: Setup GITHUB Credentials
+        id: github_credentials
+        uses: CSVD/gh-auth@main
+        with:
+          github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
+          github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
+          github_base_url: "${{ github.server_url }}/"
 
       - name: Terraform Init
-        id: init
-        run: /opt/tfenv/bin/terraform init -upgrade
-
-      - name: Terraform Validate
-        id: validate
-        run: /opt/tfenv/bin/terraform validate
+        uses: CSVD/terraform-init@main
+        id: terraform_init
+        with:
+          commit_sha: ${{ env.commit_sha }}
+          checkout: false
+          terraform_version: "1.9.1"
+          workspace: ${{ vars.terraform_workspace }}
+          setup_terraform: true
+          terraform_init: true
+        env:
+          GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }}
+          AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }}
+          AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }}
+          AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }}
+
+      - name: debug outputs
+        run: |
+          echo "S3 Upload Path: ${{ steps.terraform_init.outputs.s3_upload_path }}"
+          echo "Commit SHA: ${{ steps.terraform_init.outputs.commit_sha }}"
 
+      - name: show me
+        if: ${{ steps.terraform_init.outputs.s3_upload_path == '' }}
+        run: echo "s3_upload_path is not populated"
+
+      - name: show me
+        if: ${{ steps.terraform_init.outputs.commit_sha == '' }}
+        run: echo "commit_sha is not populated"
+
+      - name: Terraform Plan
+        uses: CSVD/terraform-plan@main
+        with:
+          terraform_version: "1.9.1"
+          workspace: ${{ vars.terraform_workspace }}
+          commit_sha: ${{ steps.terraform_init.outputs.commit_sha }}
+          varfile: varfiles/${{ vars.terraform_workspace }}.tfvars
+          download_cache: true
+          setup_terraform: false
+          cache_key: ${{ steps.terraform_init.outputs.s3_upload_path }}
+        env:
+          AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }}
+          AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }}
+          AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }}
+          GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }}
+          GITHUB_OWNER: ${{ github.repository_owner }}
+          GITHUB_BASE_URL: "${{ github.server_url }}/"
+          HTTP_PROXY: http://proxy.tco.census.gov:3128
+          HTTPS_PROXY: http://proxy.tco.census.gov:3128
+          NO_PROXY: ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com" 
+  # This workflow contains a single job called "build"
+  Apply:
+    # The type of runner that the job will run on
+    runs-on: ["229685449397"]
+    needs: Plan
+    environment: requires_approval
+    steps:
       - name: Terraform Apply
-        id: apply
-        run: /opt/tfenv/bin/terraform apply -auto-approve -var-file=varfiles/${{ vars.terraform_workspace }}.tfvars
-
+        uses: CSVD/terraform-apply@main
+        with:
+          terraform_version: "1.9.1"
+          workspace: ${{ vars.terraform_workspace }}
+          commit_sha: ${{ steps.terraform_init.outputs.commit_sha }}
+          varfile: varfiles/${{ vars.terraform_workspace }}.tfvars
+          download_cache: true
+          setup_terraform: false
+          cache_key: ${{ steps.terraform_init.outputs.s3_upload_path }}
+        env:
+          AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }}
+          AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }}
+          AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }}
+          GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }}
+          GITHUB_OWNER: ${{ github.repository_owner }}
+          GITHUB_BASE_URL: "${{ github.server_url }}/"
+          HTTP_PROXY: http://proxy.tco.census.gov:3128
+          HTTPS_PROXY: http://proxy.tco.census.gov:3128
+          NO_PROXY: ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com"
+
+