diff --git a/.github/workflows/terraform_apply.yaml b/.github/workflows/terraform_apply.yaml index 3fc7b41..16bb75e 100644 --- a/.github/workflows/terraform_apply.yaml +++ b/.github/workflows/terraform_apply.yaml 
@@ -3,54 +3,128 @@ name: Terraform Apply # Controls when the workflow will run on: + push: + branches: + - main + # Allows you to run this workflow manually from the Actions tab workflow_dispatch: - + +concurrency: + group: ${{ github.repo }}-${{ vars.terraform_workspace }} + +permissions: write-all # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: # This workflow contains a single job called "build" - Apply: + Plan: # The type of runner that the job will run on - runs-on: [ "229685449397" ] + runs-on: ["229685449397"] + env: - GITHUB_TOKEN: "${{ secrets.GH_TOKEN }}" - GITHUB_OWNER: CSVD - GITHUB_BASE_URL: https://github.e.it.census.gov TF_WORKSPACE: ${{ vars.terraform_workspace }} TF_CLI_ARGS_plan: -lock-timeout=30m TF_CLI_ARGS_apply: -lock-timeout=30m + NO_PROXY: ${{ vars.NO_PROXY }} # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 - - - uses: CSVD/gh-actions-setup-node@v3 + - uses: CSVD/gh-actions-checkout@v4 + id: checkout with: - node-version: 16 - - - name: blow up .terraform - run: rm -rf ${{ github.workspace }}/.terraform || echo "nope" + persist-credentials: false + + - name: git show + run: echo "commit_sha=$(git show | grep commit | head -1 | awk '{ print $NF }')" >> $GITHUB_ENV - - name: Setup AWS Credentials - id: aws_credentials - run: | - curl -qL -o aws_credentials.json http://169.254.170.2/${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI} > aws_credentials.json - aws configure set aws_access_key_id `jq -r '.AccessKeyId' aws_credentials.json` - echo AWS_ACCESS_KEY_ID=`jq -r '.AccessKeyId' aws_credentials.json` >> $GITHUB_ENV - aws configure set aws_secret_access_key `jq -r '.SecretAccessKey' aws_credentials.json` - echo AWS_SECRET_ACCESS_KEY=`jq -r '.SecretAccessKey' aws_credentials.json` >> $GITHUB_ENV - aws configure set aws_session_token `jq -r '.Token' 
aws_credentials.json` - echo AWS_SESSION_TOKEN=`jq -r '.Token' aws_credentials.json` >> $GITHUB_ENV + - name: AWS Auth + id: aws_auth + uses: CSVD/aws-auth@main + with: + ecs: true + + - name: Setup GITHUB Credentials + id: github_credentials + uses: CSVD/gh-auth@main + with: + github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }} + github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }} + github_base_url: "${{ github.server_url }}/" - name: Terraform Init - id: init - run: /opt/tfenv/bin/terraform init -upgrade - - - name: Terraform Validate - id: validate - run: /opt/tfenv/bin/terraform validate + uses: CSVD/terraform-init@main + id: terraform_init + with: + commit_sha: ${{ env.commit_sha }} + checkout: false + terraform_version: "1.9.1" + workspace: ${{ vars.terraform_workspace }} + setup_terraform: true + terraform_init: true + env: + GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }} + AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }} + AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }} + + - name: debug outputs + run: | + echo "S3 Upload Path: ${{ steps.terraform_init.outputs.s3_upload_path }}" + echo "Commit SHA: ${{ steps.terraform_init.outputs.commit_sha }}" + - name: show me + if: ${{ steps.terraform_init.outputs.s3_upload_path == '' }} + run: echo "s3_upload_path is not populated" + + - name: show me + if: ${{ steps.terraform_init.outputs.commit_sha == '' }} + run: echo "commit_sha is not populated" + + - name: Terraform Plan + uses: CSVD/terraform-plan@main + with: + terraform_version: "1.9.1" + workspace: ${{ vars.terraform_workspace }} + commit_sha: ${{ steps.terraform_init.outputs.commit_sha }} + varfile: varfiles/${{ vars.terraform_workspace }}.tfvars + download_cache: true + setup_terraform: false + cache_key: ${{ steps.terraform_init.outputs.s3_upload_path }} + env: + AWS_ACCESS_KEY_ID: ${{ 
steps.aws_auth.outputs.aws_access_key_id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }} + AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }} + GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }} + GITHUB_OWNER: ${{ github.repository_owner }} + GITHUB_BASE_URL: "${{ github.server_url }}/" + HTTP_PROXY: http://proxy.tco.census.gov:3128 + HTTPS_PROXY: http://proxy.tco.census.gov:3128 + NO_PROXY: ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com" + # This workflow contains a single job called "build" + Apply: + # The type of runner that the job will run on + runs-on: ["229685449397"] + needs: Plan + environment: requires_approval + steps: - name: Terraform Apply - id: apply - run: /opt/tfenv/bin/terraform apply -auto-approve -var-file=varfiles/${{ vars.terraform_workspace }}.tfvars - + uses: CSVD/terraform-apply@main + with: + terraform_version: "1.9.1" + workspace: ${{ vars.terraform_workspace }} + commit_sha: ${{ steps.terraform_init.outputs.commit_sha }} + varfile: varfiles/${{ vars.terraform_workspace }}.tfvars + download_cache: true + setup_terraform: false + cache_key: ${{ steps.terraform_init.outputs.s3_upload_path }} + env: + AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }} + AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }} + GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }} + GITHUB_OWNER: ${{ github.repository_owner }} + GITHUB_BASE_URL: "${{ github.server_url }}/" + HTTP_PROXY: http://proxy.tco.census.gov:3128 + HTTPS_PROXY: http://proxy.tco.census.gov:3128 + NO_PROXY: ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com" + +
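Review bot: The Apply job's `with` and `env` entries read `steps.terraform_init.*`, `steps.aws_auth.*` and `steps.github_credentials.*`, but those steps exist only in the Plan job and the `steps` context is job-scoped, so in Apply every one of those expressions (`commit_sha`, `cache_key` and all four credential variables) evaluates to an empty string and the apply runs without the intended credentials. Apply needs its own checkout, `CSVD/aws-auth` and `CSVD/gh-auth` steps, and should take `commit_sha` and `s3_upload_path` from Plan through job `outputs:` and `needs.Plan.outputs.*` (never pass the AWS/GitHub credentials that way); the rewrite is below. `permissions: write-all` grants every scope to the default `GITHUB_TOKEN` even though the workflow authenticates through a GitHub App token and checks out with `persist-credentials: false`, so `permissions: contents: read` (or `permissions: {}`) looks sufficient unless one of the CSVD actions is known to need more. Every `CSVD/*@main` reference runs whatever is currently on that mutable branch while holding the AWS session credentials and the App PEM, so pin them to a release tag or full commit SHA. The `concurrency.group` expression uses `github.repo`, which is not a documented context property (`github.repository` is), and presumably expands to an empty string.

```yaml
  Plan:
    # … unchanged: runs-on, env, steps …
    outputs:
      commit_sha: ${{ steps.terraform_init.outputs.commit_sha }}
      s3_upload_path: ${{ steps.terraform_init.outputs.s3_upload_path }}

  Apply:
    runs-on: ["229685449397"]
    needs: Plan
    environment: requires_approval
    steps:
      # kept so the relative varfiles/ path resolves — confirm terraform-apply does not check out itself
      - uses: CSVD/gh-actions-checkout@v4
        with:
          persist-credentials: false

      - name: AWS Auth
        id: aws_auth
        uses: CSVD/aws-auth@main  # pin to a release tag or full commit SHA
        with:
          ecs: true

      - name: Setup GITHUB Credentials
        id: github_credentials
        uses: CSVD/gh-auth@main  # pin to a release tag or full commit SHA
        with:
          github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
          github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
          github_base_url: "${{ github.server_url }}/"

      - name: Terraform Apply
        uses: CSVD/terraform-apply@main  # pin to a release tag or full commit SHA
        with:
          terraform_version: "1.9.1"
          workspace: ${{ vars.terraform_workspace }}
          commit_sha: ${{ needs.Plan.outputs.commit_sha }}
          varfile: varfiles/${{ vars.terraform_workspace }}.tfvars
          download_cache: true
          setup_terraform: false
          cache_key: ${{ needs.Plan.outputs.s3_upload_path }}
        env:
          AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }}
          AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }}
          AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }}
          GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }}
          # … unchanged: GITHUB_OWNER, GITHUB_BASE_URL, HTTP_PROXY, HTTPS_PROXY, NO_PROXY …
```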