diff --git a/.github/workflows/terraform_apply.yaml b/.github/workflows/terraform_apply.yaml index 3055a9c..12c67b3 100644 --- a/.github/workflows/terraform_apply.yaml +++ b/.github/workflows/terraform_apply.yaml @@ -4,56 +4,139 @@ name: Terraform Apply # Controls when the workflow will run on: push: - branches: [ "main" ] + branches: + - main # Allows you to run this workflow manually from the Actions tab workflow_dispatch: - + +concurrency: + group: ${{ github.repo }}-${{ vars.terraform_workspace }} + +permissions: write-all # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: # This workflow contains a single job called "build" - build: + Plan: # The type of runner that the job will run on - runs-on: [ ghe-runners ] + runs-on: ["229685449397"] + env: - AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}" - AWS_ACCESS_KEY_ID: "${{ vars.AWS_ACCESS_KEY_ID }}" - AWS_SESSION_TOKEN: "${{ secrets.AWS_SESSION_TOKEN }}" - GITHUB_TOKEN: "${{ secrets.GH_TOKEN }}" + TF_WORKSPACE: ${{ vars.terraform_workspace }} + TF_CLI_ARGS_plan: -lock-timeout=30m + TF_CLI_ARGS_apply: -lock-timeout=30m + NO_PROXY: ${{ vars.NO_PROXY }} + + outputs: + commit_sha: "${{ steps.git_show.outputs.commit_sha }}" + cache_key: ${{ steps.terraform_init.outputs.s3_upload_path }} + github_token: ${{ steps.github_credentials.outputs.github_token }} + aws_access_key_id: ${{ steps.aws_auth.outputs.aws_access_key_id }} + aws_secret_access_key: ${{ steps.aws_auth.outputs.aws_secret_access_key }} + aws_session_token: ${{ steps.aws_auth.outputs.aws_session_token }} - # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 - + - uses: CSVD/gh-actions-checkout@v4 + id: checkout + with: + persist-credentials: false - - uses: CSVD/gh-actions-setup-node@v3 + - name: git show + id: git_show + run: | + echo "commit_sha=$(git show | grep commit | head -1 | awk '{ print $NF }')" >> $GITHUB_ENV + echo "commit_sha=$(git show | grep commit | head -1 | awk '{ print $NF }')" >> $GITHUB_OUTPUT + + - name: AWS Auth + id: aws_auth + uses: CSVD/aws-auth@main with: - node-version: 16 - - - uses: CSVD/gh-actions-setup-terraform@v2 + ecs: true + + - name: Setup GITHUB Credentials + id: github_credentials + uses: CSVD/gh-auth@main with: - terraform_wrapper: false - terraform_version: ${{ vars.terraform_version }} + github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }} + github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }} + github_base_url: "${{ github.server_url }}/" - - name: Terraform Format - id: fmt - run: | - terraform fmt -check - - - name: Autoformat Halt - if: env.auto_format == 'true' - run: exit 1 - - name: Terraform Init - id: init - run: terraform init -upgrade - - - name: Terraform Validate - id: validate - run: terraform validate + uses: CSVD/terraform-init@main + id: terraform_init + with: + commit_sha: ${{ env.commit_sha }} + checkout: false + terraform_version: "1.9.1" + workspace: ${{ vars.terraform_workspace }} + setup_terraform: true + terraform_init: true + env: + GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }} + AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }} + AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }} + + - name: Terraform Plan + uses: CSVD/terraform-plan@main + with: + terraform_version: "1.9.1" + workspace: ${{ vars.terraform_workspace }} + commit_sha: ${{ steps.terraform_init.outputs.commit_sha }} + varfile: varfiles/${{ vars.terraform_workspace }}.tfvars + download_cache: true + setup_terraform: false + cache_key: ${{ steps.terraform_init.outputs.s3_upload_path }} + env: + AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }} + AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }} + GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }} + GITHUB_OWNER: ${{ github.repository_owner }} + GITHUB_BASE_URL: "${{ github.server_url }}/" + HTTP_PROXY: http://proxy.tco.census.gov:3128 + HTTPS_PROXY: http://proxy.tco.census.gov:3128 + NO_PROXY: ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com" + + Apply: + # The type of runner that the job will run on + runs-on: ["229685449397"] + needs: Plan + environment: requires_approval + steps: + - name: AWS Auth + id: aws_auth + uses: CSVD/aws-auth@main + with: + ecs: true + + - name: Setup GITHUB Credentials + id: github_credentials + uses: CSVD/gh-auth@main + with: + github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }} + github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }} + github_base_url: "${{ github.server_url }}/" - name: Terraform Apply - id: plan - run: terraform apply -auto-approve - continue-on-error: true + uses: CSVD/terraform-apply@main + with: + terraform_version: "1.9.1" + workspace: ${{ vars.terraform_workspace }} + commit_sha: ${{ needs.Plan.outputs.commit_sha }} + download_cache: true + setup_terraform: true + terraform_wrapper: false + cache_key: ${{ needs.Plan.outputs.cache_key }} + env: + AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }} + AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }} + AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }} + GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }} + GITHUB_OWNER: ${{ github.repository_owner }} + GITHUB_BASE_URL: "${{ github.server_url }}/" + HTTP_PROXY: http://proxy.tco.census.gov:3128 + HTTPS_PROXY: http://proxy.tco.census.gov:3128 + NO_PROXY: ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com" + +