diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml
index 5d5681b..335080b 100644
--- a/.github/workflows/terraform_plan.yaml
+++ b/.github/workflows/terraform_plan.yaml
@@ -4,117 +4,83 @@ name: Terraform Plan
# Controls when the workflow will run
on:
pull_request:
- # Allows you to run this workflow manually from the Actions tab
+ # Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
+
+concurrency:
+ group: ${{ github.repo }}-${{ vars.terraform_workspace }}
+permissions: write-all
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "build"
- build:
+ Plan:
# The type of runner that the job will run on
- runs-on: [ "229685449397" ]
+ runs-on: ["229685449397"]
+
env:
- AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
- AWS_ACCESS_KEY_ID: "${{ vars.AWS_ACCESS_KEY_ID }}"
- AWS_SESSION_TOKEN: "${{ secrets.AWS_SESSION_TOKEN }}"
- GITHUB_TOKEN: "${{ secrets.GH_TOKEN }}"
+ TF_WORKSPACE: ${{ vars.terraform_workspace }}
+ TF_CLI_ARGS_plan: -lock-timeout=30m
+ TF_CLI_ARGS_apply: -lock-timeout=30m
+ NO_PROXY: ${{ vars.NO_PROXY }}
-
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
- # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: CSVD/gh-actions-checkout@v3
+ - uses: CSVD/gh-actions-checkout@v4
+ id: checkout
with:
- github-server-url: https://github.e.it.census.gov
- ref: ${{ github.head_ref }}
- token: ${{ secrets.GH_TOKEN }}
+ persist-credentials: false
-
- - uses: CSVD/gh-actions-setup-node@v3
+ - name: git show
+ run: echo "commit_sha=$(git show | grep commit | head -1 | awk '{ print $NF }')" >> $GITHUB_ENV
+
+ - name: AWS Auth
+ id: aws_auth
+ uses: CSVD/aws-auth@main
with:
- node-version: 16
-
- - uses: CSVD/gh-actions-setup-terraform@v2
+ ecs: true
+
+ - name: Setup GITHUB Credentials
+ id: github_credentials
+ uses: CSVD/gh-auth@main
with:
- terraform_version: ${{ vars.terraform_version }}
+ github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
+ github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
+ github_base_url: "${{ github.server_url }}/"
- - name: Set output
- id: vars
- run: echo ::set-output name=short_ref::${GITHUB_REF#refs/*/}
-
- - name: Terraform Format
- id: fmt
- run: |
- terraform fmt
- if ! git diff-index --quiet HEAD; then
- git config --global user.name '${{ vars.REPO_OWNER }}'
- git config --global user.email '${{ vars.REPO_OWNER_EMAIL }}'
- git commit -am "Autoformatting TF Code"
- git push
- echo "auto_format=true" >> $GITHUB_ENV
- fi
-
- - name: Autoformat Halt
- if: env.auto_format == 'true'
- run: exit 0
-
- name: Terraform Init
- id: init
- run: terraform init -upgrade
-
- - name: Terraform Validate
- id: validate
- run: terraform validate -no-color
-
- - name: Terraform Plan
- id: plan
- if: github.event_name == 'pull_request'
- run: terraform plan -no-color -out=${{ vars.plan_cache }}/${{ github.sha }}
- continue-on-error: true
-
- - name: Terraform Plan
- if: github.event_name != 'pull_request'
- run: terraform plan -no-color
- continue-on-error: true
-
- - name: Terraform Show plan
- if: github.event_name == 'pull_request'
- run: echo ::set-output name=terraform_plan::$(terraform show ${{ vars.plan_cache }}/${{ github.sha }})
-
- - name: Post Terraform Plan to PR
- uses: CSVD/gh-actions-github-script@v6
- if: github.event_name == 'pull_request'
+ uses: CSVD/terraform-init@main
+ id: terraform_init
+ with:
+ commit_sha: ${{ env.commit_sha }}
+ checkout: false
+ terraform_version: "1.9.1"
+ workspace: ${{ vars.terraform_workspace }}
+ setup_terraform: true
+ terraform_init: true
env:
- PLAN: "terraform\n${{ env.terraform_plan }}"
+ GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }}
+ AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }}
+ AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }}
+ AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }}
+
+ - name: Terraform Plan
+ uses: CSVD/terraform-plan@main
with:
- github-token: ${{ secrets.GH_TOKEN }}
- script: |
- const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
- #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
- #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
- Validation Output
-
- \`\`\`\n
- ${{ steps.validate.outputs.stdout }}
- \`\`\`
-
-
-
- #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
-
- Show Plan
-
- \`\`\`\n
- ${process.env.PLAN}
- \`\`\`
-
-
-
- *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Workflow: \`${{ github.workflow }}\`*`;
-
- github.rest.issues.createComment({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- body: output
- })
+ terraform_version: "1.9.1"
+ workspace: ${{ vars.terraform_workspace }}
+ commit_sha: ${{ steps.terraform_init.outputs.commit_sha }}
+ varfile: varfiles/${{ vars.terraform_workspace }}.tfvars
+ download_cache: true
+ setup_terraform: false
+ cache_key: ${{ steps.terraform_init.outputs.s3_upload_path }}
+ env:
+ AWS_ACCESS_KEY_ID: ${{ steps.aws_auth.outputs.aws_access_key_id }}
+ AWS_SECRET_ACCESS_KEY: ${{ steps.aws_auth.outputs.aws_secret_access_key }}
+ AWS_SESSION_TOKEN: ${{ steps.aws_auth.outputs.aws_session_token }}
+ GITHUB_TOKEN: ${{ steps.github_credentials.outputs.github_token }}
+ GITHUB_OWNER: ${{ github.repository_owner }}
+ GITHUB_BASE_URL: "${{ github.server_url }}/"
+ HTTP_PROXY: http://proxy.tco.census.gov:3128
+ HTTPS_PROXY: http://proxy.tco.census.gov:3128
+ NO_PROXY: ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com"
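Review bot: `permissions: write-all` on the new top-level permissions key grants the default GITHUB_TOKEN every scope, yet nothing on the new side references that token — the init and plan steps use the App token from `steps.github_credentials.outputs.github_token` — so it should be reduced to the read-only minimum, `permissions:` / `  contents: read`, and widened per scope only if a later step turns out to need it. The four internal actions (`CSVD/aws-auth`, `CSVD/gh-auth`, `CSVD/terraform-init`, `CSVD/terraform-plan`) are pinned to the mutable `@main` ref while the checkout action is pinned to `@v4`; since these steps receive the App PEM and AWS session credentials, pin them to a release tag or a full commit SHA so a change on `main` cannot silently alter what runs with those credentials. `github.repo` in the concurrency group does not appear to be a documented property of the github context and will likely evaluate to an empty string, leaving the group as `-<workspace>`; `github.repository` is the documented name, and because concurrency groups are already repository-scoped, `${{ github.workflow }}-${{ vars.terraform_workspace }}` may express the per-workspace serialization more directly. The `git show | grep commit | head -1 | awk` pipeline in the "git show" step can be replaced with `git rev-parse HEAD`, which yields the same value without depending on `git show` output formatting. The job-level `NO_PROXY: ${{ vars.NO_PROXY }}` is overridden by the hard-coded literal in the plan step's env while the init step receives no proxy settings at all; pick one source for the proxy values so both steps behave consistently.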