Merge pull request #259 from im-practices/tf-auto-plan-update
Updates the Terraform auto-plan workflow
Showing
1 changed file
with
126 additions
and
126 deletions.
252 changes: 126 additions & 126 deletions
workflow-templates/im-build-tf-auto-plan-and-comment-on-prs.yml
@@ -1,126 +1,126 @@ | ||
# Workflow Code: DeterminedPorcupine_v23 DO NOT REMOVE | ||
# Purpose: | ||
# Automatically runs a terraform plan against the specified environments and | ||
# comments on the PR with the expected changes when commits are pushed to a PR. | ||
# | ||
# Frequency: | ||
# - This workflow should only be used once per repository | ||
# | ||
# Projects to use this Template with: | ||
# - Terraform (Core Template) | ||
# | ||
# TODO Prerequisites: | ||
# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. | ||
|
||
name: Automatically run tf plan and comment on PR | ||
on: | ||
pull_request: | ||
types: [opened, reopened, synchronize] | ||
# TODO: Verify the paths where changes should trigger this workflow. This can be removed entirely if all changes should trigger the workflow. | ||
paths: | ||
- 'infrastructure/**' | ||
|
||
permissions: | ||
# Required for secretless azure access and deploys | ||
id-token: write | ||
contents: read | ||
# Required for commenting on PR | ||
pull-requests: write | ||
|
||
jobs: | ||
auto-plan-the-tf: | ||
runs-on: [self-hosted, im-linux] | ||
|
||
strategy: | ||
matrix: | ||
# TODO: By default this only runs a plan against dev, but other envs can be added: qa, stage, demo, uat, prod | ||
environment: [dev] | ||
|
||
environment: ${{ matrix.environment }} | ||
|
||
env: | ||
# The following ARM_* values are env-level secrets/variables | ||
ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }} | ||
ARM_CLIENT_ID: ${{ vars.ARM_CLIENT_ID }} | ||
ARM_TENANT_ID: ${{ vars.ARM_TENANT_ID }} # This is an org-level variable | ||
ARM_ENVIRONMENT: 'public' | ||
TF_IN_AUTOMATION: 'true' | ||
TF_VERSION: '~>1.4.0' #TODO: Verify your version of terraform. | ||
TF_WORKING_DIR: './infrastructure/${{ matrix.environment }}' # TODO: Verify this directory structure would be correct for your repository (older projects may not be inside of an infrastructure folder) | ||
# The following SSH_* secrets are org-level secrets | ||
SSH_KEY_STORAGE_ACCOUNT: ${{ secrets.SSH_STORAGE_ACCOUNT }} | ||
SSH_KEY_NETWORK_INFO: ${{ secrets.SSH_NETWORK_INFO }} | ||
SSH_KEY_AAD_GROUP_MEMBERS: ${{ secrets.SSH_AAD_GROUP_MEMBERS }} # This is an org level secret | ||
SSH_DEPLOY_KEY_INFO: | | ||
[ | ||
{ "orgAndRepo": "im-platform/storage-account-network-rules", "envName" : "SSH_KEY_STORAGE_ACCOUNT" }, | ||
{ "orgAndRepo": "im-platform/network-information", "envName" : "SSH_KEY_NETWORK_INFO" }, | ||
{ "orgAndRepo": "im-platform/aad-group-members", "envName" : "SSH_KEY_AAD_GROUP_MEMBERS" } | ||
] | ||
defaults: | ||
run: | ||
shell: bash | ||
working-directory: '${{ env.TF_WORKING_DIR }}' | ||
|
||
steps: | ||
- name: Checkout Repository | ||
uses: actions/checkout@v4 | ||
|
||
- name: Setup Terraform | ||
id: setup | ||
uses: hashicorp/setup-terraform@v3 | ||
with: | ||
terraform_version: '${{ env.TF_VERSION }}' | ||
|
||
# Allows pulling modules from the repo instead of artifactory | ||
- name: Setup SSH Keys and known_hosts | ||
uses: im-open/[email protected] | ||
with: | ||
deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }} | ||
|
||
- name: Terraform Init | ||
if: always() | ||
id: init | ||
run: terraform init | ||
|
||
- name: Terraform Format | ||
if: always() | ||
working-directory: . | ||
id: fmt | ||
run: terraform fmt -check -recursive | ||
|
||
# TODO: Remove the pagerduty token if not configuring pagerduty. If using pagerduty verify 'pagerduty_token' is the name of the variable that tf expects | ||
# TODO: Add any other secrets that would be required for a tf plan to succeed. Since this is a multi-line command every line except the last will need a \ on the end of it | ||
# PAGERDUTY_API_KEY is an org level secret | ||
- name: Terraform Plan | ||
if: always() | ||
id: plan | ||
run: | | ||
terraform plan -no-color -lock=false \ | ||
-var="pagerduty_token=${{ secrets.PAGERDUTY_API_KEY }}" | ||
- name: 'Terraform Comment' | ||
if: always() | ||
uses: actions/github-script@v7 | ||
env: | ||
PLAN: "\n```\n${{ steps.plan.outputs.stdout }}\n```\n" | ||
with: | ||
github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo | ||
script: | | ||
const output = `### Format, Init and Plan Results for ${{ matrix.environment }} | ||
#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` | ||
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` | ||
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\` | ||
<details><summary>Show Plan</summary> | ||
${process.env.PLAN} | ||
</details> | ||
__Pusher__: @${{ github.actor }} | ||
__Action__: \`${{ github.event_name }}\``; | ||
github.rest.issues.createComment({ | ||
issue_number: context.issue.number, | ||
owner: context.repo.owner, | ||
repo: context.repo.repo, | ||
body: output | ||
}) | ||
# Workflow Code: DeterminedPorcupine_v24 DO NOT REMOVE | ||
# Purpose: | ||
# Automatically runs a terraform plan against the specified environments and | ||
# comments on the PR with the expected changes when commits are pushed to a PR. | ||
# | ||
# Frequency: | ||
# - This workflow should only be used once per repository | ||
# | ||
# Projects to use this Template with: | ||
# - Terraform (Core Template) | ||
# | ||
# TODO Prerequisites: | ||
# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. | ||
|
||
name: Automatically run tf plan and comment on PR | ||
on: | ||
pull_request: | ||
types: [opened, reopened, synchronize] | ||
# TODO: Verify the paths where changes should trigger this workflow. This can be removed entirely if all changes should trigger the workflow. | ||
paths: | ||
- 'infrastructure/**' | ||
|
||
permissions: | ||
# Required for secretless azure access and deploys | ||
id-token: write | ||
contents: read | ||
# Required for commenting on PR | ||
pull-requests: write | ||
|
||
jobs: | ||
auto-plan-the-tf: | ||
runs-on: [self-hosted, im-linux] | ||
|
||
strategy: | ||
matrix: | ||
# TODO: By default this only runs a plan against dev, but other envs can be added: qa, stage, demo, uat, prod | ||
environment: [dev] | ||
|
||
environment: ${{ matrix.environment }} | ||
|
||
env: | ||
# The following ARM_* values are env-level secrets/variables | ||
ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }} | ||
ARM_CLIENT_ID: ${{ vars.ARM_CLIENT_ID }} | ||
ARM_TENANT_ID: ${{ vars.ARM_TENANT_ID }} # This is an org-level variable | ||
ARM_ENVIRONMENT: 'public' | ||
TF_IN_AUTOMATION: 'true' | ||
TF_VERSION: '~>1.4.0' #TODO: Verify your version of terraform. | ||
TF_WORKING_DIR: './infrastructure/${{ matrix.environment }}' # TODO: Verify this directory structure would be correct for your repository (older projects may not be inside of an infrastructure folder) | ||
# The following SSH_* secrets are org-level secrets | ||
SSH_KEY_STORAGE_ACCOUNT: ${{ secrets.SSH_STORAGE_ACCOUNT }} | ||
SSH_KEY_NETWORK_INFO: ${{ secrets.SSH_NETWORK_INFO }} | ||
SSH_KEY_AAD_GROUP_MEMBERS: ${{ secrets.SSH_AAD_GROUP_MEMBERS }} # This is an org level secret | ||
SSH_DEPLOY_KEY_INFO: | | ||
[ | ||
{ "orgAndRepo": "im-platform/storage-account-network-rules", "envName" : "SSH_KEY_STORAGE_ACCOUNT" }, | ||
{ "orgAndRepo": "im-platform/network-information", "envName" : "SSH_KEY_NETWORK_INFO" }, | ||
{ "orgAndRepo": "im-platform/aad-group-members", "envName" : "SSH_KEY_AAD_GROUP_MEMBERS" } | ||
] | ||
defaults: | ||
run: | ||
shell: bash | ||
working-directory: '${{ env.TF_WORKING_DIR }}' | ||
|
||
steps: | ||
- name: Checkout Repository | ||
uses: actions/checkout@v4 | ||
|
||
- name: Setup Terraform | ||
id: setup | ||
uses: hashicorp/setup-terraform@v3 | ||
with: | ||
terraform_version: '${{ env.TF_VERSION }}' | ||
|
||
# Allows pulling modules from the repo instead of artifactory | ||
- name: Setup SSH Keys and known_hosts | ||
uses: im-open/[email protected] | ||
with: | ||
deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }} | ||
|
||
- name: Terraform Init | ||
if: always() | ||
id: init | ||
run: terraform init -input=false | ||
|
||
- name: Terraform Format | ||
if: always() | ||
working-directory: . | ||
id: fmt | ||
run: terraform fmt -check -recursive | ||
|
||
# TODO: Remove the pagerduty token if not configuring pagerduty. If using pagerduty verify 'pagerduty_token' is the name of the variable that tf expects | ||
# TODO: Add any other secrets that would be required for a tf plan to succeed. Since this is a multi-line command every line except the last will need a \ on the end of it | ||
# PAGERDUTY_API_KEY is an org level secret | ||
- name: Terraform Plan | ||
if: always() | ||
id: plan | ||
run: | | ||
terraform plan -no-color -lock=false -input=false \ | ||
-var="pagerduty_token=${{ secrets.PAGERDUTY_API_KEY }}" | ||
- name: 'Terraform Comment' | ||
if: always() | ||
uses: actions/github-script@v7 | ||
env: | ||
PLAN: "\n```\n${{ steps.plan.outputs.stdout }}\n```\n" | ||
with: | ||
github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo | ||
script: | | ||
const output = `### Format, Init and Plan Results for ${{ matrix.environment }} | ||
#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` | ||
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` | ||
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\` | ||
<details><summary>Show Plan</summary> | ||
${process.env.PLAN} | ||
</details> | ||
__Pusher__: @${{ github.actor }} | ||
__Action__: \`${{ github.event_name }}\``; | ||
github.rest.issues.createComment({ | ||
issue_number: context.issue.number, | ||
owner: context.repo.owner, | ||
repo: context.repo.repo, | ||
body: output | ||
}) |
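Review bot: The `github.rest.issues.createComment({ ... })` call that closes the 'Terraform Comment' step is not awaited, so a rejected API call is an unhandled promise rather than a step failure — for example when a large plan pushes the comment body past GitHub's issue-comment size limit, the job can finish green with no comment posted; change the first of those lines to `await github.rest.issues.createComment({`. The same step posts `steps.plan.outputs.stdout` verbatim into the PR via the `PLAN` env var; the runner's log masking of `secrets.PAGERDUTY_API_KEY` does not extend to comment bodies, so the template should presumably note that `pagerduty_token` (and any other `-var` secret added per the TODO) must be declared `sensitive = true` in the Terraform configuration, otherwise its value can surface in the plan diff posted to the PR. With `if: always()` on both the Plan and Comment steps, a failed init still produces a plan attempt and a comment whose `<details>` body may be empty; consider `if: steps.init.outcome == 'success'` on the Plan step so the comment reports the init failure alone.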