Merge pull request #259 from im-practices/tf-auto-plan-update
Updates the Terraform auto-plan workflow
JosephDSchwartz committed Apr 2, 2024
2 parents 50dd97e + 4933be5 commit 6e73eb1
Showing 1 changed file with 126 additions and 126 deletions.
252 changes: 126 additions & 126 deletions workflow-templates/im-build-tf-auto-plan-and-comment-on-prs.yml
@@ -1,126 +1,126 @@
# Workflow Code: DeterminedPorcupine_v23 DO NOT REMOVE
# Purpose:
# Automatically runs a terraform plan against the specified environments and
# comments on the PR with the expected changes when commits are pushed to a PR.
#
# Frequency:
# - This workflow should only be used once per repository
#
# Projects to use this Template with:
# - Terraform (Core Template)
#
# TODO Prerequisites:
# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository.

name: Automatically run tf plan and comment on PR
on:
pull_request:
types: [opened, reopened, synchronize]
# TODO: Verify the paths where changes should trigger this workflow. This can be removed entirely if all changes should trigger the workflow.
paths:
- 'infrastructure/**'

permissions:
# Required for secretless azure access and deploys
id-token: write
contents: read
# Required for commenting on PR
pull-requests: write

jobs:
auto-plan-the-tf:
runs-on: [self-hosted, im-linux]

strategy:
matrix:
# TODO: By default this only runs a plan against dev, but other envs can be added: qa, stage, demo, uat, prod
environment: [dev]

environment: ${{ matrix.environment }}

env:
# The following ARM_* values are env-level secrets/variables
ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }}
ARM_CLIENT_ID: ${{ vars.ARM_CLIENT_ID }}
ARM_TENANT_ID: ${{ vars.ARM_TENANT_ID }} # This is an org-level variable
ARM_ENVIRONMENT: 'public'
TF_IN_AUTOMATION: 'true'
TF_VERSION: '~>1.4.0' #TODO: Verify your version of terraform.
TF_WORKING_DIR: './infrastructure/${{ matrix.environment }}' # TODO: Verify this directory structure would be correct for your repository (older projects may not be inside of an infrastructure folder)
# The following SSH_* secrets are org-level secrets
SSH_KEY_STORAGE_ACCOUNT: ${{ secrets.SSH_STORAGE_ACCOUNT }}
SSH_KEY_NETWORK_INFO: ${{ secrets.SSH_NETWORK_INFO }}
SSH_KEY_AAD_GROUP_MEMBERS: ${{ secrets.SSH_AAD_GROUP_MEMBERS }} # This is an org level secret
SSH_DEPLOY_KEY_INFO: |
[
{ "orgAndRepo": "im-platform/storage-account-network-rules", "envName" : "SSH_KEY_STORAGE_ACCOUNT" },
{ "orgAndRepo": "im-platform/network-information", "envName" : "SSH_KEY_NETWORK_INFO" },
{ "orgAndRepo": "im-platform/aad-group-members", "envName" : "SSH_KEY_AAD_GROUP_MEMBERS" }
]
defaults:
run:
shell: bash
working-directory: '${{ env.TF_WORKING_DIR }}'

steps:
- name: Checkout Repository
uses: actions/checkout@v4

- name: Setup Terraform
id: setup
uses: hashicorp/setup-terraform@v3
with:
terraform_version: '${{ env.TF_VERSION }}'

# Allows pulling modules from the repo instead of artifactory
- name: Setup SSH Keys and known_hosts
uses: im-open/[email protected]
with:
deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }}

- name: Terraform Init
if: always()
id: init
run: terraform init

- name: Terraform Format
if: always()
working-directory: .
id: fmt
run: terraform fmt -check -recursive

# TODO: Remove the pagerduty token if not configuring pagerduty. If using pagerduty verify 'pagerduty_token' is the name of the variable that tf expects
# TODO: Add any other secrets that would be required for a tf plan to succeed. Since this is a multi-line command every line except the last will need a \ on the end of it
# PAGERDUTY_API_KEY is an org level secret
- name: Terraform Plan
if: always()
id: plan
run: |
terraform plan -no-color -lock=false \
-var="pagerduty_token=${{ secrets.PAGERDUTY_API_KEY }}"
- name: 'Terraform Comment'
if: always()
uses: actions/github-script@v7
env:
PLAN: "\n```\n${{ steps.plan.outputs.stdout }}\n```\n"
with:
github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo
script: |
const output = `### Format, Init and Plan Results for ${{ matrix.environment }}
#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
<details><summary>Show Plan</summary>
${process.env.PLAN}
</details>
__Pusher__: @${{ github.actor }}
__Action__: \`${{ github.event_name }}\``;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
# Workflow Code: DeterminedPorcupine_v24 DO NOT REMOVE
# Purpose:
# Automatically runs a terraform plan against the specified environments and
# comments on the PR with the expected changes when commits are pushed to a PR.
#
# Frequency:
# - This workflow should only be used once per repository
#
# Projects to use this Template with:
# - Terraform (Core Template)
#
# TODO Prerequisites:
# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository.

name: Automatically run tf plan and comment on PR
on:
pull_request:
types: [opened, reopened, synchronize]
# TODO: Verify the paths where changes should trigger this workflow. This can be removed entirely if all changes should trigger the workflow.
paths:
- 'infrastructure/**'

permissions:
# Required for secretless azure access and deploys
id-token: write
contents: read
# Required for commenting on PR
pull-requests: write

jobs:
auto-plan-the-tf:
runs-on: [self-hosted, im-linux]

strategy:
matrix:
# TODO: By default this only runs a plan against dev, but other envs can be added: qa, stage, demo, uat, prod
environment: [dev]

environment: ${{ matrix.environment }}

env:
# The following ARM_* values are env-level secrets/variables
ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }}
ARM_CLIENT_ID: ${{ vars.ARM_CLIENT_ID }}
ARM_TENANT_ID: ${{ vars.ARM_TENANT_ID }} # This is an org-level variable
ARM_ENVIRONMENT: 'public'
TF_IN_AUTOMATION: 'true'
TF_VERSION: '~>1.4.0' #TODO: Verify your version of terraform.
TF_WORKING_DIR: './infrastructure/${{ matrix.environment }}' # TODO: Verify this directory structure would be correct for your repository (older projects may not be inside of an infrastructure folder)
# The following SSH_* secrets are org-level secrets
SSH_KEY_STORAGE_ACCOUNT: ${{ secrets.SSH_STORAGE_ACCOUNT }}
SSH_KEY_NETWORK_INFO: ${{ secrets.SSH_NETWORK_INFO }}
SSH_KEY_AAD_GROUP_MEMBERS: ${{ secrets.SSH_AAD_GROUP_MEMBERS }} # This is an org level secret
SSH_DEPLOY_KEY_INFO: |
[
{ "orgAndRepo": "im-platform/storage-account-network-rules", "envName" : "SSH_KEY_STORAGE_ACCOUNT" },
{ "orgAndRepo": "im-platform/network-information", "envName" : "SSH_KEY_NETWORK_INFO" },
{ "orgAndRepo": "im-platform/aad-group-members", "envName" : "SSH_KEY_AAD_GROUP_MEMBERS" }
]
defaults:
run:
shell: bash
working-directory: '${{ env.TF_WORKING_DIR }}'

steps:
- name: Checkout Repository
uses: actions/checkout@v4

- name: Setup Terraform
id: setup
uses: hashicorp/setup-terraform@v3
with:
terraform_version: '${{ env.TF_VERSION }}'

# Allows pulling modules from the repo instead of artifactory
- name: Setup SSH Keys and known_hosts
uses: im-open/[email protected]
with:
deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }}

- name: Terraform Init
if: always()
id: init
run: terraform init -input=false

- name: Terraform Format
if: always()
working-directory: .
id: fmt
run: terraform fmt -check -recursive

# TODO: Remove the pagerduty token if not configuring pagerduty. If using pagerduty verify 'pagerduty_token' is the name of the variable that tf expects
# TODO: Add any other secrets that would be required for a tf plan to succeed. Since this is a multi-line command every line except the last will need a \ on the end of it
# PAGERDUTY_API_KEY is an org level secret
- name: Terraform Plan
if: always()
id: plan
run: |
terraform plan -no-color -lock=false -input=false \
-var="pagerduty_token=${{ secrets.PAGERDUTY_API_KEY }}"
- name: 'Terraform Comment'
if: always()
uses: actions/github-script@v7
env:
PLAN: "\n```\n${{ steps.plan.outputs.stdout }}\n```\n"
with:
github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo
script: |
const output = `### Format, Init and Plan Results for ${{ matrix.environment }}
#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
<details><summary>Show Plan</summary>
${process.env.PLAN}
</details>
__Pusher__: @${{ github.actor }}
__Action__: \`${{ github.event_name }}\``;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
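Review bot: The Terraform Plan step near the end of the hunk still splices `secrets.PAGERDUTY_API_KEY` into the `run:` script through `${{ }}`, so the secret is expanded into the generated shell text rather than read from the environment; the new `-input=false` flags leave that as it was. Passing it through the step's `env:` keeps the value out of the script body and avoids breakage if the token ever contains shell-significant characters: `env:` / `PAGERDUTY_API_KEY: ${{ secrets.PAGERDUTY_API_KEY }}` and then `-var="pagerduty_token=$PAGERDUTY_API_KEY"` (Terraform's `TF_VAR_pagerduty_token` env var would let the `-var` line go entirely). The `if: always()` on the init, fmt and plan steps also runs them after a job cancellation; if the intent is only "run even when an earlier step failed" so the comment step can report each outcome, `if: ${{ !cancelled() }}` states that more precisely.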
