soat-fiap · italopessoa · Sep 12, 2024 · Sep 11, 2024 · Sep 11, 2024 · Sep 11, 2024
diff --git a/.github/workflows/dotnet.yml b/.github/workflows/dotnet.yml
@@ -22,6 +22,10 @@ env:
   REGISTRY: ghcr.io
   # github.repository as <account>/<repo>
   IMAGE_NAME: ${{ github.repository }}/api
+  TF_CLOUD_ORGANIZATION: "${{ vars.BMB_TF_ORGANIZATION }}"
+  TF_API_TOKEN: "${{ secrets.TF_API_TOKEN }}"
+  TF_WORKSPACE: "${{ vars.TF_WORKSPACE }}"
+  CONFIG_DIRECTORY: "./tf"
 
 jobs:
   build:
@@ -71,15 +75,17 @@ jobs:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
   build-docker-image:
-    needs: [sonarcloud]
     if: github.ref == 'refs/heads/main'
+    needs: [build]
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
       # This is used to complete the identity challenge
       # with sigstore/fulcio when running outside of PRs.
       id-token: write
+    outputs:
+      API_IMAGE_TAG: ${{ fromJson(steps.meta.outputs.json).tags[0] }}
 
     steps:
       - name: Checkout repository
@@ -131,11 +137,55 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=
 
-  create-infrastructure:
+  create-app:
     if: github.ref == 'refs/heads/main'
     needs: [build-docker-image]
+    name: "Terraform Apply"
     runs-on: ubuntu-latest
+    environment: dev
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - name: Terraform goes here
-        run: echo WRAU!
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Create .auto.tfvars file
+        env:
+          API_IMAGE_TAG: ${{needs.build-docker-image.outputs.API_IMAGE_TAG}}
+        run: |
+          cat <<EOF > tf/api.auto.tfvars
+          eks_cluster_name = "${{ vars.BMB_EKS_CLUSTER_NAME }}"
+          apgw_name ="${{ vars.BMB_AUTH_API_NAME }}"
+          mercadopago_webhook_secret = "${{ secrets.BMB_MERCADO_PAGO_WH_SECRET }}"
+          mercadopago_accesstoken = "${{ secrets.BMB_MERCADO_PAGO_ACCESS_TOKEN }}"
+          jwt_signing_key = "${{ secrets.BMB_JWT_SECRET_KEY }}"
+          jwt_issuer = "${{ vars.BMB_JWT_ISSUER }}"
+          jwt_aud = "${{ vars.BMB_JWT_AUDIENCE }}"
+          api_docker_image = "${{ env.API_IMAGE_TAG }}"
+          internal_elb_name = "${{ vars.BMB_INTERNAL_LB_NAME }}"
+          db_user = "${{ secrets.BMB_MYSQL_USER }}"
+          db_pwd = "${{ secrets.BMB_MYSQL_PASSWORD }}"
+          rds_cluster_identifier = "${{ vars.BMB_MYSQL_CLUSTER }}"
+          EOF
+
+      - name: Upload Configuration
+        uses: hashicorp/tfc-workflows-github/actions/[email protected]
+        id: apply-upload
+        with:
+          workspace: ${{ env.TF_WORKSPACE }}
+          directory: ${{ env.CONFIG_DIRECTORY }}
+
+      - name: Create Apply Run
+        uses: hashicorp/tfc-workflows-github/actions/[email protected]
+        id: apply-run
+        with:
+          workspace: ${{ env.TF_WORKSPACE }}
+          configuration_version: ${{ steps.apply-upload.outputs.configuration_version_id }}
+          message: "Create Run from GitHub Actions CI ${{ github.sha }}"
+
+      - uses: hashicorp/tfc-workflows-github/actions/[email protected]
+        if: ${{ vars.TF_AUTO_APPROVE == 'true' }}
+        id: apply
+        with:
+          run: ${{ steps.apply-run.outputs.run_id }}
+          comment: "Confirmed from GitHub Actions CI ${{ github.sha }}"
diff --git a/.github/workflows/terraform-plan.yaml b/.github/workflows/terraform-plan.yaml
@@ -0,0 +1,97 @@
+name: "Terraform Plan"
+
+on:
+  pull_request:
+
+env:
+  TF_CLOUD_ORGANIZATION: "${{ vars.BMB_TF_ORGANIZATION }}"
+  TF_API_TOKEN: "${{ secrets.TF_API_TOKEN }}"
+  TF_WORKSPACE: "${{ vars.TF_WORKSPACE }}"
+  CONFIG_DIRECTORY: "./tf"
+
+jobs:
+
+  terraform:
+    environment: dev
+    name: "Terraform Plan"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Create .auto.tfvars file
+        run: |
+          cat <<EOF > tf/api.auto.tfvars
+          eks_cluster_name = "${{ vars.BMB_EKS_CLUSTER_NAME }}"
+          apgw_name = "${{ vars.BMB_JWT_ISSUER }}"
+          mercadopago_webhook_secret = "${{ secrets.BMB_MERCADO_PAGO_WH_SECRET}}"
+          mercadopago_accesstoken = "${{ secrets.BMB_MERCADO_PAGO_ACCESS_TOKEN }}"
+          jwt_signing_key = "${{ secrets.BMB_JWT_SECRET_KEY }}"
+          jwt_issuer = "${{ vars.BMB_JWT_ISSUER }}"
+          jwt_aud = "${{ vars.BMB_JWT_AUDIENCE }}"
+          internal_elb_name = "${{ vars.BMB_INTERNAL_LB_NAME }}"
+          db_user = "${{ secrets.BMB_MYSQL_USER }}"
+          db_pwd = "${{ secrets.BMB_MYSQL_PASSWORD }}"
+          rds_cluster_identifier = "${{ vars.BMB_MYSQL_CLUSTER }}"
+          EOF
+
+      - name: Upload Configuration
+        uses: hashicorp/tfc-workflows-github/actions/[email protected]
+        id: plan-upload
+        with:
+          workspace: ${{ env.TF_WORKSPACE }}
+          directory: ${{ env.CONFIG_DIRECTORY }}
+          speculative: true
+
+      - name: Create Plan Run
+        uses: hashicorp/tfc-workflows-github/actions/[email protected]
+        id: plan-run
+        with:
+          workspace: ${{ env.TF_WORKSPACE }}
+          configuration_version: ${{ steps.plan-upload.outputs.configuration_version_id }}
+          plan_only: true
+
+      - name: Get Plan Output
+        uses: hashicorp/tfc-workflows-github/actions/[email protected]
+        id: plan-output
+        with:
+          plan: ${{ fromJSON(steps.plan-run.outputs.payload).data.relationships.plan.data.id }}
+
+      - name: Update PR
+        uses: actions/github-script@v7
+        id: plan-comment
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            // 1. Retrieve existing bot comments for the PR
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            });
+            const botComment = comments.find(comment => {
+              return comment.user.type === 'Bot' && comment.body.includes('Terraform Cloud Plan Output')
+            });
+            const output = `#### Terraform Cloud Plan Output
+               \`\`\`
+               Plan: ${{ steps.plan-output.outputs.add }} to add, ${{ steps.plan-output.outputs.change }} to change, ${{ steps.plan-output.outputs.destroy }} to destroy.
+               \`\`\`
+               [Terraform Cloud Plan](${{ steps.plan-run.outputs.run_link }})
+               `;
+            // 3. Delete previous comment so PR timeline makes sense
+            if (botComment) {
+              github.rest.issues.deleteComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: botComment.id,
+              });
+            }
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            });