Terraform Plan/Apply Pipeline for commit cb6b9401e8b470ec9031ad49b6c4883ffe443d4e #271
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Terraform Plan/Apply Pipeline" | |
| run-name: "Terraform Plan/Apply Pipeline for commit ${{ github.sha }}" | |
| on: | |
| pull_request: | |
| paths: | |
| - "infrastructure/**" | |
| - ".github/workflows/tf-pipeline.yaml" | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - "infrastructure/**" | |
| - ".github/workflows/tf-pipeline.yaml" | |
| permissions: | |
| id-token: write | |
| contents: read | |
| pull-requests: write | |
| jobs: | |
| terraform: | |
| name: "Terraform" | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| env: ["infrastructure"] | |
| defaults: | |
| run: | |
| shell: bash | |
| working-directory: ${{matrix.env}} | |
| env: | |
| TF_VAR_azure_backend_rg: ${{ secrets.AZURE_TF_RESOURCE_GROUP }} | |
| TF_VAR_azure_backend_sa: ${{ secrets.AZURE_TF_STORAGE_ACCOUNT_NAME }} | |
| TF_VAR_azure_backend_container: ${{ secrets.AZURE_TF_CONTAINER_NAME }} | |
| TF_GITHUB_TOKEN: ${{ secrets.TF_GITHUB_TOKEN }} | |
| GITHUB_TOKEN: ${{ secrets.TF_GITHUB_TOKEN }} | |
| GITHUB_OWNER: ${{ github.repository_owner }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/[email protected] | |
| - name: Azure Authentication | |
| id: login | |
| uses: azure/[email protected] | |
| with: | |
| creds: ${{ secrets.AZURE_CREDENTIALS }} | |
| - name: JSON Parse | |
| id: parse | |
| env: | |
| AZJSON: ${{ secrets.AZURE_CREDENTIALS }} | |
| run: | | |
| ARM_CLIENT_ID=$(echo $AZJSON | jq -r '.["clientId"]') | |
| ARM_CLIENT_SECRET=$(echo $AZJSON | jq -r '.["clientSecret"]') | |
| ARM_TENANT_ID=$(echo $AZJSON | jq -r '.["tenantId"]') | |
| ARM_SUBSCRIPTION_ID=$(echo $AZJSON | jq -r '.["subscriptionId"]') | |
| echo ARM_CLIENT_ID=$ARM_CLIENT_ID >> $GITHUB_ENV | |
| echo ARM_CLIENT_SECRET=$ARM_CLIENT_SECRET >> $GITHUB_ENV | |
| echo ARM_TENANT_ID=$ARM_TENANT_ID >> $GITHUB_ENV | |
| echo ARM_SUBSCRIPTION_ID=$ARM_SUBSCRIPTION_ID >> $GITHUB_ENV | |
| - name: GitHub Token | |
| id: token | |
| env: | |
| TOKEN: ${{ secrets.TF_GITHUB_TOKEN }} | |
| run: | | |
| echo "machine github.com login x password ${TOKEN}" > ~/.netrc | |
| git config --global url."https://github.com/".insteadOf "git://github.com/" | |
| git config --global advice.detachedHead false | |
| - name: Install Terraform | |
| uses: hashicorp/[email protected] | |
| with: | |
| terraform_wrapper: false | |
| - name: Terraform Init | |
| id: init | |
| run: | | |
| terraform init -backend-config="resource_group_name=${TF_VAR_azure_backend_rg}" -backend-config="storage_account_name=${TF_VAR_azure_backend_sa}" -backend-config="container_name=${TF_VAR_azure_backend_container}" -upgrade | |
| - name: Install Checkov | |
| id: checkov | |
| if: github.event_name == 'pull_request' | |
| run: | | |
| pip install checkov | |
| - name: Checkov Static Test | |
| id: static | |
| if: github.event_name == 'pull_request' | |
| run: | | |
| checkov -d . --download-external-modules true | |
| - name: Terraform Format | |
| id: fmt | |
| run: terraform fmt -check -recursive | |
| - name: Terraform Validate | |
| id: validate | |
| run: terraform validate -no-color | |
| - name: Terraform Plan | |
| id: tplan | |
| run: | | |
| plan_output=$(terraform plan -no-color -var "github_token=${{ secrets.TF_GITHUB_TOKEN }}" -var "openai_key=${{ secrets.OPENAI_KEY }}" -var "sp_client_id=${{ env.ARM_CLIENT_ID}}" -var "sp_tenant_id=${{ env.ARM_TENANT_ID}}") | |
| echo "plan<<EOF" >> $GITHUB_OUTPUT | |
| echo "$plan_output" >> $GITHUB_OUTPUT | |
| echo "EOF" >> $GITHUB_OUTPUT | |
| - name: Checkov Plan Test | |
| id: cplan | |
| if: github.event_name == 'pull_request' | |
| run: | | |
| echo Disable until we have a self-hosted runner | |
| # terraform plan --out plan.tfplan -var "github_token=${{ secrets.TF_GITHUB_TOKEN }}" -var "openai_key=${{ secrets.OPENAI_KEY }}" -var "sp_client_id=${{ env.ARM_CLIENT_ID}}" -var "sp_tenant_id=${{ env.ARM_TENANT_ID}}" | |
| # terraform show -json plan.tfplan > tfplan.json | |
| # ls | |
| # checkov -f tfplan.json --framework terraform_plan | |
| - name: Pull Request Comment | |
| id: comment | |
| uses: actions/[email protected] | |
| if: github.event_name == 'pull_request' | |
| env: | |
| TPLAN: "terraform\n${{ steps.tplan.outputs.plan }}" | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| const output = ` | |
| ### Pull Request Information | |
| Please review this pull request. Merging the PR will run Terraform Apply with the plan detailed below. | |
| #### Terraform Checks | |
| Init: \`${{ steps.init.outcome }}\` | |
| Format: \`${{ steps.fmt.outcome }}\` | |
| Validation: \`${{ steps.validate.outcome }}\` | |
| Plan: \`${{ steps.tplan.outcome }}\` | |
| #### Checkov | |
| Static: \`${{ steps.static.outcome }}\` | |
| Plan: \`${{ steps.cplan.outcome }}\` | |
| <details> | |
| <summary>Plan File</summary> | |
| \`\`\`${process.env.TPLAN}\`\`\` | |
| ` | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: output | |
| }) | |
| - name: Terraform Apply | |
| id: apply | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
| run: terraform apply -auto-approve -var "github_token=${{ secrets.TF_GITHUB_TOKEN }}" -var "openai_key=${{ secrets.OPENAI_KEY }}" -var "sp_client_id=${{ env.ARM_CLIENT_ID}}" -var "sp_tenant_id=${{ env.ARM_TENANT_ID}}" |