Skip to content
OpenTofu CI

ci(tofu-ci): Refactor the pipeline (#48) #34

Sign in to view logs

ci(tofu-ci): Refactor the pipeline (#48)

ci(tofu-ci): Refactor the pipeline (#48) #34

Workflow file for this run

.github/workflows/tofu-ci.yaml at f9ac9fd
name: OpenTofu CI
on:
pull_request:
branches: [main]
paths:
- tf/dev/**/*.tf
- tf/dev/**/*.tfvars
push:
branches: [main]
paths:
- tf/dev/**/*.tf
- tf/dev/**/*.tfvars
# Disable permissions for all available scopes.
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.repository }}
cancel-in-progress: true
jobs:
find-terraform:
outputs:
tf-dir-json: ${{ steps.tf-dir-json.outputs.all_changed_files }}
name: Trunk Check TF
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Find TF files
id: tf-dir-json
uses: tj-actions/changed-files@4918e1183080b35a085c91c8abc9e6adc4de61a1 # v42.1.0
with:
files: |
tf/dev/**/*.tf
tf/dev/**/*.tfvars
dir_names: true
matrix: true
trunk-check-tf:
# This job should only run in pull requests
if: github.event_name == 'pull_request'
name: Trunk Check TF
needs: [find-terraform]
runs-on: ubuntu-latest
permissions:
checks: write
contents: read
id-token: write
strategy:
matrix:
terraform-dir: ${{ fromJSON(needs.find-terraform.outputs.tf-dir-json) }}
steps:
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
# AWS Credentials required for tflint deep check
#TODO: Try running with an ACCESS key with act
- name: Configure AWS credentials via OIDC
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
aws-region: us-east-1
mask-aws-account-id: true
role-to-assume: ${{ secrets.AWS_DEV_OIDC_ROLE_ARN }}
role-session-name: tflint-trunk-check
- name: Cache TFLint plugin directory
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: $GITHUB_WORKSPACE/.trunk/plugins/
key: ${{ runner.os }}-3ware-ans-tflint-${{ hashFiles('$GITHUB_WORKSPACE/.trunk/configs/.tflint.hcl') }}
# Install OpenTofu; required to initialise working directory
- name: Setup OpenTofu
uses: opentofu/setup-opentofu@ae80d4ecaab946d8f5ff18397fbf6d0686c6d46a # v1.0.3
# Initialise OpenTofu in the directory where terraform file have changed.
- name: Initialise OpenTofu
shell: bash
run: |
tofu -chdir=${{ matrix.terraform-dir }} init --backend=false
# Install TFLint; required to download plugins
- name: Install TFLint
uses: terraform-linters/setup-tflint@15ef44638cb215296e7ba9e7a41f20b5b06f4784 # v4.0.0
with:
tflint_version: v0.53.0
# Initialise TFLint using the configuration file in the trunk directory
- name: Initialise TFLint
shell: bash
run: |
tflint -chdir=${{ matrix.terraform-dir }} --init --config=$GITHUB_WORKSPACE/.trunk/configs/.tflint.hcl
# Run Trunk Check
- name: Trunk Check
uses: trunk-io/trunk-action@a19f8a0d6676d8ef1e60bda132f3fbab23cc2aa5
plan-and-apply-dev:
name: Open Tofu CI Development
needs: [find-terraform, trunk-check-tf]
# This job should run if trunk check succeeds in pull requests or is skipped on pushes
# always is required so this job isn't skipped when trunk check is skipped
if: |
always() &&
github.event_name == 'pull_request' && needs.trunk-check-tf.result == 'success' ||
github.event_name == 'push' && needs.trunk-check-tf.result == 'skipped'
runs-on: ubuntu-latest
permissions:
actions: read # Required to download repository artifact.
checks: write # Required to add status summary.
contents: read # Required to checkout repository.
id-token: write # Required to authenticate via OIDC.
pull-requests: write # Required to add PR comment and label.
strategy:
matrix:
terraform-dir: ${{ fromJSON(needs.find-terraform.outputs.tf-dir-json) }}
env:
TF_TOKEN_APP_TERRAFORM_IO: ${{ secrets.TF_TOKEN_APP_TERRAFORM_IO }}
# Set environment for push events only.
environment: ${{ github.event_name == 'push' && 'development' || '' }}
steps:
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Configure AWS credentials via OIDC
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
aws-region: us-east-1
role-to-assume: ${{ secrets.AWS_DEV_OIDC_ROLE_ARN }}
- name: Setup OpenTofu
uses: opentofu/setup-opentofu@12f4debbf681675350b6cd1f0ff8ecfbda62027b # v1.0.4
with:
#TODO: Read version from providers.tf
tofu_version: 1.8.2
tofu_wrapper: true
- name: Provision infrastructure
uses: devsectop/tf-via-pr@86ff2b5756fb1c483c7c3ecc86f7c320c97a7302 # v11.4.1
with:
arg_chdir: ${{ matrix.terraform-dir }}
arg_command: ${{ github.event_name == 'push' && 'apply' || 'plan' }}
arg_lock: ${{ github.event_name == 'push' && 'true' || 'false' }}
- name: Check idempotency
id: idempotency
if: github.event_name == 'push'
uses: devsectop/tf-via-pr@86ff2b5756fb1c483c7c3ecc86f7c320c97a7302 # v11.4.1
with:
arg_chdir: ${{ matrix.terraform-dir }}
arg_command: plan
arg_lock: false
arg_detailed_exitcode: true
- name: Exit if idempotent
if: github.event_name == 'push' && steps.idempotency.outputs.exitcode != 0
shell: bash
run: exit ${{ steps.idempotency.outputs.exitcode }}
- name: Clean up resources
if: github.event_name == 'push'
uses: devsectop/tf-via-pr@86ff2b5756fb1c483c7c3ecc86f7c320c97a7302 # v11.4.1
with:
arg_chdir: ${{ matrix.terraform-dir }}
arg_command: destroy
arg_lock: true
arg_auto_approve: true