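---
# OpenTofu Enforcement: fmt / validate / plan every PR that touches terraform/,
# post the plan as a PR comment, and apply on push to main. One job per module
# in the matrix; each job assumes an AWS role through OIDC (no static keys).
name: OpenTofu Enforcement

on:
  push:
    branches: [main]
    paths: [terraform/**]
  pull_request:
    branches: [main]
    paths: [terraform/**]

jobs:
  opentofu_enforcement:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        opentofu_module: [aws, github]
    # Serialise runs per module: the `tofu apply -auto-approve` step below must
    # never race a second apply on the same state, and a running apply must not
    # be cancelled half-way by a newer push (hence cancel-in-progress: false).
    concurrency:
      group: ${{ github.workflow }}-${{ matrix.opentofu_module }}
      cancel-in-progress: false
    # Least privilege for the job token: read the repo, mint an OIDC token for
    # the AWS role, write the PR comment. Nothing else.
    permissions:
      contents: read
      id-token: write
      pull-requests: write
    steps:
      # Fail fast for actors without write access: every step after this one
      # runs OpenTofu code from the PR with AWS credentials and the SOPS key,
      # so the change must come from a collaborator before it gets them.
      - name: Enforce permission requirement
        uses: prince-chrismc/check-actor-permissions-action@v3
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          permission: write

      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # NOTE(review): no later step visibly uses the git credential that
          # checkout leaves in .git/config; `persist-credentials: false` would
          # keep GITHUB_TOKEN away from the nix/tofu steps — confirm that no
          # module source is fetched over authenticated git first.

      # NOTE(review): `@main` is a moving target — whatever lands on that branch
      # runs here with an OIDC token and the AWS role configured below. Pin
      # these two (and ideally the tag-pinned actions as well) to a full-length
      # commit SHA and let a bot bump them.
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@main
      - name: Enable Magic Nix Cache
        uses: DeterminateSystems/magic-nix-cache-action@main

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-region: ${{ secrets.DEFAULT_AWS_REGION }}
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubAction-AssumeRoleWithAction

      - name: OpenTofu Init
        id: init
        working-directory: terraform/${{ matrix.opentofu_module }}
        run: nix develop -c tofu init

      - name: OpenTofu Format
        id: fmt
        # Must run inside the module directory: `tofu fmt -check` only inspects
        # the current directory, so from the repository root (no .tf files) the
        # check always passed and enforced nothing. `-diff` prints what is wrong.
        working-directory: terraform/${{ matrix.opentofu_module }}
        run: nix develop -c tofu fmt -check -diff
        # Non-fatal here so the summary comment can report the outcome; the
        # "OpenTofu Enforcement Status" step turns a failure into a red check.
        continue-on-error: true

      - name: OpenTofu Validate
        id: validate
        working-directory: terraform/${{ matrix.opentofu_module }}
        run: nix develop -c tofu validate

      - name: OpenTofu Plan
        id: plan
        if: github.event_name == 'pull_request'
        working-directory: terraform/${{ matrix.opentofu_module }}
        env:
          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
        # Non-fatal so the comment below is still posted; the status step
        # re-raises the failure once the comment exists.
        continue-on-error: true
        run: |
          # The runner's bash is `-e`: a failing `plan=$(...)` would abort the
          # step before anything is written to GITHUB_OUTPUT, leaving the PR
          # comment with an empty plan. Capture the exit status instead and
          # re-raise it at the end.
          set +e
          plan=$(nix develop -c tofu plan -no-color -input=false)
          rc=$?
          set -e

          # printf rather than echo: the plan text is PR-controlled and may
          # start with an option-looking token such as "-n".
          printf '%s\n' "${plan}"

          # Multi-line step output. Use a random heredoc delimiter: with a
          # fixed "EOF", a plan line equal to "EOF" (e.g. from an output value)
          # would end the value early and let the remainder be parsed as
          # further step outputs.
          delim="plan_${RANDOM}${RANDOM}${RANDOM}"
          {
            printf 'plan<<%s\n' "${delim}"
            printf '%s\n' "${plan}"
            printf '%s\n' "${delim}"
          } >> "${GITHUB_OUTPUT}"

          exit "${rc}"

      # The HTML marker in body-includes is how the comment is found again on
      # later pushes; it must match the first line of the body below exactly.
      - name: Find Comment
        if: github.event_name == 'pull_request'
        id: find-comment
        uses: peter-evans/find-comment@v3
        env:
          TERRAFORM_MODULE: ${{ matrix.opentofu_module }}
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: 'github-actions[bot]'
          body-includes: <!-- This comment was auto-generated by GitHub Actions by the Terraform Enforcement action for the ${{ env.TERRAFORM_MODULE }} Terraform module -->

      # The plan is interpolated into an action input, not a shell, so there is
      # no command-injection path here. It is rendered inside a Markdown fence,
      # so a plan containing ``` only breaks the rendering (cosmetic).
      - name: Create Comment
        if: github.event_name == 'pull_request'
        id: comment
        uses: peter-evans/create-or-update-comment@v4
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PLAN: "${{ steps.plan.outputs.plan }}"
          TERRAFORM_MODULE: ${{ matrix.opentofu_module }}
        with:
          comment-id: ${{ steps.find-comment.outputs.comment-id }}
          issue-number: ${{ github.event.pull_request.number }}
          edit-mode: replace
          body: |
            <!-- This comment was auto-generated by GitHub Actions by the Terraform Enforcement action for the ${{ env.TERRAFORM_MODULE }} Terraform module -->
            ## OpenTofu Enforcement Summary (${{ env.TERRAFORM_MODULE }})
            #### OpenTofu Format and Style: 🖌`${{ steps.fmt.outcome }}`
            #### OpenTofu Initialization: ⚙️`${{ steps.init.outcome }}`
            #### OpenTofu Validation: 🤖`${{ steps.validate.outcome }}`
            #### OpenTofu Plan: 📖`${{ steps.plan.outcome }}`
            <details><summary>Show Plan</summary>
            ```
            ${{ env.PLAN }}
            ```
            </details>
            *Pusher: @${{ github.actor }}, Action: `${{ github.event_name }}`, Working Directory: `${{ env.TERRAFORM_MODULE }}`, Workflow: `${{ github.workflow }}`*

      # Re-raise the soft failures from the fmt and plan steps now that the
      # summary comment has been posted. Runs on both events: on pull_request it
      # fails the check, on push it blocks the apply below. A skipped plan
      # reports 'skipped', not 'failure', so the push path only consults fmt.
      - name: OpenTofu Enforcement Status
        if: steps.fmt.outcome == 'failure' || steps.plan.outcome == 'failure'
        run: exit 1

      # Unattended apply, only for commits already on main. Guarded by the
      # branch/event check here and by the job-level concurrency group above.
      - name: OpenTofu Apply
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        working-directory: terraform/${{ matrix.opentofu_module }}
        run: nix develop -c tofu apply -auto-approve -input=false
        env:
          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}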