diff --git a/.github/workflows/run-terraform.yml b/.github/workflows/run-terraform.yml index 7df6002c..64aebd4c 100644 --- a/.github/workflows/run-terraform.yml +++ b/.github/workflows/run-terraform.yml @@ -12,6 +12,9 @@ on: runner: required: true type: string + deploy_on: + type: string + default: 'refs/heads/main' working_directory: type: string project_id: @@ -65,7 +68,7 @@ jobs: run: | echo 'Run format check' | tee -a $GITHUB_STEP_SUMMARY terraform fmt -check -no-color || { echo ' - FAILURE! The above files are not properly formatted. + FAILURE! The above files are not properly formatted. Run `terraform fmt` in ${{inputs.working_directory}}, commit the changed files and push to fix the issue' | tee -a $GITHUB_STEP_SUMMARY ; exit 1; } terraform_plan: @@ -77,17 +80,25 @@ jobs: run: shell: bash + outputs: + exitcode: ${{ steps.plan.outputs.exitcode }} + steps: # Checkout the repository to the GitHub Actions runner - name: Checkout uses: actions/checkout@v3 + # Node is required for terraform_wrapper + - uses: actions/setup-node@v3 + with: + node-version: 16 + # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 - with: - terraform_wrapper: false - + # Change to v2.1.0 when released. We require the below fix: + # https://github.com/hashicorp/setup-terraform/pull/125 + uses: hashicorp/setup-terraform@78ea3ac2fbe8fe4dab277d1cbd1e6435a91a49cc + - name: Authenticate with Google Cloud uses: google-github-actions/auth@v0 with: @@ -114,17 +125,18 @@ jobs: run: terraform init - name: Terraform Plan + id: plan working-directory: ${{ inputs.working_directory }} run: | if [ "${{inputs.terraform_workspace}}" != "" ]; then terraform workspace select ${{inputs.terraform_workspace}} fi echo '```' >> $GITHUB_STEP_SUMMARY - terraform plan ${{inputs.terraform_options}} -input=false -no-color | grep -v 'Refreshing state...' | tee -a $GITHUB_STEP_SUMMARY + terraform plan ${{inputs.terraform_options}} -input=false -no-color -detailed-exitcode | grep -v 'Refreshing state...' | tee -a $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY - + run_terraform: - if: github.ref == 'refs/heads/main' + if: github.ref == inputs.deploy_on && needs.terraform_plan.outputs.exitcode == '2' needs: [terraform_check, terraform_plan] name: Terraform Apply runs-on: ${{ inputs.runner }} @@ -145,7 +157,7 @@ jobs: uses: hashicorp/setup-terraform@v2 with: terraform_wrapper: false - + - name: Authenticate with Google Cloud uses: google-github-actions/auth@v0 with: diff --git a/README.md b/README.md index 222d3a74..2380676f 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ This workflow plans and applies terraform config to deploy to an environment. jobs: dev: name: Deploy to dev - permissions: + permissions: id-token: write contents: read uses: kartverket/github-workflows/.github/workflows/run-terraform.yml@v2 @@ -35,8 +35,7 @@ provide an output that can be mapped to the arguments of the job.
Click here to see an example of this -
-env:
+
env:
   WORKLOAD_IDENTITY_FEDERATION_PROVIDER: X
   WORKLOAD_IDENTITY_FEDERATION_SERVICE_ACCOUNT: X
   PROJECT_ID: X
@@ -50,17 +49,17 @@ jobs:
     steps:
       - name: set outputs with default values
         id: set-output
-        run: |    
+        run: |
           echo "::set-output name=workload_identity_provider::${{ env.WORKLOAD_IDENTITY_FEDERATION_PROVIDER }}"
           echo "::set-output name=service_account::${{ env.WORKLOAD_IDENTITY_FEDERATION_SERVICE_ACCOUNT }}"
           echo "::set-output name=project_id::${{ env.PROJECT_ID }}"
   dev:
     name: Deploy to dev
     needs: setup-env
-    permissions: 
+    permissions:
       id-token: write
       contents: read
-    uses: kartverket/github-workflows/.github/workflows/run-terraform.yml@v2
+    uses: kartverket/github-workflows/.github/workflows/run-terraform.yml@v2.1
     with:
       runner: atkv1-dev
       environment: dev
@@ -70,8 +69,7 @@ jobs:
       working_directory: terraform
       workload_identity_provider: ${{ needs.setup-env.outputs.workload_identity_provider }}
       service_account: ${{ needs.setup-env.outputs.service_account }}
-      project_id: ${{ needs.setup-env.outputs.project_id }}
-

+      project_id: ${{ needs.setup-env.outputs.project_id }}
### Passing secrets to run-terraform @@ -95,6 +93,7 @@ this role. | workload_identity_provider | string | X | The ID of the provider to use for authentication. It should be in the format of `projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}` | | service_account | string | X | The GCP service account connected to the identity pool that will be used by Terraform. | | runner | string | X | The GitHub runner to use when running the deploy. This can for example be `atkv1-dev`. | +| deploy_on | string | | Which branch will be the only branch allowed to deploy. This defaults to the main branch so that other branches only run check and plan. Defaults to `refs/head/main`. | | working_directory | string | | The directory in which to run terraform, i.e. where the Terraform files are placed. The path is relative to the root of the repository. | | project_id | string | | The GCP Project ID to use as the "active project" when running Terraform. When deploying to Kubernetes, this must match the project in which the Kubernetes cluster is registered. | | kubernetes_cluster | string | | An optional kubernetes cluster to authenticate to. Note that the project_id must match where the cluster is registered |