From 46afeccc672cb8f79c7599bd578e8e958ddd4043 Mon Sep 17 00:00:00 2001 From: Espen Henriksen Date: Thu, 14 Jul 2022 10:01:57 +0200 Subject: [PATCH 01/14] Verify plan includes changes before apply --- .github/workflows/run-terraform.yml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/.github/workflows/run-terraform.yml b/.github/workflows/run-terraform.yml index 7df6002c..0c169b0d 100644 --- a/.github/workflows/run-terraform.yml +++ b/.github/workflows/run-terraform.yml @@ -65,7 +65,7 @@ jobs: run: | echo 'Run format check' | tee -a $GITHUB_STEP_SUMMARY terraform fmt -check -no-color || { echo ' - FAILURE! The above files are not properly formatted. + FAILURE! The above files are not properly formatted. Run `terraform fmt` in ${{inputs.working_directory}}, commit the changed files and push to fix the issue' | tee -a $GITHUB_STEP_SUMMARY ; exit 1; } terraform_plan: @@ -77,6 +77,9 @@ jobs: run: shell: bash + output: + exitcode: ${{ steps.plan.outputs.exitcode }} + steps: # Checkout the repository to the GitHub Actions runner - name: Checkout @@ -85,9 +88,7 @@ jobs: # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - name: Setup Terraform uses: hashicorp/setup-terraform@v2 - with: - terraform_wrapper: false - + - name: Authenticate with Google Cloud uses: google-github-actions/auth@v0 with: 
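Review bot: The job-level key added under terraform_plan in the `@@ -77` hunk is spelled `output:`, but GitHub Actions only recognises `outputs:`, so `needs.terraform_plan.outputs.exitcode` evaluates to an empty string and the apply job is never selected; the line should read `outputs:`. The `@@ -85` hunk of the same commit drops `terraform_wrapper: false`, which is what makes `steps.plan.outputs.exitcode` exist at all, and nothing records that; a comment on the Setup Terraform step such as `# wrapper intentionally enabled: it publishes the plan exit code as steps.plan.outputs.exitcode` would keep the next editor from disabling it again.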
@@ -114,17 +115,18 @@ jobs: run: terraform init - name: Terraform Plan + id: plan working-directory: ${{ inputs.working_directory }} run: | if [ "${{inputs.terraform_workspace}}" != "" ]; then terraform workspace select ${{inputs.terraform_workspace}} fi echo '```' >> $GITHUB_STEP_SUMMARY - terraform plan ${{inputs.terraform_options}} -input=false -no-color | grep -v 'Refreshing state...' | tee -a $GITHUB_STEP_SUMMARY + terraform plan ${{inputs.terraform_options}} -input=false -no-color -detailed-exitcode | grep -v 'Refreshing state...' | tee -a $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY - + run_terraform: - if: github.ref == 'refs/heads/main' + if: github.ref == 'refs/heads/main' && needs.terraform_plan.outputs.exitcode == 2 needs: [terraform_check, terraform_plan] name: Terraform Apply runs-on: ${{ inputs.runner }} @@ -145,7 +147,7 @@ jobs: uses: hashicorp/setup-terraform@v2 with: terraform_wrapper: false - + - name: Authenticate with Google Cloud uses: google-github-actions/auth@v0 with: From 98801388d93d41ed2c2cdf0a5164b20d9e1c1849 Mon Sep 17 00:00:00 2001 From: Espen Henriksen Date: Thu, 14 Jul 2022 11:00:08 +0200 Subject: [PATCH 02/14] Add deploy_on option --- .github/workflows/run-terraform.yml | 5 ++++- README.md | 7 ++++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/run-terraform.yml b/.github/workflows/run-terraform.yml index 0c169b0d..56f330a3 100644 --- a/.github/workflows/run-terraform.yml +++ b/.github/workflows/run-terraform.yml @@ -12,6 +12,9 @@ on: runner: required: true type: string + deploy_on: + type: string + default: 'refs/heads/main' working_directory: type: string project_id: 
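Review bot: The plan step's new `-detailed-exitcode` flag makes terraform exit 2 whenever the plan contains changes, but the pipeline runs under the job's default `shell: bash`, which GitHub expands to `bash -e -o pipefail`, so a 2 from the wrapper aborts the step before the closing `echo` and the job reports failure instead of exposing the code. Separately, the rewritten plan line still expands `${{inputs.terraform_options}}` straight into the shell script, where caller-supplied text is parsed as shell syntax; passing it through `env:` (`TF_OPTIONS: ${{ inputs.terraform_options }}` on the step and `terraform plan $TF_OPTIONS -input=false ...` in the script) keeps the expansion out of the script body. The workspace-select lines above carry the same pattern but are unchanged context.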
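Review bot: The new `deploy_on` input has no `description:`, so callers of the reusable workflow learn what it gates only from the README; add `description: Git ref that is allowed to run terraform apply; other refs stop after check and plan.` next to the default. The README row added in this commit also states the default as `refs/head/main`, which does not match the `'refs/heads/main'` default set here.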
@@ -126,7 +129,7 @@ jobs: echo '```' >> $GITHUB_STEP_SUMMARY run_terraform: - if: github.ref == 'refs/heads/main' && needs.terraform_plan.outputs.exitcode == 2 + if: github.ref == inputs.deploy_on && needs.terraform_plan.outputs.exitcode == 2 needs: [terraform_check, terraform_plan] name: Terraform Apply runs-on: ${{ inputs.runner }} diff --git a/README.md b/README.md index 222d3a74..f050b104 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ This workflow plans and applies terraform config to deploy to an environment. jobs: dev: name: Deploy to dev - permissions: + permissions: id-token: write contents: read uses: kartverket/github-workflows/.github/workflows/run-terraform.yml@v2 @@ -50,14 +50,14 @@ jobs: steps: - name: set outputs with default values id: set-output - run: | + run: | echo "::set-output name=workload_identity_provider::${{ env.WORKLOAD_IDENTITY_FEDERATION_PROVIDER }}" echo "::set-output name=service_account::${{ env.WORKLOAD_IDENTITY_FEDERATION_SERVICE_ACCOUNT }}" echo "::set-output name=project_id::${{ env.PROJECT_ID }}" dev: name: Deploy to dev needs: setup-env - permissions: + permissions: id-token: write contents: read uses: kartverket/github-workflows/.github/workflows/run-terraform.yml@v2 
@@ -95,6 +95,7 @@ this role. | workload_identity_provider | string | X | The ID of the provider to use for authentication. It should be in the format of `projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}` | | service_account | string | X | The GCP service account connected to the identity pool that will be used by Terraform. | | runner | string | X | The GitHub runner to use when running the deploy. This can for example be `atkv1-dev`. | +| deploy_on | string | | Which branch will be the only branch allowed to deploy. This defaults to the main branch so that other branches only run check and plan. Defaults to `refs/head/main`. | | working_directory | string | | The directory in which to run terraform, i.e. where the Terraform files are placed. The path is relative to the root of the repository. | | project_id | string | | The GCP Project ID to use as the "active project" when running Terraform. When deploying to Kubernetes, this must match the project in which the Kubernetes cluster is registered. | | kubernetes_cluster | string | | An optional kubernetes cluster to authenticate to. Note that the project_id must match where the cluster is registered | From d47b10679e85888d3ef55e1d79b9db4621c19ed7 Mon Sep 17 00:00:00 2001 From: Espen Henriksen Date: Thu, 14 Jul 2022 11:06:39 +0200 Subject: [PATCH 03/14] Fix typo --- .github/workflows/run-terraform.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/run-terraform.yml b/.github/workflows/run-terraform.yml index 56f330a3..bb2478e7 100644 --- a/.github/workflows/run-terraform.yml +++ b/.github/workflows/run-terraform.yml @@ -80,7 +80,7 @@ jobs: run: shell: bash - output: + outputs: exitcode: ${{ steps.plan.outputs.exitcode }} steps: From d5efb8bd5cc2143812278043cd6376973fd21810 Mon Sep 17 00:00:00 2001 
From: Espen Henriksen Date: Thu, 14 Jul 2022 11:08:57 +0200 Subject: [PATCH 04/14] Add setup-node step --- .github/workflows/run-terraform.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/run-terraform.yml b/.github/workflows/run-terraform.yml index bb2478e7..cc3190de 100644 --- a/.github/workflows/run-terraform.yml +++ b/.github/workflows/run-terraform.yml @@ -88,6 +88,11 @@ jobs: - name: Checkout uses: actions/checkout@v3 + # Node is required for terraform_wrapper + - uses: actions/setup-node@v3 + with: + node-version: 16 + # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - name: Setup Terraform uses: hashicorp/setup-terraform@v2 From 5d924a88d84a1c4409547e13f40337e0e934e222 Mon Sep 17 00:00:00 2001 From: Espen Henriksen Date: Thu, 14 Jul 2022 12:10:28 +0200 Subject: [PATCH 05/14] Handle exit code manually --- .github/workflows/run-terraform.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/run-terraform.yml b/.github/workflows/run-terraform.yml index cc3190de..d1bdafdb 100644 --- a/.github/workflows/run-terraform.yml +++ b/.github/workflows/run-terraform.yml 
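Review bot: The comment above the new setup-node step says only that node is required for terraform_wrapper, which on a GitHub-hosted runner reads as redundant since node is already present; it should state why the step exists here. Presumably the motivation is the self-hosted runners selected via `inputs.runner`, which may not ship node, so something like `# The terraform_wrapper shim is a node script invoked from PATH; self-hosted runners may not provide node` captures that. The identical step is re-added in the `@@ -88` hunk of patch 12 and would benefit from the same comment.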
@@ -125,13 +125,21 @@ jobs: - name: Terraform Plan id: plan working-directory: ${{ inputs.working_directory }} + # Terraform will return exit code 2 when there are changes with -detailed-exitcode + # Using default bash shell includes -e which exits script on non-0 exit codes + # Override bash shell to allow other exit codes and check manually + shell: bash {0} -o pipefail run: | if [ "${{inputs.terraform_workspace}}" != "" ]; then terraform workspace select ${{inputs.terraform_workspace}} fi echo '```' >> $GITHUB_STEP_SUMMARY terraform plan ${{inputs.terraform_options}} -input=false -no-color -detailed-exitcode | grep -v 'Refreshing state...' | tee -a $GITHUB_STEP_SUMMARY + exitcode=$? echo '```' >> $GITHUB_STEP_SUMMARY + if [ $exitcode > 0 && $exitcode != 2 ]; then + exit $exitcode + fi run_terraform: if: github.ref == inputs.deploy_on && needs.terraform_plan.outputs.exitcode == 2 From 3e46d449e3860525d037de0825966f51b320997b Mon Sep 17 00:00:00 2001 From: Espen Henriksen Date: Thu, 14 Jul 2022 12:13:53 +0200 Subject: [PATCH 06/14] Exitcode is actually a string --- .github/workflows/run-terraform.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/run-terraform.yml b/.github/workflows/run-terraform.yml index d1bdafdb..63c07f71 100644 --- a/.github/workflows/run-terraform.yml +++ b/.github/workflows/run-terraform.yml @@ -142,7 +142,7 @@ jobs: fi run_terraform: - if: github.ref == inputs.deploy_on && needs.terraform_plan.outputs.exitcode == 2 + if: github.ref == inputs.deploy_on && needs.terraform_plan.outputs.exitcode == '2' needs: [terraform_check, terraform_plan] name: Terraform Apply runs-on: ${{ inputs.runner }} From 55b3a19edeb841f3799bb98af2ec4fb5e70a369e Mon Sep 17 00:00:00 2001 From: Espen Henriksen Date: Thu, 14 Jul 2022 12:20:01 +0200 Subject: [PATCH 07/14] Double bracket if test --- .github/workflows/run-terraform.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
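Review bot: The new `shell: bash {0} -o pipefail` line does not enable pipefail: bash stops option parsing at the first non-option argument, so `-o pipefail` is handed to the script as positional parameters, `$?` after the pipeline is tee's exit status, and `exitcode` is 0 even when terraform returns 2. The order must be `shell: bash -o pipefail {0}`. The added `if [ $exitcode > 0 && $exitcode != 2 ]` is also broken inside single brackets, where `>` is a redirection (it creates a file named `0`) and `&&` terminates the command; `if [ "$exitcode" -ne 0 ] && [ "$exitcode" -ne 2 ]; then` is the equivalent test.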
diff --git a/.github/workflows/run-terraform.yml b/.github/workflows/run-terraform.yml index 63c07f71..fc5b559b 100644 --- a/.github/workflows/run-terraform.yml +++ b/.github/workflows/run-terraform.yml @@ -137,7 +137,7 @@ jobs: terraform plan ${{inputs.terraform_options}} -input=false -no-color -detailed-exitcode | grep -v 'Refreshing state...' | tee -a $GITHUB_STEP_SUMMARY exitcode=$? echo '```' >> $GITHUB_STEP_SUMMARY - if [ $exitcode > 0 && $exitcode != 2 ]; then + if [[ $exitcode > 0 && $exitcode != 2 ]]; then exit $exitcode fi From cfd3176e6bae4f98d3df7ff666a40b545d0b63c4 Mon Sep 17 00:00:00 2001 From: Espen Henriksen Date: Thu, 14 Jul 2022 12:31:24 +0200 Subject: [PATCH 08/14] Use pre-release 2.1.0 setup-terraform --- .github/workflows/run-terraform.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/.github/workflows/run-terraform.yml b/.github/workflows/run-terraform.yml index fc5b559b..1a0251f4 100644 --- a/.github/workflows/run-terraform.yml +++ b/.github/workflows/run-terraform.yml @@ -81,21 +81,20 @@ jobs: shell: bash outputs: - exitcode: ${{ steps.plan.outputs.exitcode }} + planHasChanges: ${{ steps.plan.outputs.planHasChanges }} steps: # Checkout the repository to the GitHub Actions runner - name: Checkout uses: actions/checkout@v3 - # Node is required for terraform_wrapper - - uses: actions/setup-node@v3 - with: - node-version: 16 - # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 + # Change to v2.1.0 when released. We require the below fix: + # https://github.com/hashicorp/setup-terraform/pull/125 + uses: hashicorp/setup-terraform@78ea3ac2fbe8fe4dab277d1cbd1e6435a91a49cc + with: + terraform_wrapper: false - name: Authenticate with Google Cloud uses: google-github-actions/auth@v0 
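Review bot: Inside `[[ ]]` the `>` in the changed line is a lexicographic string comparison, not a numeric one, so `$exitcode > 0` means "sorts after the string 0"; it happens to hold for single-digit codes but `-gt` states the intent: `if [[ $exitcode -gt 0 && $exitcode -ne 2 ]]; then`. The `elif [[ $exitcode > 0 ]]` introduced in the `@@ -137` hunk of patch 08 has the same issue.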
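Review bot: The Setup Terraform step is now pinned to a full commit SHA with a comment explaining why, which is the right supply-chain posture, but `actions/checkout@v3` in the same hunk and `google-github-actions/auth@v0` just below it still float on mutable tags; pinning those the same way, with a `# vX.Y.Z` comment naming the tag, makes the workflow consistent and protects against a retagged action. It is also worth stating in the comment that `terraform_wrapper: false` is deliberate: with the wrapper off the plan step must compute `planHasChanges` itself, which is what the `@@ -137` hunk does, and the toggling of this key across the series shows the intent is easy to lose.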
@@ -137,12 +136,14 @@ jobs: terraform plan ${{inputs.terraform_options}} -input=false -no-color -detailed-exitcode | grep -v 'Refreshing state...' | tee -a $GITHUB_STEP_SUMMARY exitcode=$? echo '```' >> $GITHUB_STEP_SUMMARY - if [[ $exitcode > 0 && $exitcode != 2 ]]; then + if [[ $exitcode == 2 ]]; then + echo '::set-output name=planHasChanges::true' + elif [[ $exitcode > 0 ]]; then exit $exitcode fi run_terraform: - if: github.ref == inputs.deploy_on && needs.terraform_plan.outputs.exitcode == '2' + if: github.ref == inputs.deploy_on && needs.terraform_plan.outputs.planHasChanges == 'true' needs: [terraform_check, terraform_plan] name: Terraform Apply runs-on: ${{ inputs.runner }} From 72ff3d9aa49f9f881aa9e104fb8f3f1a27c2e58f Mon Sep 17 00:00:00 2001 From: Espen Henriksen Date: Thu, 14 Jul 2022 12:46:05 +0200 Subject: [PATCH 09/14] Use -eq syntax in if test --- .github/workflows/run-terraform.yml | 9 +++++---- README.md | 6 ++---- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/run-terraform.yml b/.github/workflows/run-terraform.yml index 1a0251f4..21793ccd 100644 --- a/.github/workflows/run-terraform.yml +++ b/.github/workflows/run-terraform.yml @@ -126,7 +126,7 @@ jobs: working-directory: ${{ inputs.working_directory }} # Terraform will return exit code 2 when there are changes with -detailed-exitcode # Using default bash shell includes -e which exits script on non-0 exit codes - # Override bash shell to allow other exit codes and check manually + # Override bash shell to allow other exit codes and check manually for code 2 shell: bash {0} -o pipefail run: | if [ "${{inputs.terraform_workspace}}" != "" ]; then 
@@ -136,14 +136,15 @@ jobs: terraform plan ${{inputs.terraform_options}} -input=false -no-color -detailed-exitcode | grep -v 'Refreshing state...' | tee -a $GITHUB_STEP_SUMMARY exitcode=$? echo '```' >> $GITHUB_STEP_SUMMARY - if [[ $exitcode == 2 ]]; then + if [[ $exitcode -eq 2 ]]; then echo '::set-output name=planHasChanges::true' - elif [[ $exitcode > 0 ]]; then + else exit $exitcode fi run_terraform: - if: github.ref == inputs.deploy_on && needs.terraform_plan.outputs.planHasChanges == 'true' + #if: github.ref == inputs.deploy_on && needs.terraform_plan.outputs.planHasChanges == 'true' + if: needs.terraform_plan.outputs.planHasChanges == 'true' needs: [terraform_check, terraform_plan] name: Terraform Apply runs-on: ${{ inputs.runner }} diff --git a/README.md b/README.md index f050b104..68af1f93 100644 --- a/README.md +++ b/README.md @@ -35,8 +35,7 @@ provide an output that can be mapped to the arguments of the job.
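Review bot: The replacement `if:` on run_terraform drops the `github.ref == inputs.deploy_on` half of the condition, so while this commit is in effect terraform apply runs from any branch or PR ref whose plan has changes, against the environment's real state. The commit message calls it a testing step and patch 13 restores the gate, but a temporary removal of an authorization-style guard in a shared reusable workflow belongs on a test branch rather than in the main history; if it must be committed, a `# TEMPORARY: ref gate disabled for testing, restore before release` comment instead of a bare commented-out line makes the state visible to anyone who happens to reference this revision.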
Click here to see an example of this -
-env:
+
env:
   WORKLOAD_IDENTITY_FEDERATION_PROVIDER: X
   WORKLOAD_IDENTITY_FEDERATION_SERVICE_ACCOUNT: X
   PROJECT_ID: X
@@ -70,8 +69,7 @@ jobs:
       working_directory: terraform
       workload_identity_provider: ${{ needs.setup-env.outputs.workload_identity_provider }}
       service_account: ${{ needs.setup-env.outputs.service_account }}
-      project_id: ${{ needs.setup-env.outputs.project_id }}
-
+ project_id: ${{ needs.setup-env.outputs.project_id }}
### Passing secrets to run-terraform From b5e0800a60fa9c2f345754396c8b5dbc77540e3d Mon Sep 17 00:00:00 2001 From: Espen Henriksen Date: Thu, 14 Jul 2022 12:54:41 +0200 Subject: [PATCH 10/14] Use exitcode output with newer wrapper version --- .github/workflows/run-terraform.yml | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/.github/workflows/run-terraform.yml b/.github/workflows/run-terraform.yml index 21793ccd..b2f7c52b 100644 --- a/.github/workflows/run-terraform.yml +++ b/.github/workflows/run-terraform.yml @@ -80,8 +80,8 @@ jobs: run: shell: bash - outputs: - planHasChanges: ${{ steps.plan.outputs.planHasChanges }} + output: + exitcode: ${{ steps.plan.outputs.exitcode }} steps: # Checkout the repository to the GitHub Actions runner @@ -93,8 +93,6 @@ jobs: # Change to v2.1.0 when released. We require the below fix: # https://github.com/hashicorp/setup-terraform/pull/125 uses: hashicorp/setup-terraform@78ea3ac2fbe8fe4dab277d1cbd1e6435a91a49cc - with: - terraform_wrapper: false - name: Authenticate with Google Cloud uses: google-github-actions/auth@v0 
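Review bot: The `@@ -80` hunk reintroduces the `output:` typo fixed in patch 03; GitHub Actions only reads `outputs:`, so `needs.terraform_plan.outputs.exitcode` is empty and run_terraform is never selected until patch 11 corrects it again. Since the same key has now been mistyped twice, a line such as `# job outputs consumed by run_terraform.if` above it documents the dependency. The `@@ -93` hunk removing `terraform_wrapper: false` re-enables the wrapper that produces `steps.plan.outputs.exitcode`; a comment on the step saying so would stop the next contributor from toggling it yet again.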
@@ -124,27 +122,17 @@ jobs: - name: Terraform Plan id: plan working-directory: ${{ inputs.working_directory }} - # Terraform will return exit code 2 when there are changes with -detailed-exitcode - # Using default bash shell includes -e which exits script on non-0 exit codes - # Override bash shell to allow other exit codes and check manually for code 2 - shell: bash {0} -o pipefail run: | if [ "${{inputs.terraform_workspace}}" != "" ]; then terraform workspace select ${{inputs.terraform_workspace}} fi echo '```' >> $GITHUB_STEP_SUMMARY terraform plan ${{inputs.terraform_options}} -input=false -no-color -detailed-exitcode | grep -v 'Refreshing state...' | tee -a $GITHUB_STEP_SUMMARY - exitcode=$? echo '```' >> $GITHUB_STEP_SUMMARY - if [[ $exitcode -eq 2 ]]; then - echo '::set-output name=planHasChanges::true' - else - exit $exitcode - fi run_terraform: #if: github.ref == inputs.deploy_on && needs.terraform_plan.outputs.planHasChanges == 'true' - if: needs.terraform_plan.outputs.planHasChanges == 'true' + if: needs.terraform_plan.outputs.exitcode == '2' needs: [terraform_check, terraform_plan] name: Terraform Apply runs-on: ${{ inputs.runner }} From 6164df79738ddef8adfd22d19db50f779b6e4161 Mon Sep 17 00:00:00 2001 From: Espen Henriksen Date: Thu, 14 Jul 2022 12:55:40 +0200 Subject: [PATCH 11/14] Fix typo --- .github/workflows/run-terraform.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/run-terraform.yml b/.github/workflows/run-terraform.yml index b2f7c52b..421e2bed 100644 --- a/.github/workflows/run-terraform.yml +++ b/.github/workflows/run-terraform.yml @@ -80,7 +80,7 @@ jobs: run: shell: bash - output: + outputs: exitcode: ${{ steps.plan.outputs.exitcode }} steps: From ce64fab083620448766e24e97aab858c63a22ec5 Mon Sep 17 00:00:00 2001 From: Espen Henriksen Date: Thu, 14 Jul 2022 12:57:21 +0200 Subject: [PATCH 12/14] Setup node --- .github/workflows/run-terraform.yml | 5 +++++ 1 file changed, 5 insertions(+) 
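Review bot: With the manual exit-code handling removed, the plan step runs `terraform ... -detailed-exitcode` under the default `bash -e -o pipefail`, so the step only survives a plan with changes if the pinned wrapper maps terraform's exit code 2 to a zero process exit while still publishing `exitcode=2` — presumably the fix the setup-terraform comment cites, but nothing in the workflow records that assumption. A comment on the plan step such as `# relies on the pinned setup-terraform wrapper returning 0 for exit code 2 and exposing it as steps.plan.outputs.exitcode` would make the coupling explicit before the action is bumped back to a release tag. In the unlikely case that `grep -v 'Refreshing state...'` filters every line it exits 1, which pipefail turns into a step failure; `grep -v 'Refreshing state...' || true` avoids that.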
diff --git a/.github/workflows/run-terraform.yml b/.github/workflows/run-terraform.yml index 421e2bed..25e1baee 100644 --- a/.github/workflows/run-terraform.yml +++ b/.github/workflows/run-terraform.yml @@ -88,6 +88,11 @@ jobs: - name: Checkout uses: actions/checkout@v3 + # Node is required for terraform_wrapper + - uses: actions/setup-node@v3 + with: + node-version: 16 + # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - name: Setup Terraform # Change to v2.1.0 when released. We require the below fix: From be092db27b02267652f3e84882f50666ba6a6b2b Mon Sep 17 00:00:00 2001 From: Espen Henriksen Date: Thu, 14 Jul 2022 13:25:49 +0200 Subject: [PATCH 13/14] Add proper if-test back after testing --- .github/workflows/run-terraform.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/run-terraform.yml b/.github/workflows/run-terraform.yml index 25e1baee..64aebd4c 100644 --- a/.github/workflows/run-terraform.yml +++ b/.github/workflows/run-terraform.yml @@ -136,8 +136,7 @@ jobs: echo '```' >> $GITHUB_STEP_SUMMARY run_terraform: - #if: github.ref == inputs.deploy_on && needs.terraform_plan.outputs.planHasChanges == 'true' - if: needs.terraform_plan.outputs.exitcode == '2' + if: github.ref == inputs.deploy_on && needs.terraform_plan.outputs.exitcode == '2' needs: [terraform_check, terraform_plan] name: Terraform Apply runs-on: ${{ inputs.runner }} From 877a6fb4b1d8f41c081f8fe24f2f471f97a91337 Mon Sep 17 00:00:00 2001 From: Espen Henriksen Date: Thu, 14 Jul 2022 13:50:21 +0200 Subject: [PATCH 14/14] Update README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 68af1f93..2380676f 100644 --- a/README.md +++ b/README.md 
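Review bot: The restored gate makes a missing plan output indistinguishable from "no changes": if `steps.plan.outputs.exitcode` is ever empty (wrapper disabled again, or the plan step skipped), the condition is false and run_terraform is silently skipped while the workflow stays green. A final step in terraform_plan such as `- run: test -n "${{ steps.plan.outputs.exitcode }}"` turns that into a visible failure. A comment on this `if` naming the contract (`# apply only on the configured ref and only when plan reported changes (exit code 2)`) is also worthwhile, given that the line was temporarily altered in patch 09.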
@@ -59,7 +59,7 @@ jobs: permissions: id-token: write contents: read - uses: kartverket/github-workflows/.github/workflows/run-terraform.yml@v2 + uses: kartverket/github-workflows/.github/workflows/run-terraform.yml@v2.1 with: runner: atkv1-dev environment: dev