feat: add tf-account to support multiple customers

.github/workflows/tf-account.yaml

@@ -0,0 +1,218 @@
+name: Run terraform on account repo
+on:
+  workflow_call:
+    secrets:
+      AWS_ROLE_TO_ASSUME:
+        required: true
+      AWS_REGION:
+        required: true
+      TF_BACKEND_S3_BUCKET:
+        required: true
+      TF_BACKEND_S3_KEY:
+        required: true
+      TF_BACKEND_S3_REGION:
+        required: true
+      TS_OAUTH_CLIENT_ID:
+        required: false
+      TS_OAUTH_SECRET:
+        required: false
+
+    inputs:
+      terraform-version:
+        description: 'Terraform version'
+        required: false
+        type: string
+        default: '1.5.4'
+      tailscale-tags:
+        required: false
+        type: string
+      https-proxy:
+        required: false
+        type: string
+      no-proxy:
+        required: false
+        type: string
+      customers:
+        required: true
+        type: string 
+        description: YAML file of customers to apply TF-Account Config to 
+
+jobs: 
+  build_matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.yaml2json.outputs.output }}
+    steps:         
+      - name: Checkout
+        uses: actions/checkout@v3           
+      - name: Convert customer yaml to json
+        uses: fabasoad/data-format-converter-action@main
+        id: yaml2json
+        with:
+          input: ${{ github.workspace }}/${{ inputs.customers }} 
+          from: "yaml"
+          to: "json"
+
+  terraform:
+    name: 'Run terraform - ${{ matrix.customers.name }}' 
+    runs-on: ubuntu-latest
+    # Needed to interact with Github's OIDC token
+    permissions:
+      id-token: write
+      contents: write
+      pull-requests: write
+    strategy:
+      fail-fast: false      
+      matrix: ${{ fromJson(needs.build_matrix.outputs.matrix) }}    
+    needs:
+      - build_matrix
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: ${{ inputs.terraform-version }}
+
+      - name: Tailscale
+        uses: tailscale/github-action@v2
+        # a tailscale oauth client requires tags
+        if: inputs.tailscale-tags != ''
+        with:
+          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
+          tags: ${{ inputs.tailscale-tags }}
+
+      - name: Config Proxy Environment Variables
+        if: inputs.https-proxy != ''
+        # intermediate variables to avoid injection attack
+        # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+        env:
+          HTTPS_PROXY: ${{ inputs.https-proxy }}
+          NO_PROXY: ${{ inputs.no-proxy }}
+        run: |
+          printf "HTTPS_PROXY=%s\n" "$HTTPS_PROXY" >> "$GITHUB_ENV"
+          printf "NO_PROXY=%s\n" "$NO_PROXY" >> "$GITHUB_ENV"  
+
+      - name: Create Override file (non-default customer)
+        if: matrix.customers.name != 'default'
+        shell: bash 
+        run: |
+            echo "::debug::${{ toJson(matrix) }}"
+            sudo apt-get install --quiet=2 --assume-yes jo
+            if [ -n "${{ matrix.customers.user_email }}" ] && [ -n "${{matrix.customers.user_password_actions_secret_name}}" ]; then
+                jo -p provider=$(jo \
+                    observe[]=$(jo \
+                    customer=${{ matrix.customers.customer }} \
+                    domain=${{ matrix.customers.domain }} \
+                    user_email=${{ matrix.customers.user_email }} \
+                    user_password=${{secrets[matrix.customers.user_password_actions_secret_name]}}))
+            else
+                jo -p provider=$(jo \
+                    observe[]=$(jo \
+                    customer=${{ matrix.customers.customer }} \
+                    domain=${{ matrix.customers.domain }}))
+            fi > override.tf.json                        
+
+      - name: Terraform Format
+        id: fmt
+        run: terraform fmt -check
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          role-session-name: ${{ github.sha }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Terraform Init
+        id: init
+        run: |
+          terraform init -no-color \
+            -backend-config="bucket=${{ secrets.TF_BACKEND_S3_BUCKET }}" \
+            -backend-config="key=${{ secrets.TF_BACKEND_S3_KEY }}" \
+            -backend-config="region=${{ secrets.TF_BACKEND_S3_REGION }}" \
+            -backend-config="workspace_key_prefix=${{ github.event.repository.name }}" 
+
+      - name: Terraform Validate
+        id: validate
+        run: terraform validate -no-color
+
+      - name: Terraform Workspace Configure 
+        id: workspace
+        run: |         
+          terraform workspace select -or-create=true ${{ matrix.customers.name }}      
+          echo "workspace=${{ matrix.customers.name }}" >> $GITHUB_OUTPUT
+
+      - name: Terraform Plan
+        id: plan
+        if: github.event_name == 'pull_request' 
+        run: |
+          path='plan'
+          txt_path='plan.txt'
+          var_file=customers/${{ steps.workspace.outputs.workspace}}.tfvars
+          touch $txt_path && echo "path=${txt_path}" >> $GITHUB_OUTPUT
+          plan_args=()
+          if [ -e "$var_file" ]; then           
+            plan_args+=("-var-file=$var_file") 
+          fi
+          terraform plan "${plan_args[@]}" -no-color -out="$path"
+          terraform show -no-color "$path" > "$txt_path"
+          echo "path=${txt_path}" >> $GITHUB_OUTPUT
+        continue-on-error: true
+
+      - uses: actions/upload-artifact@v3
+        if: steps.plan.outcome == 'success'
+        with:
+          name: plan
+          path: ${{ steps.plan.outputs.path }}
+
+      - name: Add Plan to Job Summary
+        if: steps.plan.outcome == 'success'
+        run: |
+          {
+            echo '# Terraform Plan'
+            echo '```'
+            cat "${{ steps.plan.outputs.path }}"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Create Pull Request Comment
+        uses: actions/github-script@v6
+        if: github.event_name == 'pull_request'
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const fs = require('fs')
+            const MAX_PLAN_LENGTH = 60000 // Max comment length is 65536
+            const plan = '```\n' + fs.readFileSync('${{ steps.plan.outputs.path }}', 'utf8') + '\n```'
+
+            const workflowSummaryURL = '${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}'
+
+            const output = `#### Workspace \`${{ steps.workspace.outputs.workspace}}\`
+            #### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
+            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
+            #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
+            #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
+            <details><summary>Show <a href="${workflowSummaryURL}">Plan</a></summary>
+
+            ${plan.length <= MAX_PLAN_LENGTH ? plan : `_The plan is too large to include in a comment, open the [workflow summary](${workflowSummaryURL}) to view it._`}
+            </details>
+
+            **Pusher**: @${{ github.actor }}, **Action**: \`${{ github.event_name }}\``;
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+
+      - name: Terraform Plan Status
+        if: steps.plan.outcome == 'failure'
+        run: exit 1
+
+      - name: Terraform Apply
+        if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
+        run: terraform apply -auto-approve
+