Skip to content

[pull] main from kyma-project:main #969

[pull] main from kyma-project:main

[pull] main from kyma-project:main #969

name: pull-validate-service-accounts
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
on:
pull_request:
types: [opened, edited, synchronize, reopened, ready_for_review]
branches:
- main
paths:
- "**.tf"
- "**.tfvars"
- "**.yaml"
- "**.yml"
jobs:
validate-accounts-names:
runs-on: ubuntu-latest
steps:
- name: Checkout
id: checkout
uses: actions/checkout@v4
with:
ref: "refs/pull/${{ github.event.number }}/merge"
fetch-depth: 50
- name: Authenticate to GCP
id: gcp_auth
uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ vars.GH_COM_KYMA_PROJECT_GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER }}
service_account: ${{ vars.GCP_TERRAFORM_PLANNER_SERVICE_ACCOUNT_EMAIL }}
- name: Retrieve Terraform Planner github PAT
id: secrets
uses: google-github-actions/get-secretmanager-secrets@v2
with:
secrets: |-
gh-terraform-planner-token:${{ vars.GCP_KYMA_PROJECT_PROJECT_ID }}/${{ vars.GH_TERRAFORM_PLANNER_SECRET_NAME }}
- name: Setup Terraform
id: setup_terraform
uses: opentofu/setup-opentofu@592200bd4b9bbf4772ace78f887668b1aee8f716
- name: Terraform Init
id: terraform_init
run: tofu -chdir=./configs/terraform/environments/prod init -input=false
- name: Terraform plan
run: tofu -chdir=./configs/terraform/environments/prod plan -input=false -out=plan.out
- name: Convert plan to json
run: tofu -chdir=./configs/terraform/environments/prod show -no-color -json plan.out > plan.json
- name: Validate service account names
run: |
plan_file="plan.json"
if [[ ! -f "$plan_file" ]]; then
echo "File not found: $plan_file"
exit 1
fi
invalid_accounts=0
while read -r account; do
if ! [[ $account =~ ^[a-z] ]]; then
echo "Invalid name for service account: $account"
invalid_accounts=$((++invalid_accounts))
echo $invalid_accounts
fi
done <<<"$(jq -r '
.planned_values.root_module.resources +
(.planned_values.root_module.child_modules | map(.resources) | add) |
.[] |
select(.type == "google_service_account") |
.name' "$plan_file")"
if [[ $invalid_accounts -ne 0 ]]; then
echo "$invalid_accounts invalid service account names found."
exit 1
else
echo "All service account names are valid."
fi