[pull] main from kyma-project:main #969
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: pull-validate-service-accounts | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event.pull_request.number }} | |
on: | |
pull_request: | |
types: [opened, edited, synchronize, reopened, ready_for_review] | |
branches: | |
- main | |
paths: | |
- "**.tf" | |
- "**.tfvars" | |
- "**.yaml" | |
- "**.yml" | |
jobs: | |
validate-accounts-names: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
id: checkout | |
uses: actions/checkout@v4 | |
with: | |
ref: "refs/pull/${{ github.event.number }}/merge" | |
fetch-depth: 50 | |
- name: Authenticate to GCP | |
id: gcp_auth | |
uses: google-github-actions/auth@v2 | |
with: | |
workload_identity_provider: ${{ vars.GH_COM_KYMA_PROJECT_GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER }} | |
service_account: ${{ vars.GCP_TERRAFORM_PLANNER_SERVICE_ACCOUNT_EMAIL }} | |
- name: Retrieve Terraform Planner github PAT | |
id: secrets | |
uses: google-github-actions/get-secretmanager-secrets@v2 | |
with: | |
secrets: |- | |
gh-terraform-planner-token:${{ vars.GCP_KYMA_PROJECT_PROJECT_ID }}/${{ vars.GH_TERRAFORM_PLANNER_SECRET_NAME }} | |
- name: Setup Terraform | |
id: setup_terraform | |
uses: opentofu/setup-opentofu@592200bd4b9bbf4772ace78f887668b1aee8f716 | |
- name: Terraform Init | |
id: terraform_init | |
run: tofu -chdir=./configs/terraform/environments/prod init -input=false | |
- name: Terraform plan | |
run: tofu -chdir=./configs/terraform/environments/prod plan -input=false -out=plan.out | |
- name: Convert plan to json | |
run: tofu -chdir=./configs/terraform/environments/prod show -no-color -json plan.out > plan.json | |
- name: Validate service account names | |
run: | | |
plan_file="plan.json" | |
if [[ ! -f "$plan_file" ]]; then | |
echo "File not found: $plan_file" | |
exit 1 | |
fi | |
invalid_accounts=0 | |
while read -r account; do | |
if ! [[ $account =~ ^[a-z] ]]; then | |
echo "Invalid name for service account: $account" | |
invalid_accounts=$((++invalid_accounts)) | |
echo $invalid_accounts | |
fi | |
done <<<"$(jq -r ' | |
.planned_values.root_module.resources + | |
(.planned_values.root_module.child_modules | map(.resources) | add) | | |
.[] | | |
select(.type == "google_service_account") | | |
.name' "$plan_file")" | |
if [[ $invalid_accounts -ne 0 ]]; then | |
echo "$invalid_accounts invalid service account names found." | |
exit 1 | |
else | |
echo "All service account names are valid." | |
fi |