Skip to content

pull-plan-prod-terraform #3233

pull-plan-prod-terraform

pull-plan-prod-terraform #3233

name: Pull Plan Prod Terraform
run-name: pull-plan-prod-terraform
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
on: # runs on main
pull_request_target:
types: [opened, edited, synchronize, reopened, ready_for_review]
branches:
- main
paths:
- "**.tf"
- "**.tfvars"
- "**.yaml"
- "**.yml"
jobs:
pull-plan-prod-terraform:
permissions:
contents: "read" # needed for gcp_auth
id-token: "write" # needed for gcp_auth to create id token
issues: "write" # needed for tfcmt to post comments
pull-requests: "write" # needed for tfcmt to post comments
runs-on: ubuntu-latest
steps:
- name: Checkout
id: checkout
uses: actions/checkout@v4
with:
ref: "refs/pull/${{ github.event.number }}/merge"
fetch-depth: 50
# Important security check: https://github.com/actions/checkout/issues/518
- name: Sanity check
id: sanity-check
run: |
[[ "$(git rev-parse 'HEAD^1')" == "${{ github.event.pull_request.head.sha }}" || "$(git rev-parse 'HEAD^2')" == "${{ github.event.pull_request.head.sha }}" ]]
- name: Wait for other terraform executions
id: wait_for_terraform
uses: ahmadnassri/action-workflow-queue@0144da6a252d1986d817826d963ad3a9af1e7fdf
- name: Authenticate to GCP
id: gcp_auth
uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ vars.GH_COM_KYMA_PROJECT_GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER }}
service_account: ${{ vars.GCP_TERRAFORM_PLANNER_SERVICE_ACCOUNT_EMAIL }}
- name: Retrieve Terraform Planner github PAT
id: secrets
uses: google-github-actions/get-secretmanager-secrets@v2
with:
secrets: |-
gh-terraform-planner-token:${{ vars.GCP_KYMA_PROJECT_PROJECT_ID }}/${{ vars.GH_TERRAFORM_PLANNER_SECRET_NAME }}
# Build tofu CLI from source until setup-opentofu action will become stable
- name: Download the tofu source
uses: actions/checkout@v4
with:
repository: opentofu/opentofu
path: opentofu
ref: 89ca50f3fe8c5327ec9943e9590bdb7b023fd4eb # v1.6.1
- name: Install tofu tooling
uses: actions/setup-go@v5
with:
go-version-file: opentofu/go.mod
cache-dependency-path: opentofu/go.sum
- name: Prepare the tofu command
working-directory: opentofu
run: |
go build -ldflags "-w -s -X 'github.com/opentofu/opentofu/version.dev=no'" -o bin/ ./cmd/tofu
echo $(pwd)/bin >> $GITHUB_PATH
# - name: Setup Terraform
# id: setup_terraform
# uses: opentofu/setup-opentofu@b06654f7ba51088e987c0a454d042360df3ebe86
- name: Setup GitHub comments
id: setup-github-comment
uses: shmokmt/actions-setup-github-comment@93d9e7c3ea11e473e3061a8dbed8231faea13dea
with:
version: v6.0.2
if: ${{ !cancelled() }}
- name: setup tfcmt
id: setup-tfcmt
uses: shmokmt/actions-setup-tfcmt@0d2b0c4cc4b5edc9c2dfdf7eb0c33ee7b23a7c85
with:
version: v4.7.1
- name: Terraform Init
id: terraform_init
run: tofu -chdir=./configs/terraform/environments/prod init -input=false
- name: Terraform Plan
env:
GITHUB_TOKEN: ${{ steps.secrets.outputs.gh-terraform-planner-token }}
id: terraform_plan
run: tfcmt -owner $GITHUB_REPOSITORY_OWNER -repo ${{ github.event.repository.name }} -pr ${{ github.event.pull_request.number }} -sha ${{ github.event.pull_request.head.sha }} plan -- tofu -chdir=./configs/terraform/environments/prod plan -input=false -no-color -lock-timeout=300s
- name: Hide GitHub comment
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
id: hide-github-comment
run: github-comment hide --org $GITHUB_REPOSITORY_OWNER --repo ${{ github.event.repository.name }} -pr ${{ github.event.pull_request.number }} -sha1 ${{ github.event.pull_request.head.sha }}
if: ${{ !cancelled() }}