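---
name: Infra deploy

on:
  # Manual run from the Actions tab. `destroy` flips the plan (and, via the
  # apply job, the apply) into a teardown of the environment.
  workflow_dispatch:
    inputs:
      destroy:
        type: boolean
        description: Destroy environment?
        required: true
        default: false
  # Any PR touching infra/** runs `plan`, and `apply` depends on it, so nothing
  # here limits the apply job to non-PR events; the `dev` environment's protection
  # rules are the only gate. A PR from a branch of this repository (fork PRs get
  # no secrets) can also change what `terraform plan` executes under the
  # OIDC-federated identity, e.g. through provider/data-source code.
  pull_request:
    paths:
      - infra/**

env:
  tf_actions_working_dir: infra

# Token scopes for every job; anything not listed is `none`.
permissions:
  id-token: write    # Azure workload-identity federation (azure/login, ARM_USE_OIDC)
  contents: read     # actions/checkout
  statuses: write    # "Publish ... as a status" steps create commit statuses; without this they get 403
  # NOTE(review): no github/codeql-action/upload-sarif step exists in this
  # workflow; drop the next two scopes unless one is added.
  security-events: write
  actions: read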
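jobs:
  plan:
    name: Terraform plan
    runs-on: ubuntu-latest
    environment: tfplan
    defaults:
      run:
        working-directory: ${{ env.tf_actions_working_dir }}
    steps:
      - uses: actions/checkout@v4

      - name: Log in to Azure using OIDC
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3

      - name: Setup TFLint
        uses: terraform-linters/setup-tflint@v4

      - name: Terraform fmt
        id: fmt
        run: terraform fmt -check
        continue-on-error: true # style only: reported in the summary, never blocks

      # Partial backend config comes from secrets; `-input=false` makes a missing
      # value fail instead of waiting on stdin.
      - name: Terraform Init
        id: init
        run: >-
          terraform init -input=false
          -backend-config="storage_account_name=$STORAGE_ACCOUNT"
          -backend-config="container_name=$CONTAINER_NAME"
          -backend-config="resource_group_name=$RESOURCE_GROUP"
        env:
          ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          ARM_USE_OIDC: 'true'
          RESOURCE_GROUP: ${{ secrets.RESOURCE_GROUP }}
          STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }}
          CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }}

      - name: Terraform Validate
        id: validate
        run: terraform validate -no-color

      - name: Init TFLint
        run: tflint --init

      - name: Run TFLint
        run: tflint -f compact

      # `inputs.destroy` only exists on workflow_dispatch; on pull_request it is
      # empty, so default it rather than evaluating `[ == "true" ]`.
      - name: Calculate destroy arg
        id: destroy_arg
        run: |
          if [ "${DESTROY:-false}" = "true" ]; then
            echo "val=-destroy" >> "$GITHUB_OUTPUT"
          else
            echo "val=" >> "$GITHUB_OUTPUT"
          fi
        env:
          DESTROY: ${{ github.event.inputs.destroy }}

      # Static policy scan of the Terraform configuration.
      - name: Checkov
        id: checkov
        # NOTE(review): `@master` is a mutable ref; pin to a release tag or commit
        # SHA so an upstream change cannot silently alter what runs with this job's
        # credentials. The same applies to the status action below.
        uses: bridgecrewio/checkov-action@master
        with:
          quiet: true
          framework: terraform
          container_user: 1000
          output_format: github_failed_only
          soft_fail: false
          # NOTE(review): every skipped check should carry a one-line reason (here,
          # or as an inline `checkov:skip=` in the .tf file). A flat list like this
          # only grows, and nobody can tell which exceptions are still intended.
          skip_check: CKV_AZURE_88,CKV_AZURE_71,CKV_AZURE_16,CKV_AZURE_80,CKV_AZURE_63,CKV_AZURE_18,CKV_AZURE_65,CKV_AZURE_17,CKV_AZURE_13,CKV_AZURE_78,CKV_AZURE_66,CKV_AZURE_44,CKV_AZURE_35,CKV_AZURE_43,CKV_AZURE_33,CKV_AZURE_3,CKV2_AZURE_1,CKV2_AZURE_18,CKV2_AZURE_8,CKV2_AZURE_21,CKV_GIT_4

      # $DESTROY is deliberately unquoted: it is either "-destroy" or nothing.
      - name: Terraform Plan
        id: plan
        run: terraform plan $DESTROY -input=false -no-color -out=out.tfplan
        env:
          ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          ARM_USE_OIDC: 'true'
          DESTROY: ${{ steps.destroy_arg.outputs.val }}

      # Tool output is handed to the script through env, never `${{ }}`-inlined
      # into the JavaScript: on pull_request the .tf files are PR-controlled and
      # validate/plan messages echo their contents, so inlining them would let a
      # PR inject code into this step (which holds GITHUB_TOKEN). Step outcomes
      # and actor/workflow names are fixed-alphabet values and stay inline.
      - name: Create the plan summary
        uses: actions/github-script@v7
        if: always()
        id: summary
        env:
          VALIDATE: ${{ steps.validate.outputs.stdout }}
          PLAN: ${{ steps.plan.outputs.stdout }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require('fs');
            // One markdown document, written to summary.md for the step summary
            // and exported as the `summary` output.
            const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
            #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
            <details><summary>Validation Output</summary>
            \`\`\`\n
            ${process.env.VALIDATE}
            \`\`\`
            </details>
            <details><summary>Show Checkov Results</summary>
            ${process.env.CHECKOV_RESULTS}
            </details>
            #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
            <details><summary>Show Plan</summary>
            \`\`\`\n
            ${process.env.PLAN}
            \`\`\`
            </details>
            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`;
            fs.writeFileSync('${{ env.tf_actions_working_dir }}/summary.md', output);
            core.setOutput('summary', output);

      - name: Write the step summary
        if: always()
        run: cat summary.md >> "$GITHUB_STEP_SUMMARY"

      # The binary plan is what `apply` executes, and it can carry sensitive
      # values in clear. Anyone who can download this run's artifacts can read
      # it, so fail loudly if it is missing and keep it only as long as needed.
      - name: Upload the plan
        uses: actions/upload-artifact@v4
        with:
          name: tf-plan
          path: ${{ env.tf_actions_working_dir }}/out.tfplan
          if-no-files-found: error
          retention-days: 1

      # `state` must be a commit-status state (success/failure/...), not the
      # markdown summary; derive it from the plan step's outcome.
      - name: Publish plan as a status
        if: github.event_name == 'pull_request'
        uses: guibranco/github-status-action-v2@v1
        with:
          authToken: ${{ secrets.GITHUB_TOKEN }}
          state: ${{ steps.plan.outcome == 'success' && 'success' || 'failure' }}
          context: Terraform Plan
          description: Terraform Plan Summary
          sha: ${{ github.event.pull_request.head.sha }}

  apply:
    name: Terraform apply
    needs: [plan]
    runs-on: ubuntu-latest
    # NOTE(review): this job runs for every event that ran `plan`, including
    # pull requests, and auto-approves whatever out.tfplan holds (a `-destroy`
    # plan included). The `dev` environment's protection rules are the only
    # approval gate, so make sure that environment requires reviewers.
    environment: dev
    defaults:
      run:
        working-directory: ${{ env.tf_actions_working_dir }}
    steps:
      - uses: actions/checkout@v4

      - name: Log in to Azure using OIDC
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3

      # Same partial backend config as the plan job so both jobs address the
      # same remote state; if the backend block in infra/ is fully specified
      # these flags are redundant but harmless.
      - name: Terraform Init
        id: init
        run: >-
          terraform init -input=false
          -backend-config="storage_account_name=$STORAGE_ACCOUNT"
          -backend-config="container_name=$CONTAINER_NAME"
          -backend-config="resource_group_name=$RESOURCE_GROUP"
        env:
          ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          ARM_USE_OIDC: 'true'
          RESOURCE_GROUP: ${{ secrets.RESOURCE_GROUP }}
          STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }}
          CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }}

      - name: Download the plan
        uses: actions/download-artifact@v4
        with:
          name: tf-plan
          path: ${{ env.tf_actions_working_dir }}

      # Applies the saved plan verbatim; Terraform refuses the plan if the
      # configuration or state changed since it was produced.
      - name: Apply the plan
        id: apply
        run: terraform apply -input=false -no-color -auto-approve out.tfplan
        env:
          ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          ARM_USE_OIDC: 'true'

      # Apply output goes through env for the same reason as in the plan job.
      - name: Create the apply summary
        uses: actions/github-script@v7
        if: always()
        id: summary
        env:
          APPLY: ${{ steps.apply.outputs.stdout }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require('fs');
            const output = `#### Terraform Apply 🚗\`${{ steps.apply.outcome }}\`
            <details><summary>Show details</summary>
            \`\`\`\n
            ${process.env.APPLY}
            \`\`\`
            </details>
            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`;
            fs.writeFileSync('${{ env.tf_actions_working_dir }}/summary.md', output);
            core.setOutput('summary', output);

      - name: Write the step summary
        if: always()
        run: cat summary.md >> "$GITHUB_STEP_SUMMARY"

      # Separate status context from the plan so the two results do not
      # overwrite each other on the PR; `state` derived from the apply outcome.
      - name: Publish apply as a status
        if: github.event_name == 'pull_request'
        uses: guibranco/github-status-action-v2@v1
        with:
          authToken: ${{ secrets.GITHUB_TOKEN }}
          state: ${{ steps.apply.outcome == 'success' && 'success' || 'failure' }}
          context: Terraform Apply
          description: Terraform Apply Summary
          sha: ${{ github.event.pull_request.head.sha }}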