Infra deploy #20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Infra deploy | |
on: | |
# Allows you to run this workflow manually from the Actions tab | |
workflow_dispatch: | |
inputs: | |
destroy: | |
type: boolean | |
description: Destroy environment? | |
required: true | |
default: false | |
pull_request: | |
paths: | |
- infra/** | |
env: | |
tf_actions_working_dir: infra | |
permissions: | |
id-token: write # required for workload-identity-federation | |
contents: read # for actions/checkout to fetch code | |
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
jobs: | |
plan: | |
name: Terraform plan | |
runs-on: ubuntu-latest | |
environment: tfplan | |
defaults: | |
run: | |
working-directory: ${{ env.tf_actions_working_dir }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Log in to Azure using OIDC | |
uses: Azure/login@v2 | |
with: | |
client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
- name: Setup Terraform | |
uses: hashicorp/setup-terraform@v3 | |
- name: Setup TFLint | |
uses: terraform-linters/setup-tflint@v4 | |
- name: Terraform fmt | |
id: fmt | |
run: terraform fmt -check | |
continue-on-error: true | |
- name: Terraform Init | |
id: init | |
run: terraform init -backend-config="storage_account_name=$STORAGE_ACCOUNT" -backend-config="container_name=$CONTAINER_NAME" -backend-config="resource_group_name=$RESOURCE_GROUP" | |
env: | |
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
ARM_USE_OIDC: true | |
RESOURCE_GROUP: ${{ secrets.RESOURCE_GROUP }} | |
STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }} | |
CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }} | |
- name: Terraform Validate | |
id: validate | |
run: terraform validate -no-color | |
- name: Init TFLint | |
run: tflint --init | |
- name: Run TFLint | |
run: tflint -f compact | |
- name: Calculate destroy arg | |
id: destroy_arg | |
run: | | |
if [ $DESTROY == "true" ]; then | |
echo "::set-output name=val::-destroy" | |
else | |
echo "::set-output name=val:: " | |
fi | |
env: | |
DESTROY: ${{ github.event.inputs.destroy }} | |
# Run Checkov against configuration | |
- name: Checkov | |
id: checkov | |
uses: bridgecrewio/checkov-action@master | |
with: | |
quiet: true | |
framework: terraform | |
container_user: 1000 | |
output_format: github_failed_only | |
soft_fail: false | |
skip_check: CKV_AZURE_88,CKV_AZURE_71,CKV_AZURE_16,CKV_AZURE_80,CKV_AZURE_63,CKV_AZURE_18,CKV_AZURE_65,CKV_AZURE_17,CKV_AZURE_13,CKV_AZURE_78,CKV_AZURE_66,CKV_AZURE_44,CKV_AZURE_35,CKV_AZURE_43,CKV_AZURE_33,CKV_AZURE_3,CKV2_AZURE_1,CKV2_AZURE_18,CKV2_AZURE_8,CKV2_AZURE_21,CKV_GIT_4,CKV_AZURE_59,CKV_AZURE_190,CKV_AZURE_50,CKV2_AZURE_41,CKV_AZURE_119,CKV2_AZURE_47,CKV2_AZURE_40 | |
- name: Terraform Plan | |
id: plan | |
run: terraform plan $DESTROY -no-color --out=out.tfplan | |
env: | |
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
ARM_USE_OIDC: true | |
DESTROY: ${{ steps.destroy_arg.outputs.val }} | |
- name: Create the plan summary | |
uses: actions/github-script@v7 | |
if: always() | |
id: summary | |
env: | |
PLAN: '${{ steps.plan.outputs.stdout }}' | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
// 1. Prep the output | |
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` | |
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` | |
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\` | |
<details><summary>Validation Output</summary> | |
\`\`\`\n | |
${{ steps.validate.outputs.stdout }} | |
\`\`\` | |
</details> | |
#### Checkov 🧪\`${{ steps.checkov.outcome }}\` | |
<details><summary>Show Checkov Results</summary> | |
${process.env.CHECKOV_RESULTS} | |
</details> | |
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\` | |
<details><summary>Show Plan</summary> | |
\`\`\`\n | |
${process.env.PLAN} | |
\`\`\` | |
</details> | |
*Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`; | |
// 2. Set the output variable | |
const fs = require('fs'); | |
fs.writeFileSync('${{ env.tf_actions_working_dir }}/summary.md', output); | |
core.setOutput('summary', output); | |
- name: Write the step summary | |
if: always() | |
run: cat summary.md >> $GITHUB_STEP_SUMMARY | |
- name: Upload the plan | |
uses: actions/upload-artifact@v4 | |
with: | |
name: tf-plan | |
path: ${{ env.tf_actions_working_dir }}/out.tfplan | |
- name: Publish plan as a status | |
if: github.event_name == 'pull_request' | |
uses: guibranco/github-status-action-v2@v1 | |
with: | |
authToken: ${{ secrets.GITHUB_TOKEN }} | |
state: ${{ steps.summary.outputs.summary }} | |
context: Terraform Plan | |
description: Terraform Plan Summary | |
sha: ${{ github.event.pull_request.head.sha }} | |
apply: | |
name: Terraform apply | |
needs: [ plan ] | |
runs-on: ubuntu-latest | |
environment: dev | |
defaults: | |
run: | |
working-directory: ${{ env.tf_actions_working_dir }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Log in to Azure using OIDC | |
uses: azure/login@v2 | |
with: | |
client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
- name: Setup Terraform | |
uses: hashicorp/setup-terraform@v3 | |
- name: Terraform Init | |
id: init | |
run: terraform init -backend-config="storage_account_name=$STORAGE_ACCOUNT" -backend-config="container_name=$CONTAINER_NAME" -backend-config="resource_group_name=$RESOURCE_GROUP" | |
env: | |
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
ARM_USE_OIDC: true | |
RESOURCE_GROUP: ${{ secrets.RESOURCE_GROUP }} | |
STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }} | |
CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }} | |
- name: Download the plan | |
uses: actions/download-artifact@v4 | |
with: | |
name: tf-plan | |
path: ${{ env.tf_actions_working_dir }} | |
- name: Apply the plan | |
id: apply | |
run: terraform apply -no-color -auto-approve out.tfplan | |
env: | |
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
ARM_USE_OIDC: true | |
- name: Create the plan summary | |
uses: actions/github-script@v7 | |
if: always() | |
id: summary | |
env: | |
APPLY: '${{ steps.apply.outputs.stdout }}' | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
// 1. Prep the output | |
const output = `#### Terraform Apply 🚗\`${{ steps.apply.outcome }}\` | |
<details><summary>Show details</summary> | |
\`\`\`\n | |
${process.env.APPLY} | |
\`\`\` | |
</details> | |
*Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`; | |
// 2. Set the output variable | |
const fs = require('fs'); | |
fs.writeFileSync('${{ env.tf_actions_working_dir }}/summary.md', output); | |
core.setOutput('summary', output); | |
- name: Write the step summary | |
if: always() | |
run: cat summary.md >> $GITHUB_STEP_SUMMARY | |
- name: Publish apply as a status | |
if: github.event_name == 'pull_request' | |
uses: guibranco/github-status-action-v2@v1 | |
with: | |
authToken: ${{ secrets.GITHUB_TOKEN }} | |
state: ${{ steps.summary.outputs.summary }} | |
context: Terraform Plan | |
description: Terraform Plan Summary | |
sha: ${{ github.event.pull_request.head.sha }} |