feat(terraform): add GitHub configuration to Terraform setup
- Introduced GitHubConfig and GitHubConfigAction structs to manage GitHub-specific settings.
- Updated TerraformConfig to include GitHubConfig.
- Added functions NewGitHubConfigAction and NewGitHubConfig to initialize GitHub configurations.
- Modified GitHub Actions workflow template to utilize the new GitHub configuration settings.
- Conditional steps for setting up Nix and deploy keys based on GitHubConfigAction.
- Environment variables and runner configuration are now dynamically set based on GitHubConfig.
erikreinert committed Jul 14, 2024
1 parent 120401a commit 2dd67e6
Showing 2 changed files with 110 additions and 55 deletions.
28 changes: 28 additions & 0 deletions internal/config/terraform.go
Expand Up @@ -8,20 +8,47 @@ import (

const TerraformName = "terraform"

type GitHubConfigAction struct {
SetupDeployKey bool `json:"setupDeployKey,omitempty" yaml:"setupDeployKey,omitempty"`
SetupNix bool `json:"setupNix,omitempty" yaml:"setupNix,omitempty"`
}

type GitHubConfig struct {
Action GitHubConfigAction `json:"action,omitempty" yaml:"action,omitempty"`
Env map[string]string `json:"env,omitempty" yaml:"env,omitempty"`
RunsOn string `json:"runsOn,omitempty" yaml:"runsOn,omitempty"`
}

type TerraformConfigRole struct {
PlanARN string `json:"planArn,omitempty" yaml:"planArn,omitempty"`
ApplyARN string `json:"applyArn,omitempty" yaml:"applyArn,omitempty"`
}

type TerraformConfig struct {
Config
GitHub GitHubConfig `json:"github,omitempty" yaml:"github,omitempty"`
Nix NixConfig `json:"nix,omitempty" yaml:"nix,omitempty"`
Region string `json:"region,omitempty" yaml:"region,omitempty"`
Role TerraformConfigRole `json:"role,omitempty" yaml:"role,omitempty"`
Schedule *string `json:"schedule,omitempty" yaml:"schedule,omitempty"`
Providers []string `json:"providers,omitempty" yaml:"providers,omitempty"`
}

func NewGitHubConfigAction() GitHubConfigAction {
return GitHubConfigAction{
SetupDeployKey: false,
SetupNix: true,
}
}

func NewGitHubConfig() GitHubConfig {
return GitHubConfig{
Action: NewGitHubConfigAction(),
Env: map[string]string{},
RunsOn: "ubuntu-latest",
}
}

func NewTerraformConfigRole(name string) TerraformConfigRole {
return TerraformConfigRole{
ApplyARN: fmt.Sprintf("arn:aws:iam::677459762413:role/altf4llc-gha-%s-apply", name),
Expand All @@ -32,6 +59,7 @@ func NewTerraformConfigRole(name string) TerraformConfigRole {
func NewTerraformConfig(c Config) TerraformConfig {
return TerraformConfig{
Config: c,
GitHub: NewGitHubConfig(),
Nix: NewNixConfig(),
Region: "us-west-2",
Role: NewTerraformConfigRole(c.Name),
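Review bot: `GitHubConfig.Env` and `GitHubConfig.RunsOn` are accepted as arbitrary strings and, per the workflow template changed in this same commit, are written verbatim into the generated GitHub Actions YAML, so a key or value containing a newline, `:`, `#` or a `${{ … }}` expression alters the workflow itself rather than an environment variable; a check at the config boundary — reject keys not matching `^[A-Za-z_][A-Za-z0-9_]*$` and values containing `\n` or `${{` — would close this, though the loader that fills these structs is outside this hunk. The new exported types carry no doc comments; I would add `// GitHubConfig controls the generated GitHub Actions workflow. Env entries and RunsOn are rendered into it unmodified, and a RunsOn label for a self-hosted runner moves the OIDC-assumed AWS roles and repository secrets onto that runner.` above `type GitHubConfig struct`. Note also that `omitempty` on the struct-valued fields (`Action`, `GitHub`, `Nix`, `Role`) is a no-op for encoding/json, which only omits false, zero, nil and empty slices/maps/strings, so the JSON form always contains these keys; it takes effect only through the yaml tags (Go 1.24's `omitzero` would cover the JSON case if the module targets it).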
@@ -1,3 +1,4 @@
{{- $envLength := len .GitHub.Env -}}
name: terraform

on:
Expand All @@ -16,83 +17,109 @@ env:

jobs:
check:
runs-on: ubuntu-latest
runs-on: {{ .GitHub.RunsOn }}
steps:
- uses: cachix/install-nix-action@v27
with:
nix_path: nixpkgs=channel:nixos-unstable
- uses: cachix/cachix-action@v15
with:
authToken: ${{"{{"}} secrets.ALTF4LLC_CACHIX_AUTH_TOKEN {{"}}"}}
name: ${{"{{"}} env.CACHIX_BINARY_CACHE {{"}}"}}
- uses: actions/checkout@v4
- run: nix develop -c just check
{{- if .GitHub.Action.SetupNix }}
- uses: cachix/install-nix-action@v27
with:
nix_path: nixpkgs=channel:nixos-unstable
{{- end }}
- uses: cachix/cachix-action@v15
with:
authToken: ${{"{{"}} secrets.ALTF4LLC_CACHIX_AUTH_TOKEN {{"}}"}}
name: ${{"{{"}} env.CACHIX_BINARY_CACHE {{"}}"}}
- uses: actions/checkout@v4
- run: nix develop -c just check

plan:
concurrency:
cancel-in-progress: false
group: tf-lock
{{- if gt $envLength 0 }}
env:
TF_VAR_PLATFORM_DIRECTORY_TOKEN: ${{"{{"}} secrets.TF_VAR_PLATFORM_DIRECTORY_TOKEN {{"}}"}}
{{- range $key, $value := .GitHub.Env }}
{{ $key }}: {{ $value }}
{{- end }}
{{- end }}
needs: check
permissions:
contents: read
id-token: write
runs-on: ubuntu-latest
runs-on: {{ .GitHub.RunsOn }}
steps:
- uses: cachix/install-nix-action@v27
with:
nix_path: nixpkgs=channel:nixos-unstable
- uses: cachix/cachix-action@v15
with:
authToken: ${{"{{"}} secrets.ALTF4LLC_CACHIX_AUTH_TOKEN {{"}}"}}
name: ${{"{{"}} env.CACHIX_BINARY_CACHE {{"}}"}}
- uses: aws-actions/configure-aws-credentials@v4
with:
audience: sts.amazonaws.com
aws-region: us-west-2
role-to-assume: {{ .Role.PlanARN }}
- run: aws sts get-caller-identity
- uses: actions/checkout@v4
- run: nix develop -c just init
- run: nix develop -c just validate
- run: nix develop -c just plan
- uses: actions/upload-artifact@v4
with:
name: tf-plan
path: terraform.tfplan
{{- if .GitHub.Action.SetupNix }}
- uses: cachix/install-nix-action@v27
with:
nix_path: nixpkgs=channel:nixos-unstable
{{- end }}
- uses: cachix/cachix-action@v15
with:
authToken: ${{"{{"}} secrets.ALTF4LLC_CACHIX_AUTH_TOKEN {{"}}"}}
name: ${{"{{"}} env.CACHIX_BINARY_CACHE {{"}}"}}
{{- if .GitHub.Action.SetupDeployKey }}
- uses: shimataro/ssh-key-action@v2
with:
key: ${{"{{"}} secrets.ALTF4LLC_DEPLOY_KEY {{"}}"}}
known_hosts: unnecessary
{{- end }}
- uses: aws-actions/configure-aws-credentials@v4
with:
audience: sts.amazonaws.com
aws-region: us-west-2
role-to-assume: {{ .Role.PlanARN }}
- run: aws sts get-caller-identity
- uses: actions/checkout@v4
- run: nix develop -c just init
- run: nix develop -c just validate
- run: nix develop -c just plan
- uses: actions/upload-artifact@v4
with:
name: tf-plan
path: terraform.tfplan

apply:
concurrency:
group: tf-lock
cancel-in-progress: false
group: tf-lock
environment:
name: prod
{{- if gt $envLength 0 }}
env:
TF_VAR_PACKER_SSH_PUBLIC_KEY: ${{"{{"}} secrets.TF_VAR_PACKER_SSH_PUBLIC_KEY {{"}}"}}
{{- range $key, $value := .GitHub.Env }}
{{ $key }}: {{ $value }}
{{- end }}
{{- end }}
if: github.ref == 'refs/heads/main'
needs: plan
permissions:
contents: read
id-token: write
runs-on: ubuntu-latest
runs-on: {{ .GitHub.RunsOn }}
steps:
- uses: cachix/install-nix-action@v27
with:
nix_path: nixpkgs=channel:nixos-unstable
- uses: cachix/cachix-action@v15
with:
authToken: ${{"{{"}} secrets.ALTF4LLC_CACHIX_AUTH_TOKEN {{"}}"}}
name: ${{"{{"}} env.CACHIX_BINARY_CACHE {{"}}"}}
- uses: aws-actions/configure-aws-credentials@v4
with:
audience: sts.amazonaws.com
aws-region: us-west-2
role-to-assume: {{ .Role.ApplyARN }}
- run: aws sts get-caller-identity
- uses: actions/checkout@v4
- uses: actions/download-artifact@v4
with:
name: tf-plan
- run: nix develop -c just init
- run: nix develop -c just apply
{{- if .GitHub.Action.SetupNix }}
- uses: cachix/install-nix-action@v27
with:
nix_path: nixpkgs=channel:nixos-unstable
{{- end }}
- uses: cachix/cachix-action@v15
with:
authToken: ${{"{{"}} secrets.ALTF4LLC_CACHIX_AUTH_TOKEN {{"}}"}}
name: ${{"{{"}} env.CACHIX_BINARY_CACHE {{"}}"}}
{{- if .GitHub.Action.SetupDeployKey }}
- uses: shimataro/ssh-key-action@v2
with:
key: ${{"{{"}} secrets.ALTF4LLC_DEPLOY_KEY {{"}}"}}
known_hosts: unnecessary
{{- end }}
- uses: aws-actions/configure-aws-credentials@v4
with:
audience: sts.amazonaws.com
aws-region: us-west-2
role-to-assume: {{ .Role.ApplyARN }}
- run: aws sts get-caller-identity
- uses: actions/checkout@v4
- uses: actions/download-artifact@v4
with:
name: tf-plan
- run: nix develop -c just init
- run: nix develop -c just apply
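Review bot: The `{{ $key }}: {{ $value }}` line under each `env:` block writes the configured strings into the generated workflow YAML without quoting, so a value carrying a newline, `#`, or a `${{ … }}` expression rewrites the workflow (or pulls in other `secrets.*`) instead of defining an environment variable; render at least the value quoted, `{{ $key }}: {{ printf "%q" $value }}`, and validate keys against `^[A-Za-z_][A-Za-z0-9_]*$` where the config is loaded. Because the `range` sits in the same `env:` map as the fixed `TF_VAR_*` entries, a configured key of the same name also yields a duplicate YAML key, and wrapping the whole map in `{{- if gt $envLength 0 }}` drops those fixed entries whenever `Env` is empty — I cannot tell from this rendered page whether they remain on the new side. Separately, the `shimataro/ssh-key-action` step installs `ALTF4LLC_DEPLOY_KEY` on the runner before `actions/checkout` and before `nix develop -c just plan` executes repository-controlled code, so anything in the checked-out tree can read the key in `plan`; the `on:` triggers are outside this hunk, but if `plan` runs for pull requests the key should be read-only and scoped to the single repository it must reach. `known_hosts: unnecessary` is the action's sentinel for writing no known_hosts entry, so host-key pinning for the SSH target then rests on whatever the runner image already trusts; passing GitHub's published host key there makes the guarantee explicit. The newly referenced `shimataro/ssh-key-action@v2` (like the other actions here) is pinned by mutable tag; pinning to a full commit SHA protects these OIDC- and secret-bearing jobs from a moved tag.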
