diff --git a/internal/config/terraform.go b/internal/config/terraform.go
index ad33cdd..5c511f2 100644
--- a/internal/config/terraform.go
+++ b/internal/config/terraform.go
@@ -8,6 +8,17 @@ import (
 const TerraformName = "terraform"
+type GitHubConfigAction struct {
+ SetupDeployKey bool `json:"setupDeployKey,omitempty" yaml:"setupDeployKey,omitempty"`
+ SetupNix bool `json:"setupNix,omitempty" yaml:"setupNix,omitempty"`
+}
+
+type GitHubConfig struct {
+ Action GitHubConfigAction `json:"action,omitempty" yaml:"action,omitempty"`
+ Env map[string]string `json:"env,omitempty" yaml:"env,omitempty"`
+ RunsOn string `json:"runsOn,omitempty" yaml:"runsOn,omitempty"`
+}
+
 type TerraformConfigRole struct {
 PlanARN string `json:"planArn,omitempty" yaml:"planArn,omitempty"`
 ApplyARN string `json:"applyArn,omitempty" yaml:"applyArn,omitempty"`
@@ -15,6 +26,7 @@ type TerraformConfigRole struct {
 type TerraformConfig struct {
 Config
+ GitHub GitHubConfig `json:"github,omitempty" yaml:"github,omitempty"`
 Nix NixConfig `json:"nix,omitempty" yaml:"nix,omitempty"`
 Region string `json:"region,omitempty" yaml:"region,omitempty"`
 Role TerraformConfigRole `json:"role,omitempty" yaml:"role,omitempty"`
@@ -22,6 +34,21 @@ type TerraformConfig struct {
 Providers []string `json:"providers,omitempty" yaml:"providers,omitempty"`
 }
+func NewGitHubConfigAction() GitHubConfigAction {
+ return GitHubConfigAction{
+ SetupDeployKey: false,
+ SetupNix: true,
+ }
+}
+
+func NewGitHubConfig() GitHubConfig {
+ return GitHubConfig{
+ Action: NewGitHubConfigAction(),
+ Env: map[string]string{},
+ RunsOn: "ubuntu-latest",
+ }
+}
+
 func NewTerraformConfigRole(name string) TerraformConfigRole {
 return TerraformConfigRole{
 ApplyARN: fmt.Sprintf("arn:aws:iam::677459762413:role/altf4llc-gha-%s-apply", name),
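Review bot: `GitHubConfigAction` and `GitHubConfig` are exported without doc comments; each should get one starting with its name, e.g. `// GitHubConfig holds the settings rendered into the generated GitHub Actions workflow.` and `// GitHubConfigAction toggles optional setup steps (Nix install, SSH deploy key) in that workflow.`. The `omitempty` on the struct-valued `Action` field is ineffective under encoding/json, which never treats a struct as empty; the `GitHub` field added in the next hunk carries the same tag, though there it at least matches the existing `Nix` and `Role` fields. `Env` deserves a comment noting that its keys and values are copied verbatim into the workflow `env:` block by the template and are not validated here.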
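Review bot: `NewGitHubConfigAction` and `NewGitHubConfig` lack doc comments, and `SetupDeployKey: false` restates the zero value without saying why the deploy key is opt-in. Suggest `// NewGitHubConfigAction returns the default step toggles: Nix is installed, the SSH deploy key is not.` and `// NewGitHubConfig returns defaults that reproduce the previous fixed workflow: an ubuntu-latest runner and no extra env entries.`, after which the explicit `false` can be dropped or kept with a one-line why-comment. The `Env: map[string]string{}` default serialises the same as a nil map under `omitempty`, so it exists only so callers can insert into it without a nil-map panic; that is worth a comment too.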
@@ -32,6 +59,7 @@ func NewTerraformConfigRole(name string) TerraformConfigRole {
 func NewTerraformConfig(c Config) TerraformConfig {
 return TerraformConfig{
 Config: c,
+ GitHub: NewGitHubConfig(),
 Nix: NewNixConfig(),
 Region: "us-west-2",
 Role: NewTerraformConfigRole(c.Name),
diff --git a/internal/templates/templates/terraform/.github__workflows__terraform.yaml b/internal/templates/templates/terraform/.github__workflows__terraform.yaml
index 330a946..03643e6 100644
--- a/internal/templates/templates/terraform/.github__workflows__terraform.yaml
+++ b/internal/templates/templates/terraform/.github__workflows__terraform.yaml
@@ -1,3 +1,4 @@
+{{- $envLength := len .GitHub.Env -}}
 name: terraform
 on:
 
@@ -16,83 +17,109 @@ env:
 jobs:
 check:
- runs-on: ubuntu-latest
+ runs-on: {{ .GitHub.RunsOn }}
 steps:
- - uses: cachix/install-nix-action@v27
- with:
- nix_path: nixpkgs=channel:nixos-unstable
- - uses: cachix/cachix-action@v15
- with:
- authToken: ${{"{{"}} secrets.ALTF4LLC_CACHIX_AUTH_TOKEN {{"}}"}}
- name: ${{"{{"}} env.CACHIX_BINARY_CACHE {{"}}"}}
- - uses: actions/checkout@v4
- - run: nix develop -c just check
+ {{- if .GitHub.Action.SetupNix }}
+ - uses: cachix/install-nix-action@v27
+ with:
+ nix_path: nixpkgs=channel:nixos-unstable
+ {{- end }}
+ - uses: cachix/cachix-action@v15
+ with:
+ authToken: ${{"{{"}} secrets.ALTF4LLC_CACHIX_AUTH_TOKEN {{"}}"}}
+ name: ${{"{{"}} env.CACHIX_BINARY_CACHE {{"}}"}}
+ - uses: actions/checkout@v4
+ - run: nix develop -c just check
 plan:
 concurrency:
 cancel-in-progress: false
 group: tf-lock
+ {{- if gt $envLength 0 }}
 env:
- TF_VAR_PLATFORM_DIRECTORY_TOKEN: ${{"{{"}} secrets.TF_VAR_PLATFORM_DIRECTORY_TOKEN {{"}}"}}
+ {{- range $key, $value := .GitHub.Env }}
+ {{ $key }}: {{ $value }}
+ {{- end }}
+ {{- end }}
 needs: check
 permissions:
 contents: read
 id-token: write
- runs-on: ubuntu-latest
+ runs-on: {{ .GitHub.RunsOn }}
 steps:
- - uses: cachix/install-nix-action@v27
- with:
- nix_path: nixpkgs=channel:nixos-unstable
- - uses: cachix/cachix-action@v15
- with:
- authToken: ${{"{{"}} secrets.ALTF4LLC_CACHIX_AUTH_TOKEN {{"}}"}}
- name: ${{"{{"}} env.CACHIX_BINARY_CACHE {{"}}"}}
- - uses: aws-actions/configure-aws-credentials@v4
- with:
- audience: sts.amazonaws.com
- aws-region: us-west-2
- role-to-assume: {{ .Role.PlanARN }}
- - run: aws sts get-caller-identity
- - uses: actions/checkout@v4
- - run: nix develop -c just init
- - run: nix develop -c just validate
- - run: nix develop -c just plan
- - uses: actions/upload-artifact@v4
- with:
- name: tf-plan
- path: terraform.tfplan
+ {{- if .GitHub.Action.SetupNix }}
+ - uses: cachix/install-nix-action@v27
+ with:
+ nix_path: nixpkgs=channel:nixos-unstable
+ {{- end }}
+ - uses: cachix/cachix-action@v15
+ with:
+ authToken: ${{"{{"}} secrets.ALTF4LLC_CACHIX_AUTH_TOKEN {{"}}"}}
+ name: ${{"{{"}} env.CACHIX_BINARY_CACHE {{"}}"}}
+ {{- if .GitHub.Action.SetupDeployKey }}
+ - uses: shimataro/ssh-key-action@v2
+ with:
+ key: ${{"{{"}} secrets.ALTF4LLC_DEPLOY_KEY {{"}}"}}
+ known_hosts: unnecessary
+ {{- end }}
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ audience: sts.amazonaws.com
+ aws-region: us-west-2
+ role-to-assume: {{ .Role.PlanARN }}
+ - run: aws sts get-caller-identity
+ - uses: actions/checkout@v4
+ - run: nix develop -c just init
+ - run: nix develop -c just validate
+ - run: nix develop -c just plan
+ - uses: actions/upload-artifact@v4
+ with:
+ name: tf-plan
+ path: terraform.tfplan
 apply:
 concurrency:
- group: tf-lock
 cancel-in-progress: false
+ group: tf-lock
 environment:
 name: prod
+ {{- if gt $envLength 0 }}
 env:
- TF_VAR_PACKER_SSH_PUBLIC_KEY: ${{"{{"}} secrets.TF_VAR_PACKER_SSH_PUBLIC_KEY {{"}}"}}
+ {{- range $key, $value := .GitHub.Env }}
+ {{ $key }}: {{ $value }}
+ {{- end }}
+ {{- end }}
 if: github.ref == 'refs/heads/main'
 needs: plan
 permissions:
 contents: read
 id-token: write
- runs-on: ubuntu-latest
+ runs-on: {{ .GitHub.RunsOn }}
 steps:
- - uses: cachix/install-nix-action@v27
- with:
- nix_path: nixpkgs=channel:nixos-unstable
- - uses: cachix/cachix-action@v15
- with:
- authToken: ${{"{{"}} secrets.ALTF4LLC_CACHIX_AUTH_TOKEN {{"}}"}}
- name: ${{"{{"}} env.CACHIX_BINARY_CACHE {{"}}"}}
- - uses: aws-actions/configure-aws-credentials@v4
- with:
- audience: sts.amazonaws.com
- aws-region: us-west-2
- role-to-assume: {{ .Role.ApplyARN }}
- - run: aws sts get-caller-identity
- - uses: actions/checkout@v4
- - uses: actions/download-artifact@v4
- with:
- name: tf-plan
- - run: nix develop -c just init
- - run: nix develop -c just apply
+ {{- if .GitHub.Action.SetupNix }}
+ - uses: cachix/install-nix-action@v27
+ with:
+ nix_path: nixpkgs=channel:nixos-unstable
+ {{- end }}
+ - uses: cachix/cachix-action@v15
+ with:
+ authToken: ${{"{{"}} secrets.ALTF4LLC_CACHIX_AUTH_TOKEN {{"}}"}}
+ name: ${{"{{"}} env.CACHIX_BINARY_CACHE {{"}}"}}
+ {{- if .GitHub.Action.SetupDeployKey }}
+ - uses: shimataro/ssh-key-action@v2
+ with:
+ key: ${{"{{"}} secrets.ALTF4LLC_DEPLOY_KEY {{"}}"}}
+ known_hosts: unnecessary
+ {{- end }}
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ audience: sts.amazonaws.com
+ aws-region: us-west-2
+ role-to-assume: {{ .Role.ApplyARN }}
+ - run: aws sts get-caller-identity
+ - uses: actions/checkout@v4
+ - uses: actions/download-artifact@v4
+ with:
+ name: tf-plan
+ - run: nix develop -c just init
+ - run: nix develop -c just apply
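Review bot: The `{{ $key }}: {{ $value }}` lines in both the plan and apply `env:` blocks emit config-supplied strings straight into workflow YAML, so a value containing `: `, `#`, a leading quote or a newline changes the document structure rather than the variable, and any `${{ }}` text inside a value is evaluated by GitHub at run time. Quoting the value, e.g. `{{ $key }}: {{ printf "%q" $value }}`, keeps each entry a single scalar (Go's `%q` escapes are YAML-compatible for the usual cases, and expressions are still evaluated inside quoted strings, so the secrets pass-through that the removed `TF_VAR_*` lines relied on keeps working). The `known_hosts: unnecessary` on the new `shimataro/ssh-key-action@v2` steps appears to rely on the runner image already trusting the SSH host being fetched from; now that `runs-on` is configurable that assumption need not hold for self-hosted runners, so a known_hosts value should probably be configurable next to the key rather than left out. Minor: `{{- if gt $envLength 0 }}` can be written `{{- if .GitHub.Env }}`, since text/template treats an empty map as false, which also removes the need for the `$envLength` variable introduced in the earlier hunk.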