Add GCP auth at apply and simplify check-secure-estimate workflow #1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Matty-ops
requested changes
May 26, 2023
| @@ -10,8 +10,6 @@ permissions: | |||
| pull-requests: write | |||
|
|
|||
| env: | |||
| AWS_ACCESS_KEY_ID : "${{ secrets.AWS_ACCESS_KEY_ID }}" | |||
There was a problem hiding this comment.
Should be declared to work with the check code step
There was a problem hiding this comment.
As discussed, added -backend=false, which should fix the check issue
| @@ -98,14 +96,6 @@ jobs: | |||
| with: | |||
| terraform_wrapper: false | |||
|
|
|||
| # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. | |||
There was a problem hiding this comment.
ok for this remove of init and plan for estimate cost
There was a problem hiding this comment.
Added explicit init back in to ensure that it is executed withbackend = false
* Add Google auth file if the corresponding secret is set * Remove terraform plan from estimation job in check-secure-estimate workflow * Remove AWS-related auth env vars in check-secure-estimate workflow
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Running
terraform planis not required to get estimates (and infracost runs init on its own if needed), and not running it makes it so that the whole workflow does not need to expose authentication information, hence the removal ofAWS_*env.Adding GCP support for deployments via the
GOOGLE_APPLICATION_CREDENTIALSfile path. Repository owners should definesecrets.GOOGLE_APPLICATION_CREDENTIALS_CONTENTwith the content of their Google authentication file (Related terraform documentation: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#running-terraform-outside-of-google-cloud ). If the secret is not defined, the step is explicitly skipped and no file is created.