-
Notifications
You must be signed in to change notification settings - Fork 4
136 lines (114 loc) · 5.42 KB
/
check_terraform.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
# For docs on this see:
# * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
# * https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request
# * https://docs.github.com/en/webhooks/webhook-events-and-payloads?actionType=synchronize#pull_request
on:
pull_request:
types:
- opened
- synchronize # when commits are pushed to the PR
- reopened
- edited # title or body of a pull request was edited, or the base branch of a pull request was changed
jobs:
terraform:
strategy:
matrix:
environment: ["dev"]
runs-on: ubuntu-latest
if: ${{ !startsWith(github.event.head_commit.message, 'skip-terraform:') }}
defaults:
run:
working-directory: tf/environments/${{ matrix.environment }}
permissions:
contents: write
pull-requests: write
steps:
- uses: actions/checkout@v4
- name: Configure AWS credentials
env:
AWS_ACCESS_KEY_ID: ${{ secrets.OONIDEVOPS_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.OONIDEVOPS_AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: eu-central-1
run: |
aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
aws configure set default.region $AWS_DEFAULT_REGION
# Create profile oonidevops_user
aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID --profile oonidevops_user
aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY --profile oonidevops_user
aws configure set default.region $AWS_DEFAULT_REGION --profile oonidevops_user
- name: Configure Terraform key
- name: Install Terraform
run: |
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
| sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install terraform
- name: Terraform fmt
id: fmt
run: terraform fmt -check
continue-on-error: true
- name: Terraform Init
id: init
run: terraform init
- name: Terraform Validate
id: validate
run: |
echo "terraform_validate<<EOF" >> "$GITHUB_OUTPUT"
echo "\$ terraform validate" >> "$GITHUB_OUTPUT"
terraform validate -no-color | tee -a "$GITHUB_OUTPUT"
echo "EOF" >> "$GITHUB_OUTPUT"
- name: Terraform Plan
id: plan
run: |
echo "terraform_plan<<EOF" >> "$GITHUB_OUTPUT"
echo "\$ terraform plan" >> "$GITHUB_OUTPUT"
terraform plan -no-color | tee -a "$GITHUB_OUTPUT"
echo "EOF" >> "$GITHUB_OUTPUT"
continue-on-error: true
# Temporarily disabled, probably should be moved to a deploy action with stricter checks
#- name: Terraform Apply
# id: apply
# run: |
# echo "terraform_apply<<EOF" >> "$GITHUB_OUTPUT"
# echo "\$ terraform apply -auto-approve" >> "$GITHUB_OUTPUT"
# terraform apply -auto-approve -no-color | tee -a "$GITHUB_OUTPUT"
# echo "EOF" >> "$GITHUB_OUTPUT"
# continue-on-error: true
- uses: actions/github-script@v6
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const terraformPlanOutput = `${{ steps.plan.outputs.terraform_plan }}`;
const terraformApplyOutput = `${{ steps.apply.outputs.terraform_apply }}`;
const terraformPlanPlanLine = terraformPlanOutput.split('\n').find(line => line.startsWith('Plan:'));
const terraformApplyPlanLine = terraformApplyOutput.split('\n').find(line => line.startsWith('Plan:'));
const terraformApplyApplyLine = terraformApplyOutput.split('\n').find(line => line.startsWith('Apply complete!'));
const commentTitle = "Terraform Run Output";
const commentBody = `
#### Format and Style 🖌\`${{ steps.fmt.outcome }}\`
#### Initialization ⚙️\`${{ steps.init.outcome }}\`
#### Validation 🤖\`${{ steps.validate.outcome }}\`
<details><summary>Validation Output</summary>
\`\`\`\n
${{ steps.validate.outputs.terraform_validate }}
\`\`\`
</details>
#### Plan 📖\`${{ steps.plan.outcome }}\`
* **${terraformPlanPlanLine}**
<details><summary>Show Plan</summary>
\`\`\`\n
${terraformPlanOutput}
\`\`\`
</details>
| | |
|-------------------|------------------------------------|
| Pusher | @${{ github.actor }} |
| Action | ${{ github.event_name }} |
| Environment | ${{ matrix.environment }} |
| Workflow | ${{ github.workflow }} |
| Last updated | ${ (new Date()).toUTCString() } |
`;
// Call the script to write the comment
const script = require('./scripts/ghactions/comment-on-pr.js');
await script({github, context, core, commentTitle, commentBody});