-
-
Notifications
You must be signed in to change notification settings - Fork 2
133 lines (109 loc) · 3.73 KB
/
terraform.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
---
name: OpenTofu Enforcement
on:
push:
branches:
- main
paths:
- terraform/**
pull_request:
branches:
- main
paths:
- terraform/**
# Allows for running this workflow manually from the GitHub Actions UI
workflow_dispatch:
permissions:
contents: read
id-token: write
pull-requests: write
jobs:
opentofu_enforcement:
runs-on: ubuntu-latest
strategy:
matrix:
opentofu_module: [aws, github]
defaults:
run:
shell: bash
working-directory: terraform/${{ matrix.opentofu_module }}
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
aws-region: ${{ secrets.DEFAULT_AWS_REGION }}
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubAction-AssumeRoleWithAction
- name: Setup OpenTofu
uses: opentofu/setup-opentofu@v1
with:
tofu_version: 1.6.0-alpha1
- name: OpenTofu Init
id: init
run: tofu init
- name: OpenTofu Format
id: fmt
run: tofu fmt -check
- name: OpenTofu Validate
id: validate
run: tofu validate
- name: OpenTofu Plan
id: plan
if: github.event_name == 'pull_request'
run: otfu plan -no-color -input=false
env:
SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
continue-on-error: true
- uses: actions/github-script@v6
if: github.event_name == 'pull_request'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PLAN: "tofu\n${{ steps.plan.outputs.stdout }}"
TERRAFORM_MODULE: ${{ matrix.opentofu_module }}
with:
script: |
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
})
const botComment = comments.find(comment =>
comment.user.type === 'Bot' &&
comment.body.includes('OpenTofu Enforcement Summary (${{ env.TERRAFORM_MODULE }})')
)
const output = `## OpenTofu Enforcement Summary (${{ env.TERRAFORM_MODULE }})
#### OpenTofu Format and Style: 🖌\`${{ steps.fmt.outcome }}\`
#### OpenTofu Initialization: ⚙️\`${{ steps.init.outcome }}\`
#### OpenTofu Validation: 🤖\`${{ steps.validate.outcome }}\`
#### OpenTofu Plan: 📖\`${{ steps.plan.outcome }}\`
<details><summary>Show Plan</summary>
\`\`\`\n
${process.env.PLAN}
\`\`\`
</details>
*Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.TERRAFORM_MODULE }}\`, Workflow: \`${{ github.workflow }}\`*`;
if (botComment) {
github.rest.issues.updateComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id,
body: output
})
} else {
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
}
- name: OpenTofu Plan Status
if: steps.plan.outcome == 'failure'
run: exit 1
- name: OpenTofu Apply
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
env:
SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
run: tofu apply -auto-approve -input=false