Showing
9 changed files
with
276 additions
and
543 deletions.
@@ -0,0 +1,20 @@ | ||
name: Check | ||
|
||
on: | ||
workflow_dispatch: | ||
push: | ||
branches: [main] | ||
pull_request: | ||
branches: [main] | ||
|
||
jobs: | ||
check: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v4 | ||
with: | ||
fetch-depth: 0 | ||
- uses: DeterminateSystems/nix-installer-action@main | ||
- uses: DeterminateSystems/magic-nix-cache-action@main | ||
- name: Check | ||
run: nix flake check |
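Review bot: The two DeterminateSystems actions on the `uses:` lines near the end of the hunk are pinned to `@main`, a mutable branch, so anyone who can push to that upstream branch can run arbitrary code in this job on every push and pull request; pin each to a full commit SHA with the version in a trailing comment (`uses: DeterminateSystems/nix-installer-action@<sha> # vX.Y.Z`) and let Dependabot move the pin, and treat `actions/checkout@v4` the same way. The job also declares no `permissions:` block, so it inherits the repository's default `GITHUB_TOKEN` scopes; `permissions: contents: read` at job or workflow level is enough for `nix flake check`. `fetch-depth: 0` fetches the full history, which `nix flake check` does not appear to need here — drop it unless the flake reads git history.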
This file was deleted.
@@ -0,0 +1,130 @@ | ||
--- | ||
name: OpenTofu Enforcement | ||
|
||
on: | ||
push: | ||
branches: [main] | ||
paths: [terraform/**] | ||
|
||
pull_request: | ||
branches: [main] | ||
paths: [terraform/**] | ||
|
||
jobs: | ||
opentofu_enforcement: | ||
runs-on: ubuntu-latest | ||
|
||
strategy: | ||
matrix: | ||
opentofu_module: [aws, github] | ||
|
||
permissions: | ||
contents: read | ||
id-token: write | ||
pull-requests: write | ||
|
||
steps: | ||
- name: Enforce permission requirement | ||
uses: prince-chrismc/check-actor-permissions-action@v3 | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
with: | ||
permission: write | ||
|
||
- uses: actions/checkout@v4 | ||
with: | ||
fetch-depth: 0 | ||
|
||
- name: Install Nix | ||
uses: DeterminateSystems/nix-installer-action@main | ||
|
||
- name: Enable Magic Nix Cache | ||
uses: DeterminateSystems/magic-nix-cache-action@main | ||
|
||
- name: Configure AWS Credentials | ||
uses: aws-actions/configure-aws-credentials@v2 | ||
with: | ||
aws-region: ${{ secrets.DEFAULT_AWS_REGION }} | ||
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubAction-AssumeRoleWithAction | ||
|
||
- name: OpenTofu Init | ||
id: init | ||
working-directory: terraform/${{ matrix.opentofu_module }} | ||
run: nix develop -c tofu init | ||
|
||
- name: OpenTofu Format | ||
id: fmt | ||
run: nix develop -c tofu fmt -check | ||
|
||
- name: OpenTofu Validate | ||
id: validate | ||
working-directory: terraform/${{ matrix.opentofu_module }} | ||
run: nix develop -c tofu validate | ||
|
||
- name: OpenTofu Plan | ||
id: plan | ||
if: github.event_name == 'pull_request' | ||
working-directory: terraform/${{ matrix.opentofu_module }} | ||
run: | | ||
# Capture plan output | ||
plan=$(nix develop -c tofu plan -no-color -input=false) | ||
# Echo the plan so it is still visible in CI | ||
echo "${plan}" | ||
# Handle appending multi-line strings to GitHub Outputs | ||
echo "plan<<EOF"$'\n'"$plan"$'\n'EOF >> $GITHUB_OUTPUT | ||
env: | ||
SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }} | ||
continue-on-error: true | ||
|
||
- name: Find Comment | ||
if: github.event_name == 'pull_request' | ||
id: find-comment | ||
uses: peter-evans/find-comment@v3 | ||
env: | ||
TERRAFORM_MODULE: ${{ matrix.opentofu_module }} | ||
with: | ||
issue-number: ${{ github.event.pull_request.number }} | ||
comment-author: 'github-actions[bot]' | ||
body-includes: <!-- This comment was auto-generated by GitHub Actions by the Terraform Enforcement action for the ${{ env.TERRAFORM_MODULE }} Terraform module --> | ||
|
||
- name: Create Comment | ||
if: github.event_name == 'pull_request' | ||
id: comment | ||
uses: peter-evans/create-or-update-comment@v4 | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
PLAN: "${{ steps.plan.outputs.plan }}" | ||
TERRAFORM_MODULE: ${{ matrix.opentofu_module }} | ||
with: | ||
comment-id: ${{ steps.find-comment.outputs.comment-id }} | ||
issue-number: ${{ github.event.pull_request.number }} | ||
edit-mode: replace | ||
body: | | ||
<!-- This comment was auto-generated by GitHub Actions by the Terraform Enforcement action for the ${{ env.TERRAFORM_MODULE }} Terraform module --> | ||
## OpenTofu Enforcement Summary (${{ env.TERRAFORM_MODULE }}) | ||
#### OpenTofu Format and Style: 🖌`${{ steps.fmt.outcome }}` | ||
#### OpenTofu Initialization: ⚙️`${{ steps.init.outcome }}` | ||
#### OpenTofu Validation: 🤖`${{ steps.validate.outcome }}` | ||
#### OpenTofu Plan: 📖`${{ steps.plan.outcome }}` | ||
<details><summary>Show Plan</summary> | ||
``` | ||
${{ env.PLAN }} | ||
``` | ||
</details> | ||
*Pusher: @${{ github.actor }}, Action: `${{ github.event_name }}`, Working Directory: `${{ env.TERRAFORM_MODULE }}`, Workflow: `${{ github.workflow }}`* | ||
- name: OpenTofu Plan Status | ||
if: github.event_name == 'pull_request' && steps.plan.outcome == 'failure' | ||
run: exit 1 | ||
|
||
- name: OpenTofu Apply | ||
if: github.ref == 'refs/heads/main' && github.event_name == 'push' | ||
working-directory: terraform/${{ matrix.opentofu_module }} | ||
run: nix develop -c tofu apply -auto-approve -input=false | ||
env: | ||
SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }} |
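Review bot: The `Install Nix` and `Enable Magic Nix Cache` steps pull `DeterminateSystems/...@main`, and they run in a job that holds `id-token: write`, assumes an AWS role via OIDC, and receives `SOPS_AGE_KEY`, so a compromise of that upstream branch hands an attacker the cloud credentials and the age key; pin every third-party action here (`check-actor-permissions-action`, `configure-aws-credentials`, `find-comment` and `create-or-update-comment` included) to a full commit SHA with the version in a trailing comment. The `OpenTofu Format` step runs `tofu fmt -check` with no `working-directory`, so it inspects only the repository root — if no `.tf` files live there the check passes trivially; use `run: nix develop -c tofu fmt -check -recursive terraform/${{ matrix.opentofu_module }}` or give it the same `working-directory` as its sibling steps. In the plan step the heredoc delimiter is the literal `EOF`, which breaks if the plan output ever contains that line; generate it per run with `delim="$(openssl rand -hex 8)"`. Note also that the plan is posted verbatim into the PR comment — tofu redacts values marked `sensitive`, but anything decrypted via SOPS and not so marked would be readable by everyone who can see the PR, so confirm the sops data sources are wrapped in `sensitive()`.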
This file was deleted.
This file was deleted.