CDKTF CICD #12
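---
# CDKTF pipeline. Triggered manually (workflow_dispatch) with a constrained
# choice of actions, or from another workflow (workflow_call) with a free-form
# string. "synth" is only reachable through workflow_call because it is not in
# the dispatch choice list below.
name: CDKTF CICD
on:
  workflow_dispatch:
    inputs:
      action:
        description: "Action to perform"
        required: true
        type: choice
        options:
          - "deploy"
          - "diff"
          - "destroy"
        default: "deploy"
  workflow_call:
    inputs:
      action:
        description: "Action to perform (deploy | diff | destroy | synth)"
        required: true
        type: string
    # NOTE(review): the job reads secrets.OP_SERVICE_ACCOUNT_TOKEN, so callers
    # must forward it (`secrets: inherit`). Declaring it here under `secrets:`
    # with `required: true` would make a missing token fail at validation
    # instead of at the 1Password step.

# Least-privilege job token: read-only except for pull-request comments,
# which terraform-cdk-action needs for its githubToken input.
permissions:
  contents: read
  pull-requests: write
  issues: read

jobs:
  terraform:
    name: "Terraform CDK CICD"
    runs-on: ubuntu-latest
    # NOTE(review): "deploy" and "destroy" run with auto-approve and are
    # available to anyone who can dispatch or call this workflow. Consider
    # binding the job to a protected `environment:` with required reviewers.
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
        with:
          # Do not leave the job token in .git/config for later steps/tools.
          persist-credentials: false

      - name: Configure 1Password Service Account
        uses: 1Password/load-secrets-action/configure@d1a4e73495bde3551cf63f6c048588b8f734e21d # v1
        with:
          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

      # Resolve the Terraform Cloud token from 1Password. export-env: false
      # keeps it out of the process environment; it is consumed only through
      # this step's outputs below.
      - name: Fetch TERRAFORM_CLOUD_TOKEN from 1Password
        uses: 1Password/load-secrets-action@d1a4e73495bde3551cf63f6c048588b8f734e21d # v1
        id: fetch-terraform-cloud-token
        with:
          export-env: false
        env:
          TERRAFORM_CLOUD_TOKEN: op://Infrastructure/terraform/cloud/token

      - name: Install Terraform
        uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3
        with:
          terraform_wrapper: false
          cli_config_credentials_token: ${{ steps.fetch-terraform-cloud-token.outputs.TERRAFORM_CLOUD_TOKEN }}

      # Read the Node version from .nvmrc, keeping only digits and dots
      # (e.g. "v20.11.1" -> "20.11.1"). It is written to $GITHUB_OUTPUT because
      # the next step reads it as steps.fetch-node-version.outputs.NODE_VERSION;
      # the previous version wrote to $GITHUB_ENV, which is never exposed as a
      # step output, so setup-node received an empty node-version.
      - name: Fetch node version
        id: fetch-node-version
        run: |
          echo "NODE_VERSION=$(sed 's/[^0-9.]*//g' .nvmrc)" >> "$GITHUB_OUTPUT"

      - name: Setup yarn
        uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4
        with:
          node-version: ${{ steps.fetch-node-version.outputs.NODE_VERSION }}

      - name: Install corepack
        run: |
          corepack enable

      - name: Install dependencies
        working-directory: ./cdktf
        run: |
          # NOTE(review): unpinned global install fetches the latest node-gyp
          # from the registry on every run; pin a version to keep the build
          # reproducible and reviewable.
          npm install -g node-gyp
          # NOTE(review): --frozen-lockfile is a Yarn 1 flag and --immutable is
          # Yarn 2+; confirm which Yarn corepack selects here and keep only the
          # flag that version honors.
          yarn install --frozen-lockfile --immutable

      - name: Generate module and provider bindings
        working-directory: ./cdktf
        run: yarn get

      # Map the requested action onto terraform-cdk-action's mode. The input
      # is handed to the script through an environment variable instead of
      # being interpolated with ${{ }} into the shell text: under workflow_call
      # `action` is a free string chosen by the caller, and inline
      # interpolation would let it inject shell commands into this step.
      - name: Determine mode
        id: determine-mode
        env:
          ACTION: ${{ inputs.action }}
        run: |
          case "$ACTION" in
            deploy)  mode="auto-approve-apply" ;;
            synth)   mode="synth-only" ;;
            diff)    mode="plan-only" ;;
            destroy) mode="auto-approve-destroy" ;;
            *)
              echo "Unknown action: $ACTION" >&2
              exit 1
              ;;
          esac
          echo "mode=$mode" >> "$GITHUB_OUTPUT"

      - name: Run Terraform CDK
        uses: hashicorp/terraform-cdk-action@7a6efa0bdbd9e966036d1bf84385042d3a8fc272 # v1.0.2
        id: terraform-cdk
        with:
          workingDirectory: ./cdktf
          stackName: cdktf
          mode: ${{ steps.determine-mode.outputs.mode }}
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          terraformCloudToken: ${{ steps.fetch-terraform-cloud-token.outputs.TERRAFORM_CLOUD_TOKEN }}

      # Keep the synthesized output whenever the Terraform CDK step actually
      # ran, succeeded or failed. `!cancelled()` is required for that: an `if`
      # with no status function implicitly includes success(), so the previous
      # outcome-only condition never let this step run after a failed plan or
      # apply, which is exactly when the output is most useful.
      # NOTE(review): cdktf.out can embed resolved values from the stack;
      # check it contains nothing sensitive before relying on this artifact.
      - name: Store generated CDKTF
        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4
        if: ${{ !cancelled() && steps.terraform-cdk.outcome != 'skipped' }}
        with:
          name: cdktf
          path: cdktf/cdktf.out/
          retention-days: 5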