Skip to content
Back to pull request #560

Chore/container app/domains #251

Sign in to view logs

Chore/container app/domains

Chore/container app/domains #251

Workflow file for this run

.github/workflows/terraform.yml at dc85562
# Provision and deploy production infrastructure.
# Runs `terraform plan` on every PR and `terraform apply` on every push to `main`.
# Only runs if the changes are in the `infrastructure/` directory, or if the workflow itself is changed.
# Based on https://developer.hashicorp.com/terraform/tutorials/automation/github-actions
name: "Terraform"
env:
FORCE_COLOR: 1
on:
pull_request:
paths:
- infrastructure/**
- .github/workflows/terraform.yml
defaults:
run:
working-directory: ./infrastructure/server/environments/production
# Ensure that we run the workflows in succession to avoid any race conditions related to infrastructure.
concurrency:
group: terraform
cancel-in-progress: false
jobs:
terraform:
name: Terraform
runs-on: ubuntu-latest
env:
# We authenticate to Azure using service principal with Open ID Connect (OIDC)
# as outlined in https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc
# `ARM_CLIENT_ID`, `ARM_SUBSCRIPTION_ID`, and `ARM_TENANT_ID` are all required for this authentication method.
# They belong to the `indok_web` app registration in Azure AD.
ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
# Needed for the `github` provider to have the necessary permissions to create GH environments.
GITHUB_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
permissions:
# `id-token: write` permission is needed for OIDC authentication to Azure.
id-token: write
# `actions: write` permission is needed to create new environments in GH and add environment variables.
actions: write
contents: read
# `pull-requests: write` permission is needed to post the output of `terraform plan` as a comment on the PR.
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
- name: Terraform Format
id: fmt
run: terraform fmt -recursive -check
- name: Terraform Init
id: init
run: terraform init
- name: Terraform Validate
id: validate
run: terraform validate -no-color
- name: Terraform Plan
id: plan
if: github.event_name == 'pull_request'
run: terraform plan -no-color -lock=false -input=false -var docker_registry_password="${{ env.GITHUB_TOKEN }}" -var git_sha="${{ github.sha }}"
continue-on-error: true
- name: Find Existing Comment
uses: peter-evans/find-comment@v3
if: github.event_name == 'pull_request'
id: find-comment
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: "github-actions[bot]"
body-includes: "### Planned Changes to Server Infrastructure"
- name: Update Pull Request
uses: peter-evans/create-or-update-comment@v4
if: github.event_name == 'pull_request'
env:
PLAN: "${{ steps.plan.outputs.stdout }}"
with:
comment-id: ${{ steps.find-comment.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
edit-mode: replace
body: |
### Planned Changes to Server Infrastructure
#### Terraform Format and Style 🖌 `${{ steps.fmt.outcome }}`
#### Terraform Initialization ⚙️ `${{ steps.init.outcome }}`
#### Terraform Plan 📖 `${{ steps.plan.outcome }}`
#### Terraform Validation 🤖 `${{ steps.validate.outcome }}`
<details><summary>Show Plan</summary>
```terraform
${{ env.PLAN }}
```
</details>
*Pushed by: @${{ github.actor }}, Action: `${{ github.event_name }}`*
- name: Terraform Plan Status
if: steps.plan.outcome == 'failure'
run: exit 1
- name: Terraform Apply
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
run: terraform apply -auto-approve -input=false -var docker_registry_password="${{ env.GITHUB_TOKEN }}" -var git_sha="${{ github.sha }}"