signalwire · lucasmellos · Sep 27, 2024 · Sep 27, 2024 · Sep 27, 2024 · Sep 27, 2024
diff --git a/.github/workflows/iac-secrets.yml b/.github/workflows/iac-secrets.yml
@@ -0,0 +1,166 @@
+name: 'Secrets GitHub Actions'
+on:
+  workflow_call:
+    inputs:
+      TELEPORT_PROXY_URL:
+        required: false
+        type: string
+        default: ''
+        description: Default Teleport URL
+      GCP_WIP:
+        required: false
+        type: string
+        default: ''
+        description: GCP Workload Identity Provider
+      PROJECT_ID:
+        required: false
+        type: string
+        default: ''
+        description: GCP Project ID
+      WORKING_DIR:
+        required: true
+        type: string
+        default: 'secrets'
+        description: Working directory
+    secrets:
+      TELEPORT_TOKEN:
+        required: false
+        description: Teleport Token name
+      VAULT_TOKEN:
+        required: false
+        description: A Vault token in case vault is required
+      PAT_GIT:
+        required: false
+        description: A PAT token to clone the repository
+
+jobs:
+  terragrunt:
+    name: 'Terraform Vault Secrets'
+    runs-on: ubuntu-latest
+
+    permissions: write-all
+    # defaults:
+    #   run:
+    #     shell: bash
+    #     working-directory: secrets
+
+    steps:
+      - name: Install dependencies
+        run: |
+          sudo apt update
+          sudo apt install unzip git -yq
+
+      - name: cleanup old checkout  
+        run: chmod +w -R ${GITHUB_WORKSPACE}; rm -rf ${GITHUB_WORKSPACE}/*;
+
+      - name: 'Checkout'
+        uses: actions/checkout@v4
+
+      - name: Checkout actions
+        uses: actions/checkout@v4
+        with:
+          repository: signalwire/actions-template
+          ref: main
+          path: actions
+
+      - id: 'auth'
+        name: 'Authenticate to Google Cloud'
+        uses: 'google-github-actions/[email protected]'
+        with:
+          workload_identity_provider: ${{ inputs.GCP_WIP }}
+          project_id: ${{ inputs.PROJECT_ID }}
+
+      - name: Sops Binary Installer
+        uses: mdgreenwald/[email protected]
+        with:
+          version: 3.7.3
+
+      - name: Authenticate against Teleport to use Vault
+        id: teleportapp
+        uses: ./actions/.github/actions/teleport
+        env:
+          TOKEN: ${{ secrets.TELEPORT_TOKEN }}
+          PROXY_URL: ${{ inputs.TELEPORT_PROXY_URL }}
+        with:
+          TELEPORT_APP: vault
+
+      - name: Configure Vault
+        run: |
+          echo VAULT_ADDR=https://${{ inputs.TELEPORT_PROXY_URL }} >> $GITHUB_ENV
+          #echo VAULT_API_ADDR=https://${{ inputs.TELEPORT_PROXY_URL }} >> $GITHUB_ENV
+          echo VAULT_CLIENT_TIMEOUT=120s >> $GITHUB_ENV
+          cp ${{ steps.teleportapp.outputs.certificate-file }} ${{github.workspace}}/certificate-file
+          echo VAULT_CLIENT_CERT=${{github.workspace}}/certificate-file >> $GITHUB_ENV
+          cp ${{ steps.teleportapp.outputs.key-file }} ${{github.workspace}}/key-file
+          echo VAULT_CLIENT_KEY=${{github.workspace}}/key-file >> $GITHUB_ENV
+          echo VAULT_TOKEN=$VAULT_TOKEN >> $GITHUB_ENV
+        env:
+          VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
+
+      - uses: opentofu/setup-opentofu@main
+
+      - name: Init
+        id: init
+        working-directory: ${{ inputs.WORKING_DIR }}
+        run: |
+          git config --global url."https://user:${{secrets.PAT_GIT}}@github.com".insteadOf "https://github.com"
+          tofu init
+
+      - name: Validate
+        id: validate
+        working-directory: ${{ inputs.WORKING_DIR }}
+        run: |
+          tofu validate
+
+      - name: Plan
+        id: plan
+        continue-on-error: true
+        working-directory: ${{ inputs.WORKING_DIR }}
+        run: |
+          tofu plan -no-color
+
+      - uses: actions/github-script@v6
+        if: github.event_name == 'pull_request'
+        env:
+          PLAN: "tofu\n${{ steps.plan.outputs.stdout }}"
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const output = `#### OpenTofu Initialization ⚙️\`${{ steps.init.outcome }}\`
+            #### OpenTofu Validation 🤖\`${{ steps.validate.outcome }}\`
+            <details><summary>Validation Output</summary>
+
+            \`\`\`\n
+            ${{ steps.validate.outputs.stdout }}
+            \`\`\`
+
+            </details>
+
+            #### OpenTofu Plan 📖\`${{ steps.plan.outcome }}\`
+
+            <details><summary>Show Plan</summary>
+
+            \`\`\`\n
+            ${process.env.PLAN}
+            \`\`\`
+
+            </details>
+
+            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ inputs.WORKING_DIR }}\`, Workflow: \`${{ github.workflow }}\`*`;
+
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+
+      - name: Apply
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        working-directory: ${{ inputs.WORKING_DIR }}
+        id: apply
+        run: |
+          tofu apply --auto-approve
+
+      - run: sudo chmod -R 777 /home/runner/_work/${{ github.event.repository.name }}
+        continue-on-error: true