Note: This is an alpha version! Interface is likely to change. Recommended usage for testing purposes only.
The 'Winglang Pull Request Diff Github Action' is a powerful tool that allows you to see diffs to the currently deployed infrastructure of the Pull Requests's base branch
To use the 'Winglang Deployment Github Action' in your workflow, add the following step:
steps:
- name: Deploy Winglang App
uses: winglang/wing-github-action/actions/pull-request-diff@main
with:
entry: 'main.wing' # Required, replace this with your entry file if different
target: 'tf-aws' # Required, the target to deploy to. e.g. tf-aws, tf-gcp, tf-azure or awscdk.
version: 'latest' # Optional, specify a different version of the Winglang CLI if required
working-directory: '' # Optional, the working directory to use. e.g. ./examples/with-dependencies. Will set backend-scope to the relative path of the working directory.
backend: 's3' # Optional, currently only 's3' is supported
backendScope: '' # Optional, allows setting a postfix to the generated state file name. Useful if multiple wing apps are deployed from the same repo
github-token: '' # Required, e.g. ${{ secrets.GITHUB_TOKEN }}
env:
TF_BACKEND_BUCKET: '<your-bucket-name>' # required, only required if s3 backend is
TF_BACKEND_BUCKET_REGION: '<your-bucket-region>' # required, only required if s3 backend is
A minimal working config for AWS with OIDC could look like this and deploy a main.w
Wing application.
on:
push:
branches:
- main
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
pull-requests: write # required for posting comments to pull requests
env:
AWS_REGION: ${{ secrets.AWS_REGION }}
TF_BACKEND_BUCKET: ${{ secrets.TF_BACKEND_BUCKET }}
TF_BACKEND_BUCKET_REGION: ${{ secrets.AWS_REGION }}
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v3
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
role-session-name: gh-actions-winglang
aws-region: ${{ env.AWS_REGION}}
- name: Terraform Plan
uses: winglang/wing-github-action/actions/[email protected]
with:
entry: main.w
target: 'tf-aws'
Example of OIDC IAM role trust policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::11111111111:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
"token.actions.githubusercontent.com:sub": [
"repo:OWNER/REPO:pull_request",
"repo:OWNER/REPO:ref:refs/heads/main"
]
}
}
}
]
}
TF_BACKEND_BUCKET
: The name of your S3 bucket used for the Terraform backend.TF_BACKEND_BUCKET_REGION
: The region of your S3 bucket.AWS_ACCESS_KEY_ID
: The AWS Access Key ID for your account.AWS_SECRET_ACCESS_KEY
: The AWS Secret Access Key for your account.
Note: If you're using the s3
backend, the TF_BACKEND_BUCKET
and TF_BACKEND_BUCKET_REGION
environment variables need to be set with appropriate values. These credentials must have access to the specified S3 bucket.
For better security, it is recommended to use GitHub's OpenID Connect service with Amazon Web Services. It is a security-hardened service for getting temporary credentials. You can find more about it here: Configuring OpenID Connect in Amazon Web Services and configure-aws-credentials.
This Action runs in a Docker container with Node v18.
Dependencies are automatically installed via NPM. Not yet implemented: Please make sure to add the packageManager
field to your package.json
file if you're using anything else than NPM.
{
"packageManager": "[email protected]"
}
This Action includes a recent version of Terraform (v1.5.0).
Setup:
- a working Docker setup
- act for local Action testing
npm install
npm run all
act -j test ./.github/workflows/test.yml -s AWS_SECRET_ACCESS_KEY=<value> -s AWS_ACCESS_KEY_ID=<value>