Skip to content

Latest commit

 

History

History

pull-request-diff

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

wing-github-action status

Winglang Pull Request Diff Github Action

Note: This is an alpha version! Interface is likely to change. Recommended usage for testing purposes only.

The 'Winglang Pull Request Diff Github Action' is a powerful tool that allows you to see diffs to the currently deployed infrastructure of the Pull Requests's base branch

Usage

To use the 'Winglang Deployment Github Action' in your workflow, add the following step:

steps:
  - name: Deploy Winglang App
    uses: winglang/wing-github-action/actions/pull-request-diff@main
    with:
      entry: 'main.wing' # Required, replace this with your entry file if different
      target: 'tf-aws' # Required, the target to deploy to. e.g. tf-aws, tf-gcp, tf-azure or awscdk.
      version: 'latest' # Optional, specify a different version of the Winglang CLI if required
      working-directory: '' # Optional, the working directory to use. e.g. ./examples/with-dependencies. Will set backend-scope to the relative path of the working directory.
      backend: 's3' # Optional, currently only 's3' is supported
      backendScope: '' # Optional, allows setting a postfix to the generated state file name. Useful if multiple wing apps are deployed from the same repo
      github-token: '' # Required, e.g. ${{ secrets.GITHUB_TOKEN }}
    env:
      TF_BACKEND_BUCKET: '<your-bucket-name>' # required, only required if s3 backend is
      TF_BACKEND_BUCKET_REGION: '<your-bucket-region>' #  required, only required if s3 backend is

A minimal working config for AWS with OIDC could look like this and deploy a main.w Wing application.

on:
  push:
    branches:
      - main

permissions:
  id-token: write # This is required for requesting the JWT
  contents: read  # This is required for actions/checkout
  pull-requests: write # required for posting comments to pull requests

env:
  AWS_REGION: ${{ secrets.AWS_REGION }}
  TF_BACKEND_BUCKET: ${{ secrets.TF_BACKEND_BUCKET }}
  TF_BACKEND_BUCKET_REGION: ${{ secrets.AWS_REGION }}

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v3
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          role-session-name: gh-actions-winglang
          aws-region: ${{ env.AWS_REGION}}
      - name: Terraform Plan
        uses: winglang/wing-github-action/actions/[email protected]
        with:
          entry: main.w
          target: 'tf-aws'

Example of OIDC IAM role trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::11111111111:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:sub": [
              "repo:OWNER/REPO:pull_request",
              "repo:OWNER/REPO:ref:refs/heads/main"
          ]
        }
      }
    }
  ]
}

Environment Variables

  • TF_BACKEND_BUCKET: The name of your S3 bucket used for the Terraform backend.
  • TF_BACKEND_BUCKET_REGION: The region of your S3 bucket.
  • AWS_ACCESS_KEY_ID: The AWS Access Key ID for your account.
  • AWS_SECRET_ACCESS_KEY: The AWS Secret Access Key for your account.

Note: If you're using the s3 backend, the TF_BACKEND_BUCKET and TF_BACKEND_BUCKET_REGION environment variables need to be set with appropriate values. These credentials must have access to the specified S3 bucket.

For better security, it is recommended to use GitHub's OpenID Connect service with Amazon Web Services. It is a security-hardened service for getting temporary credentials. You can find more about it here: Configuring OpenID Connect in Amazon Web Services and configure-aws-credentials.

Node Dependencies

This Action runs in a Docker container with Node v18.

Dependencies are automatically installed via NPM. Not yet implemented: Please make sure to add the packageManager field to your package.json file if you're using anything else than NPM.

{
  "packageManager": "[email protected]"
}

Terraform

This Action includes a recent version of Terraform (v1.5.0).

Development

Setup:

  • a working Docker setup
  • act for local Action testing
npm install
npm run all
act -j test ./.github/workflows/test.yml -s AWS_SECRET_ACCESS_KEY=<value> -s AWS_ACCESS_KEY_ID=<value>