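# A reusable workflow for deploying terraform.
# Expects a var file from the file system and the name of an SSM parameter containing tf vars in JSON
# to download - the SSM vars are passed second and therefore have the highest priority.
# terraform's -detailed-exitcode flag is used: plan returns 2 if it detects changes. If a plan has no
# changes the artefact, approval and apply stages are skipped.
# If a plan has changes and the caller has requested an apply, the plan is stored as an artefact.
#
# USAGE
# Repository/environment variables (read via vars.*):
#   ROLE_ARN = full ARN of the role the runner should assume
#   TERRAFORM_VERSION = version of Terraform to use e.g. 1.4.6
#   APPROVERS = a comma-delimited string of GitHub user names who can approve the apply step
# For parameters see the input descriptions below.
#
# Notes for maintainers:
# - Caller-supplied inputs are handed to shell steps through `env:` and quoted, instead of being
#   interpolated with ${{ }} inside `run:` scripts, so a value containing shell metacharacters
#   cannot change what the script executes.
# - The SSM parameter is fetched with --with-decryption and may contain secrets; its content is
#   validated but never written to the job log.
# - `terraform destroy` runs with -auto-approve and is NOT gated by the `needs_approval` input (only
#   apply is); if destroys must be approved, rely on the protection rules of the GitHub environment
#   selected by `inputs.environment`.
# - Actions are referenced by tag (e.g. @v2); pinning to a full commit SHA is the stronger
#   supply-chain control if the repository policy requires it.
name: Reusable Terraform plan, apply, destroy

permissions:
  id-token: write   # OIDC token exchanged for AWS credentials by configure-aws-credentials
  contents: read
  issues: write     # manual-approval raises and tracks an approval issue

on:
  workflow_call:
    inputs:
      ref:
        description: Git Ref to checkout, leave blank for main
        required: false
        type: string
      workspace:
        description: Terraform workspace to use
        required: true
        type: string
      environment:
        description: Github environment to use
        required: true
        type: string
      scm_vars_file:
        description: Path of tfvars to use
        required: true
        type: string
      ssm_vars_file:
        description: Name of param to download for additional vars
        required: true
        type: string
      needs_approval:
        description: set to raise a manual approval after plan
        required: false
        type: boolean
        default: true
      run_apply:
        description: Run terraform apply?
        required: false
        type: boolean
        default: false
      run_destroy:
        description: Run terraform destroy?
        required: false
        type: boolean
        default: false
      run_system_tests:
        description: Run system tests?
        required: false
        type: boolean
        default: false
      system_test_tags:
        description: Tags for system tests
        required: false
        type: string
        default: ""
    secrets:
      TESTING_PRIVATE_KEY:
        required: true
      TESTING_SOURCE_ROLE:
        required: true
      TESTING_TARGET_ROLE:
        required: true

jobs:
  terraform:
    environment: ${{ inputs.environment }}
    runs-on: ubuntu-22.04
    steps:
      - name: Setup AWS
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: ${{ vars.ROLE_ARN }}
          aws-region: eu-west-2

      # Surfaces the assumed identity in the log for troubleshooting role configuration.
      - run: aws sts get-caller-identity

      - name: Checkout
        uses: actions/checkout@v3
        with:
          ref: ${{ inputs.ref }}

      # `get-parameter` (singular) exits non-zero when the parameter does not exist, whereas
      # `get-parameters` lists a missing name under InvalidParameters and exits 0, which would have
      # left an empty ssm.tfvars.json and a confusing failure later in terraform plan.
      - name: Get vars from SSM
        env:
          SSM_VARS_FILE: ${{ inputs.ssm_vars_file }}
        run: |
          aws ssm get-parameter --name "$SSM_VARS_FILE" \
            --with-decryption --query "Parameter.Value" \
            --output text > ssm.tfvars.json
          # Check the download is well-formed JSON without printing it: the decrypted value may
          # hold secrets and would otherwise land in the job log.
          jq -e . ssm.tfvars.json > /dev/null

      - uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: ${{ vars.TERRAFORM_VERSION }}
          # The wrapper is what exposes steps.terraform_plan.outputs.exitcode, which the apply,
          # artefact, approval and system-test conditions below all depend on.
          terraform_wrapper: true

      - name: Terraform init
        env:
          # Deliberately not named TF_WORKSPACE: Terraform reads that variable itself.
          WORKSPACE_NAME: ${{ inputs.workspace }}
        run: |
          terraform init -reconfigure --backend-config=backend.conf
          terraform workspace list
          terraform workspace select "$WORKSPACE_NAME"

      # Skipped on destroy runs; every later step keyed on the plan exit code is then skipped too.
      - name: Terraform plan
        if: inputs.run_destroy == false
        id: terraform_plan
        env:
          SCM_VARS_FILE: ${{ inputs.scm_vars_file }}
        run: |
          terraform plan -input=false -detailed-exitcode -var-file "$SCM_VARS_FILE" -var-file ssm.tfvars.json -out=tfplan.out

      # Always store the plan if terraform plan detects changes and the caller has requested an apply
      - name: Store apply plan
        if: ${{ inputs.run_apply && steps.terraform_plan.outputs.exitcode == 2 }}
        uses: actions/upload-artifact@v3
        with:
          name: tfplan-${{ inputs.environment }}.out
          path: tfplan.out

      # Manual gate before apply; approvers come from the APPROVERS variable of the environment.
      - name: wait-for-approval
        if: ${{ inputs.needs_approval && inputs.run_apply && steps.terraform_plan.outputs.exitcode == 2 }}
        uses: trstringer/manual-approval@v1
        timeout-minutes: 90
        with:
          secret: ${{ github.TOKEN }}
          approvers: ${{ vars.APPROVERS }}
          minimum-approvals: 1
          issue-title: "Please approve plan for ${{ inputs.environment }}"
          issue-body: "Please approve or deny the deployment of TREv2 to ${{ inputs.environment }}"

      # Applies the exact plan file that was reviewed, so the approved plan and the applied
      # changes cannot diverge.
      - name: Terraform apply
        if: ${{ inputs.run_apply && steps.terraform_plan.outputs.exitcode == 2 }}
        env:
          WORKSPACE_NAME: ${{ inputs.workspace }}
        run: |
          terraform apply -input=false -auto-approve tfplan.out
          echo "### Deployed $(git log -1 '--format=format:%H') to $WORKSPACE_NAME :tada:" >> "$GITHUB_STEP_SUMMARY"

      # jq -e fails the step if environment_name is missing or null, instead of exporting the
      # literal string "null" to the test action.
      - name: Get environment name for systems tests
        if: inputs.run_system_tests == true
        run: |
          TESTING_ENVIRONMENT=$(jq -er '.environment_name' ssm.tfvars.json)
          echo "TESTING_ENVIRONMENT=$TESTING_ENVIRONMENT" >> "$GITHUB_ENV"

      # NOTE(review): this condition checks that the plan detected changes but not that
      # inputs.run_apply was set, so tests can run against an environment the plan was not
      # applied to - confirm that is intended.
      - name: Run system tests
        if: ${{ inputs.run_system_tests && steps.terraform_plan.outputs.exitcode == 2 }}
        uses: nationalarchives/da-tre-github-actions/.github/actions/run-system-tests@0.0.19
        with:
          source_role: ${{ secrets.TESTING_SOURCE_ROLE }}
          target_role: ${{ secrets.TESTING_TARGET_ROLE }}
          testing_ssh_key: ${{ secrets.TESTING_PRIVATE_KEY }}
          environment_name: ${{ env.TESTING_ENVIRONMENT }}
          system_test_tags: ${{ inputs.system_test_tags }}

      # Destroys without a plan/approval cycle (see header notes).
      - name: Terraform Destroy Plan
        if: ${{ inputs.run_destroy }}
        env:
          SCM_VARS_FILE: ${{ inputs.scm_vars_file }}
          WORKSPACE_NAME: ${{ inputs.workspace }}
        run: |
          terraform destroy -input=false -auto-approve -var-file "$SCM_VARS_FILE" -var-file ssm.tfvars.json
          echo "### Destroyed $WORKSPACE_NAME :boom:" >> "$GITHUB_STEP_SUMMARY"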