Initial commit
galargh committed Mar 9, 2022
0 parents commit 41d8271
Showing 25 changed files with 1,539 additions and 0 deletions.
10 changes: 10 additions & 0 deletions .github/actions/git-config-user/action.yml
@@ -0,0 +1,10 @@
name: Configure git user
description: Configure git user

runs:
using: composite
steps:
- run: |
git config --global user.email '${{ github.actor }}@users.noreply.github.com>'
git config --global user.name '${{ github.actor }}'
shell: bash
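Review bot: The email written on the first `run` line ends with a stray `>`, so the configured address becomes `<actor>@users.noreply.github.com>`; the line should read `git config --global user.email '${{ github.actor }}@users.noreply.github.com'`. Both lines also splice `${{ github.actor }}` straight into the script text; actor names are limited to alphanumerics and hyphens so the practical risk is low, but the usual hardening is to pass the value through `env:` (`ACTOR: ${{ github.actor }}`) and reference `"$ACTOR"` in the script so it is treated as data rather than code.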
39 changes: 39 additions & 0 deletions .github/actions/git-push/action.yml
@@ -0,0 +1,39 @@
name: Push to a git branch
description: Push to a git branch

inputs:
suffix:
description: Branch name suffix
required: true
working-directory:
description: Working directory
required: false
default: ${{ github.workspace }}

runs:
using: composite
steps:
- run: |
protected="$(gh api 'repos/{owner}/{repo}/branches/${{ github.ref_name }}' --jq '.protected')"
if [[ "$protected" == 'true' ]]; then
git_branch='${{ github.ref_name }}-${{ inputs.suffix }}'
else
git_branch='${{ github.ref_name }}'
fi
git checkout -B "$git_branch"
if [[ "$protected" == 'true' ]]; then
git push origin "$git_branch" --force
if [[ ! -z "$(git diff --name-only 'origin/${{ github.ref_name }}')" ]]; then
state="$(gh pr view "$git_branch" --json state --jq .state 2> /dev/null || echo '')"
if [[ "$state" != 'OPEN' ]]; then
gh pr create --body 'The changes in this PR were made by a bot. Please review carefully.' --head "$git_branch" --base '${{ github.ref_name }}' --fill
fi
fi
else
git push origin "$git_branch"
fi
shell: bash
working-directory: ${{ inputs.working-directory }}
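Review bot: The script interpolates `${{ github.ref_name }}` and `${{ inputs.suffix }}` directly into single-quoted bash on the `protected=`, `git_branch=`, `git diff` and `gh pr create` lines; git ref names may contain `'`, `;` and `$`, and `suffix` is whatever the calling workflow passes, so either value can terminate the quoting and have the remainder executed by the runner, which at that point holds a token usable by `gh`. Pass both through the step's `env:` and reference them as shell variables so the shell never parses them. The action also depends on the caller exporting `GH_TOKEN`/`GITHUB_TOKEN` for the `gh api` and `gh pr` calls but never says so; a `token` input, or a sentence in `description`, would make that contract explicit.

```yaml
    - env:
        REF_NAME: ${{ github.ref_name }}
        SUFFIX: ${{ inputs.suffix }}
      run: |
        protected="$(gh api "repos/{owner}/{repo}/branches/$REF_NAME" --jq '.protected')"
        if [[ "$protected" == 'true' ]]; then
          git_branch="$REF_NAME-$SUFFIX"
        else
          git_branch="$REF_NAME"
        fi
        # … unchanged: git checkout -B, protected-branch force push …
          if [[ ! -z "$(git diff --name-only "origin/$REF_NAME")" ]]; then
            # … unchanged: gh pr view / state check …
              gh pr create --body 'The changes in this PR were made by a bot. Please review carefully.' --head "$git_branch" --base "$REF_NAME" --fill
        # … unchanged: remaining branches and plain push …
```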
95 changes: 95 additions & 0 deletions .github/workflows/apply.yml
@@ -0,0 +1,95 @@
name: Apply

on:
push:
workflow_dispatch:

jobs:
prepare:
if: github.ref_name == github.event.repository.default_branch &&
github.event.repository.is_template == false
permissions:
contents: read
issues: read
pull-requests: read
name: Prepare
runs-on: ubuntu-latest
outputs:
workspaces: ${{ steps.workspaces.outputs.this }}
sha: ${{ steps.sha.outputs.this }}
defaults:
run:
shell: bash
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Discover workspaces
id: workspaces
run: echo "::set-output name=this::$(ls github | jq --raw-input '[.]' | jq -sc add)"
- name: Find pull request number
id: pull_request
if: github.event_name == 'push'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
uses: protocol/github-api-action-library/find-content-by-query@v1
with:
query: repository:${{ github.repository }} ${{ github.sha }}
- name: Find sha for plan
id: sha
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
if [[ '${{ github.event_name }}' == 'push' ]]; then
number="$(jq -r '.[0].number // ""' <<< '${{ steps.pull_request.outputs.issues-or-pull-requests }}')"
if [[ ! -z "$number" ]]; then
sha="$(gh pr view "$number" --json commits --jq '.commits[-1].oid')"
fi
else
sha='${{ github.sha }}'
fi
echo "::set-output name=this::$sha"
apply:
needs: [prepare]
if: needs.prepare.outputs.sha != '' && needs.prepare.outputs.workspaces != ''
permissions:
actions: read
contents: read
strategy:
fail-fast: false
matrix:
workspace: ${{ fromJson(needs.prepare.outputs.workspaces) }}
name: Apply
runs-on: ubuntu-latest
env:
TF_IN_AUTOMATION: 1
TF_INPUT: 0
TF_WORKSPACE: ${{ matrix.workspace }}
AWS_ACCESS_KEY_ID: ${{ secrets.RW_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.RW_AWS_SECRET_ACCESS_KEY }}
GITHUB_APP_ID: ${{ secrets.RW_GITHUB_APP_ID }}
GITHUB_APP_INSTALLATION_ID: ${{ secrets[format('RW_GITHUB_APP_INSTALLATION_ID_{0}', matrix.workspace)] }}
GITHUB_APP_PEM_FILE: ${{ secrets.RW_GITHUB_APP_PEM_FILE }}
TF_VAR_write_delay_ms: 300
defaults:
run:
shell: bash
working-directory: terraform
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Setup terraform
uses: hashicorp/setup-terraform@3d8debd658c92063839bc97da5c2427100420dec # v1.3.2
with:
terraform_version: 1.1.4
- name: Initialize terraform
run: terraform init
- name: Retrieve targets from config
id: target
run: echo "::set-output name=this::$(jq -r 'split(" ")[:-1] | map("-target=github_\(sub(".json$"; "")).this") | join(" ")' <<< '"'"$(ls | tr '\n' ' ')"'"')"
working-directory: github/${{ env.TF_WORKSPACE }}
- name: Terraform Plan Download
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh run download -n ${{ env.TF_WORKSPACE }}_${{ needs.prepare.outputs.sha }}.tfplan --repo ${{ github.repository }}
- name: Terraform Apply
run: terraform apply -auto-approve -lock-timeout=0s -no-color ${{ env.TF_WORKSPACE }}.tfplan
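Review bot: In the `Find sha for plan` step the entire `issues-or-pull-requests` JSON returned by the search action is expanded inside a single-quoted here-string (`<<< '${{ steps.pull_request.outputs.issues-or-pull-requests }}'`); if that payload carries free-text fields such as titles or bodies (plausible for a search result, though not visible here), a single quote in any of them ends the quoting and the rest of the text runs as shell in a job holding `GITHUB_TOKEN`. Pass it through the step's `env:` (`ISSUES_JSON: ${{ steps.pull_request.outputs.issues-or-pull-requests }}`) and read it with `<<< "$ISSUES_JSON"`. Separately, `actions/checkout@v2` is referenced by a mutable tag in both jobs while `hashicorp/setup-terraform` is pinned to a commit SHA; pinning checkout the same way keeps the supply-chain posture consistent. The `::set-output` commands in `Discover workspaces` and `Find sha for plan` have since been deprecated in favour of writing `name=value` to `$GITHUB_OUTPUT`.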
171 changes: 171 additions & 0 deletions .github/workflows/plan.yml
@@ -0,0 +1,171 @@
name: Plan

on:
workflow_run:
workflows:
- "Plan (pre)"
types:
- completed
workflow_dispatch:

jobs:
prepare:
if: (github.event_name == 'workflow_dispatch' &&
github.ref_name == github.event.repository.default_branch) ||
(github.event_name == 'workflow_run' &&
github.event.workflow_run.conclusion == 'success')
permissions:
actions: read
contents: read
statuses: write
name: Prepare
runs-on: ubuntu-latest
outputs:
workspaces: ${{ steps.workspaces.outputs.this }}
repository: ${{ steps.github.outputs.repository }}
sha: ${{ steps.github.outputs.sha }}
number: ${{ steps.github.outputs.number }}
defaults:
run:
shell: bash
steps:
- name: Find repository and sha to checkout
id: github
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
if [[ '${{ github.event_name }}' == 'workflow_dispatch' ]]; then
repository='${{ github.repository }}'
sha='${{ github.sha }}'
elif [[ '${{ github.event_name }}' == 'workflow_run' ]]; then
repository='${{ github.event.workflow_run.head_repository.full_name }}'
sha='${{ github.event.workflow_run.head_commit.id }}'
number="$(gh api '/repos/${{ github.repository }}/actions/runs/${{ github.event.workflow_run.id }}' --jq '.pull_requests[0].number')"
fi
echo "::set-output name=repository::$repository"
echo "::set-output name=sha::$sha"
echo "::set-output name=number::$number"
- run: sha=${{ steps.github.outputs.sha }}
- env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh api 'repos/${{ github.repository }}/statuses/${{ steps.github.outputs.sha }}' -f context='Plan' -f state='pending' -f target_url='${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}'
- name: Checkout
uses: actions/checkout@v2
with:
repository: ${{ steps.github.outputs.repository }}
ref: ${{ steps.github.outputs.sha }}
- name: Discover workspaces
id: workspaces
run: echo "::set-output name=this::$(ls github | jq --raw-input '[.]' | jq -sc add)"
plan:
needs: [prepare]
if: needs.prepare.outputs.workspaces != ''
permissions:
contents: read
strategy:
fail-fast: false
matrix:
workspace: ${{ fromJson(needs.prepare.outputs.workspaces) }}
name: Plan
runs-on: ubuntu-latest
env:
TF_IN_AUTOMATION: 1
TF_INPUT: 0
TF_WORKSPACE: ${{ matrix.workspace }}
AWS_ACCESS_KEY_ID: ${{ secrets.RO_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.RO_AWS_SECRET_ACCESS_KEY }}
GITHUB_APP_ID: ${{ secrets.RO_GITHUB_APP_ID }}
GITHUB_APP_INSTALLATION_ID: ${{ secrets[format('RO_GITHUB_APP_INSTALLATION_ID_{0}', matrix.workspace)] }}
GITHUB_APP_PEM_FILE: ${{ secrets.RO_GITHUB_APP_PEM_FILE }}
TF_VAR_write_delay_ms: 300
defaults:
run:
shell: bash
working-directory: terraform
steps:
- name: Checkout
uses: actions/checkout@v2
with:
repository: ${{ needs.prepare.outputs.repository }}
ref: ${{ needs.prepare.outputs.sha }}
- name: Setup terraform
uses: hashicorp/setup-terraform@3d8debd658c92063839bc97da5c2427100420dec # v1.3.2
with:
terraform_version: 1.1.4
- name: Initialize terraform
run: terraform init
- name: Check terraform lock
if: github.event_name == 'workflow_run'
run: git diff --exit-code .terraform.lock.hcl
- name: Format terraform
run: terraform fmt -check
- name: Validate terraform
run: terraform validate -no-color
- name: Retrieve targets from config
id: target
run: echo "::set-output name=this::$(jq -r 'split(" ")[:-1] | map("-target=github_\(sub(".json$"; "")).this") | join(" ")' <<< '"'"$(ls | tr '\n' ' ')"'"')"
working-directory: github/${{ env.TF_WORKSPACE }}
- name: Plan terraform
id: plan
run: terraform plan ${{ steps.target.outputs.this }} -refresh=false -lock=false -out=${{ env.TF_WORKSPACE }}.tfplan -no-color
- name: Upload terraform plan
uses: actions/upload-artifact@v2
with:
name: ${{ env.TF_WORKSPACE }}_${{ needs.prepare.outputs.sha }}.tfplan
path: terraform/${{ env.TF_WORKSPACE }}.tfplan
if-no-files-found: error
retention-days: 90
comment:
needs: [prepare, plan]
if: github.event_name == 'workflow_run'
permissions:
contents: read
pull-requests: write
name: Comment
runs-on: ubuntu-latest
env:
AWS_ACCESS_KEY_ID: ${{ secrets.RO_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.RO_AWS_SECRET_ACCESS_KEY }}
defaults:
run:
shell: bash
working-directory: terraform
steps:
- name: Checkout
uses: actions/checkout@v2
with:
repository: ${{ needs.prepare.outputs.repository }}
ref: ${{ needs.prepare.outputs.sha }}
- name: Setup terraform
uses: hashicorp/setup-terraform@3d8debd658c92063839bc97da5c2427100420dec # v1.3.2
with:
terraform_version: 1.1.4
terraform_wrapper: false
- name: Initialize terraform
run: terraform init
- name: Download terraform plans
uses: actions/download-artifact@v2
with:
path: terraform
- name: Show terraform plans
run: |
echo 'COMMENT<<EOF' >> $GITHUB_ENV
for plan in $(find . -type f -name '*.tfplan'); do
echo "<details><summary>$(basename "$plan" '.tfplan')</summary>" >> $GITHUB_ENV
echo '' >> $GITHUB_ENV
echo '```' >> $GITHUB_ENV
echo "$(terraform show -no-color "$plan" 2>&1)" >> $GITHUB_ENV
echo '```' >> $GITHUB_ENV
echo '' >> $GITHUB_ENV
echo '</details>' >> $GITHUB_ENV
done
echo 'EOF' >> $GITHUB_ENV
- name: Comment on pull request
uses: marocchino/sticky-pull-request-comment@39c5b5dc7717447d0cba270cd115037d32d28443 # v2.2.0
with:
number: ${{ needs.prepare.outputs.number }}
message: |
Before merge, verify that all the following plans are correct. They will be applied as-is after the merge.
#### Terraform plans
${{ env.COMMENT }}
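Review bot: The `prepare` and `plan` jobs check out `github.event.workflow_run.head_repository` at `head_commit.id` and then run `terraform init`, `validate` and `plan` on that code with the `RO_*` AWS keys and the GitHub App PEM in the environment; because `workflow_run` executes in the base repository's context with its secrets, a pull request opened from a fork gets its own Terraform configuration, including provider sources and `.terraform.lock.hcl`, executed with those credentials. The `Check terraform lock` step does not close this gap: it runs after `terraform init` and only detects changes that init made to the lockfile the pull request itself supplied. The smallest fix is to gate the `prepare` job on same-repository pull requests by adding `github.event.workflow_run.head_repository.full_name == github.repository` to its `if`, or to diff the lockfile against the base branch before `init`. The plan artifacts kept for `retention-days: 90` can also embed resource attribute values; a shorter retention is worth considering.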
26 changes: 26 additions & 0 deletions .github/workflows/plan_post.yml
@@ -0,0 +1,26 @@
name: "Plan (post)"

on:
workflow_run:
workflows:
- Plan
types:
- completed

jobs:
notify:
permissions:
actions: read
statuses: write
name: "Notify"
runs-on: ubuntu-latest
defaults:
run:
shell: bash
steps:
- env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
sha="$(gh api '/repos/${{ github.repository }}/actions/runs/${{ github.event.workflow_run.id }}/jobs' --jq '.jobs[] | .steps[] | .name | select(startswith("Run sha="))')"
sha="${sha#Run sha=}"
gh api "repos/${{ github.repository }}/statuses/$sha" -f context='Plan' -f state='${{ github.event.workflow_run.conclusion }}' -f target_url='${{ github.event.workflow_run.html_url }}'
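Review bot: The final `gh api` call posts `state='${{ github.event.workflow_run.conclusion }}'`, but the commit-status API accepts only `error`, `failure`, `pending` and `success`, while a `workflow_run` conclusion can also be `cancelled`, `skipped`, `timed_out`, `action_required`, `neutral` or `stale`; for those runs the request is rejected and the `Plan` status stays `pending` on the commit. The sha is recovered from a step named `Run sha=…` in the triggering run, which is absent when that run's `prepare` job was skipped by its `if`, leaving `$sha` empty and the request URL malformed. Map the conclusion onto a valid state and exit early when no sha is found; a comment above the step such as `# The Plan workflow publishes the commit it planned as a step named "sha=<sha>"` would also document the cross-workflow coupling.

```yaml
        run: |
          # … unchanged: gh api lookup of the "Run sha=" step name …
          sha="${sha#Run sha=}"
          if [[ -z "$sha" ]]; then
            echo 'No "Run sha=" step in the triggering run; nothing to report'
            exit 0
          fi
          case '${{ github.event.workflow_run.conclusion }}' in
            success) state='success' ;;
            failure) state='failure' ;;
            *) state='error' ;;
          esac
          gh api "repos/${{ github.repository }}/statuses/$sha" -f context='Plan' -f state="$state" -f target_url='${{ github.event.workflow_run.html_url }}'
```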
13 changes: 13 additions & 0 deletions .github/workflows/plan_pre.yml
@@ -0,0 +1,13 @@
name: "Plan (pre)"

on:
pull_request:

jobs:
trigger:
if: github.event.pull_request.base.ref == github.event.repository.default_branch &&
github.event.repository.is_template == false
name: "Trigger"
runs-on: ubuntu-latest
steps:
- run: "true"
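Review bot: Nothing in this file says why a workflow whose only step is `run: "true"` exists; its purpose is visible only from `plan.yml`, which listens for this workflow's completion via `workflow_run`. A header comment above `name:` would spare the next reader that detour, for example `# Intentionally empty: runs on pull_request without secrets and exists only so the "Plan" workflow can be started via workflow_run, where repository secrets are available.` The same comment is the natural place to record that the job-level `if` is what limits planning to PRs against the default branch of non-template repositories.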
0 comments on commit 41d8271