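---
# Plans the Terraform configuration in terraform/github on pull requests and
# pushes to main, posts the result as a PR comment, and applies on push to main.
name: Terraform GitHub

"on":
  push:
    branches: [main]
    paths:
      - ".github/workflows/terraform-github.yml"
      - "terraform/github/**"
  # pull_request (not pull_request_target) runs get no repository secrets for
  # PRs from forks, so such PRs fail early rather than exposing credentials.
  pull_request:
    branches: [main]
    paths:
      - ".github/workflows/terraform-github.yml"
      - "terraform/github/**"
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: the checkout only needs read access and the
# PR comment step authenticates with its own token. NOTE(review): confirm that
# ./.github/actions/slack-alert does not rely on further GITHUB_TOKEN scopes.
permissions:
  contents: read

env:
  # Directory holding the Terraform configuration; also printed in the PR comment.
  tf_actions_working_dir: "./terraform/github/"
  # Workflow-level env is visible to every step, so keep this workflow free of
  # steps that do not need these credentials (e.g. package installs from the network).
  TF_VAR_GITHUB_APP_PEM_FILE: ${{ secrets.TF_VAR_GITHUB_APP_PEM_FILE }}
  AWS_ACCESS_KEY_ID: ${{ secrets.TF_S3_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.TF_S3_SECRET_ACCESS_KEY }}

jobs:
  terraform:
    name: Terraform
    runs-on: ubuntu-latest
    defaults:
      run:
        # Applies to `run` steps only; `uses` steps such as github-script keep
        # GITHUB_WORKSPACE as their working directory.
        working-directory: ${{ env.tf_actions_working_dir }}
    steps:
      - name: Checkout Repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0

      # Formatting problems are reported in the PR comment and only fail the job
      # in "Terraform Format Status" below, after the comment has been posted.
      - name: Terraform fmt
        id: fmt
        run: terraform fmt -check
        continue-on-error: true

      # NOTE(review): -upgrade lets init select provider versions newer than the
      # ones recorded in .terraform.lock.hcl; drop it if the lock file is
      # committed so CI only ever uses the pinned providers.
      - name: Terraform Init
        id: init
        run: terraform init -upgrade

      - name: Terraform Validate
        id: validate
        run: terraform validate -no-color

      # plan.tmp is the binary plan applied by "Terraform Apply"; plan.out is its
      # text rendering for the PR comment, written to GITHUB_WORKSPACE because the
      # github-script step does not honour defaults.run.working-directory.
      # Anything the plan renders that is not marked sensitive in the
      # configuration ends up in the PR comment.
      - name: Terraform Plan
        id: plan
        run: |
          terraform plan -out=plan.tmp
          terraform show -no-color plan.tmp >"${GITHUB_WORKSPACE}/plan.out"
        continue-on-error: true

      # fs/promises is a Node core module, so no `npm install` step is needed.
      # Free-form output (validate stdout) is passed through env instead of being
      # interpolated with ${{ }} into the script, so backticks or ${ } in it
      # cannot change the JavaScript that runs with the comment token.
      - name: Comment plan on pull request
        if: github.event_name == 'pull_request'
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        env:
          VALIDATE_STDOUT: ${{ steps.validate.outputs.stdout }}
        with:
          github-token: ${{ secrets.repository_configuration_token }}
          script: |
            const { readFile } = require("fs/promises")
            // GitHub rejects comment bodies over 65536 characters; cap the plan so
            // the headings and validation output around it still fit.
            const MAX_PLAN_CHARS = 65000
            let plan
            try {
              // Read as text: a Buffer has no substring() and its length is bytes.
              plan = await readFile(`${process.env.GITHUB_WORKSPACE}/plan.out`, 'utf8')
            } catch (err) {
              // A failed plan step leaves no plan.out; still post the outcome
              // badges and let "Terraform Plan Status" fail the job.
              plan = `(no plan output: ${err.message})`
            }
            if (plan.length > MAX_PLAN_CHARS) {
              plan = `${plan.substring(0, MAX_PLAN_CHARS)}...`
            }
            // 1. Retrieve existing bot comments for the PR
            const { data: comments } = await github.rest.issues.listComments({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
            })
            // The login must be the account that owns repository_configuration_token,
            // otherwise every run creates a new comment instead of updating the old one.
            const botComment = comments.find(comment => {
              return comment.user.login === 'stackhpc-ci' && comment.body.includes('Terraform Format and Style')
            })
            // 2. Prepare format of the comment
            const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
            #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
            <details><summary>Validation Output</summary>
            \`\`\`\n
            ${process.env.VALIDATE_STDOUT}
            \`\`\`
            </details>
            #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
            <details><summary>Show Plan</summary>
            \`\`\`\n
            ${plan}
            \`\`\`
            </details>
            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`;
            // 3. If we have a comment, update it, otherwise create a new one.
            // Awaited so an API failure fails this step instead of being lost.
            if (botComment) {
              await github.rest.issues.updateComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                comment_id: botComment.id,
                body: output
              })
            } else {
              await github.rest.issues.createComment({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body: output
              })
            }

      - name: Terraform Format Status
        if: steps.fmt.outcome == 'failure'
        run: exit 1

      - name: Terraform Plan Status
        if: steps.plan.outcome == 'failure'
        run: exit 1

      # Apply the saved plan rather than re-planning, so only what was planned
      # (and reported) is applied. NOTE(review): nothing serialises concurrent
      # pushes to main here; consider a `concurrency` group if the backend does
      # not lock state.
      - name: Terraform Apply
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: terraform apply -input=false plan.tmp

      - name: Send message to Slack via Workflow Builder
        if: failure() && github.ref == 'refs/heads/main' && github.event_name == 'push'
        uses: ./.github/actions/slack-alert
        with:
          slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
          slack-channel-id: ${{ vars.SLACK_CHANNEL_ID }}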