ci: update Terraform to 1.11.2 #38
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Setup a server by Terraform | |
| on: | |
| push: | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpull_requestpull_request_targetbranchesbranches-ignore | |
| branches: | |
| - master | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore | |
| paths: | |
| - .github/workflows/provision-by-terraform.yml | |
| - 'infra/terraform/**' | |
| - '!infra/terraform/*.example' | |
| - '!infra/terraform/*.md' | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_dispatch | |
| workflow_dispatch: | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions | |
| permissions: | |
| contents: read # for "git clone" | |
| defaults: | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#defaultsrun | |
| run: | |
| # Enable fail-fast behavior using set -eo pipefail | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference | |
| shell: bash | |
| jobs: | |
| setup-server: | |
| name: Setup a server | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - name: Clone source code | |
| uses: actions/[email protected] # https://github.com/actions/checkout | |
| with: | |
| # Whether to configure the token or SSH key with the local git config. Default: true | |
| persist-credentials: false | |
| - name: Checkout terraform data to a subdirectory | |
| working-directory: infra/terraform | |
| run: | | |
| git fetch --depth=1 origin generated-terraform | |
| git worktree add terraform-data generated-terraform | |
| - name: Install mise to set up Terraform | |
| uses: jdx/[email protected] # https://github.com/jdx/mise-action | |
| with: | |
| version: 2025.3.2 # [default: latest] mise version to install | |
| install: true # [default: true] run `mise install` | |
| cache: true # [default: true] cache mise using GitHub's cache | |
| log_level: info # [default: info] log level | |
| working_directory: infra/terraform # [default: .] directory to run mise in | |
| env: | |
| # Workaround: don't install parent's dependencies as we don't use them | |
| # See: https://github.com/jdx/mise-action/issues/183 | |
| # https://mise.jdx.dev/configuration/settings.html#disable_tools | |
| MISE_DISABLE_TOOLS: java,maven | |
| - name: Install ansible-vault | |
| # NOTE: during version bump don't forget to update in other places: deploy.yml and provisioning-by-ansible.yml | |
| run: pip3 install ansible==3.4.0 | |
| - name: Show tools versions | |
| env: | |
| # https://developer.hashicorp.com/terraform/cli/commands#upgrade-and-security-bulletin-checks | |
| CHECKPOINT_DISABLE: true | |
| run: | | |
| terraform -version | |
| ansible-vault --version | |
| - name: Decrypt terraform files | |
| working-directory: infra/terraform | |
| env: | |
| # https://docs.github.com/en/actions/security-guides/encrypted-secrets#using-encrypted-secrets-in-a-workflow | |
| VAULT_PASSWORD: ${{ secrets.VAULT_PASSWORD }} | |
| run: | | |
| printf '%s' "$VAULT_PASSWORD" >vault-pass.txt | |
| for FILENAME in terraform.tfstate terraform.tfvars; do | |
| echo "Decrypting ${FILENAME}.enc to $FILENAME" | |
| ansible-vault decrypt \ | |
| --vault-password-file vault-pass.txt \ | |
| --output "$FILENAME" \ | |
| "terraform-data/${FILENAME}.enc" | |
| done | |
| - name: Run terraform init | |
| working-directory: infra/terraform | |
| env: | |
| # https://developer.hashicorp.com/terraform/cli/config/environment-variables#tf_in_automation | |
| TF_IN_AUTOMATION: true | |
| # https://developer.hashicorp.com/terraform/cli/config/environment-variables#tf_input | |
| # https://developer.hashicorp.com/terraform/tutorials/automation/automate-terraform#automated-terraform-cli-workflow | |
| TF_INPUT: false | |
| run: terraform init | |
| - name: Check whether there are no modified files | |
| run: >- | |
| MODIFIED_FILES="$(git status --short)"; | |
| if [ -n "$MODIFIED_FILES" ]; then | |
| echo >&2 "ERROR: the following files have been modified:"; | |
| echo >&2 "$MODIFIED_FILES"; | |
| exit 1; | |
| fi | |
| - name: Run terraform plan | |
| working-directory: infra/terraform | |
| env: | |
| # https://developer.hashicorp.com/terraform/cli/config/environment-variables#tf_in_automation | |
| TF_IN_AUTOMATION: true | |
| # https://developer.hashicorp.com/terraform/cli/config/environment-variables#tf_input | |
| # https://developer.hashicorp.com/terraform/tutorials/automation/automate-terraform#automated-terraform-cli-workflow | |
| TF_INPUT: false | |
| run: >- | |
| terraform plan \ | |
| -detailed-exitcode \ | |
| -out terraform.tfplan | |
| - name: Cleanup | |
| if: always() | |
| working-directory: infra/terraform | |
| run: | | |
| for FILE in vault-pass.txt terraform.tfplan terraform.tfstate terraform.tfstate.backup terraform.tfvars; do | |
| [ ! -f "$FILE" ] || rm -fv "$FILE" | |
| done | |
| [ ! -d terraform-data ] || git worktree remove terraform-data |