-
Notifications
You must be signed in to change notification settings - Fork 34
132 lines (117 loc) · 5.53 KB
/
provision-by-terraform.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
name: Setup a server by Terraform
on:
push:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpull_requestpull_request_targetbranchesbranches-ignore
branches:
- master
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore
paths:
- .github/workflows/provision-by-terraform.yml
- 'infra/terraform/**'
- '!infra/terraform/*.example'
- '!infra/terraform/*.md'
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_dispatch
workflow_dispatch:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read # for "git clone"
defaults:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#defaultsrun
run:
# Enable fail-fast behavior using set -eo pipefail
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
jobs:
setup-server:
name: Setup a server
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on
runs-on: ubuntu-22.04
steps:
- name: Clone source code
uses: actions/[email protected] # https://github.com/actions/checkout
with:
# Whether to configure the token or SSH key with the local git config. Default: true
persist-credentials: false
- name: Checkout terraform data to a subdirectory
working-directory: infra/terraform
run: |
git fetch --depth=1 origin generated-terraform
git worktree add terraform-data generated-terraform
- name: Install mise to set up Terraform
uses: jdx/[email protected] # https://github.com/jdx/mise-action
with:
version: 2025.4.8 # [default: latest] mise version to install
install: true # [default: true] run `mise install`
cache: true # [default: true] cache mise using GitHub's cache
log_level: info # [default: info] log level
working_directory: infra/terraform # [default: .] directory to run mise in
env:
# Workaround: don't install parent's dependencies as we don't use them
# See: https://github.com/jdx/mise-action/issues/183
# https://mise.jdx.dev/configuration/settings.html#disable_tools
MISE_DISABLE_TOOLS: java,maven
- name: Install ansible-vault
working-directory: infra/ansible
env:
# Don't install some dependencies that we don't use (java, maven) or don't want (python)
# https://mise.jdx.dev/configuration/settings.html#disable_tools
MISE_DISABLE_TOOLS: java,maven,python
run: mise install
- name: Show tools versions
env:
# https://developer.hashicorp.com/terraform/cli/commands#upgrade-and-security-bulletin-checks
CHECKPOINT_DISABLE: true
run: |
terraform -version
ansible-vault --version
- name: Decrypt terraform files
working-directory: infra/terraform
env:
# https://docs.github.com/en/actions/security-guides/encrypted-secrets#using-encrypted-secrets-in-a-workflow
VAULT_PASSWORD: ${{ secrets.VAULT_PASSWORD }}
run: |
printf '%s' "$VAULT_PASSWORD" >vault-pass.txt
for FILENAME in terraform.tfstate terraform.tfvars; do
echo "Decrypting ${FILENAME}.enc to $FILENAME"
ansible-vault decrypt \
--vault-password-file vault-pass.txt \
--output "$FILENAME" \
"terraform-data/${FILENAME}.enc"
done
- name: Run terraform init
working-directory: infra/terraform
env:
# https://developer.hashicorp.com/terraform/cli/config/environment-variables#tf_in_automation
TF_IN_AUTOMATION: true
# https://developer.hashicorp.com/terraform/cli/config/environment-variables#tf_input
# https://developer.hashicorp.com/terraform/tutorials/automation/automate-terraform#automated-terraform-cli-workflow
TF_INPUT: false
run: terraform init
- name: Check whether there are no modified files
run: >-
MODIFIED_FILES="$(git status --short)";
if [ -n "$MODIFIED_FILES" ]; then
echo >&2 "ERROR: the following files have been modified:";
echo >&2 "$MODIFIED_FILES";
exit 1;
fi
- name: Run terraform plan
working-directory: infra/terraform
env:
# https://developer.hashicorp.com/terraform/cli/config/environment-variables#tf_in_automation
TF_IN_AUTOMATION: true
# https://developer.hashicorp.com/terraform/cli/config/environment-variables#tf_input
# https://developer.hashicorp.com/terraform/tutorials/automation/automate-terraform#automated-terraform-cli-workflow
TF_INPUT: false
run: >-
terraform plan \
-detailed-exitcode \
-out terraform.tfplan
- name: Cleanup
if: always()
working-directory: infra/terraform
run: |
for FILE in vault-pass.txt terraform.tfplan terraform.tfstate terraform.tfstate.backup terraform.tfvars; do
[ ! -f "$FILE" ] || rm -fv "$FILE"
done
[ ! -d terraform-data ] || git worktree remove terraform-data