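# Runs `terraform plan` for one environment and, on pull requests, posts the
# plan as a PR comment. Triggered by PRs to main/develop that touch the infra
# paths below, by manual dispatch, or by another workflow via workflow_call.
name: terraform plan
on:
  pull_request:
    branches:
      - main
      - develop
    paths:
      - .github/workflows/terraform-plan.yml
      - terraform/**
      - cloudformation/**
  workflow_dispatch:
    inputs:
      environment:
        description: "Target environment"
        required: true
        default: "test"
        type: choice
        options:
          - test
  workflow_call:
    inputs:
      # Free-form string when called from another workflow (not restricted to
      # the choice list above), so it is only ever passed to shell via env below.
      environment:
        required: true
        default: "test"
        type: string
      store_plan:
        required: false
        type: boolean
jobs:
  plan:
    runs-on: ubuntu-24.04
    # Related
    # - https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
    # - https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps
    permissions:
      id-token: write # Required for aws-actions/configure-aws-credentials
      contents: read # Required for aws-actions/configure-aws-credentials
      pull-requests: write # Required for actions/github-script
    # Deployment environment supplies vars.* / secrets.* and any reviewer gating.
    environment: terraform-${{ inputs.environment || 'test' }}
    steps:
      # NOTE(review): actions are pinned to version tags; tags are mutable, so
      # pinning to the full commit SHA (tag kept as a trailing comment) is the
      # stronger supply-chain control.
      - uses: actions/checkout@v4.2.2
      - name: Read .terraform-version
        id: terraform_version
        run: echo "value=$(cat .terraform-version)" >> "$GITHUB_OUTPUT"
        working-directory: terraform
      - uses: hashicorp/setup-terraform@v3.1.2
        with:
          terraform_version: "${{ steps.terraform_version.outputs.value }}"
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4.0.2
        with:
          role-to-assume: ${{ vars.IAM_ROLE_ARN }}
          aws-region: eu-central-1
      - name: terraform init
        env:
          # Passed through env instead of interpolating `${{ }}` into the
          # command line, so the input value is never parsed as shell syntax.
          TARGET_ENVIRONMENT: ${{ inputs.environment || 'test' }}
        run: terraform init -backend-config="${TARGET_ENVIRONMENT}.s3.tfbackend"
        working-directory: terraform
      - name: terraform plan
        run: terraform plan -no-color -out=tfplan
        working-directory: terraform
        id: plan
        # Let the comment step run on failure; the explicit step below fails the job.
        continue-on-error: true
        env:
          TF_VAR_cloudflare_api_token: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          TF_VAR_api_subdomain: ${{ vars.API_SUBDOMAIN }}
          TF_VAR_email_function_parameters: ${{ secrets.EMAIL_FUNCTION_PARAMETERS }}
      - uses: actions/github-script@v7.0.1
        if: github.event_name == 'pull_request'
        env:
          # Plan text is handed to the script via env (not `${{ }}` inside
          # `script:`) so its content is treated as data, not as JavaScript.
          PLAN: ${{ steps.plan.outputs.stdout }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            // 1. Retrieve existing bot comments for the PR
            const { data: comments } = await github.rest.issues.listComments({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
            })
            const botComment = comments.find(comment => {
              return comment.user.type === 'Bot' && comment.body.includes('Terraform Plan')
            })
            // 2. Prepare format of the comment
            const output = `#### Terraform Plan 📖 \`${{ steps.plan.outcome }}\`
            <details><summary>Show Plan</summary>
            \`\`\`\n
            ${process.env.PLAN}
            \`\`\`
            </details>`
            // 3. If we have a comment, update it, otherwise create a new one
            if (botComment) {
              github.rest.issues.updateComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                comment_id: botComment.id,
                body: output
              })
            } else {
              github.rest.issues.createComment({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body: output
              })
            }
      - name: Break on terraform plan failure
        if: steps.plan.outcome == 'failure'
        run: exit 1
      # The saved plan file can embed the values of input variables, including
      # the TF_VAR_* secrets passed above; keep retention short and treat
      # artifact download permissions accordingly.
      - name: Store artifact
        uses: actions/upload-artifact@v4.6.0
        if: inputs.store_plan || false
        with:
          name: tfplan
          path: terraform/tfplan
          retention-days: 1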