secured ssh_user #31
| name: Terraform CI/CD | |
| on: | |
| push: | |
| branches: [ master ] | |
| pull_request: | |
| branches: [ master ] | |
| permissions: | |
| contents: read | |
| id-token: write | |
| env: | |
| ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} | |
| ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} | |
| ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} | |
| ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} | |
| jobs: | |
| terraform: | |
| name: Terraform | |
| runs-on: ubuntu-latest | |
| environment: qa | |
| steps: | |
| - name: 📦 Checkout code | |
| uses: actions/checkout@v3 | |
| - name: ⚙️ Setup Terraform | |
| uses: hashicorp/setup-terraform@v2 | |
| with: | |
| terraform_version: 1.5.0 | |
| - name: 🔐 Azure Login with Service Principal | |
| uses: azure/login@v1 | |
| with: | |
| creds: >- | |
| { | |
| "clientId": "${{ secrets.ARM_CLIENT_ID }}", | |
| "clientSecret": "${{ secrets.ARM_CLIENT_SECRET }}", | |
| "subscriptionId": "${{ secrets.ARM_SUBSCRIPTION_ID }}", | |
| "tenantId": "${{ secrets.ARM_TENANT_ID }}" | |
| } | |
| - name: 🧪 Verify Azure login | |
| run: az account show | |
| - name: 🏗️ Ensure Terraform remote backend exists | |
| run: | | |
| az group create --name soft-tfstate-rg --location eastus | |
| az storage account create \ | |
| --name softsastate \ | |
| --resource-group soft-tfstate-rg \ | |
| --location eastus \ | |
| --sku Standard_LRS \ | |
| --encryption-services blob | |
| az storage container create \ | |
| --name tfstate \ | |
| --account-name softsastate | |
| - name: 📥 Terraform Init | |
| run: | | |
| terraform -chdir=infra init \ | |
| -backend-config="resource_group_name=soft-tfstate-rg" \ | |
| -backend-config="storage_account_name=softsastate" \ | |
| -backend-config="container_name=tfstate" \ | |
| -backend-config="key=terraform.tfstate" | |
| - name: 🧹 Optional Unlock (if lock is active) | |
| run: | | |
| terraform -chdir=infra init | |
| LOCK_FILE=".terraform/terraform.tfstate.lock.info" | |
| if [ -f "infra/$LOCK_FILE" ]; then | |
| LOCK_ID=$(jq -r '.ID' "infra/$LOCK_FILE") | |
| echo "🔓 Lock found: $LOCK_ID. Attempting to unlock..." | |
| terraform -chdir=infra force-unlock -force "$LOCK_ID" | |
| else | |
| echo "✅ No lock file found. Continuing..." | |
| fi | |
| - name: 🧹 Terraform Format | |
| run: | | |
| terraform -chdir=infra fmt -check -diff -recursive -no-color || true | |
| - name: 📝 Generate terraform.tfvars | |
| run: | | |
| cat > infra/terraform.tfvars <<EOF | |
| subscription_id = "${{ secrets.ARM_SUBSCRIPTION_ID }}" | |
| client_id = "${{ secrets.ARM_CLIENT_ID }}" | |
| client_secret = "${{ secrets.ARM_CLIENT_SECRET }}" | |
| tenant_id = "${{ secrets.ARM_TENANT_ID }}" | |
| allowed_ssh_ip = "${{ secrets.MY_IP_ADDRESS }}" | |
| mysql_user = "${{ secrets.MYSQL_USER }}" | |
| mysql_admin_password = "${{ secrets.MYSQL_ADMIN_PASSWORD }}" | |
| ssh_public_key = "${{ secrets.VM_SSH_PUB_KEY }}" | |
| EOF | |
| - name: 🔍 Terraform Validate | |
| run: terraform -chdir=infra validate | |
| - name: 📋 Terraform Plan | |
| run: terraform -chdir=infra plan -input=false -var-file=terraform.tfvars | |
| - name: 🚀 Terraform Apply | |
| if: github.ref == 'refs/heads/master' | |
| run: terraform -chdir=infra apply -auto-approve -input=false -var-file=terraform.tfvars | |
| - name: 📄 Generate Terraform outputs | |
| run: | | |
| terraform -chdir=infra output -json > infra/tf_outputs.json | |
| - name: 📦 Upload inventory.ini as artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: inventory | |
| path: ansible/inventory.ini | |
| - name: 🔑 Configure SSH for jumpbox | |
| run: | | |
| mkdir -p ~/.ssh | |
| echo "${{ secrets.VM_SSH_KEY }}" > ~/.ssh/vm_ssh_key | |
| chmod 600 ~/.ssh/vm_ssh_key | |
| echo -e "Host *\n\tStrictHostKeyChecking no\n" >> ~/.ssh/config | |
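Review bot: The `echo -e "Host *\n\tStrictHostKeyChecking no\n" >> ~/.ssh/config` line in the "Configure SSH for jumpbox" step disables host-key verification for every host the runner connects to, so a spoofed or intercepted jumpbox is accepted silently and anything later steps send over that session is exposed; write the expected host key into `~/.ssh/known_hosts` instead (it can be published as a Terraform output next to `tf_outputs.json`), or at minimum use `StrictHostKeyChecking accept-new` under a `Host <jumpbox>` stanza rather than `Host *`. The job already requests `id-token: write`, yet `azure/login@v1` is fed a client-secret JSON and the same `ARM_CLIENT_SECRET` is also copied into `env` and into `infra/terraform.tfvars`; moving the service principal to federated (OIDC) credentials would let the secret be removed from all three places. The "Optional Unlock" step runs `terraform -chdir=infra force-unlock -force "$LOCK_ID"` without any check for a concurrent run, which can break a live lock and corrupt state; since the azurerm backend locks via a blob lease, the `.terraform/terraform.tfstate.lock.info` test probably never fires anyway, and a workflow-level `concurrency:` group is the safer way to serialize runs. Actions are referenced by mutable tags (`actions/checkout@v3`, `azure/login@v1`, `hashicorp/setup-terraform@v2`, `actions/upload-artifact@v4`); pinning them to commit SHAs limits supply-chain exposure. The workflow may continue beyond the last visible step.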