deploy with github

Author: daniel-cit

0-bootstrap/outputs_github..tf.example renamed to 0-bootstrap/outputs_github.tf.example

@@ -68,7 +68,7 @@ default_region_kms = "us"
 #  to prevent saving the `gh_token` in plain text in this file,
 #  export the GitHub fine grained access token in the command line
 #  as an environment variable before running terraform.
-#  Run the following commnad in your shell:
+#  Run the following command in your shell:
 #   export TF_VAR_gh_token="YOUR-FINE-GRAINED-ACCESS-TOKEN"
 
 

0-bootstrap/terraform.example.tfvars

@@ -26,7 +26,7 @@ REGISTRY_URL := gcr.io/cloud-foundation-cicd
 .PHONY: docker_test_lint
 docker_test_lint:
 	docker run --rm -it \
-		-e ENABLE_PARALLEL=1 \
+		-e ENABLE_PARALLEL=0 \
 		-e DISABLE_TFLINT=1 \
 		-e EXCLUDE_LINT_DIRS \
 		-v $(CURDIR):/workspace \

0-bootstrap/variables_github..tf.example renamed to 0-bootstrap/variables_github.tf.example

@@ -0,0 +1,66 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: "tf-plan-all"
+on:
+  push:
+    branches:
+      - "plan"
+
+env:
+  PROJECT_ID: ${{ secrets.PROJECT_ID }}
+  TF_BACKEND: ${{ secrets.TF_BACKEND }}
+  TF_VAR_gh_token: ${{ secrets.TF_VAR_gh_token }}
+  TF_IN_AUTOMATION: "true"
+
+jobs:
+  run:
+    runs-on: "ubuntu-latest"
+    permissions:
+      contents: "read"
+      id-token: "write"
+      issues: "write"
+      pull-requests: "write"
+
+    steps:
+      - uses: "actions/checkout@v4"
+
+      - id: "auth"
+        uses: "google-github-actions/auth@v2"
+        with:
+          token_format: "access_token"
+          workload_identity_provider: ${{ secrets.WIF_PROVIDER_NAME }}
+          service_account: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
+
+      - uses: "google-github-actions/setup-gcloud@v2"
+        with:
+          install_components: "beta,terraform-tools"
+
+      - uses: "hashicorp/setup-terraform@v3"
+        with:
+          terraform_version: "1.5.7"
+
+      - id: setup
+        shell: bash
+        run: |
+          echo "Adding bucket information to backends"
+          for i in `find . -name 'backend.tf'`
+          do
+            sed -i'' -e "s/UPDATE_ME/${TF_BACKEND}/" $i
+            sed -i'' -e "s/UPDATE_PROJECTS_BACKEND/${TF_BACKEND}/" $i
+          done
+
+      - id: plan-validate-all
+        run: |
+          ${GITHUB_WORKSPACE}/tf-wrapper.sh plan_validate_all "${GITHUB_REF_NAME}" "${GITHUB_WORKSPACE}/policy-library" "${PROJECT_ID}" "FILESYSTEM" "GITHUB"

0-bootstrap/versions_github..tf.example renamed to 0-bootstrap/versions_github.tf.example

@@ -29,15 +29,16 @@ SA="$3"
 # System folder to save the temporary files
 SAVE_PATH="$4"
 
-# TODO
+# Save the OIDC token to a file.
+# gcloud requires the OIDC token to be passed as a file.
 echo "${OIDC_TOKEN}" > "${SAVE_PATH}"/.ci_job_token_file
 
-# TODO
+# Exchange the OIDC token for a Google Cloud credential.
 gcloud iam workload-identity-pools \
 create-cred-config "${WIF_PROVIDER}" \
 --service-account="${SA}" \
 --output-file="${SAVE_PATH}"/.gcp_generated_credentials.json \
 --credential-source-file="${SAVE_PATH}"/.ci_job_token_file \
 
-# TODO
+# Authenticate using the generated credential.
 gcloud auth login --cred-file="${SAVE_PATH}"/.gcp_generated_credentials.json --update-adc