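---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
#
# Terraform Diff: for every changed terraform/<dir> in a PR, run
# `tofu fmt -check` / `init` / `validate` / `plan` and post the plan as a PR comment.
#
# Trust boundary (NOTE(review)): the `sync` job evaluates PR-authored HCL
# (`tofu init` / `tofu plan`) on a self-hosted runner with the RGW backend
# credentials exported into the environment and the Akeyless credentials
# supplied as input variables. `pull_request` runs from forks do not receive
# repository secrets, so "Get Secrets" fails before any HCL is evaluated, but a
# PR author with push access to this repository can read those values from a
# provider or `external` data source. Review terraform/** changes accordingly.
name: "Terraform Diff"

on:
  workflow_dispatch:
  pull_request:
    branches: ["main"]
    paths: ["terraform/**"]

# GITHUB_TOKEN is only used by the ubuntu-latest checkout; the self-hosted job
# authenticates with the GitHub App token and Akeyless, so keep the default
# token read-only instead of inheriting the repository default.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
  cancel-in-progress: true

jobs:
  changed-terraform:
    name: Changed Terraform
    runs-on: ubuntu-latest
    outputs:
      # JSON array of changed terraform/<dir> paths; consumed via fromJSON() below.
      matrix: ${{ steps.changed-terraform.outputs.all_changed_and_modified_files }}
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Get Changed Terraform
        id: changed-terraform
        uses: bjw-s-labs/action-changed-files@015416e33c709af88f84a4496f4030c1f0ef212e # v0.5.0
        with:
          patterns: terraform/**/*
          include_only_directories: true
          max_depth: 2

      - name: List All Changed Terraform
        # The path list is PR-controlled. Hand it to the script through env
        # rather than expanding the ${{ }} expression inside `run`: expression
        # expansion happens before bash parses the line, so a directory name
        # containing shell metacharacters would otherwise be executed.
        env:
          CHANGED_TERRAFORM: ${{ steps.changed-terraform.outputs.all_changed_and_modified_files }}
        run: echo "$CHANGED_TERRAFORM"

  sync:
    name: Terraform Diff
    runs-on: [home-ops-runner] # Backend is stored on local RGW with no external ingress
    needs: ["changed-terraform"]
    strategy:
      matrix:
        # NOTE(review): if the upstream output is empty (e.g. a workflow_dispatch
        # run with no changed directories) the matrix has no values and this job
        # fails to start; guard with an `if:` on the output if that case matters.
        paths: ${{ fromJSON(needs.changed-terraform.outputs.matrix) }}
      max-parallel: 4
      fail-fast: false
    steps:
      - name: Get Secrets
        uses: akeyless-community/akeyless-github-action@0ac7f752544b2bfc0c60e415bafc2ecf6aa45971 # v1.1.4
        with:
          access-id: ${{ secrets.AKEYLESS_ACCESS_ID }}
          access-key: ${{ secrets.AKEYLESS_ACCESS_KEY }}
          access-type: access_key
          # Exports RGW_ACCESS_KEY / RGW_SECRET_KEY into the environment of every
          # later step of this job, including the tofu steps that run PR-authored HCL.
          export-secrets-to-environment: true
          static-secrets: |
            - name: /rook-ceph
              key: RGW_ADMIN_OPS_USER_ACCESS_KEY
              output-name: RGW_ACCESS_KEY
            - name: /rook-ceph
              key: RGW_ADMIN_OPS_USER_SECRET_KEY
              output-name: RGW_SECRET_KEY
          parse-json-secrets: true

      - name: Generate Token
        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
        id: app-token
        with:
          app-id: ${{ secrets.BOT_APP_ID }}
          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          token: ${{ steps.app-token.outputs.token }}
          # Do not leave the app token in .git/config, where the tofu steps
          # (which evaluate PR-authored HCL) could read it. The token is only
          # needed again by the PR-comment step, which receives it directly.
          # Re-enable only if `tofu init` must fetch modules from private git sources.
          persist-credentials: false

      - name: Install Opentofu
        uses: opentofu/setup-opentofu@fc711fa910b93cba0f3fbecaafc9f42fd0c411cb # v2.0.0
        with:
          tofu_wrapper: false

      - name: Tofu fmt
        id: fmt
        working-directory: ${{ matrix.paths }}
        run: tofu fmt -check
        continue-on-error: true # formatting drift is reported, not blocking

      - name: Tofu Init
        id: init
        working-directory: ${{ matrix.paths }}
        env:
          # RGW_* come from the "Get Secrets" step's exported environment.
          AWS_ACCESS_KEY_ID: ${{ env.RGW_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ env.RGW_SECRET_KEY }}
        run: |
          tofu init \
            -backend-config="access_key=$AWS_ACCESS_KEY_ID" \
            -backend-config="secret_key=$AWS_SECRET_ACCESS_KEY"

      - name: Tofu Validate
        id: validate
        working-directory: ${{ matrix.paths }}
        run: tofu validate -no-color

      - name: Tofu Plan
        working-directory: ${{ matrix.paths }}
        # An explicit `shell: bash` runs the script with `-eo pipefail`, so a
        # failing `tofu plan` fails the step instead of being masked by the exit
        # status of the trailing grep (the default shell has no pipefail).
        shell: bash
        env:
          # Supply the Akeyless credentials as TF_VAR_* instead of expanding the
          # secrets into the command line: keeps them out of the script text and
          # the runner's process list. TF_VAR_ ranks below -var, so a *.tfvars
          # value for these names would now take precedence; none is expected here.
          TF_VAR_access_id: ${{ secrets.AKEYLESS_ACCESS_ID }}
          TF_VAR_access_key: ${{ secrets.AKEYLESS_ACCESS_KEY }}
        # The saved plan file embeds input-variable values (the Akeyless
        # credentials above); never upload .planfile as an artifact.
        run: |
          tofu plan -lock=false -out .planfile \
            | grep -v "Refreshing state...\|Reading...\|Read complete after"

      - name: Post PR comment
        if: github.event_name == 'pull_request'
        continue-on-error: true # a failed comment must not fail the plan job
        uses: borchero/terraform-plan-comment@d177dfb833ccfb6ef6022700796190dfe54830f1 # v3.0.0
        with:
          token: ${{ steps.app-token.outputs.token }}
          planfile: .planfile
          terraform-cmd: tofu
          header: "📝 Terraform Plan for ${{ matrix.paths }}"
          working-directory: ${{ matrix.paths }}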