pipelines-workflows/.github/workflows/pipelines-delegated.yml at 874eae5212553092ccb4eaf97efd87ab32055bdf · gruntwork-io/pipelines-workflows · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
name: Pipelines Execute
run-name: Run Gruntwork Pipelines
on:
  workflow_call:
    inputs:
      # This field can be overriden to customize the runner used for pipelines
      # workflows.
      #
      # IMPORTANT: To use self-hosted runners this workflow must be hosted in
      # the same GitHub organization as your infra-live repository.
      # See https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-self-hosted-runners
      #
      # The value must be an escaped JSON string that will be decoded to the
      # jobs.runs-on field
      # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on
      #
      # For example:
      # - A simple github runner: "\"ubuntu-22.04\""
      # - A list of labels: "[\"self-hosted\", \"linux\"]"
      # - A map: "{group: \"ubuntu-runners\", labels: \"ubuntu-20.04-16core\"}"
      runner:
        type: string
        default: "\"ubuntu-latest\""
    secrets:
      PIPELINES_READ_TOKEN:
        required: true

env:
  PIPELINES_CLI_VERSION: v0.10.1
  PIPELINES_ACTIONS_VERSION: v1.3.3
  BOILERPLATE_VERSION: v0.5.16
  GRUNTWORK_INSTALLER_VERSION: v0.0.40

jobs:
  detect_changes:
    name: Detect Infrastructure Changes
    runs-on: ${{ fromJSON(inputs.runner) }}
    steps:
      - name: Checkout Pipelines Actions
        uses: actions/checkout@v4
        with:
          path: pipelines-actions
          repository: gruntwork-io/pipelines-actions
          ref: ${{ env.PIPELINES_ACTIONS_VERSION }}
          token: ${{ secrets.PIPELINES_READ_TOKEN }}

      - name: Check out repo code
        uses: actions/checkout@v4
        with:
          path: infra-live-repo
          fetch-depth: 0

      - name: Preflight Checks
        uses: ./pipelines-actions/.github/actions/pipelines-preflight-action
        with:
          PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}

      - name: Pipelines Orchestrate
        id: orchestrate
        uses: ./pipelines-actions/.github/actions/pipelines-orchestrate
        with:
          token: ${{ secrets.PIPELINES_READ_TOKEN || secrets.GITHUB_TOKEN }}

    outputs:
      pipelines_jobs: ${{ steps.orchestrate.outputs.jobs }}

  pipelines_determine:
    name: ${{ contains(matrix.jobs.Action.Command, 'plan') && 'Plan' || 'Apply' }} - ${{ matrix.jobs.ChangeType }} - ${{ matrix.jobs.WorkingDirectory }}
    needs: [detect_changes]
    runs-on: ${{ fromJSON(inputs.runner) }}
    # GHA can't check for length, so we just check if there is an item in the 0 index
    if: fromJson(needs.detect_changes.outputs.pipelines_jobs)[0] != null
    strategy:
      fail-fast: false
      matrix:
        jobs: ${{ fromJson(needs.detect_changes.outputs.pipelines_jobs) }}
    steps:
      - name: Checkout Pipelines Actions
        uses: actions/checkout@v4
        with:
          path: pipelines-actions
          repository: gruntwork-io/pipelines-actions
          ref: ${{ env.PIPELINES_ACTIONS_VERSION }}
          token: ${{ secrets.PIPELINES_READ_TOKEN }}

      - name: Check out repo code
        uses: actions/checkout@v4
        with:
          path: infra-live-repo
          fetch-depth: 0

      - name: Bootstrap Workflow
        id: bootstrap
        uses: ./pipelines-actions/.github/actions/pipelines-bootstrap
        with:
          token: ${{ secrets.PIPELINES_READ_TOKEN }}
          change_type: ${{ matrix.jobs.ChangeType }}
          branch: ${{ matrix.jobs.Ref }}
          working_directory: ${{ matrix.jobs.WorkingDirectory }}
          account_id: ${{ matrix.jobs.AccountId }}
          terragrunt_command: ${{ matrix.jobs.Action.Command }} ${{ matrix.jobs.Action.Args }}
          additional_data: ${{ toJson(matrix.jobs.AdditionalData) }}
          child_account_id: ${{ matrix.jobs.AdditionalData.ChildAccountId }}
          account_names: ${{ matrix.jobs.AdditionalData.AccountNames }}

      - name: "Run terragrunt ${{ steps.bootstrap.outputs.terragrunt_command }} in ${{ steps.bootstrap.outputs.working_directory }}"
        id: terragrunt
        uses: ./pipelines-actions/.github/actions/pipelines-aws-execute
        with:
          PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
          account_id: ${{ steps.bootstrap.outputs.account_id }}
          account_role_name: ${{ steps.bootstrap.outputs.role_name }}
          role_session_name: ${{ steps.bootstrap.outputs.role_session_name }}
          working_directory: ${{ steps.bootstrap.outputs.working_directory }}
          gruntwork_context: ${{ toJson(steps.bootstrap.outputs) }}

      - name: Update comment
        if: always()
        uses: ./pipelines-actions/.github/actions/pipelines-status-update
        with:
          step_name: ${{ matrix.jobs.ChangeType }}
          step_working_directory: ${{ matrix.jobs.WorkingDirectory }}
          step_status: ${{ steps.terragrunt.conclusion == 'success' && 'success' || 'failed' }}
          step_details: ${{ steps.terragrunt.outputs.formatted_plan_output || 'Check the logs for more details.' }}
          step_details_extended_log: ${{ steps.terragrunt.outputs.execute_stdout_log }}
          pull_request_number: ${{ steps.bootstrap.outputs.pr_number }}

    outputs:
      account_id: ${{ matrix.jobs.AccountId }}
      branch: ${{ steps.bootstrap.outputs.branch }}
      action: ${{ steps.bootstrap.outputs.action }}
      working_directory: ${{ steps.bootstrap.outputs.working_directory }}
      terragrunt_command: ${{ steps.bootstrap.outputs.terragrunt_command }}
      additional_data: ${{ steps.bootstrap.outputs.additional_data }}
      child_account_id: ${{ steps.bootstrap.outputs.child_account_id }}

  pipelines_cleanup:
    name: "Pipelines Matrix Cleanup"
    needs: [detect_changes, pipelines_determine]
    runs-on: ${{ fromJSON(inputs.runner) }}
    steps:
      - name: Checkout Pipelines Actions
        uses: actions/checkout@v4
        with:
          path: pipelines-actions
          repository: gruntwork-io/pipelines-actions
          ref: ${{ env.PIPELINES_ACTIONS_VERSION }}
          token: ${{ secrets.PIPELINES_READ_TOKEN }}

      - name: Update comment
      # The idea here is that there is a race condition in the updating of the jobs in the matrix:
      # if one job is uploading its state artifact WHILST another is downloading, then the downloader
      # will miss the state update from the uploader, and if the downloader is the last job, there's nobody
      # to come later and grab the uploader's update.
        uses: ./pipelines-actions/.github/actions/pipelines-status-update