---
# Copyright The Linux Foundation and each contributor.
# SPDX-License-Identifier: MIT
name: "OpenTofu Check Schedule"

# Two triggers share this file:
#   - workflow_call: callers reuse it and configure it through the inputs and
#     secrets declared below (job opentofu_check).
#   - schedule: weekly drift detection driven by repository variables
#     (job opentofu_check_drift); inputs are not available on that path.
on:
  workflow_call:
    inputs:
      environment:
        description: 'Name of the environment to use'
        type: string
        required: true
      opentofu_workspace:
        description: 'Name of the OpenTofu workspace to use'
        type: string
        required: false
        default: ''
      opentofu_variables:
        description: 'Variables to pass to OpenTofu'
        type: string
        required: false
        default: ''
      opentofu_backend_config:
        description: 'Backend configuration for OpenTofu'
        type: string
        required: false
        default: ''
      # Declared for callers; not referenced by any job in this file.
      opentofu_plan_label:
        description: 'Label for the OpenTofu plan output'
        type: string
        required: false
        default: ''
      opentofu_var_file:
        description: 'List of var file paths, one per line'
        type: string
        required: false
        default: ''
      opentofu_path:
        description: 'Path to the OpenTofu directory'
        type: string
        required: false
        default: '.'
      oidc_role_arn:
        description: 'ARN of the IAM role to assume with OIDC'
        type: string
        required: false
        default: 'arn:aws:iam::391835788720:role/terraform-deploy-oidc'
      oidc_audience:
        description: 'OIDC audience to authenticate against'
        type: string
        required: false
        default: 'sts.amazonaws.com'
      # Declared for callers; not referenced by any job in this file.
      oidc_export_variables:
        description: 'Whether to export OIDC variables'
        type: boolean
        required: false
        default: true
      trigger_check:
        description: 'Whether to trigger the OpenTofu check job'
        type: boolean
        required: false
        default: true
      # KEY=VALUE lines appended to $GITHUB_ENV; the job writes them with
      # `echo -e`, so escape sequences such as "\n" are expanded.
      env:
        description: 'Extra environment variables'
        type: string
        required: false
      secrets_manager_keys:
        description: 'List of keys to fetch from AWS Secrets Manager'
        type: string
        required: false
      artifact_name:
        description: 'The artifact name to download'
        type: string
        required: false
      artifact_path:
        description: 'The artifact path to download'
        type: string
        required: false
    secrets:
      # Same KEY=VALUE format as `env`; the value part of each line is masked
      # before it is written to $GITHUB_ENV.
      env_secret:
        description: 'Extra secret environment variables'
        required: false
      opentofu_secret_variables:
        description: 'Variables that contains secrets to pass to OpenTofu'
        required: false
      opentofu_http_credentials:
        description: 'Credentials that will be used for fetching modules sources'
        required: false
  schedule:
    # Runs at 9:00 AM PST every Tuesday.
    # GitHub Actions evaluates cron in UTC: 17:00 UTC is 9:00 AM PST during
    # standard time and 10:00 AM PDT during daylight saving time.
    - cron: '0 17 * * 2'

permissions:
  contents: read
  # Needed to request the OIDC token that configure-aws-credentials exchanges
  # for the AWS role.
  id-token: write
  # NOTE(review): no step in this file visibly writes to pull requests; confirm
  # dflook/tofu-check or a caller still needs this before keeping it.
  pull-requests: write
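jobs:
  # Scheduled drift detection. Configuration comes from repository/organization
  # variables (vars.*) and the environment matrix, not from workflow_call
  # inputs, which do not exist on a cron run.
  opentofu_check_drift:
    name: "OpenTofu Check - ${{ matrix.environment }}"
    strategy:
      matrix:
        environment:
          - dev
          - prod
    runs-on: ubuntu-latest
    # NOTE(review): the job declares no `environment:` key, so vars.* resolve at
    # repository/organization scope rather than per matrix environment — confirm
    # that is intended.
    if: ${{ github.event_name == 'schedule' }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      # Values are handed to the script through `env` rather than interpolated
      # into the script text with ${{ }}, so quotes, `$`, backticks or newlines
      # inside them are data for the shell, not syntax.
      - name: Set Environment Variables
        id: set-env
        env:
          INPUT_ENV: ${{ inputs.env }}
          ENV_SECRET: ${{ secrets.env_secret }}
          OPENTOFU_SECRET_VARIABLES: ${{ secrets.opentofu_secret_variables }}
        run: |
          echo -e "$INPUT_ENV" >> "$GITHUB_ENV"
          # Mask the value part of each KEY=VALUE line before the secrets are written anywhere.
          for val in $(echo -e "$ENV_SECRET" | cut -d'=' -f2-); do echo ::add-mask::"$val" ; done
          for val in $(echo -e "$OPENTOFU_SECRET_VARIABLES" | cut -d'=' -f2-); do echo ::add-mask::"$val" ; done
          echo -e "$ENV_SECRET" >> "$GITHUB_ENV"

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
        with:
          # A cron run takes no inputs, so the role and audience are fixed here;
          # they match the workflow_call defaults for oidc_audience/oidc_role_arn.
          audience: sts.amazonaws.com
          role-to-assume: arn:aws:iam::391835788720:role/terraform-deploy-oidc
          aws-region: us-west-2

      # This is used to fetch build time secrets from AWS Secrets Manager
      - name: Read secrets from AWS Secrets Manager into environment variables
        uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 # v2.0.10
        if: ${{ vars.SECRETS_MANAGER_KEYS != '' }}
        with:
          secret-ids: ${{ vars.SECRETS_MANAGER_KEYS }}
          name-transformation: none

      - name: OpenTofu Check
        uses: dflook/tofu-check@906f68064a99656755c320d74959150782d42757 # v1.49.0
        with:
          workspace: ${{ vars.OPENTOFU_WORKSPACE || matrix.environment }}
          backend_config: ${{ vars.OPENTOFU_BACKEND_CONFIG || '' }}
          var_file: ${{ vars.OPENTOFU_VAR_FILE || '' }}
          path: ${{ vars.OPENTOFU_PATH || '.' }}
          variables: |
            ${{ vars.OPENTOFU_VARIABLES || '' }}
            ${{ secrets.opentofu_secret_variables }}
        env:
          OPENTOFU_HTTP_CREDENTIALS: ${{ secrets.opentofu_http_credentials }}
          OPENTOFU_VERSION: "1.10.3"

  # Reusable-workflow path: configuration comes from the caller's inputs and
  # secrets.
  opentofu_check:
    runs-on: ubuntu-latest
    name: "OpenTofu Check - ${{ inputs.environment }}"
    # On a workflow_call run the `github` context belongs to the caller, so
    # event_name is the caller's event (push, pull_request, ...) rather than
    # 'workflow_call'. Excluding the cron trigger selects the called path
    # reliably; on a cron run inputs.trigger_check is unset anyway.
    if: ${{ github.event_name != 'schedule' && inputs.trigger_check }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      # Values are handed to the script through `env` rather than interpolated
      # into the script text with ${{ }}: a value containing a single quote
      # would previously have broken the script, and `$` or backticks would
      # have been evaluated by the shell.
      - name: Set Environment Variables
        id: set-env
        env:
          INPUT_ENV: ${{ inputs.env }}
          ENV_SECRET: ${{ secrets.env_secret }}
          OPENTOFU_SECRET_VARIABLES: ${{ secrets.opentofu_secret_variables }}
        run: |
          echo -e "$INPUT_ENV" >> "$GITHUB_ENV"
          # Mask the value part of each KEY=VALUE line before the secrets are written anywhere.
          for val in $(echo -e "$ENV_SECRET" | cut -d'=' -f2-); do echo ::add-mask::"$val" ; done
          for val in $(echo -e "$OPENTOFU_SECRET_VARIABLES" | cut -d'=' -f2-); do echo ::add-mask::"$val" ; done
          echo -e "$ENV_SECRET" >> "$GITHUB_ENV"

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
        with:
          audience: ${{ inputs.oidc_audience }}
          role-to-assume: ${{ inputs.oidc_role_arn }}
          aws-region: us-west-2

      - name: Read secrets from AWS Secrets Manager into environment variables
        uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 # v2.0.10
        if: ${{ inputs.secrets_manager_keys != '' }}
        with:
          secret-ids: ${{ inputs.secrets_manager_keys }}
          name-transformation: none

      # Conditionally download the artifact if the artifact_name input is provided
      - name: Download artifact
        if: ${{ inputs.artifact_name != '' }}
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: ${{ inputs.artifact_name }}
          path: ${{ inputs.artifact_path || '.' }}

      - name: OpenTofu Check
        uses: dflook/tofu-check@906f68064a99656755c320d74959150782d42757 # v1.49.0
        with:
          workspace: ${{ inputs.opentofu_workspace || inputs.environment }}
          backend_config: ${{ inputs.opentofu_backend_config }}
          var_file: ${{ inputs.opentofu_var_file }}
          path: ${{ inputs.opentofu_path }}
          variables: |
            ${{ inputs.opentofu_variables }}
            ${{ secrets.opentofu_secret_variables }}
        env:
          OPENTOFU_HTTP_CREDENTIALS: ${{ secrets.opentofu_http_credentials }}
          OPENTOFU_VERSION: "1.10.3"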