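---
# Ephemeral Terraform deployment for pull requests, driven by PR comments.
#
# Trigger model: a `/test` or `/rc_test` comment on a PR runs
# `terraform apply -auto-approve` against GCP with the GOOGLE_CREDENTIALS
# secret. `/test` tears the deployment down at the end of the run;
# `/rc_test` deliberately leaves it up.
#
# Security notes for maintainers:
#   - `issue_comment` events run in the context of the default branch with
#     full access to repository secrets, and are raised by ANY account that
#     can comment on the PR. The job-level `if` therefore also gates on the
#     commenter's association with the repository; without that gate an
#     outside contributor could drive apply/destroy with live cloud
#     credentials on the self-hosted runner.
#   - `actions/checkout` with no `ref` checks out the default branch, not
#     the PR head, on `issue_comment` events. If the PR's Terraform code is
#     what should be applied, add `ref: refs/pull/${{ github.event.issue.number }}/head`
#     -- but that executes provider/provisioner code from the PR with live
#     credentials, so the trust gate above is then mandatory, not optional.
#   - State and outputs are written under /home/ubuntu on the self-hosted
#     runner and persist across runs. Terraform state stores every value,
#     including TF_VAR_mx_password, in plaintext; treat that tree as
#     sensitive and restrict who can log in to the runner.
on:
  pull_request:
    branches:
      - main
  issue_comment:
    types: [edited, created]

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes back to
# GitHub.
permissions:
  contents: read

jobs:
  terraform:
    name: 'Terraform Apply'
    runs-on: self-hosted
    # Run only for comments on pull requests (plain issues carry no
    # `pull_request` key), only for the two recognised commands, and only
    # from accounts with a standing relationship to the repository.
    # `pull_request` events start the workflow but skip this job.
    if: |
      github.event_name == 'issue_comment' &&
      github.event.issue.pull_request &&
      contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association) &&
      (contains(github.event.comment.body, '/test') ||
       contains(github.event.comment.body, '/rc_test'))
    # Non-secret Terraform inputs shared by apply and destroy. Secrets stay
    # step-scoped below so only the steps that need them can see them.
    env:
      TF_VAR_project_id: ${{ vars.PROJECT_ID }}
      TF_VAR_region: ${{ vars.REGION }}
      TF_VAR_vpc_network: ${{ vars.VPC_NETWORK }}
      TF_VAR_subnet_name: ${{ vars.SUBNET_NAME }}
      TF_VAR_zone: ${{ vars.ZONE }}
      TF_VAR_instance_type: ${{ vars.INSTANCE_TYPE }}
      TF_VAR_waf_version: ${{ vars.WAF_VERSION }}
      TF_VAR_timezone: ${{ vars.TIMEZONE }}
      TF_VAR_ssh_access_source_ranges: ${{ vars.SSH_ACCESS_SOURCE_RANGES }}
      TF_VAR_ui_access_source_ranges: ${{ vars.UI_ACCESS_SOURCE_RANGES }}
      TF_VAR_instance_name: ${{ vars.INSTANCE_NAME }}
      # `github.event.pull_request` does not exist on `issue_comment`
      # payloads (it would expand to an empty string, giving names like
      # "gh--42"); the PR number is the issue number.
      TF_VAR_deployment_name: "gh-${{ github.event.issue.number }}-${{ github.run_number }}"
    steps:
      - name: Checkout
        # TODO(security): pin to a full commit SHA instead of a mutable tag.
        uses: actions/checkout@v3
        with:
          # Nothing here pushes, so do not leave GITHUB_TOKEN in .git/config
          # on a persistent self-hosted runner.
          persist-credentials: false

      - name: Set Workspace Paths
        id: paths
        # `shell: bash` gives `-eo pipefail`; `-u` is added explicitly.
        shell: bash
        # The three interpolated values are a repository name, an issue
        # number and a run number -- none is free text an outside commenter
        # controls, so inlining them into the script is safe. Do not add the
        # comment body or other user-authored fields here the same way.
        run: |
          set -euo pipefail
          REPO_NAME="${{ github.event.repository.name }}"
          PR_NUMBER="${{ github.event.issue.number }}"
          RUN_NUMBER="${{ github.run_number }}"
          BASE_DIR="/home/ubuntu/terraform"
          SUFFIX="${REPO_NAME}/pr-${PR_NUMBER}-run-${RUN_NUMBER}"
          STATE_DIR="${BASE_DIR}/state/${SUFFIX}"
          OUTPUT_DIR="${BASE_DIR}/outputs/${SUFFIX}"
          mkdir -p "$STATE_DIR" "$OUTPUT_DIR"
          {
            echo "state_file=${STATE_DIR}/terraform.tfstate"
            echo "output_file=${OUTPUT_DIR}/terraform_outputs.json"
          } >> "$GITHUB_OUTPUT"

      - name: Terraform Init
        run: terraform init
        env:
          GOOGLE_CREDENTIALS: ${{ secrets.GOOGLE_CREDENTIALS }}

      - name: Terraform Apply
        # Per-run local state file so concurrent comments on the same PR do
        # not share state (each run also gets its own deployment_name).
        run: |
          terraform apply \
            -auto-approve \
            -input=false \
            -state="${{ steps.paths.outputs.state_file }}"
        env:
          GOOGLE_CREDENTIALS: ${{ secrets.GOOGLE_CREDENTIALS }}
          TF_VAR_mx_password: ${{ secrets.MX_PASSWORD }}

      - name: Save Terraform Outputs
        # bash => pipefail, so a failing `terraform output` fails the step
        # instead of silently saving an empty file. `// {}` keeps the file a
        # valid JSON object when the configuration declares no outputs
        # (`add` on an empty array yields null).
        # NOTE(review): `terraform output -json` emits outputs marked
        # `sensitive = true` in plaintext, so they land in this file and, via
        # `cat`, in the job log; GitHub only masks strings that exactly equal
        # a registered secret. Drop the `cat` if any output is sensitive.
        shell: bash
        run: |
          terraform output \
            -state="${{ steps.paths.outputs.state_file }}" \
            -json \
            | jq 'to_entries | map({(.key): .value.value}) | add // {}' \
            > "${{ steps.paths.outputs.output_file }}"
          echo "--- Saved outputs ---"
          cat "${{ steps.paths.outputs.output_file }}"

      - name: Terraform Destroy
        # `/test` deployments are disposable: tear down even when apply or
        # output capture failed, so a half-created deployment is not left
        # running (and reachable on the SSH/UI source ranges) in the project.
        # `/rc_test` intentionally keeps its deployment. `always()` also
        # covers a cancelled run, subject to the runner's cancellation grace
        # period -- validate that path before relying on it. The `paths`
        # guard avoids running destroy against a default state path when
        # the workspace step itself never ran.
        if: |
          always() &&
          steps.paths.outcome == 'success' &&
          contains(github.event.comment.body, '/test')
        run: |
          terraform destroy \
            -auto-approve \
            -input=false \
            -state="${{ steps.paths.outputs.state_file }}"
        env:
          GOOGLE_CREDENTIALS: ${{ secrets.GOOGLE_CREDENTIALS }}
          TF_VAR_mx_password: ${{ secrets.MX_PASSWORD }}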