Setup a server by Terraform #15
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Setup a server by Terraform | |
on: | |
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_dispatch | |
workflow_dispatch: | |
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions | |
permissions: | |
contents: read # for "git clone" | |
defaults: | |
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#defaultsrun | |
run: | |
# Enable fail-fast behavior using set -eo pipefail | |
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference | |
shell: bash | |
jobs: | |
setup-server: | |
name: Setup a server | |
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Clone source code | |
uses: actions/checkout@v4.2.2 # https://github.com/actions/checkout | |
with: | |
# Whether to configure the token or SSH key with the local git config. Default: true | |
persist-credentials: false | |
- name: Checkout terraform data to a subdirectory | |
working-directory: infra/terraform | |
run: | | |
git fetch --depth=1 origin generated-terraform | |
git worktree add terraform-data generated-terraform | |
# https://github.com/tfutils/tfenv#manual | |
- name: Install tfenv | |
uses: actions/checkout@v4.2.2 | |
with: | |
# https://github.com/actions/checkout#checkout-multiple-repos-nested | |
repository: tfutils/tfenv | |
path: tfenv | |
ref: v3.0.0 | |
# Whether to configure the token or SSH key with the local git config. Default: true | |
persist-credentials: false | |
# https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#adding-a-system-path | |
- name: Add tfenv directory to PATH | |
run: echo "$GITHUB_WORKSPACE/tfenv/bin" >> $GITHUB_PATH | |
# https://github.com/tfutils/tfenv#tfenv-install-version | |
# https://github.com/tfutils/tfenv#tfenv-use-version | |
- name: Install terraform | |
working-directory: infra/terraform | |
run: | | |
tfenv install | |
tfenv use | |
- name: Install ansible-vault | |
# The command pip3 install --user ansible==2.10.17 doesn't work as we have an old version | |
# See https://docs.ansible.com/ansible/2.10/installation_guide/intro_installation.html#installing-devel-from-github-with-pip | |
# NOTE: during version bump don't forget to update in other places: deploy.yml and provisioning-by-ansible.yml | |
run: python3 -m pip install --user https://github.com/ansible/ansible/archive/refs/tags/v2.10.17.tar.gz | |
- name: Show tools versions | |
env: | |
# https://developer.hashicorp.com/terraform/cli/commands#upgrade-and-security-bulletin-checks | |
CHECKPOINT_DISABLE: true | |
run: | | |
tfenv --version | |
terraform -version | |
ansible-vault --version | |
- name: Decrypt terraform files | |
working-directory: infra/terraform | |
env: | |
# https://docs.github.com/en/actions/security-guides/encrypted-secrets#using-encrypted-secrets-in-a-workflow | |
VAULT_PASSWORD: ${{ secrets.VAULT_PASSWORD }} | |
run: | | |
printf '%s' "$VAULT_PASSWORD" >vault-pass.txt | |
for FILENAME in terraform.tfstate terraform.tfvars; do | |
echo "Decrypting ${FILENAME}.enc to $FILENAME" | |
ansible-vault decrypt \ | |
--vault-password-file vault-pass.txt \ | |
--output "terraform-data/$FILENAME" \ | |
"terraform-data/${FILENAME}.enc" | |
done | |
- name: Run terraform init | |
working-directory: infra/terraform | |
env: | |
# https://developer.hashicorp.com/terraform/cli/config/environment-variables#tf_in_automation | |
TF_IN_AUTOMATION: true | |
run: terraform init | |
- name: Run terraform plan | |
working-directory: infra/terraform | |
env: | |
# https://developer.hashicorp.com/terraform/cli/config/environment-variables#tf_in_automation | |
TF_IN_AUTOMATION: true | |
run: >- | |
terraform plan \ | |
-detailed-exitcode \ | |
-var-file terraform-data/terraform.tfvars \ | |
-state terraform-data/terraform.tfstate \ | |
-out terraform-data/terraform.tfplan | |
- name: Cleanup | |
if: always() | |
working-directory: infra/terraform | |
run: | | |
for FILE in vault-pass.txt terraform-data/terraform.tfplan terraform-data/terraform.tfstate terraform-data/terraform.tfstate.backup terraform-data/terraform.tfvars; do | |
[ ! -f "$FILE" ] || rm -fv "$FILE" | |
done | |
[ ! -d terraform-data ] || git worktree remove terraform-data |