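---
# Runs "terraform init" and "terraform plan" against the encrypted state and
# variables kept on the generated-terraform branch. This workflow only plans;
# no step applies the plan. All decrypted material is deleted in the final
# Cleanup step, which runs even when an earlier step fails.
name: Setup a server by Terraform
on:  # yamllint disable-line rule:truthy
  push:
    # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpull_requestpull_request_targetbranchesbranches-ignore
    branches:
      - master
    # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore
    paths:
      - .github/workflows/provision-by-terraform.yml
      - 'infra/terraform/**'
      - '!infra/terraform/*.example'
      - '!infra/terraform/*.md'
  # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_dispatch
  workflow_dispatch:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
  contents: read  # for "git clone"; the job never writes to the repository
defaults:
  # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#defaultsrun
  run:
    # Enable fail-fast behavior using set -eo pipefail
    # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
    shell: bash
jobs:
  setup-server:
    name: Setup a server
    # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on
    # NOTE(review): the ubuntu-20.04 hosted runner label has been retired by
    # GitHub; move to a supported image (e.g. ubuntu-22.04) once the
    # tfenv/terraform/ansible steps have been re-verified on it.
    runs-on: ubuntu-20.04
    steps:
      - name: Clone source code
        # Pinned to a release tag. Tags are mutable; pinning to the full commit
        # SHA of the tag gives a stronger supply-chain guarantee.
        uses: actions/checkout@v4.2.2  # https://github.com/actions/checkout
        with:
          # Whether to configure the token or SSH key with the local git config. Default: true
          persist-credentials: false
      - name: Checkout terraform data to a subdirectory
        working-directory: infra/terraform
        run: |
          git fetch --depth=1 origin generated-terraform
          git worktree add terraform-data generated-terraform
      # https://github.com/tfutils/tfenv#manual
      - name: Install tfenv
        uses: actions/checkout@v4.2.2
        with:
          # https://github.com/actions/checkout#checkout-multiple-repos-nested
          repository: tfutils/tfenv
          path: tfenv
          ref: v3.0.0
          # Whether to configure the token or SSH key with the local git config. Default: true
          persist-credentials: false
      # https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#adding-a-system-path
      - name: Add tfenv directory to PATH
        run: echo "$GITHUB_WORKSPACE/tfenv/bin" >> "$GITHUB_PATH"
      # https://github.com/tfutils/tfenv#tfenv-install-version
      # https://github.com/tfutils/tfenv#tfenv-use-version
      - name: Install terraform
        working-directory: infra/terraform
        run: |
          tfenv install
          tfenv use
      - name: Install ansible-vault
        # The command pip3 install --user ansible==2.10.17 doesn't work as we have an old version
        # See https://docs.ansible.com/ansible/2.10/installation_guide/intro_installation.html#installing-devel-from-github-with-pip
        # NOTE: during version bump don't forget to update in other places: deploy.yml and provisioning-by-ansible.yml
        # The tarball is fetched by tag over HTTPS with no content hash; a
        # hash-pinned requirements file (pip --require-hashes) would make this
        # step reproducible and tamper-evident.
        run: python3 -m pip install --user https://github.com/ansible/ansible/archive/refs/tags/v2.10.17.tar.gz
      - name: Show tools versions
        env:
          # https://developer.hashicorp.com/terraform/cli/commands#upgrade-and-security-bulletin-checks
          # Quoted so the value is unambiguously the string "true" rather than
          # a YAML boolean (yamllint truthy); env values are strings.
          CHECKPOINT_DISABLE: "true"
        run: |
          tfenv --version
          terraform -version
          ansible-vault --version
      - name: Decrypt terraform files
        working-directory: infra/terraform
        env:
          # https://docs.github.com/en/actions/security-guides/encrypted-secrets#using-encrypted-secrets-in-a-workflow
          VAULT_PASSWORD: ${{ secrets.VAULT_PASSWORD }}
        run: |
          # Write the vault password with owner-only permissions (umask in a
          # subshell so the rest of the step is unaffected). The file and the
          # decrypted state/vars are removed by the Cleanup step below.
          (umask 077; printf '%s' "$VAULT_PASSWORD" >vault-pass.txt)
          for FILENAME in terraform.tfstate terraform.tfvars; do
            echo "Decrypting ${FILENAME}.enc to $FILENAME"
            ansible-vault decrypt \
              --vault-password-file vault-pass.txt \
              --output "$FILENAME" \
              "terraform-data/${FILENAME}.enc"
          done
      - name: Run terraform init
        working-directory: infra/terraform
        env:
          # https://developer.hashicorp.com/terraform/cli/config/environment-variables#tf_in_automation
          TF_IN_AUTOMATION: "true"
        run: terraform init
      - name: Run terraform plan
        working-directory: infra/terraform
        env:
          # https://developer.hashicorp.com/terraform/cli/config/environment-variables#tf_in_automation
          TF_IN_AUTOMATION: "true"
        # Literal block (|) instead of a folded (>-) scalar: with ">-" the
        # backslash continuations only survive if every continuation line is
        # indented deeper than the first, which is easy to break on edit.
        # -detailed-exitcode makes terraform exit 2 when the plan contains
        # changes, so a non-empty plan fails this step (presumably the intended
        # drift check -- confirm).
        run: |
          terraform plan \
            -detailed-exitcode \
            -out terraform.tfplan
      - name: Cleanup
        if: always()
        working-directory: infra/terraform
        run: |
          # Remove the vault password, the plan and the decrypted state/vars so
          # no secret material lingers on the runner, then detach the worktree.
          for FILE in vault-pass.txt terraform.tfplan terraform.tfstate terraform.tfstate.backup terraform.tfvars; do
            [ ! -f "$FILE" ] || rm -fv "$FILE"
          done
          [ ! -d terraform-data ] || git worktree remove terraform-data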