provision-by-terraform.yml
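# Workflow: decrypt the Terraform state/vars kept on the "generated-terraform"
# branch, run `terraform init` + `terraform plan`, and remove every decrypted
# artifact afterwards.  Indentation restored to the conventional 2-space,
# indented-sequence layout; shell steps use literal block scalars (`|`) so
# that line continuations and command boundaries do not depend on folding.
name: Setup a server by Terraform

on:
  push:
    # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpull_requestpull_request_targetbranchesbranches-ignore
    branches:
      - master
    # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore
    paths:
      - '.github/workflows/provision-by-terraform.yml'
      - 'infra/terraform/**'
      - '!infra/terraform/*.example'
      - '!infra/terraform/*.md'
  # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_dispatch
  workflow_dispatch:

# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
# Least privilege: the job only reads the repository, so the GITHUB_TOKEN
# issued to it gets no write scopes.
permissions:
  contents: read # for "git clone"

defaults:
  # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#defaultsrun
  run:
    # Enable fail-fast behavior using set -eo pipefail
    # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
    shell: bash

jobs:
  setup-server:
    name: Setup a server
    # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on
    runs-on: ubuntu-20.04
    steps:
      - name: Clone source code
        # NOTE(review): the action reference below reads "[email protected]" on the
        # rendered page, which is a renderer artefact; confirm the pinned tag or
        # commit SHA against the repository source before relying on this file.
        uses: actions/[email protected] # https://github.com/actions/checkout
        with:
          # Whether to configure the token or SSH key with the local git config. Default: true
          # Kept disabled so later `run` steps cannot reuse the job token.
          persist-credentials: false

      - name: Checkout terraform data to a subdirectory
        working-directory: infra/terraform
        # The encrypted state/vars live on a separate branch; it is fetched
        # shallowly and mounted as a nested worktree that the decrypt step
        # reads from.  No credentials were persisted above, so this presumably
        # relies on the repository being readable anonymously — confirm.
        run: |
          git fetch --depth=1 origin generated-terraform
          git worktree add terraform-data generated-terraform

      # https://github.com/tfutils/tfenv#manual
      - name: Install tfenv
        # NOTE(review): same renderer artefact as the first checkout step —
        # verify the actual action version in the repository source.
        uses: actions/[email protected]
        with:
          # https://github.com/actions/checkout#checkout-multiple-repos-nested
          repository: tfutils/tfenv
          path: tfenv
          ref: v3.0.0
          # Whether to configure the token or SSH key with the local git config. Default: true
          persist-credentials: false

      # https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#adding-a-system-path
      - name: Add tfenv directory to PATH
        # Both variables are quoted so a path containing spaces is appended
        # intact and the redirection target is not word-split.
        run: echo "$GITHUB_WORKSPACE/tfenv/bin" >> "$GITHUB_PATH"

      # https://github.com/tfutils/tfenv#tfenv-install-version
      # https://github.com/tfutils/tfenv#tfenv-use-version
      - name: Install terraform
        working-directory: infra/terraform
        # tfenv picks the version from its version file in this directory
        # (not visible here — confirm a .terraform-version exists).
        run: |
          tfenv install
          tfenv use

      - name: Install ansible-vault
        # The command pip3 install --user ansible==2.10.17 doesn't work as we have an old version
        # See https://docs.ansible.com/ansible/2.10/installation_guide/intro_installation.html#installing-devel-from-github-with-pip
        # NOTE: during version bump don't forget to update in other places: deploy.yml and provisioning-by-ansible.yml
        # Supply-chain note: the tarball is pinned by tag only; pip performs no
        # integrity check on a URL install unless `--hash`/`--require-hashes`
        # is given, so the step trusts the tag contents at run time.
        run: python3 -m pip install --user https://github.com/ansible/ansible/archive/refs/tags/v2.10.17.tar.gz

      - name: Show tools versions
        env:
          # https://developer.hashicorp.com/terraform/cli/commands#upgrade-and-security-bulletin-checks
          # Quoted: environment values are strings; this avoids YAML boolean typing.
          CHECKPOINT_DISABLE: "true"
        run: |
          tfenv --version
          terraform -version
          ansible-vault --version

      - name: Decrypt terraform files
        working-directory: infra/terraform
        env:
          # https://docs.github.com/en/actions/security-guides/encrypted-secrets#using-encrypted-secrets-in-a-workflow
          VAULT_PASSWORD: ${{ secrets.VAULT_PASSWORD }}
        # The vault password and the decrypted state/vars are written to the
        # runner's disk for the remainder of the job; the final "Cleanup" step
        # (if: always()) removes them.  umask keeps those files owner-only.
        run: |
          umask 077
          printf '%s' "$VAULT_PASSWORD" >vault-pass.txt
          for FILENAME in terraform.tfstate terraform.tfvars; do
            echo "Decrypting ${FILENAME}.enc to $FILENAME"
            ansible-vault decrypt \
              --vault-password-file vault-pass.txt \
              --output "$FILENAME" \
              "terraform-data/${FILENAME}.enc"
          done

      - name: Run terraform init
        working-directory: infra/terraform
        env:
          # https://developer.hashicorp.com/terraform/cli/config/environment-variables#tf_in_automation
          TF_IN_AUTOMATION: "true"
        run: terraform init

      - name: Check whether there are no modified files
        # Guards against the previous steps altering tracked files; presumably
        # the decrypted files and the nested worktree are gitignored, otherwise
        # this check would trip — confirm against .gitignore.
        run: |
          MODIFIED_FILES="$(git status --short)"
          if [ -n "$MODIFIED_FILES" ]; then
            echo >&2 "ERROR: the following files have been modified:"
            echo >&2 "$MODIFIED_FILES"
            exit 1
          fi

      - name: Run terraform plan
        working-directory: infra/terraform
        env:
          # https://developer.hashicorp.com/terraform/cli/config/environment-variables#tf_in_automation
          TF_IN_AUTOMATION: "true"
        # -detailed-exitcode makes terraform exit 2 when the plan contains
        # changes, so a non-empty plan fails the job (drift detection).
        # The plan file can contain sensitive values; it is removed in Cleanup.
        run: |
          terraform plan \
            -detailed-exitcode \
            -out terraform.tfplan

      - name: Cleanup
        if: always()
        working-directory: infra/terraform
        # Removes the vault password, the plan and every decrypted artifact,
        # then detaches the data worktree, regardless of earlier step results.
        run: |
          for FILE in vault-pass.txt terraform.tfplan terraform.tfstate terraform.tfstate.backup terraform.tfvars; do
            [ ! -f "$FILE" ] || rm -fv "$FILE"
          done
          [ ! -d terraform-data ] || git worktree remove terraform-data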