-
Notifications
You must be signed in to change notification settings - Fork 10
146 lines (125 loc) · 4.73 KB
/
gitops.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
name: GitOps Workflow
on:
pull_request:
branches:
- master
push:
branches:
- master
workflow_dispatch:
defaults:
run:
working-directory: ./tf-variables/
env:
TERRAFORM_VER: 1.8.0
TERRAFORM_DIR: "./tf-variables/"
CLOUDSDK_VER: 480.0.0
permissions:
pull-requests: write
jobs:
infrastructure-deployment:
name: Infrastructure Deployment
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
pull-requests: write
steps:
# Checkout the repository code
- name: Code checkout
id: code_checkout
uses: actions/checkout@v2
# Scan the repo for any sensitive information like secrets etc
- name: Secret Scanning
uses: trufflesecurity/trufflehog@main
with:
path: ./ # Code repository path
base: main # Start scanning from here (usually main branch).
head: HEAD # Scan commits until here (usually dev branch).
# Static code analysis using aqua security's tfsec
- name: Run tfsec scan
id: static_code_analysis
uses: aquasecurity/tfsec-action@v1.0.3
with:
working_directory: ${{ env.TERRAFORM_DIR }}
# Install the latest version of Google Cloud SDK
- id: cloud_sdk_installation
name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v0.3.0
with:
version: ${{ env.CLOUDSDK_VER }}
# Setup the authentication for the Google Cloud using WIF
- id: gcp_auth
name: Authenticate to GCP
uses: google-github-actions/auth@v0.3.1
with:
create_credentials_file: 'true'
workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER_ID }}
service_account: ${{ secrets.SERVICE_ACCOUNT }}
# Install the specified version of Terraform CLI
- id: tf_installation
name: Terraform Installation
uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ env.TERRAFORM_VER }}
# Checks that Terraform configuration files adhere to a canonical format
- name: Terraform fmt
id: tf_fmt
run: terraform fmt -check
continue-on-error: true
# Initialize the Terraform working directory
- name: Terraform Init
id: tf_init
run: terraform init
# Validate the terraform configuration files
- name: Terraform Validate
id: tf_validate
run: terraform validate -no-color
# Generates an execution plan for Terraform
- name: Terraform Plan
id: tf_plan
run: terraform plan -no-color
continue-on-error: true
# Comments the terraform plan output on pull request
- id: comment_output
name: Comment Terraform Plan Output
uses: actions/github-script@v7
if: github.event_name == 'pull_request'
env:
PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
with:
script: |
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
<details><summary>Validation Output</summary>
\`\`\`\n
${{ steps.validate.outputs.stdout }}
\`\`\`
</details>
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
<details><summary>Show Plan</summary>
\`\`\`\n
${process.env.PLAN}
\`\`\`
</details>
*Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
# Executes the apply operation to deploy the actual infrastructure
- name: Terraform Apply
id: tf_apply
if: github.ref == 'refs/heads/master' && github.event_name == 'push'
run: terraform apply -auto-approve
- name: Notify success
if: success() # this step runs only if the previous steps succeeded.
run: echo "[SUCCESS] The build is successful without any errors."
- name: Notify failure
if: failure() # this step runs only if any of the previous steps failed.
run: |
echo "[FAILED] This job has been failed due to earlier errors."
echo "An eamil notification can be setup later sometime."