Gh actions addition #11
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: GitOps Implementation | |
| on: | |
| pull_request: | |
| branches: | |
| - master | |
| push: | |
| branches: | |
| - master | |
| workflow_dispatch: | |
| defaults: | |
| run: | |
| working-directory: ./tf-variables/ | |
| env: | |
| TERRAFORM_VER: 1.8.0 | |
| TERRAFORM_DIR: "./tf-variables/" | |
| CLOUDSDK_VER: 480.0.0 | |
| permissions: | |
| pull-requests: write | |
| jobs: | |
| infrastructure-deployment: | |
| name: Infrastructure Deployment | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| id-token: write | |
| pull-requests: write | |
| steps: | |
| # Checkout the repository code | |
| - name: Code checkout | |
| id: code_checkout | |
| uses: actions/checkout@v2 | |
| # Scan the repo for any sensitive information like secrets etc | |
| - name: Secret Scanning | |
| uses: trufflesecurity/trufflehog@main | |
| with: | |
| path: ./ # Code repository path | |
| base: main # Start scanning from here (usually main branch). | |
| head: HEAD # Scan commits until here (usually dev branch). | |
| # Static code analysis using aqua security's tfsec | |
| - name: Run tfsec scan | |
| id: static_code_analysis | |
| uses: aquasecurity/tfsec-action@v1.0.3 | |
| with: | |
| working_directory: ${{ env.TERRAFORM_DIR }} | |
| # Install the latest version of Google Cloud SDK | |
| - id: cloud_sdk_installation | |
| name: Set up Cloud SDK | |
| uses: google-github-actions/setup-gcloud@v0.3.0 | |
| with: | |
| version: ${{ env.CLOUDSDK_VER }} | |
| # Setup the authentication for the Google Cloud using WIF | |
| - id: gcp_auth | |
| name: Authenticate to GCP | |
| uses: google-github-actions/auth@v0.3.1 | |
| with: | |
| create_credentials_file: 'true' | |
| workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER_ID }} | |
| service_account: ${{ secrets.SERVICE_ACCOUNT }} | |
| # Install the specified version of Terraform CLI | |
| - id: tf_installation | |
| name: Terraform Installation | |
| uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: ${{ env.TERRAFORM_VER }} | |
| # Checks that Terraform configuration files adhere to a canonical format | |
| - name: Terraform fmt | |
| id: tf_fmt | |
| run: terraform fmt -check | |
| continue-on-error: true | |
| # Initialize the Terraform working directory | |
| - name: Terraform Init | |
| id: tf_init | |
| run: terraform init | |
| # Validate the terraform configuration files | |
| - name: Terraform Validate | |
| id: tf_validate | |
| run: terraform validate -no-color | |
| # Generates an execution plan for Terraform | |
| - name: Terraform Plan | |
| id: tf_plan | |
| run: terraform plan -no-color | |
| continue-on-error: true | |
| # Comments the terraform plan output on pull request | |
| - id: comment_output | |
| name: Comment Terraform Plan Output | |
| uses: actions/github-script@v7 | |
| if: github.event_name == 'pull_request' | |
| env: | |
| PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" | |
| with: | |
| script: | | |
| const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` | |
| #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` | |
| #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\` | |
| <details><summary>Validation Output</summary> | |
| \`\`\`\n | |
| ${{ steps.validate.outputs.stdout }} | |
| \`\`\` | |
| </details> | |
| #### Terraform Plan 📖\`${{ steps.plan.outcome }}\` | |
| <details><summary>Show Plan</summary> | |
| \`\`\`\n | |
| ${process.env.PLAN} | |
| \`\`\` | |
| </details> | |
| *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`; | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: output | |
| }) | |
| # Executes the apply operation to deploy the actual infrastructure | |
| - name: Terraform Apply | |
| id: tf_apply | |
| if: github.ref == 'refs/heads/"master"' && github.event_name == 'push' | |
| run: terraform apply -auto-approve | |
| - name: Notify success | |
| if: success() # this step runs only if the previous steps succeeded. | |
| run: echo "[SUCCESS] The build is successful without any errors." | |
| - name: Notify failure | |
| if: failure() # this step runs only if any of the previous steps failed. | |
| run: | | |
| echo "[FAILED] This job has been failed due to earlier errors." | |
| echo "An eamil notification can be setup later sometime." |