-
Notifications
You must be signed in to change notification settings - Fork 10
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: added the gitops workflow pipeline
- Loading branch information
Showing
1 changed file
with
146 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,146 @@ | ||
name: GitOps Workflow | ||
on: | ||
pull_request: | ||
branches: | ||
- master | ||
push: | ||
branches: | ||
- master | ||
workflow_dispatch: | ||
defaults: | ||
run: | ||
working-directory: ./tf-variables/ | ||
env: | ||
TERRAFORM_VER: 1.8.0 | ||
TERRAFORM_DIR: "./tf-variables/" | ||
CLOUDSDK_VER: 480.0.0 | ||
permissions: | ||
pull-requests: write | ||
jobs: | ||
infrastructure-deployment: | ||
name: Infrastructure Deployment | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
id-token: write | ||
pull-requests: write | ||
steps: | ||
# Checkout the repository code | ||
- name: Code checkout | ||
id: code_checkout | ||
uses: actions/checkout@v2 | ||
|
||
# Scan the repo for any sensitive information like secrets etc | ||
- name: Secret Scanning | ||
uses: trufflesecurity/trufflehog@main | ||
with: | ||
path: ./ # Code repository path | ||
base: main # Start scanning from here (usually main branch). | ||
head: HEAD # Scan commits until here (usually dev branch). | ||
|
||
# Static code analysis using aqua security's tfsec | ||
- name: Run tfsec scan | ||
id: static_code_analysis | ||
uses: aquasecurity/tfsec-action@v1.0.3 | ||
with: | ||
working_directory: ${{ env.TERRAFORM_DIR }} | ||
|
||
# Install the latest version of Google Cloud SDK | ||
- id: cloud_sdk_installation | ||
name: Set up Cloud SDK | ||
uses: google-github-actions/setup-gcloud@v0.3.0 | ||
with: | ||
version: ${{ env.CLOUDSDK_VER }} | ||
|
||
# Setup the authentication for the Google Cloud using WIF | ||
- id: gcp_auth | ||
name: Authenticate to GCP | ||
uses: google-github-actions/auth@v0.3.1 | ||
with: | ||
create_credentials_file: 'true' | ||
workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER_ID }} | ||
service_account: ${{ secrets.SERVICE_ACCOUNT }} | ||
|
||
# Install the specified version of Terraform CLI | ||
- id: tf_installation | ||
name: Terraform Installation | ||
uses: hashicorp/setup-terraform@v3 | ||
with: | ||
terraform_version: ${{ env.TERRAFORM_VER }} | ||
|
||
# Checks that Terraform configuration files adhere to a canonical format | ||
- name: Terraform fmt | ||
id: tf_fmt | ||
run: terraform fmt -check | ||
continue-on-error: true | ||
|
||
# Initialize the Terraform working directory | ||
- name: Terraform Init | ||
id: tf_init | ||
run: terraform init | ||
|
||
# Validate the terraform configuration files | ||
- name: Terraform Validate | ||
id: tf_validate | ||
run: terraform validate -no-color | ||
|
||
# Generates an execution plan for Terraform | ||
- name: Terraform Plan | ||
id: tf_plan | ||
run: terraform plan -no-color | ||
continue-on-error: true | ||
|
||
# Comments the terraform plan output on pull request | ||
- id: comment_output | ||
name: Comment Terraform Plan Output | ||
uses: actions/github-script@v7 | ||
if: github.event_name == 'pull_request' | ||
env: | ||
PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" | ||
with: | ||
script: | | ||
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` | ||
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` | ||
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\` | ||
<details><summary>Validation Output</summary> | ||
\`\`\`\n | ||
${{ steps.validate.outputs.stdout }} | ||
\`\`\` | ||
|
||
</details> | ||
|
||
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\` | ||
|
||
<details><summary>Show Plan</summary> | ||
|
||
\`\`\`\n | ||
${process.env.PLAN} | ||
\`\`\` | ||
|
||
</details> | ||
|
||
*Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`; | ||
|
||
github.rest.issues.createComment({ | ||
issue_number: context.issue.number, | ||
owner: context.repo.owner, | ||
repo: context.repo.repo, | ||
body: output | ||
}) | ||
|
||
# Executes the apply operation to deploy the actual infrastructure | ||
- name: Terraform Apply | ||
id: tf_apply | ||
if: github.ref == 'refs/heads/"master"' && github.event_name == 'push' | ||
run: terraform apply -auto-approve | ||
|
||
- name: Notify success | ||
if: success() # this step runs only if the previous steps succeeded. | ||
run: echo "[SUCCESS] The build is successful without any errors." | ||
|
||
- name: Notify failure | ||
if: failure() # this step runs only if any of the previous steps failed. | ||
run: | | ||
echo "[FAILED] This job has been failed due to earlier errors." | ||
echo "An eamil notification can be setup later sometime." |