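# Reusable workflow: runs terraform fmt / init / validate / plan in one
# directory against an S3 + DynamoDB backend and, on pull requests, posts the
# step outcomes and the plan text as a PR comment.
name: "Reusable workflow for Terraform Plan"
on:
  workflow_call:
    inputs:
      working_dir:
        description: '(Terraform) Directory to execute plan against'
        required: true
        type: string
      tf_version:
        description: 'Terraform version to use'
        required: false
        type: string
        default: latest
      backend_key:
        description: 'Path to the state file inside the S3 Bucket'
        required: true
        type: string
      backend_region:
        description: 'AWS Region of the S3 Bucket and DynamoDB Table'
        required: true
        type: string
      backend_profile:
        description: 'Name of an AWS cli profile to use'
        required: true
        type: string
      tf_var_files:
        description: 'Terraform variable definitions files (Comma seperated string eg. "defaults.tfvars, sandbox-02.tfvars")'
        required: true
        type: string
    secrets:
      backend_table:
        description: 'DynamoDB table used for state locking'
        required: true
      backend_bucket:
        description: 'S3 Bucket used to hold state files'
        required: true
      aws_access_key_id:
        description: 'AWS access key associated with an IAM role of target account'
        required: true
      aws_secret_access_key:
        description: 'Secret key associated with AWS access key'
        required: true
      aws_security_token:
        description: 'Security token associated with our short-lived credentials'
        required: true

jobs:
  build-plan:
    runs-on: ubuntu-latest
    # Least-privilege GITHUB_TOKEN: checkout needs contents:read, the PR
    # comment step needs pull-requests:write. The caller's own permissions
    # still cap what a called workflow can be granted.
    permissions:
      contents: read
      pull-requests: write
    defaults:
      run:
        working-directory: ${{ inputs.working_dir }}
    env:
      # Inputs
      TF_VERSION: ${{ inputs.tf_version }}
      BACKEND_KEY: ${{ inputs.backend_key }}
      BACKEND_REGION: ${{ inputs.backend_region }}
      BACKEND_PROFILE: ${{ inputs.backend_profile }}
      TF_VAR_FILES: ${{ inputs.tf_var_files }}
      # Secrets. The AWS credential secrets are deliberately NOT put in the
      # job environment: they are handed only to the credentials step below,
      # which exports them for the Terraform steps, so other third-party
      # steps (e.g. github-script) never see them.
      BACKEND_BUCKET: ${{ secrets.backend_bucket }}
      BACKEND_TABLE: ${{ secrets.backend_table }}
    steps:
      # NOTE: third-party actions are pinned to version tags. Pinning to a
      # full commit SHA is the stronger supply-chain control, since a tag can
      # be moved to different code.
      - name: Checkout
        uses: actions/checkout@v3.1.0
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2.0.0
        with:
          terraform_version: ${{ inputs.tf_version }}
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1.7.0
        with:
          aws-access-key-id: ${{ secrets.aws_access_key_id }}
          aws-secret-access-key: ${{ secrets.aws_secret_access_key }}
          aws-session-token: ${{ secrets.aws_security_token }}
          aws-region: ${{ env.BACKEND_REGION }}
      # None of the Terraform steps set continue-on-error, so a failing step
      # stops the job and the PR comment below is only posted when every
      # step before it succeeded.
      - name: Terraform Format
        id: fmt
        run: terraform fmt -check
      # Backend settings are read from the shell environment ($VAR) instead of
      # being interpolated with ${{ }}: that keeps their values out of the
      # script text, so they cannot alter the command being run.
      - name: Terraform Init
        id: init
        run: |
          terraform init \
            -backend-config="bucket=${BACKEND_BUCKET}" \
            -backend-config="key=${BACKEND_KEY}" \
            -backend-config="encrypt=true" \
            -backend-config="region=${BACKEND_REGION}" \
            -backend-config="dynamodb_table=${BACKEND_TABLE}" \
            -backend-config="profile=${BACKEND_PROFILE}"
      - name: Terraform Validate
        id: validate
        run: terraform validate
      # TF_VAR_FILES is a comma and/or space separated list; each entry
      # becomes one -var-file flag. The loop iterates "${files[@]}" — a bare
      # "$files" in bash expands to the first element only, which silently
      # dropped every var file after the first.
      - name: Terraform Plan
        id: plan
        run: |
          files=($(echo "$TF_VAR_FILES" | tr ', ' '\n'))
          var_args=()
          for file in "${files[@]}"; do
            var_args+=("-var-file=${file}")
          done
          terraform plan "${var_args[@]}" -out=plan.tfplan
      # The plan text is posted to the PR. Terraform redacts values it marks
      # sensitive, but anything else in the plan becomes visible to everyone
      # who can read the pull request.
      - name: Create PR comment with Plan output
        uses: actions/github-script@v6.1.0
        if: github.event_name == 'pull_request'
        env:
          # Passed through env (not interpolated into the script body) so the
          # plan text cannot break out of the JavaScript template literal.
          PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          # github-script v5+ exposes the Octokit REST client as github.rest.*;
          # the older github.issues.* path no longer exists on this version.
          script: |
            const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
            #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
            #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
            <details><summary>Show Plan</summary>
            \`\`\`\n
            ${process.env.PLAN}
            \`\`\`
            </details>
            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            })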