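---
# Reusable Terraform deployment workflow (`workflow_call`): the `plan` job
# writes a saved plan and publishes it as an artifact; the `apply` job, gated
# by the target GitHub environment, applies exactly that plan.
name: deploy

on:
  workflow_call:
    inputs:
      # Path (relative to the repository root) of the Terraform root module.
      directory:
        type: string
        required: true
      # Manual escape hatch: only honoured on `workflow_dispatch`, and only
      # together with `terraform-force-unlock-id`.
      terraform-force-unlock:
        default: false
        description: Terraform force unlock
        required: false
        type: boolean
      terraform-force-unlock-id:
        description: Terraform LOCK_ID
        required: false
        type: string
      # Free-form environment definition handed to cloudeteer/actions/set-env
      # (format is defined by that action, not here).
      env:
        required: false
        type: string
      # GitHub environment for the apply job; the plan job uses the same name
      # suffixed with " (plan)". Approval rules on this environment gate applies.
      environment:
        required: false
        type: string
        default: prod-stackit
    secrets:
      # Same shape as `inputs.env`, for values that must stay masked in logs.
      env:
        required: false
      stackit_service_account_key:
        required: true
      backend_s3_secret_key:
        required: true
      backend_s3_access_key:
        required: true

env:
  # StackIT provider credential, read by Terraform as var.stackit_service_account_key.
  TF_VAR_stackit_service_account_key: ${{ secrets.stackit_service_account_key }}
  # Static credentials for the S3-compatible state backend.
  AWS_ACCESS_KEY_ID: ${{ secrets.backend_s3_access_key }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.backend_s3_secret_key }}
  # NOTE(review): workflow-level env exports these secrets to every step of both
  # jobs, including third-party actions that do not need them. Moving them to
  # step-level `env:` on the `terraform` steps narrows the blast radius of a
  # compromised action.
  # Working directory
  CDT_IAC_WORKING_DIRECTORY: ${{ inputs.directory }}
  # Terraform parameters
  TF_IN_AUTOMATION: true
  TF_INPUT: false
  # Quoted: a leading `~` is a YAML null sigil; keep the version a plain string.
  TF_VERSION: '~1.10.0'
  # https://developer.hashicorp.com/terraform/cli/commands#upgrade-and-security-bulletin-checks
  CHECKPOINT_DISABLE: true

# Serialise runs of the calling workflow. Deliberately no `cancel-in-progress`:
# an apply must never be killed mid-run, so later runs queue behind it.
concurrency:
  group: ${{ github.workflow }}

permissions:
  contents: read
  # NOTE(review): nothing in this workflow exchanges the OIDC token (backend and
  # provider both use the static secrets above). Drop `id-token: write` unless a
  # caller is known to rely on it.
  id-token: write

jobs:
  plan:
    name: Plan
    # Separate "<env> (plan)" environment so planning is not blocked by the
    # approval gate configured on the apply environment.
    environment: ${{ inputs.environment }} (plan)
    runs-on: ubuntu-latest
    outputs:
      # From `terraform plan -detailed-exitcode`: 0 = no changes, 2 = changes pending.
      exitcode: ${{ steps.plan.outputs.exitcode }}
    steps:
      # NOTE(review): every action below is referenced by a mutable tag or branch
      # (`@v4`, `@v3`, `@main`). Pin each to a full-length commit SHA so a retagged
      # release or a pushed branch cannot silently change what runs with these
      # secrets in its environment.
      - name: Checkout
        uses: actions/checkout@v4
      - name: Cache Setup
        uses: actions/cache@v4
        with:
          # Exact-match key only (no restore-keys): a different lock file must
          # never reuse another run's provider binaries. Key is scoped to the
          # module directory, its lock file hash and the runner OS.
          key: iac-deployment-framework:~/${{ env.CDT_IAC_WORKING_DIRECTORY }}#${{ hashFiles(format('{0}/{1}', env.CDT_IAC_WORKING_DIRECTORY, '.terraform.lock.hcl')) }}@${{ runner.os }}
          path: |
            ${{ env.CDT_IAC_WORKING_DIRECTORY }}/.terraform
      - name: Set environment variables from input
        uses: cloudeteer/actions/set-env@main
        with:
          env: ${{ inputs.env }}
      - name: Set environment variables from secrets
        uses: cloudeteer/actions/set-env@main
        with:
          env: ${{ secrets.env }}
      - name: Terraform Setup
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ env.TF_VERSION }}
          # Raw binary: the plan step relies on the real exit code, not the wrapper's.
          terraform_wrapper: false
      - name: Terraform Init
        working-directory: ${{ env.CDT_IAC_WORKING_DIRECTORY }}
        run: terraform init
      - name: Terraform State Force-Unlock
        # Manual-only: never reachable from push / pull_request events.
        if: github.event_name == 'workflow_dispatch' && inputs.terraform-force-unlock == true
        working-directory: ${{ env.CDT_IAC_WORKING_DIRECTORY }}
        env:
          LOCK_ID: ${{ inputs.terraform-force-unlock-id }}
        run: |
          if [ -z "$LOCK_ID" ]; then
            # `::error::` so the failure reason is visible without debug logging.
            echo "::error::Workflow input 'terraform-force-unlock-id' is empty. Please provide a valid Terraform LOCK_ID."
            exit 1
          fi
          terraform force-unlock -force "$LOCK_ID"
          echo "::notice::Terraform state file successfully unlocked."
      - name: Terraform Plan
        id: plan
        working-directory: ${{ env.CDT_IAC_WORKING_DIRECTORY }}
        run: |
          # -detailed-exitcode: 0 = no changes, 1 = error, 2 = changes pending.
          # errexit is suspended only around the plan so that 2 can be captured
          # as an output instead of failing the step.
          set +e
          terraform plan -out terraform.tfplan -detailed-exitcode
          exitcode=$?
          set -e
          case "$exitcode" in
            0|2) echo "exitcode=$exitcode" >> "$GITHUB_OUTPUT" ;;
            *) exit "$exitcode" ;;
          esac
      - name: Upload Artifact terraform.tfplan
        uses: actions/upload-artifact@v4
        with:
          name: terraform.tfplan
          path: ${{ env.CDT_IAC_WORKING_DIRECTORY }}/terraform.tfplan
          # NOTE(review): a saved plan can contain sensitive values in plaintext
          # (input variables such as the StackIT service account key, resource
          # attributes), and the artifact is downloadable by anyone who can read
          # this repository's workflow runs. Set `retention-days` as short as the
          # apply approval window allows.
      - name: Print status
        env:
          # Pass expression values through env rather than interpolating them
          # into the script, so they are never parsed as shell syntax.
          PR_DRAFT: ${{ github.event.pull_request.draft }}
          PLAN_EXITCODE: ${{ steps.plan.outputs.exitcode }}
        run: |
          # `draft` is only populated for pull_request events; the apply job is
          # skipped when it is true, which is what this notice announces.
          if [ "$PR_DRAFT" = "true" ]; then
            echo "::notice::The GitHub pull request that triggered this action is in draft status. As a result, the next apply step will be skipped."
          fi
          if [ "$PLAN_EXITCODE" = "0" ]; then
            echo "::notice::No changes. Your infrastructure matches the configuration."
          fi

  apply:
    # Run only when the plan reported pending changes (exit code 2) and the PR
    # is not a draft. On non-PR events `pull_request.draft` is null, which
    # GitHub's loose comparison treats as equal to false, so push / dispatch
    # runs still reach apply.
    if: ${{ !cancelled() && !failure() && github.event.pull_request.draft == false && needs.plan.outputs.exitcode == 2 }}
    name: Apply
    needs: plan
    # Approval rules configured on this environment gate the apply.
    environment: ${{ inputs.environment }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Cache Setup
        uses: actions/cache@v4
        with:
          # Same key as the plan job so the identical provider set is restored.
          key: iac-deployment-framework:~/${{ env.CDT_IAC_WORKING_DIRECTORY }}#${{ hashFiles(format('{0}/{1}', env.CDT_IAC_WORKING_DIRECTORY, '.terraform.lock.hcl')) }}@${{ runner.os }}
          path: |
            ${{ env.CDT_IAC_WORKING_DIRECTORY }}/.terraform
      - name: Set environment variables from input
        uses: cloudeteer/actions/set-env@main
        with:
          env: ${{ inputs.env }}
      - name: Set environment variables from secrets
        uses: cloudeteer/actions/set-env@main
        with:
          env: ${{ secrets.env }}
      - name: Terraform Setup
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ env.TF_VERSION }}
          terraform_wrapper: false
      - name: Download Artifact terraform.tfplan
        uses: actions/download-artifact@v4
        with:
          name: terraform.tfplan
          path: ${{ env.CDT_IAC_WORKING_DIRECTORY }}
      - name: Terraform Init
        working-directory: ${{ env.CDT_IAC_WORKING_DIRECTORY }}
        run: terraform init
      - name: Terraform Apply
        working-directory: ${{ env.CDT_IAC_WORKING_DIRECTORY }}
        # Applying the saved plan (not re-planning) means the reviewed changes
        # are exactly what gets applied; Terraform should refuse a stale plan if
        # the remote state moved on since it was written.
        run: terraform apply terraform.tfplan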