add roles to service accounts #227
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Terraform Workflow | |
on: | |
push: | |
branches: | |
- main | |
paths: | |
- 'terraform/**' | |
- '.github/workflows/**' | |
- '!**/README.md' | |
- '!argocd-app/**' | |
- 'argocd-app/values.yaml' | |
pull_request: | |
branches: | |
- main | |
paths: | |
- 'terraform/**' | |
- '.github/workflows/**' | |
- '!**/README.md' | |
- '!argocd-app/**' | |
- 'argocd-app/values.yaml' | |
workflow_dispatch: | |
inputs: | |
destroy: | |
description: 'Destroy the infrastructure?' | |
type: boolean | |
required: true | |
default: false | |
jobs: | |
terraform: | |
runs-on: ubuntu-latest | |
defaults: | |
run: | |
shell: bash | |
working-directory: ./terraform | |
env: | |
WORKING_DIR: ./terraform | |
permissions: | |
contents: 'read' | |
id-token: 'write' | |
pull-requests: 'write' | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- id: 'auth' | |
name: 'Authenticate to Google Cloud' | |
uses: 'google-github-actions/auth@v1' | |
with: | |
# Replace with values from setup.sh | |
workload_identity_provider: 'projects/734911192367/locations/global/workloadIdentityPools/deb-pool/providers/github-actions' | |
service_account: 'deb-sa@wizeline-deb.iam.gserviceaccount.com' | |
- name: Setup Terraform | |
uses: hashicorp/setup-terraform@v2 | |
with: | |
terraform_version: '1.5.7' | |
terraform_wrapper: false | |
- name: Terraform Init | |
id: init | |
run: terraform init | |
- name: Terraform Format | |
id: fmt | |
if: github.event_name != 'workflow_dispatch' | |
run: terraform fmt -check | |
- name: Terraform Validate | |
id: validate | |
if: github.event_name != 'workflow_dispatch' | |
run: terraform validate | |
- name: Terraform Plan | |
id: plan | |
if: github.event_name != 'workflow_dispatch' | |
run: | | |
terraform plan \ | |
-no-color \ | |
-input=false | |
continue-on-error: true | |
# Add a comment to pull requests with plan results | |
- name: Add Plan Comment | |
if: github.event_name == 'pull_request' | |
uses: actions/github-script@v6 | |
env: | |
PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
// 1. Retrieve existing bot comments for the PR | |
const { data: comments } = await github.rest.issues.listComments({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
issue_number: context.issue.number, | |
}) | |
const botComment = comments.find(comment => { | |
return comment.user.type === 'Bot' && comment.body.includes('Terraform Format and Style') | |
}) | |
// 2. Prepare format of the comment | |
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` | |
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` | |
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\` | |
<details><summary>Validation Output</summary> | |
\`\`\`\n | |
${{ steps.validate.outputs.stdout }} | |
\`\`\` | |
</details> | |
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\` | |
<details><summary>Show Plan</summary> | |
\`\`\`\n | |
${process.env.PLAN} | |
\`\`\` | |
</details> | |
*Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.WORKING_DIR }}\`, Workflow: \`${{ github.workflow }}\`*`; | |
// 3. If we have a comment, update it, otherwise create a new one | |
if (botComment) { | |
github.rest.issues.updateComment({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
comment_id: botComment.id, | |
body: output | |
}) | |
} else { | |
github.rest.issues.createComment({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: output | |
}) | |
} | |
- name: Check Plan Outcome | |
if: steps.plan.outcome == 'failure' | |
run: exit 1 | |
- name: Terraform Apply | |
if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
run: | | |
terraform apply \ | |
-input=false \ | |
-auto-approve | |
- name: Set up Cloud SDK | |
if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
uses: 'google-github-actions/setup-gcloud@v1' | |
- name: Install Required Plugin for kubectl | |
if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
run: gcloud components install gke-gcloud-auth-plugin | |
- name: Set GKE credentials as env variables | |
id: set_gke_creds | |
if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
run: | | |
echo "GKE_CLUSTER_NAME=$(terraform output -raw gke_cluster_name)" >> $GITHUB_OUTPUT | |
echo "GKE_CLUSTER_LOCATION=$(terraform output -raw gke_cluster_location)" >> $GITHUB_OUTPUT | |
- name: Get GKE credentials | |
if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
run: | | |
gcloud container clusters get-credentials \ | |
${{ steps.set_gke_creds.outputs.GKE_CLUSTER_NAME }} \ | |
--location=${{ steps.set_gke_creds.outputs.GKE_CLUSTER_LOCATION }} | |
- name: Apply ArgoCD ApplicationSet | |
if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
run: | | |
kubectl apply -f ../argocd-app/multi-app/applicationset.yaml -n argocd | |
- name: Terraform Destroy (Manual Trigger) | |
if: github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main' && github.event.inputs.destroy == 'true' | |
run: | | |
terraform destroy \ | |
-input=false \ | |
-auto-approve |