module-repo-setup #163
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: module-repo-setup | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| force-apply: | |
| description: "If true, force apply the terraform plan." | |
| required: false | |
| type: boolean | |
| default: false | |
| unlock-lock-id: | |
| description: "If non-empty, forcefully unlock terraform state by ID." | |
| required: false | |
| type: string | |
| default: "" | |
| create_repo: # Define create_repo as an input | |
| description: "(optional) Enter Terraform Module Repository Name to create." | |
| required: false | |
| type: string | |
| default: "" | |
| pull_request: | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| paths: | |
| - .github/workflows/module-repo-setup.yml | |
| - terraform/** | |
| env: | |
| ARM_TENANT_ID: ${{ secrets.ORGA_CDT_TENANT_ID }} | |
| ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }} | |
| ARM_CLIENT_ID: ${{ vars.TERRAFORM_OSS_AZURE_CLIENT_ID }} | |
| ARM_USE_OIDC: "true" | |
| ARM_USE_CLI: "false" | |
| TF_IN_AUTOMATION: true | |
| TF_INPUT: false | |
| # renovate: github=opentofu/opentofu | |
| TF_VERSION: v1.8.0 | |
| # https://developer.hashicorp.com/terraform/cli/commands#upgrade-and-security-bulletin-checks | |
| CHECKPOINT_DISABLE: true | |
| GITHUB_TOKEN: ${{ secrets.MANAGE_REPOS_GITHUB_TOKEN }} | |
| TF_VAR_create_repo: ${{ inputs.create_repo }} | |
| # secret MANAGE_REPOS_GITHUB_TOKEN == Keeper/GitHub cloudeteerbot/terraform-governance-managed-repos (https://keepersecurity.eu/vault/#detail/4y33tgsK_Yuv8mJUXDUPrQ) | |
| concurrency: | |
| group: terraform | |
| permissions: | |
| contents: read | |
| id-token: write | |
| jobs: | |
| plan: | |
| name: Plan | |
| environment: "Terraform (Plan)" | |
| runs-on: ubuntu-latest | |
| outputs: | |
| exit-code: ${{ steps.plan.outputs.exit-code }} | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - uses: opentofu/setup-opentofu@ae80d4ecaab946d8f5ff18397fbf6d0686c6d46a # v1.0.3 | |
| with: | |
| tofu_version: ${{ env.TF_VERSION }} | |
| tofu_wrapper: false | |
| - run: tofu init | |
| working-directory: terraform/ | |
| - name: tofu force-unlock | |
| if: ${{ inputs.unlock-lock-id }} | |
| run: tofu force-unlock "${{ inputs.unlock-lock-id }}" -force | |
| - name: tofu plan | |
| #language=bash | |
| run: |- | |
| set +e | |
| tofu plan -out terraform.tfplan -detailed-exitcode | |
| EXIT_CODE=$? | |
| if [ $EXIT_CODE -ne 2 ] && [ $EXIT_CODE -ne 0 ]; then | |
| exit $EXIT_CODE | |
| fi | |
| echo "exit-code=$EXIT_CODE" >> $GITHUB_OUTPUT | |
| id: plan | |
| working-directory: terraform/ | |
| - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
| with: | |
| name: terraform.tfplan | |
| path: terraform/terraform.tfplan | |
| apply: | |
| if: ${{ !cancelled() && !failure() && (inputs.force-apply || github.event.pull_request.draft == false && needs.plan.outputs.exit-code == 2) }} | |
| name: Apply | |
| environment: Terraform | |
| runs-on: ubuntu-latest | |
| needs: [plan] | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - uses: opentofu/setup-opentofu@ae80d4ecaab946d8f5ff18397fbf6d0686c6d46a # v1.0.3 | |
| with: | |
| tofu_version: ${{ env.TF_VERSION }} | |
| tofu_wrapper: false | |
| - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
| with: | |
| name: terraform.tfplan | |
| path: terraform | |
| - run: tofu init | |
| working-directory: terraform/ | |
| - name: tofu apply | |
| run: tofu apply terraform.tfplan | |
| working-directory: terraform/ |