fix: apply Sandbox OU Guardrails (#215) #164
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Terraform Apply" | |
on: | |
push: | |
branches: | |
- main | |
env: | |
AWS_REGION: "ca-central-1" | |
TERRAFORM_VERSION: 1.1.7 | |
TERRAGRUNT_VERSION: 0.36.3 | |
CONFTEST_VERSION: 0.30.0 | |
permissions: | |
id-token: write | |
contents: read | |
jobs: | |
terragrunt-apply-account: | |
if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- account_folder: org_account | |
module: main | |
account: 659087519042 | |
assume_role_name: "assume_apply" | |
la_customer_id: LA_CUSTOMER_ID | |
la_shared_key: LA_SHARED_KEY | |
role: cds-aws-lz-apply | |
- account_folder: org_account | |
module: spend_notifier | |
account: 659087519042 | |
assume_role_name: "assume_apply" | |
spend_notifier_hook: SPEND_NOTIFIER_HOOK | |
weekly_spend_notifier_hook: WEEKLY_SPEND_NOTIFIER_HOOK | |
role: cds-aws-lz-apply | |
- account_folder: org_account | |
module: roles | |
account: 659087519042 | |
assume_role_name: "assume_apply" | |
admin_sso_role_arn: ADMIN_SSO_ROLE_ARN | |
role: cds-aws-lz-apply | |
- account_folder: org_account | |
module: aft | |
account: 659087519042 | |
role: cds-aws-lz-apply | |
- account_folder: org_account | |
module: sentinel_oidc | |
account: 659087519042 | |
role: cds-aws-lz-apply | |
- account_folder: org_account | |
module: organization | |
account: 659087519042 | |
role: cds-aws-lz-apply | |
- account_folder: log_archive | |
module: main | |
account: 274536870005 | |
role: cds-aws-lz-apply | |
- account_folder: log_archive | |
module: legacy_archives | |
account: 274536870005 | |
role: cds-aws-lz-apply | |
- account_folder: log_archive | |
module: sre_bot | |
account: 274536870005 | |
assume_role_name: "assume_apply" | |
admin_sso_role_arn: ADMIN_SSO_ROLE_ARN | |
role: cds-aws-lz-apply | |
- account_folder: audit | |
module: main | |
account: 886481071419 | |
role: cds-aws-lz-apply | |
- account_folder: audit | |
module: sre_bot | |
account: 886481071419 | |
assume_role_name: "assume_apply" | |
admin_sso_role_arn: ADMIN_SSO_ROLE_ARN | |
role: cds-aws-lz-apply | |
- account_folder: aft | |
module: main | |
account: 137554749751 | |
lz_webhook_key: LZ_CHANNEL_WEBHOOK | |
role: cds-aws-lz-apply | |
- account_folder: aft | |
module: notifications | |
account: 137554749751 | |
role: cds-aws-lz-apply | |
aft_notifications_hook: AFT_NOTIFICATIONS_HOOK | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: setup terraform tools | |
uses: cds-snc/terraform-tools-setup@v1 | |
- name: Configure aws credentials using OIDC | |
uses: aws-actions/configure-aws-credentials@master | |
with: | |
role-to-assume: arn:aws:iam::${{ matrix.account }}:role/${{ matrix.role }} | |
role-session-name: ${{matrix.account}}-${{matrix.module}}-apply | |
aws-region: ${{ env.AWS_REGION }} | |
- name: Terraform apply ${{matrix.account_folder}}/${{ matrix.module }} | |
working-directory: terragrunt/${{ matrix.account_folder }}/${{ matrix.module }} | |
env: | |
TF_VAR_aft_slack_webhook: ${{ secrets[matrix.lz_webhook_key] }} | |
TF_VAR_assume_role_name: ${{ matrix.assume_role_name }} | |
TF_VAR_lw_customer_id: ${{ secrets[matrix.la_customer_id] }} | |
TF_VAR_lw_shared_key: ${{ secrets[matrix.la_shared_key] }} | |
TF_VAR_daily_spend_notifier_hook: ${{ secrets[matrix.spend_notifier_hook] }} | |
TF_VAR_weekly_spend_notifier_hook: ${{ secrets[matrix.weekly_spend_notifier_hook]}} | |
TF_VAR_aft_notifications_hook: ${{ secrets[matrix.aft_notifications_hook]}} | |
TF_VAR_admin_sso_role_arn: ${{ secrets[matrix.admin_sso_role_arn] }} | |
run: | | |
terragrunt apply --terragrunt-non-interactive -auto-approve |