generated from cds-snc/project-template
-
Notifications
You must be signed in to change notification settings - Fork 2
141 lines (121 loc) · 4.63 KB
/
tf-apply.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
name: "Terraform Apply"
on:
push:
branches:
- main
env:
AWS_REGION: "ca-central-1"
TERRAFORM_VERSION: 1.7.2
TERRAGRUNT_VERSION: 0.55.1
CONFTEST_VERSION: 0.49.0
permissions:
id-token: write
contents: read
jobs:
terragrunt-apply-account:
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- account_folder: org_account
module: main
account: 659087519042
assume_role_name: "assume_apply"
la_customer_id: LA_CUSTOMER_ID
la_shared_key: LA_SHARED_KEY
la_customer_ids: LA_CUSTOMER_IDS
role: cds-aws-lz-apply
- account_folder: org_account
module: spend_notifier
account: 659087519042
assume_role_name: "assume_apply"
spend_notifier_hook: SPEND_NOTIFIER_HOOK
weekly_spend_notifier_hook: WEEKLY_SPEND_NOTIFIER_HOOK
role: cds-aws-lz-apply
- account_folder: org_account
module: roles
account: 659087519042
assume_role_name: "assume_apply"
admin_sso_role_arn: ADMIN_SSO_ROLE_ARN
role: cds-aws-lz-apply
- account_folder: org_account
module: aft
account: 659087519042
role: cds-aws-lz-apply
- account_folder: org_account
module: sentinel_oidc
account: 659087519042
role: cds-aws-lz-apply
- account_folder: org_account
module: organization
account: 659087519042
role: cds-aws-lz-apply
- account_folder: org_account
module: cost_usage_report
account: 659087519042
role: cds-aws-lz-apply
- account_folder: org_account
module: iam_identity_center
account: 659087519042
role: cds-aws-lz-apply
- account_folder: log_archive
module: main
account: 274536870005
role: cds-aws-lz-apply
- account_folder: log_archive
module: legacy_archives
account: 274536870005
role: cds-aws-lz-apply
- account_folder: log_archive
module: sre_bot
account: 274536870005
assume_role_name: "assume_apply"
admin_sso_role_arn: ADMIN_SSO_ROLE_ARN
role: cds-aws-lz-apply
- account_folder: audit
module: main
account: 886481071419
role: cds-aws-lz-apply
- account_folder: audit
module: sre_bot
account: 886481071419
assume_role_name: "assume_apply"
admin_sso_role_arn: ADMIN_SSO_ROLE_ARN
role: cds-aws-lz-apply
- account_folder: aft
module: main
account: 137554749751
lz_webhook_key: LZ_CHANNEL_WEBHOOK
role: cds-aws-lz-apply
- account_folder: aft
module: notifications
account: 137554749751
role: cds-aws-lz-apply
aft_notifications_hook: AFT_NOTIFICATIONS_HOOK
steps:
- name: Checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- name: setup terraform tools
uses: cds-snc/terraform-tools-setup@v1
- name: Configure aws credentials using OIDC
uses: aws-actions/configure-aws-credentials@master
with:
role-to-assume: arn:aws:iam::${{ matrix.account }}:role/${{ matrix.role }}
role-session-name: ${{matrix.account}}-${{matrix.module}}-apply
aws-region: ${{ env.AWS_REGION }}
- name: Terraform apply ${{matrix.account_folder}}/${{ matrix.module }}
working-directory: terragrunt/${{ matrix.account_folder }}/${{ matrix.module }}
env:
TF_VAR_aft_slack_webhook: ${{ secrets[matrix.lz_webhook_key] }}
TF_VAR_assume_role_name: ${{ matrix.assume_role_name }}
TF_VAR_lw_customer_id: ${{ secrets[matrix.la_customer_id] }}
TF_VAR_lw_shared_key: ${{ secrets[matrix.la_shared_key] }}
TF_VAR_lw_customer_ids: ${{ secrets[matrix.la_customer_ids] }}
TF_VAR_daily_spend_notifier_hook: ${{ secrets[matrix.spend_notifier_hook] }}
TF_VAR_weekly_spend_notifier_hook: ${{ secrets[matrix.weekly_spend_notifier_hook]}}
TF_VAR_aft_notifications_hook: ${{ secrets[matrix.aft_notifications_hook]}}
TF_VAR_admin_sso_role_arn: ${{ secrets[matrix.admin_sso_role_arn] }}
run: |
terragrunt apply --terragrunt-non-interactive -auto-approve