Skip to content

Switch to GitHub App authentication #79

Switch to GitHub App authentication

Switch to GitHub App authentication #79

Workflow file for this run

name: 'Terraform'
on:
push:
branches:
- production
pull_request:
workflow_dispatch:
env:
GITHUB_OWNER: condime
PRIVATE_KEY_PASSWORD: ${{ secrets.PRIVATE_KEY_PASSWORD }} # .secrets/private_key.pem.gpg decryption password
CONSUL_HTTP_TOKEN: ${{ secrets.CONSUL_HTTP_TOKEN }} # Repository specific, contact @bencord0 to rotate
ARTIFACT_SECRET_KEY: ${{ secrets.ARTIFACT_SECRET_KEY }} # Random, e.g. $(uuidgen); not stored, free to rotate at any time
permissions:
id-token: write
jobs:
terraform-plan:
name: 'Terraform Plan'
runs-on: ubuntu-latest
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
uses: actions/checkout@v2
# Install the latest version of Terraform CLI
- name: Setup Terraform
run: ./scripts/setup_terraform.sh
# https://github.blog/changelog/2021-10-27-github-actions-secure-cloud-deployments-with-openid-connect/
- name: Configure AWS Credentials
run: |
./scripts/setup_aws_credentials.py \
--role-arn "arn:aws:iam::055237546114:role/meta-terraform-plans-ro"
# Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- name: Terraform Init
run: terraform init
# Checks that all Terraform configuration files adhere to a canonical format
- name: Terraform Format
run: terraform fmt -check
# Generates an execution plan for Terraform
- name: Terraform Plan
run: |
./scripts/decrypt_secrets.sh
terraform plan -out ./tfplan.zip
./scripts/encrypt_artifact.sh
# Saves the plan as an artifact
- name: Save Encrypted Plan
uses: actions/upload-artifact@v2
with:
name: terraform-plan
path: './tfplan.enc'
retention-days: 1
terraform-apply:
name: 'Terraform Apply'
runs-on: ubuntu-latest
environment: production
needs: terraform-plan
if: github.ref == 'refs/heads/production'
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
uses: actions/checkout@v2
# Retrieve the prepared plan
- name: Download Plan
uses: actions/download-artifact@v2
with:
name: terraform-plan
path: '.'
# Use openssl symmetric decryption, as github action artifacts are public
- name: Decrypt Archived Plan
run: |
./scripts/decrypt_artifact.sh
# Install the latest version of Terraform CLI
- name: Setup Terraform
run: ./scripts/setup_terraform.sh
# Terraform init (again), reload the providers
- name: Terraform Init
run: terraform init
# On push to production or manual change reset infrastructure according to Terraform configuration files
- name: Terraform Apply
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
run: |
./scripts/decrypt_secrets.sh
terraform apply ./tfplan.zip