gpg --in is ambiguous
#86
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 'Terraform' | |
| on: | |
| push: | |
| branches: | |
| - production | |
| pull_request: | |
| workflow_dispatch: | |
| env: | |
| GITHUB_OWNER: condime | |
| PRIVATE_KEY_PASSWORD: ${{ secrets.PRIVATE_KEY_PASSWORD }} # .secrets/private_key.pem.gpg decryption password | |
| CONSUL_HTTP_TOKEN: ${{ secrets.CONSUL_HTTP_TOKEN }} # Repository specific, contact @bencord0 to rotate | |
| ARTIFACT_SECRET_KEY: ${{ secrets.ARTIFACT_SECRET_KEY }} # Random, e.g. $(uuidgen); not stored, free to rotate at any time | |
| permissions: | |
| id-token: write | |
| jobs: | |
| terraform-plan: | |
| name: 'Terraform Plan' | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Checkout the repository to the GitHub Actions runner | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| # Install the latest version of Terraform CLI | |
| - name: Setup Terraform | |
| run: ./scripts/setup_terraform.sh | |
| # https://github.blog/changelog/2021-10-27-github-actions-secure-cloud-deployments-with-openid-connect/ | |
| - name: Configure AWS Credentials | |
| run: | | |
| ./scripts/setup_aws_credentials.py \ | |
| --role-arn "arn:aws:iam::055237546114:role/meta-terraform-plans-ro" | |
| # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. | |
| - name: Terraform Init | |
| run: terraform init | |
| # Checks that all Terraform configuration files adhere to a canonical format | |
| - name: Terraform Format | |
| run: terraform fmt -check | |
| # Generates an execution plan for Terraform | |
| - name: Terraform Plan | |
| run: | | |
| ./scripts/decrypt_secrets.sh | |
| terraform plan -out ./tfplan.zip | |
| ./scripts/encrypt_artifact.sh | |
| # Saves the plan as an artifact | |
| - name: Save Encrypted Plan | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: terraform-plan | |
| path: './tfplan.enc' | |
| retention-days: 1 | |
| terraform-apply: | |
| name: 'Terraform Apply' | |
| runs-on: ubuntu-latest | |
| environment: production | |
| needs: terraform-plan | |
| if: github.ref == 'refs/heads/production' | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| steps: | |
| # Checkout the repository to the GitHub Actions runner | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| # Retrieve the prepared plan | |
| - name: Download Plan | |
| uses: actions/download-artifact@v2 | |
| with: | |
| name: terraform-plan | |
| path: '.' | |
| # Use openssl symmetric decryption, as github action artifacts are public | |
| - name: Decrypt Archived Plan | |
| run: | | |
| ./scripts/decrypt_artifact.sh | |
| # Install the latest version of Terraform CLI | |
| - name: Setup Terraform | |
| run: ./scripts/setup_terraform.sh | |
| # Terraform init (again), reload the providers | |
| - name: Terraform Init | |
| run: terraform init | |
| # On push to production or manual change reset infrastructure according to Terraform configuration files | |
| - name: Terraform Apply | |
| if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' | |
| run: | | |
| ./scripts/decrypt_secrets.sh | |
| terraform apply ./tfplan.zip |