refactor pulumi gitops-bridge #8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Pulumi Preview | |
on: | |
pull_request: | |
paths: | |
- pulumi/** | |
workflow_dispatch: null | |
jobs: | |
preview: | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
# This IAM Matrix should have a name with the stack name, awsAccountID, and iamRole | |
# with access to deploy AWS resources in you account. The easiest method is attaching AdministratorAccess Policy to role | |
# See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services for details on implementing OIDC with Github Actions | |
matrix: | |
arrays: [ | |
stack: {name: "hub", awsAccountID: "AWS_ACCOUNT_ID", iamRole: "AWS_DEPLOY_ROLE"}, | |
stack: {name: "dev", awsAccountID: "AWS_ACCOUNT_ID", iamRole: "AWS_DEPLOY_ROLE"}, | |
stack: {name: "prod", awsAccountID: "AWS_ACCOUNT_ID", iamRole: "AWS_DEPLOY_ROLE"}, | |
] | |
permissions: | |
id-token: write | |
contents: read | |
name: Pulumi Preview ${{ matrix.arrays.stack.name }} | |
steps: | |
- name: Checkout 🛎️ | |
uses: actions/checkout@v4 | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: ${{ secrets.AWS_DEFAULT_REGION }} | |
## the following creates an ARN based on the values entered into github secrets | |
role-to-assume: arn:aws:iam::${{ secrets[matrix.arrays.stack.awsAccountID] }}:role/${{ secrets[matrix.arrays.stack.iamRole] }} | |
role-session-name: myGitHubActions | |
- name: 📦️ Pulumi Install 📦️ | |
uses: pulumi/actions@v5 | |
- name: Overrides Pulumi Config 🔨 | |
working-directory: pulumi | |
env: | |
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} | |
run: | | |
pulumi stack select ${{ matrix.arrays.stack.name }} | |
pulumi config set githubOrg ${GITHUB_REPOSITORY_OWNER} | |
pulumi config set githubRepo $(echo "${GITHUB_REPOSITORY}" | cut -d '/' -f2) | |
pulumi config set veleroBucketPrefix ${{ secrets.VELERO_BACKUP_BUCKET }} | |
if [ ${{ matrix.arrays.stack.name }} != "hub" ]; then | |
pulumi config set hubStackName ${{ secrets.PULUMI_ACCOUNT }}/${{ secrets.PULUMI_PROJECT }}/hub | |
fi | |
cat stacks/Pulumi.${{ matrix.arrays.stack.name }}.yaml | |
- name: Setup Node LTS ✨ | |
uses: actions/setup-node@v4 | |
with: | |
node-version: lts/* | |
cache: npm | |
cache-dependency-path: pulumi/src/package-lock.json | |
- name: Installing dependencies 📦️ | |
run: | | |
cd ./pulumi/src | |
npm install | |
- name: Preview infrastructure 🚀 | |
uses: pulumi/actions@v5 | |
with: | |
command: preview | |
work-dir: ./pulumi | |
stack-name: ${{ matrix.arrays.stack.name }} | |
comment-on-summary: true | |
diff: true | |
env: | |
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} | |
GITHUB_TOKEN: ${{ secrets.PULUMI_GITHUB_TOKEN }} |