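---
# Runs `pulumi preview` for every stack in the matrix whenever a pull request
# touches pulumi/**, and on manual dispatch. AWS access is obtained through
# GitHub's OIDC token, so no long-lived AWS access keys are stored as secrets.
name: Pulumi Preview

on:
  pull_request:
    paths:
      - pulumi/**
  workflow_dispatch: null

jobs:
  preview:
    name: Pulumi Preview ${{ matrix.arrays.stack.name }}
    runs-on: ubuntu-latest

    # id-token: write lets configure-aws-credentials request an OIDC token;
    # contents: read is all the checkout needs. Pull requests opened from forks
    # do not receive repository secrets, so for those the AWS step is expected
    # to fail rather than run a preview with this repository's credentials.
    permissions:
      id-token: write
      contents: read

    strategy:
      fail-fast: false
      # One entry per Pulumi stack. awsAccountID and iamRole hold the NAMES of
      # repository secrets (resolved with secrets[...] below), not the values.
      # All three stacks currently point at the same secret names, i.e. the
      # same AWS account and role; give each environment its own secrets and a
      # role scoped to that environment if hub/dev/prod should be isolated.
      # The role's trust policy should restrict the token's `sub` claim to this
      # repository — see
      # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
      matrix:
        arrays:
          - stack:
              name: "hub"
              awsAccountID: "AWS_ACCOUNT_ID"
              iamRole: "AWS_DEPLOY_ROLE"
          - stack:
              name: "dev"
              awsAccountID: "AWS_ACCOUNT_ID"
              iamRole: "AWS_DEPLOY_ROLE"
          - stack:
              name: "prod"
              awsAccountID: "AWS_ACCOUNT_ID"
              iamRole: "AWS_DEPLOY_ROLE"

    steps:
      # NOTE(review): actions are pinned to major-version tags; pinning each
      # `uses:` to a full commit SHA protects against a moved or compromised tag.
      - name: Checkout 🛎️
        uses: actions/checkout@v4

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
          # Role ARN assembled from the secrets named in this matrix entry.
          role-to-assume: arn:aws:iam::${{ secrets[matrix.arrays.stack.awsAccountID] }}:role/${{ secrets[matrix.arrays.stack.iamRole] }}
          role-session-name: myGitHubActions

      - name: 📦️ Pulumi Install 📦️
        uses: pulumi/actions@v5

      - name: Overrides Pulumi Config 🔨
        working-directory: pulumi
        env:
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
          # Expression values are handed to the script through the environment
          # instead of being spliced into its text with ${{ }}; the shell then
          # sees them only as quoted data, never as part of the command line.
          STACK_NAME: ${{ matrix.arrays.stack.name }}
          VELERO_BUCKET_PREFIX: ${{ secrets.VELERO_BACKUP_BUCKET }}
          HUB_STACK_ORG: ${{ secrets.PULUMI_ACCOUNT }}
          HUB_STACK_PROJECT: ${{ secrets.PULUMI_PROJECT }}
        run: |
          set -euo pipefail
          pulumi stack select "${STACK_NAME}"
          pulumi config set githubOrg "${GITHUB_REPOSITORY_OWNER}"
          # GITHUB_REPOSITORY is owner/repo; keep only the repo part.
          pulumi config set githubRepo "${GITHUB_REPOSITORY#*/}"
          pulumi config set veleroBucketPrefix "${VELERO_BUCKET_PREFIX}"
          # Non-hub stacks reference the hub stack by its fully qualified name.
          if [ "${STACK_NAME}" != "hub" ]; then
            pulumi config set hubStackName "${HUB_STACK_ORG}/${HUB_STACK_PROJECT}/hub"
          fi
          # Echo the resulting stack config into the job log for review.
          cat "stacks/Pulumi.${STACK_NAME}.yaml"

      - name: Setup Node LTS ✨
        uses: actions/setup-node@v4
        with:
          node-version: lts/*
          cache: npm
          cache-dependency-path: pulumi/src/package-lock.json

      - name: Installing dependencies 📦️
        working-directory: pulumi/src
        # npm ci installs exactly what package-lock.json records and fails on
        # drift, so the preview runs against the reviewed dependency set rather
        # than whatever `npm install` would resolve today.
        run: npm ci

      - name: Preview infrastructure 🚀
        uses: pulumi/actions@v5
        with:
          command: preview
          work-dir: ./pulumi
          stack-name: ${{ matrix.arrays.stack.name }}
          comment-on-summary: true
          diff: true
        env:
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
          # A repository-provided token that overrides the default GITHUB_TOKEN;
          # presumably used by pulumi/actions for GitHub API calls — confirm it
          # is needed and scoped to the minimum this job requires.
          GITHUB_TOKEN: ${{ secrets.PULUMI_GITHUB_TOKEN }}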