#!/usr/bin/env bash
set -e

#######################################
# Print the one-line usage summary.
# Outputs: writes the usage text to stdout
#######################################
usage() {
  printf '%s\n' "Usage: avm <make target>"
}
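# Bash doesn't like it when a script is updated in place, so the first
# invocation copies the script to ./.avm and re-executes that copy.
# AVM_SCRIPT_FORKED marks the environment so the copy skips this block.
if [ -z "${AVM_SCRIPT_FORKED}" ]; then
  export AVM_SCRIPT_FORKED=true
  # Remove any existing .avm before copying: cp writes through a symlink that
  # already sits at the destination, and the working directory can hold files
  # this script did not create. Removing it first guarantees a fresh regular
  # file is what gets written and executed.
  rm -f -- ./.avm
  cp -- "$0" ./.avm
  chmod +x ./.avm
  # Replace this process with the copy, forwarding the original arguments.
  exec ./.avm "$@"
fi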
# Settings that may be supplied through the environment; each one falls back
# to the default below when it is unset or empty.
# NOTE(review): the default image is a mutable tag and the default pull policy
# is "always", so the image content can change between runs. CONTAINER_IMAGE
# also accepts a digest-pinned reference (name@sha256:<digest>) when a fixed,
# reviewable image is required.
: "${CONTAINER_RUNTIME:=docker}"
: "${CONTAINER_IMAGE:=mcr.microsoft.com/azterraform:avm-latest}"
: "${CONTAINER_PULL_POLICY:=always}"
: "${AVM_MAKEFILE_REF:=main}"
: "${AVM_PORCH_REF:=main}"
# Pre-flight checks.
# A container runtime is only needed when we are not already inside the
# container (AVM_IN_CONTAINER unset or empty).
if [ -z "${AVM_IN_CONTAINER}" ] && ! command -v "${CONTAINER_RUNTIME}" >/dev/null 2>&1; then
  printf '%s\n' "Error: ${CONTAINER_RUNTIME} is not installed. Please install ${CONTAINER_RUNTIME} first."
  exit 1
fi

# The first positional argument is the make target and is mandatory.
if [ -z "$1" ]; then
  printf '%s\n' "Error: Please provide a make target. See https://github.com/Azure/avm-terraform-governance/blob/main/Makefile for available targets."
  printf '\n'
  usage
  exit 1
fi
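# Build the container command line and run the requested make target.
#
# Every optional argument group is collected in an array that starts empty.
# Arrays keep each path as a single word (a directory name containing spaces
# no longer splits into extra `run` arguments), and initialising them here
# means a same-named variable inherited from the environment cannot add
# arguments to the container command line.
azure_config_mount=()
tmp_mount=()
docker_sock_mount=()
ssl_cert_mounts=()
interactive_args=()
config_env_args=()
porch_base_url_arg=()
tui_flag=""

# Azure CLI configuration directory on the host; defaults to ~/.azure.
if [ -z "${AZURE_CONFIG_DIR}" ]; then
  AZURE_CONFIG_DIR="${HOME}/.azure"
fi
# Mount it into the container only when it exists.
# NOTE(review): this is a read-write bind mount of the host's Azure CLI state,
# so whatever runs in the container can read and modify it.
if [ -d "${AZURE_CONFIG_DIR}" ]; then
  azure_config_mount=(-v "${AZURE_CONFIG_DIR}:/home/runtimeuser/.azure")
fi

# AVM_TMP_DIR (or RUNNER_TEMP when AVM_TMP_DIR is not set) is mounted on /tmp.
if [ -z "${AVM_TMP_DIR}" ] && [ -n "${RUNNER_TEMP}" ]; then
  AVM_TMP_DIR="${RUNNER_TEMP}"
fi
if [ -n "${AVM_TMP_DIR}" ]; then
  tmp_mount=(-v "${AVM_TMP_DIR}:/tmp")
fi

# If the host Docker socket exists, mount it so the container can talk to the
# host Docker daemon.
# NOTE(review): access to the daemon socket is equivalent to root on the host,
# so the image and the make targets run through it must be trusted.
if [ -S /var/run/docker.sock ]; then
  docker_sock_mount=(-v /var/run/docker.sock:/var/run/docker.sock)
fi

# In GitHub Copilot Coding Agent, mount the host's CA bundle (read-only) at the
# two paths the container expects.
if [ -n "${COPILOT_AGENT_ACTION}" ]; then
  ssl_cert_mounts+=(-v /etc/ssl/certs/ca-certificates.crt:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro)
  ssl_cert_mounts+=(-v /etc/ssl/certs/ca-certificates.crt:/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt:ro)
fi

# TUI selection:
# - PORCH_FORCE_TUI set: force TUI and interactive mode (even in GH Actions).
# - PORCH_NO_TUI set: explicitly disable TUI.
# - Otherwise: enable TUI only when not in GitHub Actions (GITHUB_RUN_ID unset)
#   and NO_COLOR is not set.
enable_tui=""
if [ -n "${PORCH_FORCE_TUI}" ]; then
  enable_tui=1
elif [ -n "${PORCH_NO_TUI}" ]; then
  enable_tui=""
elif [ -z "${GITHUB_RUN_ID}" ] && [ -z "${NO_COLOR}" ]; then
  enable_tui=1
fi
if [ -n "${enable_tui}" ]; then
  tui_flag="--tui"
  interactive_args=(-it)
  export FORCE_COLOR=1
fi

# If AVM_PORCH_BASE_URL is set, pass it to make as PORCH_BASE_URL.
if [ -n "${AVM_PORCH_BASE_URL}" ]; then
  porch_base_url_arg=("PORCH_BASE_URL=${AVM_PORCH_BASE_URL}")
fi

# Repo-specific environment variables from avm.config.json, if it exists.
# Each top-level key becomes an exported variable and is forwarded with `-e`.
# NOTE(review): keys are exported into this shell as well, so an entry can
# override a variable this script reads further down (CONTAINER_IMAGE, for
# example). Treat avm.config.json with the same level of trust as this script.
# Values are echoed below, so the file is not a place for secrets.
if [ -f "avm.config.json" ]; then
  declare -A variables
  # Capture jq's output first so a missing jq or malformed JSON stops the run
  # instead of being silently ignored by `eval ""`.
  config_assignments=$(jq -r 'to_entries[] | @sh "variables[\(.key|tostring)]=\(.value|tostring)"' avm.config.json) || {
    echo "Error: could not read avm.config.json with jq." >&2
    exit 1
  }
  # SECURITY: eval on file content. It relies entirely on jq's @sh, which
  # shell-quotes every interpolated key and value; do not drop the @sh or add
  # unquoted text to the jq program.
  eval "${config_assignments}"
  for key in "${!variables[@]}"; do
    # Only plain shell identifiers are accepted as variable names; anything
    # else is rejected here rather than reaching export or the `run` arguments.
    if ! [[ "${key}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
      echo "Error: invalid variable name in avm.config.json: ${key}" >&2
      exit 1
    fi
    export "${key}=${variables[$key]}"
    config_env_args+=(-e "${key}")
    echo "Set environment variable: ${key}=${variables[$key]}"
  done
fi

# Outside the container, run make inside it; inside the container
# (AVM_IN_CONTAINER set), run make directly.
if [ -z "${AVM_IN_CONTAINER}" ]; then
  # The container runs as the invoking user and mounts the current directory
  # at /src. The two --env-file inputs forward every TF_VAR_* and AVM_*
  # variable from this environment; the format is line based, so a value that
  # contains a newline is not forwarded intact.
  # porch_base_url_arg expands to nothing when AVM_PORCH_BASE_URL is unset, so
  # make is never handed an empty argument (the in-container branch already
  # behaved this way).
  "${CONTAINER_RUNTIME}" run \
    --pull "${CONTAINER_PULL_POLICY}" \
    --user "$(id -u):$(id -g)" \
    --rm \
    "${interactive_args[@]}" \
    -v "$(pwd)":/src \
    "${azure_config_mount[@]}" \
    "${docker_sock_mount[@]}" \
    "${ssl_cert_mounts[@]}" \
    "${tmp_mount[@]}" \
    -e ARM_CLIENT_ID \
    -e ARM_OIDC_REQUEST_TOKEN \
    -e ARM_OIDC_REQUEST_URL \
    -e ARM_SUBSCRIPTION_ID \
    -e ARM_TENANT_ID \
    -e ARM_USE_OIDC \
    -e FORCE_COLOR \
    -e GITHUB_TOKEN \
    -e NO_COLOR \
    -e PORCH_LOG_LEVEL \
    -e TF_IN_AUTOMATION=1 \
    "${config_env_args[@]}" \
    --env-file <(env | grep '^TF_VAR_') \
    --env-file <(env | grep '^AVM_') \
    "${CONTAINER_IMAGE}" \
    make \
    TUI="${tui_flag}" \
    AVM_PORCH_STDOUT="${AVM_PORCH_STDOUT}" \
    AVM_MAKEFILE_REF="${AVM_MAKEFILE_REF}" \
    "${porch_base_url_arg[@]}" \
    AVM_PORCH_REF="${AVM_PORCH_REF}" \
    "$1"
else
  make \
    TUI="${tui_flag}" \
    AVM_MAKEFILE_REF="${AVM_MAKEFILE_REF}" \
    "${porch_base_url_arg[@]}" \
    AVM_PORCH_REF="${AVM_PORCH_REF}" \
    "$1"
fi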