Terraform plan dev42 by @shanice-skylight #86
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Terraform Plan | ||
| run-name: Terraform plan ${{ inputs.workspace }}${{ inputs.id }} by @${{ github.actor }} | ||
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| workspace: | ||
| description: "The workspace to terraform against" | ||
| required: true | ||
| type: choice | ||
| options: | ||
| - dev | ||
| - prod | ||
| id: | ||
| description: "Unique id for environment (optional, PR number, issue number etc.)" | ||
| required: true | ||
| type: string | ||
| dibbs-ecr-viewer-version: | ||
| description: "dibbs-ecr-viewer docker image tag" | ||
| required: true | ||
| type: string | ||
| default: "8.2.1" | ||
| dibbs-ecr-viewer-config-name: | ||
| description: "Sets CONFIG_NAME on dibbs-ecr-viewer" | ||
| required: true | ||
| type: choice | ||
| options: | ||
| - AWS_PG_NON_INTEGRATED | ||
| - AWS_PG_DUAL | ||
| - AWS_SQLSERVER_NON_INTEGRATED | ||
| - AWS_SQLSERVER_DUAL | ||
| - AWS_INTEGRATED | ||
| dibbs-ecr-viewer-auth-provider: | ||
| description: "Sets AUTH_PROVIDER on dibbs-ecr-viewer" | ||
| required: true | ||
| type: choice | ||
| options: | ||
| - ad | ||
| - none | ||
| concurrency: | ||
| group: ${{ inputs.workspace }}${{ inputs.id }}-terraform | ||
| cancel-in-progress: false | ||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| env: | ||
| workspace: ${{ inputs.workspace }} | ||
| jobs: | ||
| terraform: | ||
| name: Run Terraform | ||
| runs-on: ubuntu-latest | ||
| if: ${{ inputs.workspace }} == 'dev' || ${{ inputs.workspace }} == 'prod' | ||
|
Check warning on line 56 in .github/workflows/deployment_plan.yaml
|
||
| defaults: | ||
| run: | ||
| shell: bash | ||
| # this may need to be updated if you change the directory you are working with | ||
| # ./terraform/implementation/dev || ./terraform/implementation/prod for example | ||
| # this practice is recommended to keep the terraform code organized while reducing the risk of conflicts | ||
| working-directory: ./terraform/implementation/ecs | ||
| steps: | ||
| - name: Check Out Changes | ||
| uses: actions/checkout@v4 | ||
| - name: Setup Terraform | ||
| uses: hashicorp/setup-terraform@v3 | ||
| with: | ||
| terraform_version: "1.9.8" | ||
| - name: configure aws credentials | ||
| if: ${{ inputs.workspace }} == 'prod' | ||
|
Check warning on line 74 in .github/workflows/deployment_plan.yaml
|
||
| uses: aws-actions/configure-aws-credentials@v4 | ||
| with: | ||
| role-to-assume: ${{ secrets.AWS_ROLE_ARN }} | ||
| role-session-name: githubDeploymentWorkflow | ||
| aws-region: ${{ vars.AWS_REGION }} | ||
| - name: configure aws credentials | ||
| if: ${{ inputs.workspace }} == 'dev' | ||
|
Check warning on line 82 in .github/workflows/deployment_plan.yaml
|
||
| uses: aws-actions/configure-aws-credentials@v4 | ||
| with: | ||
| role-to-assume: ${{ secrets.AWS_DEV_ROLE_ARN }} | ||
| role-session-name: githubDeploymentWorkflow | ||
| aws-region: ${{ vars.AWS_REGION }} | ||
| - name: Set auth secrets for AD | ||
| if: ${{ inputs.dibbs-ecr-viewer-auth-provider == 'ad' }} | ||
| run: | | ||
| echo "AUTH_PROVIDER=ad" >> $GITHUB_ENV | ||
| echo "AUTH_CLIENT_ID=${{ secrets.AD_AUTH_CLIENT_ID }}" >> $GITHUB_ENV | ||
| echo "AUTH_ISSUER=${{ secrets.AD_AUTH_ISSUER }}" >> $GITHUB_ENV | ||
| echo "AUTH_SECRET=${{ secrets.AD_AUTH_SECRET }}" >> $GITHUB_ENV | ||
| echo "AUTH_CLIENT_SECRET=${{ secrets.AD_AUTH_CLIENT_SECRET }}" >> $GITHUB_ENV | ||
| - name: Set auth secrets for Keycloak | ||
| if: ${{ inputs.dibbs-ecr-viewer-auth-provider == 'keycloak' }} | ||
| run: | | ||
| echo "AUTH_PROVIDER=keycloak" >> $GITHUB_ENV | ||
| echo "AUTH_CLIENT_ID=${{ secrets.KEYCLOAK_AUTH_CLIENT_ID }}" >> $GITHUB_ENV | ||
| echo "AUTH_ISSUER=${{ secrets.KEYCLOAK_AUTH_ISSUER }}" >> $GITHUB_ENV | ||
| echo "AUTH_SECRET=${{ secrets.KEYCLOAK_AUTH_SECRET }}" >> $GITHUB_ENV | ||
| echo "AUTH_CLIENT_SECRET=${{ secrets.KEYCLOAK_AUTH_CLIENT_SECRET }}" >> $GITHUB_ENV | ||
| - name: Terraform | ||
| env: | ||
| BUCKET: ${{ secrets.TFSTATE_BUCKET }} | ||
| DYNAMODB_TABLE: ${{ secrets.TFSTATE_DYNAMODB_TABLE }} | ||
| OWNER: ${{ vars.OWNER }} | ||
| PROJECT: ${{ vars.PROJECT }} | ||
| REGION: ${{ vars.AWS_REGION }} | ||
| SSH_KEY_NAME: "GITHUB_ACTIONS" | ||
| ROUTE53_HOSTED_ZONE_ID: ${{ secrets.ROUTE53_HOSTED_ZONE_ID }} | ||
| WORKSPACE: ${{ env.workspace }}${{ inputs.id }} | ||
| DIBBS_ECR_VIEWER_VERSION: ${{ inputs.dibbs-ecr-viewer-version }} | ||
| DIBBS_CONFIG_NAME: ${{ inputs.dibbs-ecr-viewer-config-name }} | ||
| METADATA_DATABASE_MIGRATION_SECRET: ${{ secrets.METADATA_DATABASE_MIGRATION_SECRET }} | ||
| VPC_CIDR: "176.${{ inputs.id }}.0.0/16" | ||
| shell: bash | ||
| run: | | ||
| echo "owner = \"$OWNER\"" >> $WORKSPACE.tfvars | ||
| echo "project = \"$PROJECT\"" >> $WORKSPACE.tfvars | ||
| echo "region = \"$REGION\"" >> $WORKSPACE.tfvars | ||
| echo "private_subnets = [\"176.${{ inputs.id }}.1.0/24\",\"176.${{ inputs.id }}.3.0/24\"]" >> $WORKSPACE.tfvars | ||
| echo "public_subnets = [\"176.${{ inputs.id }}.2.0/24\",\"176.${{ inputs.id }}.4.0/24\"]" >> $WORKSPACE.tfvars | ||
| echo "vpc_cidr = \"$VPC_CIDR\"" >> $WORKSPACE.tfvars | ||
| echo "route53_hosted_zone_id = \"$ROUTE53_HOSTED_ZONE_ID\"" >> $WORKSPACE.tfvars | ||
| echo "phdi_version = \"$DIBBS_ECR_VIEWER_VERSION\"" >> $WORKSPACE.tfvars | ||
| echo "dibbs_config_name = \"$DIBBS_CONFIG_NAME\"" >> $WORKSPACE.tfvars | ||
| echo "secrets_manager_metadata_database_migration_secret_version = \"$METADATA_DATABASE_MIGRATION_SECRET\"" >> $WORKSPACE.tfvars | ||
| if [ $DIBBS_CONFIG_NAME == "AWS_PG_NON_INTEGRATED" ] || [ $DIBBS_CONFIG_NAME == "AWS_PG_DUAL" ]; then | ||
| echo "database_type = \"postgresql\"" >> $WORKSPACE.tfvars | ||
| elif [ $DIBBS_CONFIG_NAME == "AWS_SQLSERVER_NON_INTEGRATED" ] || [ $DIBBS_CONFIG_NAME == "AWS_SQLSERVER_DUAL" ]; then | ||
| echo "database_type = \"sqlserver\"" >> $WORKSPACE.tfvars | ||
| fi | ||
| if [ $DIBBS_CONFIG_NAME == "AWS_PG_NON_INTEGRATED" ] || [ $DIBBS_CONFIG_NAME == "AWS_SQLSERVER_NON_INTEGRATED" ] || [ $DIBBS_CONFIG_NAME == "AWS_PG_DUAL" ] || [ $DIBBS_CONFIG_NAME == "AWS_SQLSERVER_DUAL" ]; then | ||
| echo "auth_provider = \"$AUTH_PROVIDER\"" >> $WORKSPACE.tfvars | ||
| echo "auth_client_id = \"$AUTH_CLIENT_ID\"" >> $WORKSPACE.tfvars | ||
| echo "auth_issuer = \"$AUTH_ISSUER\"" >> $WORKSPACE.tfvars | ||
| echo "auth_url = \"https://$WORKSPACE.dibbs.cloud/ecr-viewer/api/auth\"" >> $WORKSPACE.tfvars | ||
| echo "secrets_manager_auth_secret_version = \"$AUTH_SECRET\"" >> $WORKSPACE.tfvars | ||
| echo "secrets_manager_auth_client_secret_version = \"$AUTH_CLIENT_SECRET\"" >> $WORKSPACE.tfvars | ||
| elif [ $DIBBS_CONFIG_NAME == "AWS_INTEGRATED" ]; then | ||
| echo "secrets_manager_auth_secret_version = \"$AUTH_SECRET\"" >> $WORKSPACE.tfvars | ||
| echo "secrets_manager_auth_client_secret_version = \"$AUTH_CLIENT_SECRET\"" >> $WORKSPACE.tfvars | ||
| fi | ||
| terraform init \ | ||
| -var-file="$WORKSPACE.tfvars" \ | ||
| -backend-config "bucket=$BUCKET" \ | ||
| -backend-config "dynamodb_table=$DYNAMODB_TABLE" \ | ||
| -backend-config "region=$REGION" \ | ||
| || (echo "terraform init failed, exiting..." && exit 1) | ||
| terraform workspace new "$WORKSPACE" || terraform workspace select "$WORKSPACE" | ||
| terraform plan -var-file="$WORKSPACE.tfvars" | ||
