TF-via-PR/.github/workflows/test_terragrunt.yaml at 3bda4a2ec294399b6affee0007dcacf6dd7584fc · OP5dev/TF-via-PR · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
---
name: Test Terragrunt

on:
  pull_request: # Plan.
    paths: [tests/terragrunt/**, .github/workflows/test_terragrunt.yaml]
    types: [opened, synchronize, reopened, labeled]
  merge_group: # Apply.
    types: [checks_requested]
  workflow_dispatch:
    inputs:
      command:
        description: 'Infrastructure command to run'
        required: true
        default: 'plan'
        type: choice
        options:
          - plan
          - apply
          - destroy

env:
  TF_VERSION: "1.5.0"
  TG_VERSION: "0.48.0"
  AWS_REGION: "us-west-1"

jobs:
  Target:
    runs-on: ubuntu-24.04

    permissions:
      issues: write # Required to add PR label.
      pull-requests: write # Required to add PR comment.

    outputs:
      targets: ${{ steps.changed.outputs.targets }}

    steps:
      - name: Changed files
        id: changed
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.number }}
        run: |
          # Add link to PR during apply job summary.
          if [[ "${{ github.event_name }}" == "merge_group" ]]; then
            PR_NUMBER=$(echo "${{ github.ref_name }}" | sed -n 's/.*pr-\([0-9]*\)-.*/\1/p')
            echo "View PR [#${PR_NUMBER}](https://github.com/${{ github.repository }}/pull/${PR_NUMBER}) to review planned proposal." >> $GITHUB_STEP_SUMMARY
          fi
          # Remove "tg-plan" PR label if it exists.
          if [[ "${{ github.event.action }}" == "labeled" ]]; then gh api /repos/${{ github.repository }}/issues/${PR_NUMBER}/labels/tg-plan --method DELETE --silent; fi
          # Output changed targets.
          changed=$(gh api /repos/${{ github.repository }}/pulls/${PR_NUMBER}/files --paginate --jq '.[].filename')
          echo "targets=$(echo "$changed" | jq -R 'select(test("^tests/terragrunt/live/")) | split("/")[4]' | jq -c -s 'unique | sort')" >> $GITHUB_OUTPUT

  TG:
    runs-on: ubuntu-24.04
    needs: [Target]
    if: ${{ needs.Target.outputs.targets != '[]' || github.event_name == 'workflow_dispatch' }}

    permissions:
      actions: read # Required to identify workflow run.
      checks: write # Required to add status summary.
      contents: read # Required to checkout repository.
      id-token: write # Required to authenticate via OIDC.
      issues: write # Required to add PR label.
      pull-requests: write # Required to add PR comment.

    strategy:
      fail-fast: false
      matrix:
        target: ${{ fromJson(needs.Target.outputs.targets) }}

    concurrency:
      cancel-in-progress: false
      group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name}}-${{ matrix.target }}

    environment: ${{ matrix.target }}

    steps:
      - name: Authenticate AWS
        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
        with:
          aws-region: ${{ vars.AWS_REGION }}
          role-to-assume: ${{ vars.AWS_ROLE }}
          role-session-name: tg-via-pr-${{ github.run_id }}-${{ github.run_attempt }}

      - name: Authenticate GitHub
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.number }}
        run: |
          # Authenticate with GitHub token.
          git config --global url."https://token:${GH_TOKEN}@github.com".insteadOf "https://github.com"
          # Add the target name as a PR label if it does not exist.
          if [[ "${{ github.event_name }}" == "pull_request" && "${{ !contains(github.event.pull_request.labels.*.name, matrix.target) }}" == "true" ]]; then
            gh api /repos/${{ github.repository }}/issues/${PR_NUMBER}/labels --method POST --field "labels[]=${{ matrix.target }}" --silent
          fi

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ env.TF_VERSION }}

      - name: Setup Terragrunt
        run: |
          wget https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.TG_VERSION }}/terragrunt_linux_amd64
          chmod +x terragrunt_linux_amd64
          sudo mv terragrunt_linux_amd64 /usr/local/bin/terragrunt

      - name: Checkout PR
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

      - name: Provision TG
        id: tg
        uses: ./
        with:
          working-directory: tests/terragrunt/live/project/${{ matrix.target }}
          tool: terragrunt
          command: ${{ github.event_name == 'merge_group' && 'apply' || (github.event_name == 'workflow_dispatch' && github.event.inputs.command || 'plan') }}
          arg-lock-timeout: 3m
          plan-encrypt: secrets.TF_ENCRYPTION
          plan-parity: true
          retention-days: 1
          expand-diff: true
          tag-actor: never
          arg-auto-approve: ${{ github.event_name == 'workflow_dispatch' && (github.event.inputs.command == 'apply' || github.event.inputs.command == 'destroy') }}

      - name: Troubleshoot TG
        if: ${{ failure() && github.event_name == 'merge_group' }}
        uses: op5dev/prompt-ai@4cacb93e4a1e101f3a89650b31a3582321f2461d # v2.0.0
        with:
          model: openai/gpt-4.1-mini
          system-prompt: You are a helpful DevOps assistant and expert at troubleshooting Terragrunt errors.
          user-prompt: Troubleshoot the following Terragrunt output; ${{ steps.tg.outputs.result }}

      - name: Clear directory
        if: ${{ failure() && github.event_name == 'merge_group' }}
        run: find ${{ github.workspace }} -mindepth 1 -delete

      - name: Checkout main
        if: ${{ failure() && github.event_name == 'merge_group' }}
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          ref: main
          persist-credentials: false

      - name: Rollback TG
        if: ${{ failure() && github.event_name == 'merge_group' }}
        uses: ./
        with:
          working-directory: tests/terragrunt/live/project/${{ matrix.target }}
          tool: terragrunt
          command: apply
          arg-auto-approve: true
          arg-lock-timeout: 3m
          comment-pr: never

# Todo:  Will uncomment when this workflow is fully implemented.
  Notify:
    runs-on: [ubuntu-24.04]
    needs: [Target, TG]
    if: ${{ !cancelled() }}

    permissions:
      actions: read # Required to identify workflow run.

    steps:
      - name: Notify Slack on failure
        if: ${{ github.event_name == 'merge_group' && contains(needs.*.result, 'failure') }}
        uses: gamesight/slack-workflow-status@68bf00d0dbdbcb206c278399aa1ef6c14f74347a # v1.3.0
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          slack_webhook_url: https://hooks.slack.com/services/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

      - name: Exit status
        run: exit ${{ contains(needs.*.result, 'failure') && 1 || 0 }}