diff --git a/.github/workflows/terraform-dev.yml b/.github/workflows/terraform-dev.yml
new file mode 100644
index 0000000..f93951e
--- /dev/null
+++ b/.github/workflows/terraform-dev.yml
@@ -0,0 +1,72 @@
+name: "[DEV] - Terraform Deployment"
+
+on:
+ push:
+ branches:
+ - develop
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ terraform:
+ runs-on: ubuntu-latest
+
+ defaults:
+ run:
+ shell: bash
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: 1.8.3
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: arn:aws:iam::179916804929:role/BuildRun-GithubActions-Role
+ role-session-name: GitHub_to_AWS_via_FederatedOIDC
+ aws-region: ${{ vars.AWS_REGION }}
+
+ - name: Read destroy configuration
+ id: read-destroy-config
+ run: |
+ DESTROY_DEV="$(jq -r '.dev' ./infra/destroy_config.json)"
+ echo "destroy_dev=$(echo $DESTROY_DEV)" >> $GITHUB_OUTPUT
+
+ - name: Terraform Init
+ run: |
+ cd infra && terraform init \
+ -backend-config="bucket=${{ vars.TERRAFORM_S3_STATEFILE_BUCKET }}" \
+ -backend-config="key=${{ github.event.repository.name }}" \
+ -backend-config="region=${{ env.AWS_REGION }}" \
+ -backend-config="dynamodb_table=${{ vars.TERRAFORM_DYNAMODB_LOCK_TABLE }}"
+
+ - name: Terraform Validate
+ run: terraform validate
+
+ - name: Terraform Destroy for Dev
+ if: steps.read-destroy-config.outputs.destroy_dev == 'true' && github.ref == 'refs/heads/develop' && github.event_name == 'push'
+ id: terraform-destroy-dev
+ run: cd infra &&
+ terraform workspace select dev || terraform workspace new dev &&
+ terraform destroy -var-file="./envs/dev/terraform.tfvars" -auto-approve
+
+ - name: Terraform Plan for Dev
+ if: steps.read-destroy-config.outputs.destroy_dev != 'true' && github.ref == 'refs/heads/develop' && github.event_name == 'push'
+ id: terraform-plan-dev
+ run: cd infra &&
+ terraform workspace select dev || terraform workspace new dev &&
+ terraform plan -var-file="./envs/dev/terraform.tfvars" -out=dev.plan
+
+ - name: Terraform Apply for Dev
+ id: terraform-apply-dev
+ if: steps.read-destroy-config.outputs.destroy_dev != 'true' && github.ref == 'refs/heads/develop' && github.event_name == 'push'
+ run: cd infra &&
+ terraform workspace select dev || terraform workspace new dev &&
+ terraform apply "dev.plan"
\ No newline at end of file
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform-prod.yml
similarity index 58%
rename from .github/workflows/terraform.yml
rename to .github/workflows/terraform-prod.yml
index 6a07abd..be3f462 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform-prod.yml
@@ -1,11 +1,14 @@
-name: Terraform Deployment
+name: "[PROD] - Terraform Deployment"
 on:
 push:
 branches:
- - develop
 - main
+permissions:
+ id-token: write
+ contents: read
+
 jobs:
 terraform:
 runs-on: ubuntu-latest
@@ -16,18 +19,18 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
 - name: Setup Terraform
- uses: hashicorp/setup-terraform@v2
+ uses: hashicorp/setup-terraform@v3
 with:
 terraform_version: 1.8.3
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v2
+ uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: arn:aws:iam::179916804929:role/BuildRun-GithubActions-Role #change to reflect your IAM role’s ARN
+ role-session-name: GitHub_to_AWS_via_FederatedOIDC
 aws-region: ${{ vars.AWS_REGION }}
 - name: Read destroy configuration
@@ -35,8 +38,8 @@ jobs:
 run: |
 DESTROY_DEV="$(jq -r '.dev' ./infra/destroy_config.json)"
 DESTROY_PROD="$(jq -r '.prod' ./infra/destroy_config.json)"
- echo "::set-output name=destroy_dev::$DESTROY_DEV"
- echo "::set-output name=destroy_prod::$DESTROY_PROD"
+ echo "destroy_dev=$(echo $DESTROY_DEV)" >> $GITHUB_OUTPUT
+ echo "destroy_prod=$(echo $DESTROY_PROD)" >> $GITHUB_OUTPUT
 - name: Terraform Init
 run: |
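Review bot: The `Terraform Validate` step runs `terraform validate` from the repository root, because the `cd infra` in the preceding `Terraform Init` step does not carry over between steps; every other Terraform step in this file does its own `cd infra`, so validate is the only one that never looks at the `infra/` configuration. Change it to `run: cd infra && terraform validate`, or set `working-directory: infra` under `defaults.run` and drop the per-step `cd` (in that case the `./infra/destroy_config.json` path in `Read destroy configuration` must become `./destroy_config.json`). The `Terraform Init` step also reads the region from `env.AWS_REGION` while every other reference in the file uses `vars.AWS_REGION`; this presumably relies on the credentials action exporting `AWS_REGION` into the environment, so either use `vars.AWS_REGION` here as well or add a comment stating that dependency. The same validate step exists unchanged in terraform-prod.yml (visible as context in the last hunk of this diff).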
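Review bot: The IAM role ARN on the new `role-to-assume` line is a hard-coded literal carrying the inline comment `#change to reflect your IAM role’s ARN`, while the region directly below it already comes from `vars.AWS_REGION`; reading the ARN from a repository variable in the same way (a name such as `vars.AWS_ROLE_ARN`, to be chosen) keeps the account id out of the workflow text and removes the need for the comment, and the same literal ARN is duplicated in the new terraform-dev.yml. If the comment stays, write it as `# change to reflect your IAM role's ARN` (space after `#`, plain ASCII apostrophe). The bumped `uses:` references (`actions/checkout@v4`, `hashicorp/setup-terraform@v3`, `aws-actions/configure-aws-credentials@v4`) are mutable tags; now that the job obtains cloud credentials through OIDC, pinning each action to a full commit SHA with the tag in a trailing comment limits what a retagged action could do with that credential.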
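Review bot: The `destroy_dev` output written on the new `echo "destroy_dev=..." >> $GITHUB_OUTPUT` line appears to have no remaining consumer in terraform-prod.yml once the dev steps are deleted in the last hunk of this diff, so the `.dev` lookup and that echo look like dead code here and can be dropped. On both new lines the `$(echo $DESTROY_...)` wrapper adds nothing and the redirection target is unquoted; `echo "destroy_prod=${DESTROY_PROD}" >> "$GITHUB_OUTPUT"` is the direct equivalent. When the key is absent from `destroy_config.json`, `jq -r` prints the string `null`, which the downstream `== 'true'` gate treats as "do not destroy"; that is the safe direction, but worth a one-line comment above the echo so the condition is not inverted later. The step's `name:` and `id:` lines are outside this hunk.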
@@ -49,27 +52,6 @@ jobs:
 - name: Terraform Validate
 run: terraform validate
- - name: Terraform Destroy for Dev
- if: steps.read-destroy-config.outputs.destroy_dev == 'true' && github.ref == 'refs/heads/develop' && github.event_name == 'push'
- id: terraform-destroy-dev
- run: cd infra &&
- terraform workspace select dev || terraform workspace new dev &&
- terraform destroy -var-file="./envs/dev/terraform.tfvars" -auto-approve
- - name: Terraform Plan for Dev
- if: steps.read-destroy-config.outputs.destroy_dev != 'true' && github.ref == 'refs/heads/develop' && github.event_name == 'push'
- id: terraform-plan-dev
- run: cd infra &&
- terraform workspace select dev || terraform workspace new dev &&
- terraform plan -var-file="./envs/dev/terraform.tfvars" -out=dev.plan
- - name: Terraform Apply for Dev
- id: terraform-apply-dev
- if: steps.read-destroy-config.outputs.destroy_dev != 'true' && github.ref == 'refs/heads/develop' && github.event_name == 'push'
- run: cd infra &&
- terraform workspace select dev || terraform workspace new dev &&
- terraform apply "dev.plan"
-
 - name: Terraform Destroy for Prod
 if: steps.read-destroy-config.outputs.destroy_prod == 'true' && github.ref == 'refs/heads/main' && github.event_name == 'push'
 id: terraform-destroy-prod