Initial commit #16
| name: Terraform | |
| on: | |
| push: | |
| branches: [ main ] | |
| paths: | |
| - "infra/terraform/**" | |
| pull_request: | |
| branches: [ main ] | |
| paths: | |
| - "infra/terraform/**" | |
| workflow_dispatch: | |
| concurrency: | |
| group: terraform-${{ github.ref }} | |
| cancel-in-progress: false | |
| permissions: | |
| id-token: write | |
| contents: read | |
| pull-requests: write | |
| env: | |
| TOFU_VERSION: "1.11.5" | |
| TERRAGRUNT_VERSION: "0.99.4" | |
| TF_PLUGIN_CACHE_DIR: ${{ github.workspace }}/.terraform-plugin-cache | |
| jobs: | |
| detect-changes: | |
| name: Detect Changes | |
| runs-on: ubuntu-slim | |
| outputs: | |
| global: ${{ steps.filter.outputs.global }} | |
| prod: ${{ steps.filter.outputs.prod }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Detect changed paths | |
| uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 | |
| id: filter | |
| with: | |
| filters: | | |
| global: | |
| - "infra/terraform/live/global/**" | |
| - "infra/terraform/modules/**" | |
| - "infra/terraform/live/root.hcl" | |
| prod: | |
| - "infra/terraform/live/prod/**" | |
| - "infra/terraform/modules/**" | |
| - "infra/terraform/live/root.hcl" | |
| plan-global: | |
| name: Plan (global) | |
| needs: detect-changes | |
| if: >- | |
| needs.detect-changes.outputs.global == 'true' | |
| || github.event_name == 'workflow_dispatch' | |
| runs-on: ubuntu-slim | |
| environment: global | |
| env: | |
| AWS_REGION: us-east-1 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Configure AWS credentials | |
| if: ${{ !github.event.act }} | |
| uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_IAM_ROLE_ARN }} | |
| aws-region: ${{ env.AWS_REGION }} | |
| - name: Create plugin cache directory | |
| run: mkdir -p "$TF_PLUGIN_CACHE_DIR" | |
| - name: Cache OpenTofu providers | |
| if: ${{ !github.event.act }} | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 | |
| with: | |
| path: ${{ env.TF_PLUGIN_CACHE_DIR }} | |
| key: ${{ runner.os }}-tf-plugins-global-${{ hashFiles('infra/terraform/live/global/**/.terraform.lock.hcl') }} | |
| restore-keys: | | |
| ${{ runner.os }}-tf-plugins-global- | |
| - name: Plan | |
| if: ${{ !github.event.act }} | |
| uses: gruntwork-io/terragrunt-action@5e86476ca61eaf74adb9c0525745f29f921f2199 # v3.1.0 | |
| with: | |
| tg_version: ${{ env.TERRAGRUNT_VERSION }} | |
| tofu_version: ${{ env.TOFU_VERSION }} | |
| tg_dir: infra/terraform/live/global | |
| tg_command: 'run --all plan -no-color' | |
| tg_comment: '1' | |
| github_token: ${{ github.token }} | |
| plan-prod: | |
| name: Plan (prod) | |
| needs: detect-changes | |
| if: >- | |
| needs.detect-changes.outputs.prod == 'true' | |
| || github.event_name == 'workflow_dispatch' | |
| runs-on: ubuntu-slim | |
| environment: prod | |
| env: | |
| AWS_REGION: us-east-1 | |
| CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Configure AWS credentials | |
| if: ${{ !github.event.act }} | |
| uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_IAM_ROLE_ARN }} | |
| aws-region: ${{ env.AWS_REGION }} | |
| - name: Create plugin cache directory | |
| run: mkdir -p "$TF_PLUGIN_CACHE_DIR" | |
| - name: Cache OpenTofu providers | |
| if: ${{ !github.event.act }} | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 | |
| with: | |
| path: ${{ env.TF_PLUGIN_CACHE_DIR }} | |
| key: ${{ runner.os }}-tf-plugins-prod-${{ hashFiles('infra/terraform/live/prod/**/.terraform.lock.hcl') }} | |
| restore-keys: | | |
| ${{ runner.os }}-tf-plugins-prod- | |
| - name: Plan | |
| if: ${{ !github.event.act }} | |
| uses: gruntwork-io/terragrunt-action@5e86476ca61eaf74adb9c0525745f29f921f2199 # v3.1.0 | |
| env: | |
| CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} | |
| with: | |
| tg_version: ${{ env.TERRAGRUNT_VERSION }} | |
| tofu_version: ${{ env.TOFU_VERSION }} | |
| tg_dir: infra/terraform/live/prod | |
| tg_command: 'run --all plan -no-color' | |
| tg_comment: '1' | |
| github_token: ${{ github.token }} | |
| apply-global: | |
| name: Apply (global) | |
| needs: [ detect-changes, plan-global ] | |
| if: >- | |
| (github.event_name == 'push' | |
| && needs.detect-changes.outputs.global == 'true') | |
| || (github.event_name == 'workflow_dispatch' | |
| && github.ref == 'refs/heads/main') | |
| runs-on: ubuntu-slim | |
| environment: global | |
| env: | |
| AWS_REGION: us-east-1 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Configure AWS credentials | |
| if: ${{ !github.event.act }} | |
| uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_IAM_ROLE_ARN }} | |
| aws-region: ${{ env.AWS_REGION }} | |
| - name: Create plugin cache directory | |
| run: mkdir -p "$TF_PLUGIN_CACHE_DIR" | |
| - name: Cache OpenTofu providers | |
| if: ${{ !github.event.act }} | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 | |
| with: | |
| path: ${{ env.TF_PLUGIN_CACHE_DIR }} | |
| key: ${{ runner.os }}-tf-plugins-global-${{ hashFiles('infra/terraform/live/global/**/.terraform.lock.hcl') }} | |
| restore-keys: | | |
| ${{ runner.os }}-tf-plugins-global- | |
| - name: Apply | |
| if: ${{ !github.event.act }} | |
| uses: gruntwork-io/terragrunt-action@5e86476ca61eaf74adb9c0525745f29f921f2199 # v3.1.0 | |
| with: | |
| tg_version: ${{ env.TERRAGRUNT_VERSION }} | |
| tofu_version: ${{ env.TOFU_VERSION }} | |
| tg_dir: infra/terraform/live/global | |
| tg_command: 'run --all apply -no-color' | |
| github_token: ${{ github.token }} | |
| apply-prod: | |
| name: Apply (prod) | |
| needs: [ detect-changes, plan-prod, apply-global ] | |
| if: >- | |
| always() | |
| && (needs.apply-global.result == 'success' | |
| || needs.apply-global.result == 'skipped') | |
| && needs.plan-prod.result == 'success' | |
| && ((github.event_name == 'push' | |
| && needs.detect-changes.outputs.prod == 'true') | |
| || (github.event_name == 'workflow_dispatch' | |
| && github.ref == 'refs/heads/main')) | |
| runs-on: ubuntu-slim | |
| environment: prod | |
| env: | |
| AWS_REGION: us-east-1 | |
| CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Configure AWS credentials | |
| if: ${{ !github.event.act }} | |
| uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_IAM_ROLE_ARN }} | |
| aws-region: ${{ env.AWS_REGION }} | |
| - name: Create plugin cache directory | |
| run: mkdir -p "$TF_PLUGIN_CACHE_DIR" | |
| - name: Cache OpenTofu providers | |
| if: ${{ !github.event.act }} | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 | |
| with: | |
| path: ${{ env.TF_PLUGIN_CACHE_DIR }} | |
| key: ${{ runner.os }}-tf-plugins-prod-${{ hashFiles('infra/terraform/live/prod/**/.terraform.lock.hcl') }} | |
| restore-keys: | | |
| ${{ runner.os }}-tf-plugins-prod- | |
| - name: Apply | |
| if: ${{ !github.event.act }} | |
| uses: gruntwork-io/terragrunt-action@5e86476ca61eaf74adb9c0525745f29f921f2199 # v3.1.0 | |
| env: | |
| CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} | |
| with: | |
| tg_version: ${{ env.TERRAGRUNT_VERSION }} | |
| tofu_version: ${{ env.TOFU_VERSION }} | |
| tg_dir: infra/terraform/live/prod | |
| tg_command: 'run --all apply -no-color' | |
| github_token: ${{ github.token }} |
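Review bot: The workflow-level `permissions` block grants `pull-requests: write` to every job, but only the two plan jobs (which post the plan through `tg_comment: '1'`) need it; the apply jobs should get only `id-token: write` and `contents: read`, so scope `permissions:` under each job instead of at the top. On the same least-privilege theme, `plan-global` and `plan-prod` run on `pull_request` and assume the same `secrets.AWS_IAM_ROLE_ARN` as the apply jobs in the same environment, so a `run --all plan` of PR-branch code (which can execute provider and data-source code from that branch) appears to run with apply-level cloud access unless the `global`/`prod` environments carry protection rules; a separate read-only role secret for the plan jobs (a constructed example name: `AWS_PLAN_ROLE_ARN`) would bound that. Lastly, `CLOUDFLARE_API_TOKEN` is exported at job level in `plan-prod` and `apply-prod` and again in the terragrunt step's `env:`, so the job-level copy only widens exposure to checkout, cache and every other step; keep just the step-level declaration.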