# CD — runs on merge to main and applies the Terraform plan.
#
# Uses a GitHub Environment ("production") which can be configured with
# required reviewers for an approval gate before apply:
# Settings > Environments > production > Required reviewers
#
# Uses the same secrets as ci.yml — see that file for the full list
# and setup instructions, including AES_256_ENCRYPTION_KEY for state storage.
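name: CD — Terraform Apply

# Trigger: pushes to main that touch the dbt config or any Terraform file.
on:
  push:
    branches: [main]
    paths:
      - "dbt-config.yml"
      - "**.tf"

# Scope of the automatically provided GITHUB_TOKEN for this workflow.
permissions:
  contents: read
  actions: write  # required to upload state artifact

# The state is kept in a workflow artifact, and nothing in this file locks it.
# Serialise runs so two applies cannot download the same state and then
# overwrite each other's upload. An apply that is already running is never
# cancelled, because interrupting it could leave state and real resources
# out of sync.
concurrency:
  group: cd-terraform-apply
  cancel-in-progress: false

jobs:
  apply:
    name: Apply
    runs-on: ubuntu-latest
    environment: production  # remove this line if you don't need an approval gate
    # Terraform input variables, supplied from repository/environment secrets.
    # NOTE(review): job-level env is exported to every step of the job,
    # including the third-party actions below that have no use for these
    # values. Consider declaring them only on the plan/apply steps.
    env:
      TF_VAR_dbt_account_id: ${{ secrets.DBT_ACCOUNT_ID }}
      TF_VAR_dbt_token: ${{ secrets.DBT_TOKEN }}
      TF_VAR_dbt_pat: ${{ secrets.DBT_PAT }}
      TF_VAR_dbt_host_url: "https://cloud.getdbt.com"
      TF_VAR_environment_credentials: ${{ secrets.ENVIRONMENT_CREDENTIALS }}
      TF_VAR_connection_credentials: ${{ secrets.CONNECTION_CREDENTIALS }}
      TF_VAR_lineage_tokens: ${{ secrets.LINEAGE_TOKENS }}
      TF_VAR_oauth_client_secrets: ${{ secrets.OAUTH_CLIENT_SECRETS }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # NOTE(review): this action is referenced by a mutable tag and is handed
      # the state encryption key and a token. Consider pinning it to a full
      # commit SHA, e.g. `badgerhobbs/terraform-state@<FULL_COMMIT_SHA> # v2`.
      - name: Download Terraform State
        uses: badgerhobbs/terraform-state@v2
        with:
          encryption_key: ${{ secrets.AES_256_ENCRYPTION_KEY }}
          operation: download
          location: artifact
          github_token: ${{ secrets.GITHUB_TOKEN }}
        # NOTE(review): this ignores every download failure, not only the
        # "no artifact yet" case (an expired artifact or a wrong key would
        # presumably look the same — TODO confirm against the action).
        # Terraform would then plan against empty state, and the always()
        # upload at the end of the job would store that result as the state.
        continue-on-error: true  # OK to fail on first run — no artifact exists yet

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "~1"

      - name: Terraform Init
        run: terraform init

      # The saved plan file holds the resolved variable values unencrypted;
      # it stays on the runner here and should not be published as an artifact.
      - name: Terraform Plan
        run: terraform plan -no-color -out=tfplan

      # Applies exactly the plan saved by the previous step.
      - name: Terraform Apply
        run: terraform apply -auto-approve tfplan

      - name: Upload Terraform State
        uses: badgerhobbs/terraform-state@v2
        if: always()  # upload even if apply partially succeeded, to preserve any changes
        with:
          encryption_key: ${{ secrets.AES_256_ENCRYPTION_KEY }}
          operation: upload
          location: artifact
          github_token: ${{ secrets.GITHUB_TOKEN }}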