-
Notifications
You must be signed in to change notification settings - Fork 24
155 lines (139 loc) · 6.23 KB
/
workflow.pr.terraform.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
---
name: PR Deployment
on: # yamllint disable-line rule:truthy
pull_request:
types:
- opened
- synchronize
- reopened
branches:
- main
concurrency:
group: pr-${{ github.event.pull_request.number }}
# By default, this workflow will cancel a previous run when a new one is queued.
# Depending on when the workflow was cancelled, it may leave orphaned environments
# that will be cleaned up after the PR is closed.
#
# To change this behavior and wait for the previous run to finish executing, set
# cancel-in-progress to false
cancel-in-progress: true
env:
KEY_VAULT_NAME: "kv-symphony-environments" #GitLeaksIgnore
PR_ENVIRONMENT_DIRECTORY: "pr"
TERRAFORM_VERSION: "1.1.7"
RUN_LAYER_TESTS: true
jobs:
Setup:
if: ${{ !github.event.pull_request.draft }}
runs-on: ubuntu-latest
outputs:
keyVaultName: ${{ steps.setValues.outputs.keyVaultName }}
prEnvironmentDirectory: ${{ steps.setValues.outputs.prEnvironmentDirectory }}
environmentName: ${{ steps.setValues.outputs.environmentName }}
terraformVersion: ${{ steps.setValues.outputs.terraformVersion }}
runLayerTests: ${{ steps.setValues.outputs.runLayerTests }}
steps:
- name: Set Values
id: setValues
run: |
echo "keyVaultName=$KEY_VAULT_NAME" >> $GITHUB_OUTPUT
echo "prEnvironmentDirectory=$PR_ENVIRONMENT_DIRECTORY" >> $GITHUB_OUTPUT
echo "terraformVersion=$TERRAFORM_VERSION" >> $GITHUB_OUTPUT
echo "runLayerTests=$RUN_LAYER_TESTS" >> $GITHUB_OUTPUT
suffix=$(uuidgen)
# create a 6 character hash of the suffix
suffixHash=$(echo -n "$suffix" | md5sum | cut -c1-6)
echo "environmentName=$suffixHash" >> $GITHUB_OUTPUT
Validate:
needs: Setup
uses: ./.github/workflows/template.terraform.validate.yml
with:
environmentName: ${{ needs.Setup.outputs.environmentName }}
environmentDirectory: ${{ needs.Setup.outputs.prEnvironmentDirectory }}
terraformVersion: ${{ needs.Setup.outputs.terraformVersion }}
goVersion: "1.18.1"
runLayerTest: ${{ needs.Setup.outputs.runLayerTests }}
keyVaultName: ${{ needs.Setup.outputs.keyVaultName }}
branchName: ${{ github.head_ref }}
secrets:
azureEnviromentCredentials: ${{ secrets.AZURE_CREDENTIALS }}
permissions:
actions: read
contents: read
security-events: write
NewEnvironment:
needs: [Setup, Validate]
uses: ./.github/workflows/template.storeevent.yml
permissions:
pull-requests: write
with:
pipelineName: PR
eventName: NewEnvironment
eventGroupId: PR-${{ github.event.pull_request.number }}-${{ github.repository_id }}
data: Name=${{ needs.Setup.outputs.environmentName }} SHA=${{ github.event.pull_request.head.sha }} Directory=${{ needs.Setup.outputs.prEnvironmentDirectory }}
keyVaultName: ${{ needs.Setup.outputs.keyVaultName }}
comment: |
Creating environment with name: "${{ needs.Setup.outputs.environmentName }}" using commit: "${{ github.event.pull_request.head.sha }}".
${{
contains(github.event.pull_request.labels.*.name, 'preserve-pr-environment') &&
format('The environment will not be destroyed after the workflow completes.\nTo delete it, use the [Destroy workflow](../actions/workflows/workflow.destroy.bicep.yml) on the current branch with "{0}" as the environment name.', needs.Setup.outputs.environmentName)
||
'The environment will be destroyed after the workflow completes.\nTo preserve it, add the "preserve-pr-environment" label to the PR.'
}}
secrets:
azureEnviromentCredentials: ${{ secrets.AZURE_CREDENTIALS }}
PreviewDeployBaseBranch:
needs: [Setup, NewEnvironment]
uses: ./.github/workflows/template.terraform.previewdeploy.yml
with:
environmentName: ${{ needs.Setup.outputs.environmentName }}
environmentDirectory: ${{ needs.Setup.outputs.prEnvironmentDirectory }}
terraformVersion: ${{ needs.Setup.outputs.terraformVersion }}
keyVaultName: ${{ needs.Setup.outputs.keyVaultName }}
branchName: ${{ github.base_ref }} # First, deploy the base branch
secrets:
azureEnviromentCredentials: ${{ secrets.AZURE_CREDENTIALS }}
PreviewDeployPRBranch:
needs: [Setup, PreviewDeployBaseBranch]
uses: ./.github/workflows/template.terraform.previewdeploy.yml
with:
environmentName: ${{ needs.Setup.outputs.environmentName }}
environmentDirectory: ${{ needs.Setup.outputs.prEnvironmentDirectory }}
terraformVersion: ${{ needs.Setup.outputs.terraformVersion }}
keyVaultName: ${{ needs.Setup.outputs.keyVaultName }}
branchName: ${{ github.head_ref }} # Now, deploy the diff on top of it
secrets:
azureEnviromentCredentials: ${{ secrets.AZURE_CREDENTIALS }}
Test:
uses: ./.github/workflows/template.terraform.test.yml
needs: [Setup, PreviewDeployPRBranch]
with:
environmentName: ${{ github.event.inputs.environmentName }}
terraformVersion: ${{ needs.Setup.outputs.terraformVersion }}
goVersion: "1.18.1"
keyVaultName: ${{ github.event.inputs.keyVaultName }}
branchName: ${{ github.ref_name }}
secrets:
azureEnviromentCredentials: ${{ secrets.AZURE_CREDENTIALS }}
Report:
needs: Test
if: ${{ github.event.inputs.backupStateFiles == 'true' }}
uses: ./.github/workflows/template.terraform.report.yml
with:
environmentName: ${{ github.event.inputs.environmentName }}
keyVaultName: ${{ github.event.inputs.keyVaultName }}
branchName: ${{ github.ref_name }}
secrets:
azureEnviromentCredentials: ${{ secrets.AZURE_CREDENTIALS }}
Destroy:
if: ${{ always() && !contains(github.event.pull_request.labels.*.name, 'preserve-pr-environment') }}
needs: [Setup, Test]
uses: ./.github/workflows/template.terraform.destroy.yml
with:
environmentName: ${{ needs.Setup.outputs.environmentName }}
environmentDirectory: ${{ needs.Setup.outputs.prEnvironmentDirectory }}
terraformVersion: ${{ needs.Setup.outputs.terraformVersion }}
keyVaultName: ${{ needs.Setup.outputs.keyVaultName }}
branchName: ${{ github.head_ref }}
secrets:
azureEnviromentCredentials: ${{ secrets.AZURE_CREDENTIALS }}