feat: deploy IAM Identity Center to management account #85
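---
# Infrastructure pipeline: format check and plan on every PR / push to main,
# then deploy the management accounts and, after them, the governance
# accounts (main only). Workload and sandbox deploys are not enabled yet.
name: Infrastructure

on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main

# Least-privilege default for GITHUB_TOKEN. The plan/deploy jobs below
# request the OIDC permission they need explicitly.
permissions:
  contents: read

jobs:
  # Fails the run if any Terragrunt HCL file is not in canonical format.
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      - name: Install Dependencies
        uses: ./.github/actions/setup-terragrunt
      # Runs from the repository root so hclfmt walks every HCL file. The
      # previous `working-directory` referenced a step id that only exists in
      # the `prepare` job, so it always expanded to an empty string.
      - name: Check Formatting
        run: |
          terragrunt hclfmt --terragrunt-check

  # Produces the JSON arrays the plan/deploy matrices are built from.
  prepare:
    runs-on: ubuntu-latest
    outputs:
      accounts: ${{ steps.generate-matrixes.outputs.accounts }}
      management_accounts: ${{ steps.generate-matrixes.outputs.management_accounts }}
      governance_accounts: ${{ steps.generate-matrixes.outputs.governance_accounts }}
      workload_accounts: ${{ steps.generate-matrixes.outputs.workload_accounts }}
      sandbox_accounts: ${{ steps.generate-matrixes.outputs.sandbox_accounts }}
    steps:
      # The PAT is only needed to fetch the private submodule during checkout;
      # it is not left in .git/config afterwards because nothing visible in
      # the remaining steps needs git credentials.
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          token: ${{ secrets.INFRASTRUCTURE_PRIVATE_PAT }}
          submodules: 'true'
          persist-credentials: false
      - name: Extract Info
        id: extract-information
        uses: ./.github/actions/extract-account-info
        with:
          accounts-file: ./_private/accounts.json
      - name: Generate Matrixes
        id: generate-matrixes
        env:
          ACCOUNTS: ${{ steps.extract-information.outputs.accounts }}
          MANAGEMENT_ACCOUNTS: ${{ steps.extract-information.outputs.management-accounts }}
          GOVERNANCE_ACCOUNTS: ${{ steps.extract-information.outputs.governance-accounts }}
          WORKLOAD_ACCOUNTS: ${{ steps.extract-information.outputs.workload-accounts }}
          SANDBOX_ACCOUNTS: ${{ steps.extract-information.outputs.sandbox-accounts }}
        run: |
          # Turn a space-separated list into a compact JSON array, e.g.
          #   "account1 account2" -> ["account1","account2"]
          # $1 is deliberately unquoted so word splitting collapses any run of
          # whitespace before jq splits on single spaces. An empty input still
          # yields [""], unchanged from the previous behaviour.
          to_json_array() { echo $1 | jq -Rc 'split(" ")'; }

          {
            echo "accounts=$(to_json_array "$ACCOUNTS")"
            echo "management_accounts=$(to_json_array "$MANAGEMENT_ACCOUNTS")"
            echo "governance_accounts=$(to_json_array "$GOVERNANCE_ACCOUNTS")"
            echo "workload_accounts=$(to_json_array "$WORKLOAD_ACCOUNTS")"
            echo "sandbox_accounts=$(to_json_array "$SANDBOX_ACCOUNTS")"
          } >> "$GITHUB_OUTPUT"

  # Plans every account on both PRs and pushes; `fail-fast: false` so one
  # failing account does not hide the plan results of the others.
  plan:
    uses: ./.github/workflows/_plan.yml
    # `inherit` forwards every repository/organisation secret to the reusable
    # workflow; narrow this to the named secrets it needs once they are known.
    secrets: inherit
    needs: prepare
    permissions:
      id-token: write
      contents: read
    strategy:
      fail-fast: false
      matrix:
        account: ${{ fromJson(needs.prepare.outputs.accounts) }}
    with:
      accounts-file: ./_private/accounts.json
      account: ${{ matrix.account }}

  # Management accounts go first; governance depends on them (see `needs`).
  deploy-management:
    uses: ./.github/workflows/_deploy.yml
    if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
    secrets: inherit
    needs: [prepare, plan]
    permissions:
      id-token: write
      contents: read
    strategy:
      matrix:
        account: ${{ fromJson(needs.prepare.outputs.management_accounts) }}
    with:
      accounts-file: ./_private/accounts.json
      account: ${{ matrix.account }}

  deploy-governance:
    uses: ./.github/workflows/_deploy.yml
    # Same guard as deploy-management so both deploy jobs read alike; the
    # `needs` on deploy-management already made the main-only gate effective.
    if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
    secrets: inherit
    needs: [prepare, plan, deploy-management]
    permissions:
      id-token: write
      contents: read
    strategy:
      matrix:
        account: ${{ fromJson(needs.prepare.outputs.governance_accounts) }}
    with:
      accounts-file: ./_private/accounts.json
      account: ${{ matrix.account }}

  # Not yet enabled: workload and sandbox deploys run after governance.
  # deploy-workload:
  #   uses: ./.github/workflows/_deploy.yml
  #   if: github.event_name != 'pull_request'
  #   secrets: inherit
  #   needs: [prepare, plan, deploy-management, deploy-governance]
  #   permissions:
  #     id-token: write
  #     contents: read
  #   strategy:
  #     matrix:
  #       account: ${{ fromJson(needs.prepare.outputs.workload_accounts) }}
  #   with:
  #     accounts-file: ./_private/accounts.json
  #     account: ${{ matrix.account }}
  # deploy-sandbox:
  #   uses: ./.github/workflows/_deploy.yml
  #   if: github.event_name != 'pull_request'
  #   secrets: inherit
  #   needs: [prepare, plan, deploy-management, deploy-governance]
  #   permissions:
  #     id-token: write
  #     contents: read
  #   strategy:
  #     matrix:
  #       account: ${{ fromJson(needs.prepare.outputs.sandbox_accounts) }}
  #   with:
  #     accounts-file: ./_private/accounts.json
  #     account: ${{ matrix.account }}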