Skip to content

post-apply-prod-terraform #2277

post-apply-prod-terraform

post-apply-prod-terraform #2277

name: Post Apply Prod Terraform
run-name: post-apply-prod-terraform
concurrency:
group: ${{ github.workflow }}-${{ github.ref_name}}
on:
push:
branches:
- main
paths:
- "**.tf"
- "**.tfvars"
- "**.yaml"
- "**.yml"
jobs:
post-apply-prod-terraform:
permissions:
contents: "read" # needed for gcp_auth
id-token: "write" # needed for gcp_auth to create id token
issues: "write" # needed for tfcmt to post comments
pull-requests: "write" # needed for tfcmt to post comments
runs-on: ubuntu-latest
steps:
- name: Checkout
id: checkout
uses: actions/checkout@v4
- name: Wait for other terraform executions
id: wait_for_terraform
uses: ahmadnassri/action-workflow-queue@0144da6a252d1986d817826d963ad3a9af1e7fdf
- name: Authenticate to GCP
id: gcp-auth
uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ vars.GH_COM_KYMA_PROJECT_GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER }}
service_account: ${{ vars.GCP_TERRAFORM_EXECUTOR_SERVICE_ACCOUNT_EMAIL }}
- name: Retrieve Terraform Executor github PAT
id: secrets
uses: google-github-actions/get-secretmanager-secrets@v2
with:
secrets: |-
gh-terraform-executor-token:${{ vars.GCP_KYMA_PROJECT_PROJECT_ID }}/${{ vars.GH_TERRAFORM_EXECUTOR_SECRET_NAME }}
# Build tofu CLI from source until setup-opentofu action will become stable
- name: Download the tofu source
uses: actions/checkout@v4
with:
repository: opentofu/opentofu
path: opentofu
ref: 89ca50f3fe8c5327ec9943e9590bdb7b023fd4eb # v1.6.1
- name: Install tofu tooling
uses: actions/setup-go@v5
with:
go-version-file: opentofu/go.mod
cache-dependency-path: opentofu/go.sum
- name: Prepare the tofu command
working-directory: opentofu
run: |
go build -ldflags "-w -s -X 'github.com/opentofu/opentofu/version.dev=no'" -o bin/ ./cmd/tofu
echo $(pwd)/bin >> $GITHUB_PATH
# - name: Setup Terraform
# id: setup_terraform
# uses: opentofu/setup-opentofu@b06654f7ba51088e987c0a454d042360df3ebe86
- name: setup tfcmt
id: setup-tfcmt
uses: shmokmt/actions-setup-tfcmt@0d2b0c4cc4b5edc9c2dfdf7eb0c33ee7b23a7c85
with:
version: v4.7.1
- name: Terraform Init
id: terraform_init
run: tofu -chdir=./configs/terraform/environments/prod init -input=false
- name: Terraform Apply
env:
GITHUB_TOKEN: ${{ steps.secrets.outputs.gh-terraform-executor-token }}
id: terraform_apply
run: tfcmt -owner $GITHUB_REPOSITORY_OWNER -repo ${{ github.event.repository.name }} -sha ${{ github.sha }} apply -- tofu -chdir=./configs/terraform/environments/prod apply -input=false -no-color -auto-approve