From f3be70ca7292c4f7af2b2b382849d94fb037a82f Mon Sep 17 00:00:00 2001 From: Doc Ritezel Date: Thu, 20 Feb 2025 12:25:33 -0800 Subject: [PATCH] Add Terraform for production environment [#3641] * Remove old IaC configuration * Manage Terraform Service Accounts in Terraform scripts * Add terraform validation workflow using Workload Identity Federation * Remove jupyterhub disks and instance group resources * Add makefile to run Terraform locally --------- 
Signed-off-by: Doc Ritezel Co-authored-by: Erika Pacheco --- .github/workflows/terraform-apply.yml | 106 + .github/workflows/terraform-deploy.yml | 48 - .github/workflows/terraform-plan.yml | 122 + .github/workflows/terraform-report.yml | 70 - iac/.engine | 1 - iac/.gitignore | 6 + iac/Makefile | 9 + iac/README.md | 46 + iac/cal-itp-data-infra-staging/Makefile | 28 + .../firewall/us/.terraform.lock.hcl | 22 + .../firewall/us/compute_firewall.tf | 71 + .../firewall/us/outputs.tf | 15 + .../firewall/us/provider.tf | 16 + .../firewall/us/variables.tf | 8 + .../gcs/us/.terraform.lock.hcl | 22 + .../gcs/us/outputs.tf | 139 + .../gcs/us/provider.tf | 16 + .../gcs/us/storage_bucket.tf | 91 + .../gcs/us/storage_bucket_acl.tf | 23 + .../gcs/us/storage_bucket_iam_binding.tf | 35 + .../gcs/us/storage_bucket_iam_member.tf | 35 + .../gcs/us/storage_bucket_iam_policy.tf | 181 + .../gcs/us/storage_default_object_acl.tf | 23 + .../iam/us/.terraform.lock.hcl | 22 + .../iam/us/iam_workload_identity.tf | 30 + .../iam/us/outputs.tf | 175 + .../iam/us/project_iam_custom_role.tf | 8 + .../iam/us/project_iam_member.tf | 231 + .../iam/us/provider.tf | 16 + .../iam/us/service_account.tf | 35 + .../networks/us/.terraform.lock.hcl | 22 + .../networks/us/compute_network.tf | 10 + .../networks/us/outputs.tf | 3 + .../networks/us/provider.tf | 16 + .../project/us/.terraform.lock.hcl | 22 + .../project/us/outputs.tf | 3 + .../project/us/project.tf | 7 + .../project/us/provider.tf | 16 + .../routes/us/.terraform.lock.hcl | 22 + .../routes/us/compute_route.tf | 9 + .../routes/us/outputs.tf | 3 + .../routes/us/provider.tf | 16 + .../routes/us/variables.tf | 8 + iac/cal-itp-data-infra/Makefile | 28 + .../disks/us/.terraform.lock.hcl | 22 + .../disks/us/compute_disk.tf | 1038 +++++ iac/cal-itp-data-infra/disks/us/outputs.tf | 207 + iac/cal-itp-data-infra/disks/us/provider.tf | 16 + .../firewall/us/.terraform.lock.hcl | 22 + .../firewall/us/compute_firewall.tf | 358 ++ 
iac/cal-itp-data-infra/firewall/us/outputs.tf | 71 + .../firewall/us/provider.tf | 16 + .../firewall/us/variables.tf | 8 + .../gcs/us/.terraform.lock.hcl | 22 + iac/cal-itp-data-infra/gcs/us/outputs.tf | 2911 ++++++++++++ iac/cal-itp-data-infra/gcs/us/provider.tf | 16 + .../gcs/us/storage_bucket.tf | 1533 +++++++ .../gcs/us/storage_bucket_acl.tf | 415 ++ .../gcs/us/storage_bucket_iam_binding.tf | 623 +++ .../gcs/us/storage_bucket_iam_member.tf | 623 +++ .../gcs/us/storage_bucket_iam_policy.tf | 3916 +++++++++++++++++ .../gcs/us/storage_default_object_acl.tf | 428 ++ .../gke/us/.terraform.lock.hcl | 22 + .../gke/us/container_cluster.tf | 101 + .../gke/us/container_node_pool.tf | 291 ++ iac/cal-itp-data-infra/gke/us/outputs.tf | 19 + iac/cal-itp-data-infra/gke/us/provider.tf | 16 + iac/cal-itp-data-infra/gke/us/variables.tf | 8 + .../httpHealthChecks/us/.terraform.lock.hcl | 22 + .../us/compute_http_health_check.tf | 23 + .../httpHealthChecks/us/outputs.tf | 7 + .../httpHealthChecks/us/provider.tf | 16 + .../iam/us/.terraform.lock.hcl | 22 + .../iam/us/iam_workload_identity.tf | 30 + iac/cal-itp-data-infra/iam/us/outputs.tf | 515 +++ .../iam/us/project_iam_custom_role.tf | 17 + .../iam/us/project_iam_member.tf | 549 +++ iac/cal-itp-data-infra/iam/us/provider.tf | 16 + .../iam/us/service_account.tf | 257 ++ .../us/.terraform.lock.hcl | 22 + .../us/compute_instance_group_manager.tf | 220 + .../instanceGroupManagers/us/outputs.tf | 71 + .../instanceGroupManagers/us/provider.tf | 16 + .../instanceGroups/us/.terraform.lock.hcl | 22 + .../us/compute_instance_group.tf | 80 + .../instanceGroups/us/outputs.tf | 35 + .../instanceGroups/us/provider.tf | 16 + .../kms/us/.terraform.lock.hcl | 22 + iac/cal-itp-data-infra/kms/us/kms_key_ring.tf | 5 + iac/cal-itp-data-infra/kms/us/outputs.tf | 3 + iac/cal-itp-data-infra/kms/us/provider.tf | 16 + .../logging/us/.terraform.lock.hcl | 22 + .../logging/us/logging_metric.tf | 12 + iac/cal-itp-data-infra/logging/us/outputs.tf | 3 + 
iac/cal-itp-data-infra/logging/us/provider.tf | 16 + .../networks/us/.terraform.lock.hcl | 22 + .../networks/us/compute_network.tf | 10 + iac/cal-itp-data-infra/networks/us/outputs.tf | 3 + .../networks/us/provider.tf | 16 + .../project/us/.terraform.lock.hcl | 22 + iac/cal-itp-data-infra/project/us/outputs.tf | 3 + iac/cal-itp-data-infra/project/us/project.tf | 7 + iac/cal-itp-data-infra/project/us/provider.tf | 16 + .../routes/us/.terraform.lock.hcl | 22 + .../routes/us/compute_route.tf | 9 + iac/cal-itp-data-infra/routes/us/outputs.tf | 3 + iac/cal-itp-data-infra/routes/us/provider.tf | 16 + iac/cal-itp-data-infra/routes/us/variables.tf | 8 + iac/terraform/.gitignore | 1 - .../gcp-components/.terraform.lock.hcl | 21 - .../deployments/gcp-components/terraform.tf | 21 - .../deployments/gcp-components/vars.tf | 29 - .../dev/gcp-components/target.tfbackend | 1 - .../targets/dev/gcp-components/target.tfvars | 3 - iac/terraform/targets/local/README.md | 5 - .../targets/local/gcp-components/.gitignore | 1 - .../local/gcp-components/target.tfvars | 3 - .../prod/gcp-components/target.tfbackend | 1 - .../targets/prod/gcp-components/target.tfvars | 3 - 119 files changed, 16630 insertions(+), 208 deletions(-) create mode 100644 .github/workflows/terraform-apply.yml delete mode 100644 .github/workflows/terraform-deploy.yml create mode 100644 .github/workflows/terraform-plan.yml delete mode 100644 .github/workflows/terraform-report.yml delete mode 160000 iac/.engine create mode 100644 iac/.gitignore create mode 100644 iac/Makefile create mode 100644 iac/README.md create mode 100644 iac/cal-itp-data-infra-staging/Makefile create mode 100644 iac/cal-itp-data-infra-staging/firewall/us/.terraform.lock.hcl create mode 100755 iac/cal-itp-data-infra-staging/firewall/us/compute_firewall.tf create mode 100755 iac/cal-itp-data-infra-staging/firewall/us/outputs.tf create mode 100755 iac/cal-itp-data-infra-staging/firewall/us/provider.tf create mode 100755 
iac/cal-itp-data-infra-staging/firewall/us/variables.tf create mode 100644 iac/cal-itp-data-infra-staging/gcs/us/.terraform.lock.hcl create mode 100755 iac/cal-itp-data-infra-staging/gcs/us/outputs.tf create mode 100755 iac/cal-itp-data-infra-staging/gcs/us/provider.tf create mode 100755 iac/cal-itp-data-infra-staging/gcs/us/storage_bucket.tf create mode 100755 iac/cal-itp-data-infra-staging/gcs/us/storage_bucket_acl.tf create mode 100755 iac/cal-itp-data-infra-staging/gcs/us/storage_bucket_iam_binding.tf create mode 100755 iac/cal-itp-data-infra-staging/gcs/us/storage_bucket_iam_member.tf create mode 100755 iac/cal-itp-data-infra-staging/gcs/us/storage_bucket_iam_policy.tf create mode 100755 iac/cal-itp-data-infra-staging/gcs/us/storage_default_object_acl.tf create mode 100644 iac/cal-itp-data-infra-staging/iam/us/.terraform.lock.hcl create mode 100644 iac/cal-itp-data-infra-staging/iam/us/iam_workload_identity.tf create mode 100755 iac/cal-itp-data-infra-staging/iam/us/outputs.tf create mode 100755 iac/cal-itp-data-infra-staging/iam/us/project_iam_custom_role.tf create mode 100755 iac/cal-itp-data-infra-staging/iam/us/project_iam_member.tf create mode 100755 iac/cal-itp-data-infra-staging/iam/us/provider.tf create mode 100755 iac/cal-itp-data-infra-staging/iam/us/service_account.tf create mode 100644 iac/cal-itp-data-infra-staging/networks/us/.terraform.lock.hcl create mode 100755 iac/cal-itp-data-infra-staging/networks/us/compute_network.tf create mode 100755 iac/cal-itp-data-infra-staging/networks/us/outputs.tf create mode 100755 iac/cal-itp-data-infra-staging/networks/us/provider.tf create mode 100644 iac/cal-itp-data-infra-staging/project/us/.terraform.lock.hcl create mode 100755 iac/cal-itp-data-infra-staging/project/us/outputs.tf create mode 100755 iac/cal-itp-data-infra-staging/project/us/project.tf create mode 100755 iac/cal-itp-data-infra-staging/project/us/provider.tf create mode 100644 iac/cal-itp-data-infra-staging/routes/us/.terraform.lock.hcl create 
mode 100755 iac/cal-itp-data-infra-staging/routes/us/compute_route.tf create mode 100755 iac/cal-itp-data-infra-staging/routes/us/outputs.tf create mode 100755 iac/cal-itp-data-infra-staging/routes/us/provider.tf create mode 100755 iac/cal-itp-data-infra-staging/routes/us/variables.tf create mode 100644 iac/cal-itp-data-infra/Makefile create mode 100644 iac/cal-itp-data-infra/disks/us/.terraform.lock.hcl create mode 100755 iac/cal-itp-data-infra/disks/us/compute_disk.tf create mode 100755 iac/cal-itp-data-infra/disks/us/outputs.tf create mode 100755 iac/cal-itp-data-infra/disks/us/provider.tf create mode 100644 iac/cal-itp-data-infra/firewall/us/.terraform.lock.hcl create mode 100755 iac/cal-itp-data-infra/firewall/us/compute_firewall.tf create mode 100755 iac/cal-itp-data-infra/firewall/us/outputs.tf create mode 100755 iac/cal-itp-data-infra/firewall/us/provider.tf create mode 100755 iac/cal-itp-data-infra/firewall/us/variables.tf create mode 100644 iac/cal-itp-data-infra/gcs/us/.terraform.lock.hcl create mode 100755 iac/cal-itp-data-infra/gcs/us/outputs.tf create mode 100755 iac/cal-itp-data-infra/gcs/us/provider.tf create mode 100755 iac/cal-itp-data-infra/gcs/us/storage_bucket.tf create mode 100755 iac/cal-itp-data-infra/gcs/us/storage_bucket_acl.tf create mode 100755 iac/cal-itp-data-infra/gcs/us/storage_bucket_iam_binding.tf create mode 100755 iac/cal-itp-data-infra/gcs/us/storage_bucket_iam_member.tf create mode 100755 iac/cal-itp-data-infra/gcs/us/storage_bucket_iam_policy.tf create mode 100755 iac/cal-itp-data-infra/gcs/us/storage_default_object_acl.tf create mode 100644 iac/cal-itp-data-infra/gke/us/.terraform.lock.hcl create mode 100755 iac/cal-itp-data-infra/gke/us/container_cluster.tf create mode 100755 iac/cal-itp-data-infra/gke/us/container_node_pool.tf create mode 100755 iac/cal-itp-data-infra/gke/us/outputs.tf create mode 100755 iac/cal-itp-data-infra/gke/us/provider.tf create mode 100755 iac/cal-itp-data-infra/gke/us/variables.tf create mode 
100644 iac/cal-itp-data-infra/httpHealthChecks/us/.terraform.lock.hcl create mode 100755 iac/cal-itp-data-infra/httpHealthChecks/us/compute_http_health_check.tf create mode 100755 iac/cal-itp-data-infra/httpHealthChecks/us/outputs.tf create mode 100755 iac/cal-itp-data-infra/httpHealthChecks/us/provider.tf create mode 100644 iac/cal-itp-data-infra/iam/us/.terraform.lock.hcl create mode 100644 iac/cal-itp-data-infra/iam/us/iam_workload_identity.tf create mode 100755 iac/cal-itp-data-infra/iam/us/outputs.tf create mode 100755 iac/cal-itp-data-infra/iam/us/project_iam_custom_role.tf create mode 100755 iac/cal-itp-data-infra/iam/us/project_iam_member.tf create mode 100755 iac/cal-itp-data-infra/iam/us/provider.tf create mode 100755 iac/cal-itp-data-infra/iam/us/service_account.tf create mode 100644 iac/cal-itp-data-infra/instanceGroupManagers/us/.terraform.lock.hcl create mode 100755 iac/cal-itp-data-infra/instanceGroupManagers/us/compute_instance_group_manager.tf create mode 100755 iac/cal-itp-data-infra/instanceGroupManagers/us/outputs.tf create mode 100755 iac/cal-itp-data-infra/instanceGroupManagers/us/provider.tf create mode 100644 iac/cal-itp-data-infra/instanceGroups/us/.terraform.lock.hcl create mode 100755 iac/cal-itp-data-infra/instanceGroups/us/compute_instance_group.tf create mode 100755 iac/cal-itp-data-infra/instanceGroups/us/outputs.tf create mode 100755 iac/cal-itp-data-infra/instanceGroups/us/provider.tf create mode 100644 iac/cal-itp-data-infra/kms/us/.terraform.lock.hcl create mode 100755 iac/cal-itp-data-infra/kms/us/kms_key_ring.tf create mode 100755 iac/cal-itp-data-infra/kms/us/outputs.tf create mode 100755 iac/cal-itp-data-infra/kms/us/provider.tf create mode 100644 iac/cal-itp-data-infra/logging/us/.terraform.lock.hcl create mode 100755 iac/cal-itp-data-infra/logging/us/logging_metric.tf create mode 100755 iac/cal-itp-data-infra/logging/us/outputs.tf create mode 100755 iac/cal-itp-data-infra/logging/us/provider.tf create mode 100644 
iac/cal-itp-data-infra/networks/us/.terraform.lock.hcl create mode 100755 iac/cal-itp-data-infra/networks/us/compute_network.tf create mode 100755 iac/cal-itp-data-infra/networks/us/outputs.tf create mode 100755 iac/cal-itp-data-infra/networks/us/provider.tf create mode 100644 iac/cal-itp-data-infra/project/us/.terraform.lock.hcl create mode 100755 iac/cal-itp-data-infra/project/us/outputs.tf create mode 100755 iac/cal-itp-data-infra/project/us/project.tf create mode 100755 iac/cal-itp-data-infra/project/us/provider.tf create mode 100644 iac/cal-itp-data-infra/routes/us/.terraform.lock.hcl create mode 100755 iac/cal-itp-data-infra/routes/us/compute_route.tf create mode 100755 iac/cal-itp-data-infra/routes/us/outputs.tf create mode 100755 iac/cal-itp-data-infra/routes/us/provider.tf create mode 100755 iac/cal-itp-data-infra/routes/us/variables.tf delete mode 100644 iac/terraform/.gitignore delete mode 100644 iac/terraform/deployments/gcp-components/.terraform.lock.hcl delete mode 100644 iac/terraform/deployments/gcp-components/terraform.tf delete mode 100644 iac/terraform/deployments/gcp-components/vars.tf delete mode 100644 iac/terraform/targets/dev/gcp-components/target.tfbackend delete mode 100644 iac/terraform/targets/dev/gcp-components/target.tfvars delete mode 100644 iac/terraform/targets/local/README.md delete mode 100644 iac/terraform/targets/local/gcp-components/.gitignore delete mode 100644 iac/terraform/targets/local/gcp-components/target.tfvars delete mode 100644 iac/terraform/targets/prod/gcp-components/target.tfbackend delete mode 100644 iac/terraform/targets/prod/gcp-components/target.tfvars diff --git a/.github/workflows/terraform-apply.yml b/.github/workflows/terraform-apply.yml new file mode 100644 index 0000000000..e4cc76cad7 --- /dev/null +++ b/.github/workflows/terraform-apply.yml 
@@ -0,0 +1,106 @@
+name: Terraform Apply
+
+on:
+ push:
+ branches:
+ - 'main'
+ paths:
+ - 'iac/*'
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ targets:
+ name: Find targets
+
+ runs-on: ubuntu-latest
+
+ outputs:
+ staging: ${{ steps.staging.outputs.paths }}
+ production: ${{ steps.production.outputs.paths }}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Staging Terraform targets
+ id: staging
+ run: echo "paths=$(find iac -name 'provider.tf' | grep cal-itp-data-infra-staging/ | xargs dirname | jq --raw-input --slurp --compact-output 'split("\n")[:-1]')" >> ${GITHUB_OUTPUT}
+
+ - name: Production Terraform targets
+ id: production
+ run: echo "paths=$(find iac -name 'provider.tf' | grep cal-itp-data-infra/ | xargs dirname | jq --raw-input --slurp --compact-output 'split("\n")[:-1]')" >> ${GITHUB_OUTPUT}
+
+ staging:
+ name: Staging
+
+ needs: targets
+
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
+ strategy:
+ fail-fast: false
+ matrix:
+ path: ${{ fromJson(needs.targets.outputs.staging) }}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - uses: 'google-github-actions/auth@v2'
+ with:
+ create_credentials_file: 'true'
+ project_id: cal-itp-data-infra-staging
+ workload_identity_provider: 'projects/473674835135/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
+ service_account: 'github-actions-terraform@cal-itp-data-infra-staging.iam.gserviceaccount.com'
+
+ - uses: google-github-actions/setup-gcloud@v2
+
+ - name: Terraform Apply
+ uses: dflook/terraform-apply@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ path: ${{ matrix.path }}
+
+ production:
+ name: Production
+
+ needs: targets
+
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
+ strategy:
+ fail-fast: false
+ matrix:
+ path: ${{ fromJson(needs.targets.outputs.production) }}
+
+ steps:
+ - name: Checkout
+ uses: 
actions/checkout@v4 + + - uses: 'google-github-actions/auth@v2' + with: + create_credentials_file: 'true' + project_id: cal-itp-data-infra + workload_identity_provider: 'projects/1005246706141/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' + service_account: 'github-actions-terraform@cal-itp-data-infra.iam.gserviceaccount.com' + + - uses: google-github-actions/setup-gcloud@v2 + + - name: Terraform Apply + uses: dflook/terraform-apply@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + path: ${{ matrix.path }} diff --git a/.github/workflows/terraform-deploy.yml b/.github/workflows/terraform-deploy.yml deleted file mode 100644 index 0a76b1c303..0000000000 --- a/.github/workflows/terraform-deploy.yml +++ /dev/null @@ -1,48 +0,0 @@ -name: Deploy to a terraform target - -on: - push: - branches: - - 'main' - - 'targets/*' - paths: - - 'iac/terraform/*' - -jobs: - - deploy: - - runs-on: ubuntu-latest - steps: - - - uses: actions/checkout@v3 - with: - fetch-depth: 0 - submodules: true - - - uses: google-github-actions/setup-gcloud@v1 - with: - service_account_key: ${{ secrets.GCP_SA_KEY }} - export_default_credentials: true - - - uses: hashicorp/setup-terraform@v2 - with: - terraform_version: 1.1.7 - terraform_wrapper: false - - - name: terraform-deploy - shell: bash - env: - CONTENT_ROOT : ${{ github.workspace }}/iac - ENGINE_ROOT : ${{ github.workspace }}/iac/.engine - run: | - if [[ $GITHUB_REF == refs/heads/main ]]; then - export INFRA_TARGET_NAME=prod - else - export INFRA_TARGET_NAME=${GITHUB_BASE_BRANCH#targets/} - if [[ $INFRA_TARGET_NAME == prod ]]; then - echo "fatal: prod changes must be merged to main branch" >&2 - exit 1 - fi - fi - "$ENGINE_ROOT"/bin/terraform-deploy diff --git a/.github/workflows/terraform-plan.yml b/.github/workflows/terraform-plan.yml new file mode 100644 index 0000000000..8d2de3bffa --- /dev/null +++ b/.github/workflows/terraform-plan.yml 
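Review bot: The trigger filter `paths: - 'iac/*'` matches only files directly under `iac/` (a single `*` does not cross `/`), so edits to the nested targets this commit adds, such as `iac/cal-itp-data-infra/iam/us/project_iam_member.tf`, will never start this workflow; use `- 'iac/**'`. The staging and production jobs both depend only on `targets`, so a push to main applies to production in parallel with staging rather than after it succeeds — consider `needs: [targets, staging]` on the production job plus a protected `environment:` with required reviewers, since the apply account must be able to manage project IAM bindings (this commit puts `iam/us/project_iam_member.tf` under Terraform control). The job-level `permissions:` blocks replace the workflow-level grant, so the `pull-requests: write` declared at the top is not in effect inside either job; if dflook/terraform-apply needs it to match the plan commented on the PR, that safeguard silently stops working — confirm and add it at job level. With a service account of this reach, pin `dflook/terraform-apply@v1`, `google-github-actions/auth@v2` and `setup-gcloud@v2` to commit SHAs rather than mutable tags.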
@@ -0,0 +1,122 @@
+name: Terraform Plan
+
+on:
+ pull_request:
+ paths:
+ - 'iac/*'
+
+jobs:
+ targets:
+ name: Find targets
+
+ runs-on: ubuntu-latest
+
+ outputs:
+ staging: ${{ steps.staging.outputs.paths }}
+ production: ${{ steps.production.outputs.paths }}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Staging Terraform targets
+ id: staging
+ run: echo "paths=$(find iac -name 'provider.tf' | grep cal-itp-data-infra-staging/ | xargs dirname | jq --raw-input --slurp --compact-output 'split("\n")[:-1]')" >> ${GITHUB_OUTPUT}
+
+ - name: Production Terraform targets
+ id: production
+ run: echo "paths=$(find iac -name 'provider.tf' | grep cal-itp-data-infra/ | xargs dirname | jq --raw-input --slurp --compact-output 'split("\n")[:-1]')" >> ${GITHUB_OUTPUT}
+
+ staging:
+ name: Staging
+
+ needs: targets
+
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
+ strategy:
+ fail-fast: false
+ matrix:
+ path: ${{ fromJson(needs.targets.outputs.staging) }}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - uses: 'google-github-actions/auth@v2'
+ with:
+ create_credentials_file: 'true'
+ project_id: cal-itp-data-infra-staging
+ workload_identity_provider: 'projects/473674835135/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
+ service_account: 'github-actions-terraform@cal-itp-data-infra-staging.iam.gserviceaccount.com'
+
+ - uses: google-github-actions/setup-gcloud@v2
+
+ - name: Terraform Formatting
+ uses: dflook/terraform-fmt-check@v1
+ with:
+ path: ${{ matrix.path }}
+
+ - name: Terraform Validation
+ uses: dflook/terraform-validate@v1
+ with:
+ path: ${{ matrix.path }}
+
+ - name: Terraform Plan
+ uses: dflook/terraform-plan@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ add_github_comment: changes-only
+ path: ${{ matrix.path }}
+
+ production:
+ name: Production
+
+ needs: targets
+
+ runs-on: ubuntu-latest
+
+ permissions:
+
contents: 'read'
+ id-token: 'write'
+
+ strategy:
+ fail-fast: false
+ matrix:
+ path: ${{ fromJson(needs.targets.outputs.production) }}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - uses: 'google-github-actions/auth@v2'
+ with:
+ create_credentials_file: 'true'
+ project_id: cal-itp-data-infra
+ workload_identity_provider: 'projects/1005246706141/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
+ service_account: 'github-actions-terraform@cal-itp-data-infra.iam.gserviceaccount.com'
+
+ - uses: google-github-actions/setup-gcloud@v2
+
+ - name: Terraform Format Check
+ uses: dflook/terraform-fmt-check@v1
+ with:
+ path: ${{ matrix.path }}
+
+ - name: Terraform Validate
+ uses: dflook/terraform-validate@v1
+ with:
+ path: ${{ matrix.path }}
+
+ - name: Terraform Plan
+ uses: dflook/terraform-plan@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ add_github_comment: changes-only
+ path: ${{ matrix.path }}
diff --git a/.github/workflows/terraform-report.yml b/.github/workflows/terraform-report.yml
deleted file mode 100644
index c556bae81d..0000000000
--- a/.github/workflows/terraform-report.yml
+++ /dev/null
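Review bot: Both plan jobs authenticate the pull-request branch to the same `github-actions-terraform@…` service accounts that the apply workflow uses, so any PR from a branch in this repository can run `terraform plan` — which executes provider and data-source code and can be pointed at a modified `.terraform.lock.hcl` — with production credentials before anyone has reviewed it. Give plan a separate read-only service account, or at least restrict the apply account in the Workload Identity provider's attribute condition to the default branch (e.g. `assertion.ref == 'refs/heads/main'`). The `paths: - 'iac/*'` filter matches only files directly under `iac/`, not the nested `*/us/*.tf` directories this commit creates, so plans will not run for most infrastructure changes; use `'iac/**'`. The job-level `permissions:` blocks grant only `contents` and `id-token`, while the `add_github_comment: changes-only` step posts through `GITHUB_TOKEN` and presumably needs `pull-requests: 'write'` — verify and add it, otherwise the plan comment that the apply workflow is meant to match will never be posted.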
@@ -1,70 +0,0 @@ -name: Report pending terraform changes - -on: - pull_request: - branches: - - 'main' - - 'targets/*' - paths: - - 'iac/terraform/*' - -jobs: - - changed: - - runs-on: ubuntu-latest - steps: - - - uses: actions/checkout@v3 - with: - fetch-depth: 0 - submodules: true - - - uses: 'google-github-actions/auth@v2' - with: - credentials_json: '${{ secrets.GCP_SA_KEY }}' - - - uses: google-github-actions/setup-gcloud@v2 - - - uses: hashicorp/setup-terraform@v2 - with: - terraform_version: 1.1.7 - terraform_wrapper: false - - - name: terraform-report - shell: bash - env: - CONTENT_ROOT : ${{ github.workspace }}/iac - ENGINE_ROOT : ${{ github.workspace }}/iac/.engine - GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }} - GITHUB_PR_NUMBER : ${{ github.event.number }} - GITHUB_BASE_BRANCH : ${{ github.event.pull_request.base.ref }} - run: | - - if [[ $GITHUB_BASE_BRANCH == main ]]; then - export INFRA_TARGET_NAME=prod - else - export INFRA_TARGET_NAME=${GITHUB_BASE_BRANCH#targets/} - if [[ $INFRA_TARGET_NAME == prod ]]; then - echo "fatal: prod changes must be merged to main branch" >&2 - exit 1 - fi - fi - - . "$ENGINE_ROOT"/lib/sh/terraform-report.sh - - if [[ ${#target_endpoint_changes[*]} == 0 ]]; then - exit 0 - fi - - gh pr comment $GITHUB_PR_NUMBER --body-file - <