Update finaldemo.yaml #4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Terraform Workflow with OIDC, SNS Notification, and Logs Upload to s3 | |
| on: | |
| push: | |
| branches: | |
| - main | |
| jobs: | |
| terraform: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write # Required for OIDC | |
| contents: read # Required to access repository contents | |
| steps: | |
| # Step 1: Checkout the repository | |
| - name: Checkout Code | |
| uses: actions/checkout@v3 | |
| # Step 2: Setup Terraform | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@v2 | |
| with: | |
| terraform_version: 1.5.6 | |
| # Step 3: Configure AWS Credentials using OIDC | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v2 | |
| with: | |
| role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.ROLE_NAME }} | |
| aws-region: ${{ secrets.AWS_REGION }} | |
| # Step 4: Initialize Terraform (INFO logging) | |
| - name: Terraform Init | |
| env: | |
| TF_LOG: INFO # Set Terraform logging to INFO for general info messages | |
| run: terraform init | |
| # Step 5: Terraform Validate (DEBUG logging) | |
| - name: Terraform Validate | |
| env: | |
| TF_LOG: DEBUG # Set Terraform logging to DEBUG for detailed logs | |
| TF_LOG_PATH: terraform_validate.log | |
| run: | | |
| terraform validate || echo "FAILURE_FLAG=true" >> $GITHUB_ENV | |
| true # Always continue execution | |
| # Step 6: Terraform Plan (INFO logging) | |
| - name: Terraform Plan | |
| env: | |
| TF_LOG: INFO # Set Terraform logging to INFO for plan-related logs | |
| TF_LOG_PATH: terraform_plan.log | |
| run: | | |
| terraform plan -out=tfplan || echo "FAILURE_FLAG=true" >> $GITHUB_ENV | |
| true # Always continue execution | |
| # Step 7: Terraform Apply (TRACE logging) | |
| - name: Terraform Apply | |
| env: | |
| TF_LOG: TRACE # Set Terraform logging to TRACE for detailed logs | |
| TF_LOG_PATH: terraform_apply.log | |
| run: | | |
| terraform apply -auto-approve tfplan || echo "FAILURE_FLAG=true" >> $GITHUB_ENV | |
| true # Always continue execution | |
| # Step 8: Ensure Logs Directory Exists (DEBUG logging) | |
| - name: Ensure Logs Directory Exists | |
| env: | |
| TF_LOG: DEBUG # Set Terraform logging to DEBUG for detailed process steps | |
| run: mkdir -p $GITHUB_WORKSPACE/logs | |
| # Step 9: Copy Logs to Logs Directory (WARN logging) | |
| - name: Copy Logs to Logs Directory | |
| env: | |
| TF_LOG: WARN # Set Terraform logging to WARN to capture potential issues | |
| run: | | |
| cp terraform_validate.log $GITHUB_WORKSPACE/logs/ || true | |
| cp terraform_plan.log $GITHUB_WORKSPACE/logs/ || true | |
| cp terraform_apply.log $GITHUB_WORKSPACE/logs/ || true | |
| echo "Files in logs directory:" | |
| ls -alh $GITHUB_WORKSPACE/logs/ | |
| # Step 10: Print Logs on Failure (ERROR logging) | |
| - name: Print Logs on Failure | |
| if: failure() # Only print logs if failure occurs | |
| env: | |
| TF_LOG: ERROR # Set Terraform logging to ERROR to capture critical failure messages | |
| run: | | |
| echo "Terraform failed. Logs are as follows:" | |
| cat $GITHUB_WORKSPACE/logs/terraform_validate.log || true | |
| cat $GITHUB_WORKSPACE/logs/terraform_plan.log || true | |
| cat $GITHUB_WORKSPACE/logs/terraform_apply.log || true | |
| # Step 11: Upload Terraform Logs as Artifacts (Always, even on failure) | |
| - name: Upload Terraform Logs as Artifacts | |
| if: always() # Ensure this runs even if the workflow fails | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: terraform-logs | |
| path: logs/ | |
| # Step 12: Upload Logs to S3 (Both Success and Failure) | |
| - name: Upload Logs to S3 | |
| if: always() # Ensure this runs even if the workflow fails | |
| run: | | |
| aws s3 cp $GITHUB_WORKSPACE/logs/ s3://${{ secrets.S3_BUCKET_NAME }}/logs/ --recursive | |
| # Step 13: Send SNS Notification (Success or Failure) | |
| - name: Send SNS Notification | |
| if: always() # Ensure this runs even if the workflow fails or succeeds | |
| run: | | |
| # Check the FAILURE_FLAG to determine whether the workflow failed | |
| if [[ "${{ env.FAILURE_FLAG }}" == "true" ]]; then | |
| SUBJECT="Terraform Workflow Status - failure" | |
| BODY="The Terraform workflow has failed. Please check the logs for details." | |
| else | |
| SUBJECT="Terraform Workflow Status - success" | |
| BODY="The Terraform workflow has completed successfully. Please check the logs for details." | |
| fi | |
| # Publish the SNS message with the status | |
| aws sns publish \ | |
| --topic-arn arn:aws:sns:${{ secrets.AWS_REGION }}:${{ secrets.AWS_ACCOUNT_ID }}:${{ secrets.SNS_TOPIC_NAME }} \ | |
| --message "$BODY" \ | |
| --subject "$SUBJECT" | |
| env: | |
| AWS_REGION: ${{ secrets.AWS_REGION }} | |
| # Step 14: Force Workflow Failure if Any Step Failed | |
| - name: Fail Workflow if Any Step Failed | |
| if: ${{ env.FAILURE_FLAG == 'true' }} | |
| run: | | |
| echo "One or more Terraform steps failed. Marking workflow as failed." | |
| exit 1 # Exit with failure status |