From d865c7c6eaf9aa1c8112e3d3e787678a50a308ef Mon Sep 17 00:00:00 2001
From: DaMandal0rian
Date: Tue, 5 Dec 2023 13:52:42 +0300
Subject: [PATCH] remove tfvars secret and add branch input
- remove tfvars secret and storing in github, use the encrypted terraform.tfvars file with transcrypt.
- add branch as input
- change API token name and remove vars secret file
- change path for dedicated runners
---
 .../workflows/ephemeral_devnet_aws_deploy.yml | 5 +++++
 .../ephemeral_devnet_hetzner_deploy.yml | 5 +++++
 .github/workflows/terraform_gh_runner.yml | 19 +++++++------------
 .../workflows/terraform_template_deploy.yml | 13 ++++---------
 .../terraform_template_ephemeral_deploy.yml | 16 +++++++---------
 5 files changed, 28 insertions(+), 30 deletions(-)
diff --git a/.github/workflows/ephemeral_devnet_aws_deploy.yml b/.github/workflows/ephemeral_devnet_aws_deploy.yml
index 144cbf64..157aa7f5 100644
--- a/.github/workflows/ephemeral_devnet_aws_deploy.yml
+++ b/.github/workflows/ephemeral_devnet_aws_deploy.yml
@@ -2,6 +2,10 @@ name: Main CD for Ephememeral Devnet Deployment
 on:
 workflow_dispatch:
+ inputs:
+ branch:
+ required: true
+ type: string
 pull_request:
 branches:
 - main
@@ -20,6 +24,7 @@ jobs:
 uses: ./.github/workflows/terraform_template_ephemeral_deploy.yml
 with:
 project: testing-framework
+ branch: ${{ github.event.inputs.branch }}
 instance: ec2
 resource: network
 tf_workspace_name: ephemeral-devnet
diff --git a/.github/workflows/ephemeral_devnet_hetzner_deploy.yml b/.github/workflows/ephemeral_devnet_hetzner_deploy.yml
index 00e45753..5141ea5e 100644
--- a/.github/workflows/ephemeral_devnet_hetzner_deploy.yml
+++ b/.github/workflows/ephemeral_devnet_hetzner_deploy.yml
@@ -2,6 +2,10 @@ name: Main CD for Ephememeral Devnet Deployment
 on:
 workflow_dispatch:
+ inputs:
+ branch:
+ required: true
+ type: string
 pull_request:
 branches:
 - main
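Review bot: `branch: ${{ github.event.inputs.branch }}` in the second aws hunk (new line 27) is an empty string on the `pull_request` trigger that the same workflow keeps, because `github.event.inputs` is only populated for `workflow_dispatch`; the reusable workflow then either rejects the call for a missing required input or, if the empty string is accepted, forwards `branch_name=""` to Terraform. A fallback keeps both triggers meaningful, e.g. `branch: ${{ github.event.inputs.branch || github.head_ref }}`. The hetzner workflow's second hunk has the identical line and needs the same change.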
@@ -20,6 +24,7 @@ jobs:
 uses: ./.github/workflows/terraform_template_ephemeral_deploy.yml
 with:
 project: testing-framework
+ branch: ${{ github.event.inputs.branch }}
 instance: hetzner
 resource: network
 tf_workspace_name: ephemeral-devnet-hetzner
diff --git a/.github/workflows/terraform_gh_runner.yml b/.github/workflows/terraform_gh_runner.yml
index f7623c09..d2a20e1d 100644
--- a/.github/workflows/terraform_gh_runner.yml
+++ b/.github/workflows/terraform_gh_runner.yml
@@ -6,7 +6,7 @@ on:
 branches:
 - main
 paths:
- - "github-runners/terraform/base/**"
+ - "github-runners/terraform/dedicated/**"
 jobs:
 terraform_gh_runner:
@@ -22,11 +22,11 @@ jobs:
 uses: hashicorp/setup-terraform@v1
 with:
 terraform_version: "1.5.7"
- cli_config_credentials_token: ${{ secrets.TF_CLOUD_TOKEN }}
+ cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
- - name: Install dependencies
+ - name: Decrypt the secrets
 run: |
- # Install any dependencies required by your Terraform code
+ bash scripts/transcrypt -c aes-256-cbc -p ${{ secrets.TRANSCRYPT }} -y
 - name: Run Bash Script
 id: generate_runner_token
@@ -54,14 +54,9 @@ jobs:
 # in subsequent steps with terraform for runner registration
 echo "::set-output name=runner_token::$runner_token"
- - name: Fetch and write terraform.tfvars
- run: |
- echo ${{ secrets.TF_VARS_FILE }} > /tmp/terraform.tfvars
- chmod 600 /tmp/terraform.tfvars
-
 - name: Run Terraform
- working-directory: ./github-runners/terraform/base
+ working-directory: ./github-runners/terraform/dedicated
 run: |
 terraform init
- terraform plan -var-file=/tmp/terraform.tfvars
- terraform apply -auto-approve -var "gh_token=${{ steps.generate_runner_token.outputs.runner_token }}" -var-file=/tmp/terraform.tfvars
+ terraform plan -var-file=terraform.tfvars
+ terraform apply -auto-approve -var "gh_token=${{ steps.generate_runner_token.outputs.runner_token }}" -var-file=terraform.tfvars
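Review bot: The `Decrypt the secrets` step in the second terraform_gh_runner hunk expands `${{ secrets.TRANSCRYPT }}` straight into the shell script text, unquoted, so a passphrase containing whitespace or shell metacharacters is split or interpreted by bash rather than passed as one argument; route it through the environment, which is also the form GitHub recommends for expressions inside `run`: `env:` / `TRANSCRYPT_PASSWORD: ${{ secrets.TRANSCRYPT }}` on the step and `bash scripts/transcrypt -c aes-256-cbc -p "$TRANSCRYPT_PASSWORD" -y`. Either way `-p` leaves the passphrase visible in the process arguments for the duration of the call, and as far as I recall transcrypt also persists it in the checkout's `.git/config`; that is harmless on a hosted runner that is discarded with the job, but if `runs-on` (outside this hunk) is a persistent self-hosted runner the job should end with a cleanup of the checkout or transcrypt's credential-flush option, if the bundled version has one. The third hunk's `terraform plan -var-file=terraform.tfvars` depends on this step having re-checked out the decrypted file, which is worth stating in a step comment such as `# terraform.tfvars is transcrypt-encrypted in git; decrypted by the step above`.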
diff --git a/.github/workflows/terraform_template_deploy.yml b/.github/workflows/terraform_template_deploy.yml
index 7552725a..c09678ed 100644
--- a/.github/workflows/terraform_template_deploy.yml
+++ b/.github/workflows/terraform_template_deploy.yml
@@ -71,26 +71,21 @@ jobs:
 working-directory: ${{ inputs.project }}/${{ inputs.resource }}
 run: terraform validate
- - name: Fetch and write terraform.tfvars
- run: |
- echo ${{ secrets.TF_VARS_FILE }} > /tmp/terraform.tfvars
- chmod 600 /tmp/terraform.tfvars
-
 - name: Terraform Plan for ${{ inputs.project }}/${{ inputs.resource }}
 if: ${{ (inputs.run_destroy == 'no') }}
 working-directory: ${{ inputs.project }}/${{ inputs.resource }}
 run: |
- terraform plan -var-file=/tmp/terraform.tfvars
+ terraform plan -var-file=terraform.tfvars
 - name: Terraform Apply for ${{ inputs.project }}/${{ inputs.resource }}
 if: ${{ (inputs.run_apply == 'yes') && (inputs.run_destroy == 'no') }}
 working-directory: ${{ inputs.project }}/${{ inputs.resource }}
 run: |
- terraform apply -auto-approve -var-file=/tmp/terraform.tfvars
+ terraform apply -auto-approve -var-file=terraform.tfvars
 - name: Terraform Destroy for ${{ inputs.project }}/${{ inputs.resource }}
 if: ${{ (inputs.run_destroy == 'yes') }}
 working-directory: ${{ inputs.project }}/${{ inputs.resource }}
 run: |
- terraform plan -destroy -var-file=/tmp/terraform.tfvars
- terraform destroy -auto-approve -var-file=/tmp/terraform.tfvars
+ terraform plan -destroy -var-file=terraform.tfvars
+ terraform destroy -auto-approve -var-file=terraform.tfvars
diff --git a/.github/workflows/terraform_template_ephemeral_deploy.yml b/.github/workflows/terraform_template_ephemeral_deploy.yml
index fb4f000a..cb77d3ca 100644
--- a/.github/workflows/terraform_template_ephemeral_deploy.yml
+++ b/.github/workflows/terraform_template_ephemeral_deploy.yml
@@ -6,6 +6,9 @@ on:
 project:
 required: true
 type: string
+ branch:
+ required: true
+ type: string
 instance:
 required: true
 type: string
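Review bot: The plan, apply and destroy steps in the terraform_template_deploy hunk now read `terraform.tfvars` from the checkout, but nothing in the hunk decrypts it; the commit message says the file is committed transcrypt-encrypted, so unless a decrypt step already exists before line 71 of this template (outside the hunk) Terraform will be handed ciphertext and fail at plan time. A step comment above the plan step would make that dependency explicit, e.g. `# terraform.tfvars is transcrypt-encrypted in git and must be decrypted earlier in this job`. Minor style point on the same lines: Terraform loads a file named exactly `terraform.tfvars` from the working directory on its own, so `-var-file=terraform.tfvars` only restates the default and could be dropped. The ephemeral template's second hunk has the same dependency.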
@@ -75,26 +78,21 @@ jobs:
 working-directory: ${{ inputs.project }}/${{ inputs.instance }}/${{ inputs.resource }}
 run: terraform validate
- - name: Fetch and write terraform.tfvars
- run: |
- echo ${{ secrets.TF_VARS_FILE }} > /tmp/terraform.tfvars
- chmod 600 /tmp/terraform.tfvars
-
 - name: Terraform Plan for ${{ inputs.project }}/${{ inputs.instance }}/${{ inputs.resource }}
 if: ${{ (inputs.run_destroy == 'no') }}
 working-directory: ${{ inputs.project }}/${{ inputs.instance }}/${{ inputs.resource }}
 run: |
- terraform plan -var-file=/tmp/terraform.tfvars
+ terraform plan -var-file=terraform.tfvars -var "branch_name=${{ inputs.branch }}"
 - name: Terraform Apply for ${{ inputs.project }}/${{ inputs.instance }}/${{ inputs.resource }}
 if: ${{ (inputs.run_apply == 'yes') && (inputs.run_destroy == 'no') }}
 working-directory: ${{ inputs.project }}/${{ inputs.instance }}/${{ inputs.resource }}
 run: |
- terraform apply -auto-approve -var-file=/tmp/terraform.tfvars
+ terraform apply -auto-approve -var-file=terraform.tfvars -var "branch_name=${{ inputs.branch }}"
 - name: Terraform Destroy for ${{ inputs.project }}/${{ inputs.instance }}/${{ inputs.resource }}
 if: ${{ (inputs.run_destroy == 'yes') }}
 working-directory: ${{ inputs.project }}/${{ inputs.instance }}/${{ inputs.resource }}
 run: |
- terraform plan -destroy -var-file=/tmp/terraform.tfvars
- terraform destroy -auto-approve -var-file=/tmp/terraform.tfvars
+ terraform plan -destroy -var-file=terraform.tfvars -var "branch_name=${{ inputs.branch }}"
+ terraform destroy -auto-approve -var-file=terraform.tfvars -var "branch_name=${{ inputs.branch }}"
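Review bot: `-var "branch_name=${{ inputs.branch }}"` on the four new plan, apply and destroy lines is substituted into the script text before bash runs it, so the surrounding double quotes protect nothing: `branch` arrives from a free-text `workflow_dispatch` input in the calling workflows, and a value containing quotes or shell metacharacters is interpreted by bash instead of being treated as data. Pass it through the environment, the pattern GitHub documents for expressions in `run` steps: add `env:` / `BRANCH_NAME: ${{ inputs.branch }}` to each of the three steps and write `-var "branch_name=$BRANCH_NAME"`. Terraform then sees the same variable value on every path, and the step no longer depends on what characters the caller sends. The enclosing job starts before line 78 and is outside the hunk.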