gruntwork-io · Resonance1584 · Jan 17, 2025 · Jan 17, 2025 · Jan 17, 2025
diff --git a/.github/workflows/pipelines-vend-existing.yml b/.github/workflows/pipelines-vend-existing.yml
@@ -0,0 +1,158 @@
+name: Pipelines
+run-name: Run Gruntwork Pipelines
+on:
+  workflow_call:
+    inputs:
+      # This field can be overriden to customize the runner used for pipelines
+      # workflows.
+      #
+      # IMPORTANT: To use self-hosted runners this workflow must be hosted in
+      # the same GitHub organization as your infra-live repository.
+      # See https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-self-hosted-runners
+      #
+      # The value must be an escaped JSON string that will be decoded to the
+      # jobs.runs-on field
+      # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on
+      #
+      # For example:
+      # - A simple github runner: "\"ubuntu-22.04\""
+      # - A list of labels: "[\"self-hosted\", \"linux\"]"
+      # - A map: "{group: \"ubuntu-runners\", labels: \"ubuntu-20.04-16core\"}"
+      runner:
+        type: string
+        default: '"ubuntu-latest"'
+      api_base_url:
+        type: string
+        default: "https://api.prod.app.gruntwork.io/api/v1"
+      account_name:
+        type: string
+        required: true
+      management_account_id:
+        type: string
+        required: true
+      child_account_id:
+        type: string
+        required: true
+
+    secrets:
+      PIPELINES_READ_TOKEN:
+        required: true
+      INFRA_ROOT_WRITE_TOKEN:
+        required: true
+      ORG_REPO_ADMIN_TOKEN:
+        required: false
+
+env:
+  PIPELINES_CLI_VERSION: v0.34.0
+  PIPELINES_ACTIONS_VERSION: 2025-01-17_vend_existing_workflow
+  BOILERPLATE_VERSION: v0.5.16
+  GRUNTWORK_INSTALLER_VERSION: v0.0.40
+
+  # Disables all executions of terragrunt. This is useful for debugging
+  # specifics of pipelines actions/workflows and bypassing the (usually time consuming)
+  # actual IaC execution.
+  SKIP_TERRAGRUNT: false
+
+  # GitHub Actions tends to hit resource exhaustion and kill running jobs
+  # if we leave parallelism unbounded, so we set the max to 10 for a sane default.
+  TERRAGRUNT_PARALLELISM: 10
+
+jobs:
+  pipelines_setup_delegated_repo:
+    name: "Vend Existing Account Delegated Repo"
+    runs-on: ${{ fromJSON(inputs.runner) }}
+    steps:
+      - name: Fetch Gruntwork Read Token
+        id: pipelines-gruntwork-read-token
+        uses: gruntwork-io/pipelines-credentials@v1
+        with:
+          PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io"
+          FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
+          api_base_url: ${{ inputs.api_base_url }}
+
+      - name: Fetch Org Read Token
+        id: pipelines-customer-org-read-token
+        uses: gruntwork-io/pipelines-credentials@v1
+        with:
+          PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }}
+          FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
+          api_base_url: ${{ inputs.api_base_url }}
+
+      - name: Fetch Org Repo Admin Token
+        id: pipelines-org-repo-admin-token
+        uses: gruntwork-io/pipelines-credentials@v1
+        with:
+          PIPELINES_TOKEN_PATH: org-repo-admin/${{ github.repository_owner }}
+          FALLBACK_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }}
+          api_base_url: ${{ inputs.api_base_url }}
+
+      - name: Checkout Pipelines Actions
+        uses: actions/checkout@v4
+        with:
+          path: pipelines-actions
+          repository: gruntwork-io/pipelines-actions
+          ref: ${{ env.PIPELINES_ACTIONS_VERSION }}
+          token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
+
+      - name: Check out repo code
+        uses: actions/checkout@v4
+        with:
+          path: infra-live-repo
+          fetch-depth: 0
+          token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
+
+      - name: Bootstrap Workflow
+        id: gruntwork_context
+        uses: ./pipelines-actions/.github/actions/pipelines-bootstrap
+        with:
+          PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
+          PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
+          change_type: AccountsAdded
+          branch: main
+          terragrunt_command: run-all apply
+          working_directory: ${{ inputs.account_name }}
+          account_id: ${{ inputs.management_account_id }}
+          # additional_data: Might need something like {"AccountRequestType": "sandbox", "ChildAccountId": "id"}
+          child_account_id: ${{ inputs.child_account_id }}
+          new_account_name: ${{ inputs.account_name }}
+
+      - name: "Create Access Control PR"
+        id: access_control_pr
+        uses: ./pipelines-actions/.github/actions/pipelines-provision-access-control-action
+        with:
+          gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }}
+          PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
+          PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
+          ORG_REPO_ADMIN_TOKEN: ${{ steps.pipelines-org-repo-admin-token.outputs.PIPELINES_TOKEN }}
+
+      - name: "Create and bootstrap delegated Repo"
+        id: provision_delegated_repo
+        uses: ./pipelines-actions/.github/actions/pipelines-provision-repo-action
+        with:
+          gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }}
+          access_control_pull_request_url: ${{ steps.access_control_pr.outputs.pull_request_url }}
+          PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
+          PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
+          ORG_REPO_ADMIN_TOKEN: ${{ steps.pipelines-org-repo-admin-token.outputs.PIPELINES_TOKEN }}
+
+      # To learn more about customizing Pipelines see our documentation at https://docs.gruntwork.io/pipelines/maintain/extending/
+      - name: "Post create delegated repo custom actions"
+        uses: ./pipelines-actions/.github/custom-actions/post-create-delegated-repo
+        with:
+          gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }}
+          access_control_pull_request_url: ${{ steps.access_control_pr.outputs.pull_request_url }}
+          PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
+          PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
+          ORG_REPO_ADMIN_TOKEN: ${{ steps.pipelines-org-repo-admin-token.outputs.PIPELINES_TOKEN }}
+
+      - name: "Create Delegated Repo PR"
+        uses: ./pipelines-actions/.github/actions/pipelines-new-pr-action
+        with:
+          gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }}
+          GH_TOKEN: ${{ steps.pipelines-org-repo-admin-token.outputs.PIPELINES_TOKEN }}
+          path: ${{ steps.provision_delegated_repo.outputs.path }}
+          new_branch_name: ${{ steps.provision_delegated_repo.outputs.new_branch_name }}
+          commit_message: ${{ steps.provision_delegated_repo.outputs.commit_message }}
+          pr_body: ${{ steps.provision_delegated_repo.outputs.pr_body }}
+          requesting_pr_number: ${{ steps.provision_delegated_repo.outputs.requesting_pr_number }}
+          step_summary_content: ${{ steps.provision_delegated_repo.outputs.step_summary_content }}