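# CI/CD for the Terraform code under ./bootstrap.
#
# Pipeline: compliance-scan, lint and qa run in parallel; plan waits for all
# three; apply runs only for a manual dispatch that answers "yes" to
# apply_plan, and it applies the exact plan file produced by the plan job
# (handed over as a workflow artifact) rather than re-planning on its own.
#
# NOTE(review): every `uses:` below is pinned to a moving tag. For
# supply-chain safety pin each action to a full commit SHA (with the tag in a
# trailing comment) and let a dependency bot move the SHA.
name: Bootstrap setup

on:
  workflow_dispatch:
    inputs:
      apply_plan:
        description: "Apply plan?"
        required: false
        # A choice input rejects free-form values, so only an explicit "yes"
        # can ever reach the apply job below.
        type: choice
        options:
          - "no"
          - "yes"
        default: "no"
  push:
    paths:
      - bootstrap/**

# Terraform mutates shared remote state; serialise runs of this workflow so
# two plan/apply pairs cannot interleave. Queued runs are not cancelled.
concurrency:
  group: bootstrap-terraform
  cancel-in-progress: false

env:
  TF_VAR_billing_account_id: ${{ secrets.BILLING_ACCOUNT_ID }}
  TF_VAR_seed_sa_email: ${{ secrets.SEED_SA_EMAIL_ADDRESS }}
  TF_VAR_github_admin_token: ${{ secrets.ADMIN_GITHUB_TOKEN }}
  TF_VAR_project_postfix: ${{ secrets.GCP_PROJECT_POSTFIX }}
  # Quoted so the values are unambiguously strings; Terraform reads the
  # environment variable text, not a YAML boolean.
  TF_IN_AUTOMATION: "true"
  TF_INPUT: "false"
  # NOTE(review): an admin-scoped PAT is exposed to every job, including
  # compliance-scan and lint which do not appear to need it. Consider moving
  # these three entries to the job level of qa, plan and apply only.
  GITHUB_TOKEN: ${{ secrets.ADMIN_GITHUB_TOKEN }}
  GH_TOKEN: ${{ secrets.ADMIN_GITHUB_TOKEN }}
  CLOUDSDK_CORE_PROJECT: ${{ secrets.GCP_PROJECT_ID }}

# Listing permissions explicitly sets every unlisted scope of GITHUB_TOKEN to
# none. id-token: write is required for Workload Identity Federation in the
# auth step; contents: read is what actions/checkout needs to clone a private
# repository (it uses github.token, not the GITHUB_TOKEN env var above).
permissions:
  id-token: write
  contents: read

defaults:
  run:
    working-directory: ./bootstrap

jobs:
  compliance-scan:
    # NOTE(review): ubuntu-20.04 is retired on GitHub-hosted runners; move
    # every job in this file to ubuntu-22.04 or ubuntu-latest.
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run Checkov action
        id: checkov
        # NOTE(review): the action reference below was garbled on the page
        # as "[email protected]"; restore "<owner>/<action>@<version>" from the
        # repository. The same applies to the auth and gcloud setup steps in
        # the qa, plan and apply jobs.
        uses: bridgecrewio/[email protected]
        with:
          framework: terraform
          # we are fine with Google's Keys
          # we are fine with basic roles (no org), we are fine with our own module
          skip_check: CKV_GCP_84,CKV_GIT_4,CKV_GCP_117,CKV_TF_1
          output_format: cli
          # Action inputs are always strings; quoted to make that explicit.
          download_external_modules: "true"

  lint:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setting up TFLint
        uses: terraform-linters/setup-tflint@v4
        with:
          tflint_version: v0.29.0
      - name: Initializing TFLint
        run: tflint --init
      - name: Linting
        run: tflint -f compact --disable-rule=terraform_module_pinned_source

  qa:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Authenticating
        uses: google-github-actions/[email protected]
        with:
          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.SEED_SA_EMAIL_ADDRESS }}
      - name: Setting up GCP environment
        uses: google-github-actions/[email protected]
      # Smoke test that the federated credentials actually work before any
      # Terraform command touches the backend.
      - name: Verify GCP authentication
        run: gcloud projects list
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
      - name: Terraform Init
        run: terraform init -backend-config="bucket=${{ secrets.TERRAFORM_STATE_BUCKET }}"
      - name: Terraform Format
        run: terraform fmt -check -recursive
      - name: Terraform Validate
        run: terraform validate -no-color

  plan:
    needs:
      - compliance-scan
      - lint
      - qa
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Authenticating
        uses: google-github-actions/[email protected]
        with:
          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.SEED_SA_EMAIL_ADDRESS }}
      - name: Setting up GCP environment
        uses: google-github-actions/[email protected]
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
      - name: Init
        run: terraform init -backend-config="bucket=${{ secrets.TERRAFORM_STATE_BUCKET }}"
      - name: Terraform Plan
        #run: terraform plan -no-color -var git_sha="${{ github.sha }}" -out=tfplan
        run: terraform plan -no-color -out=tfplan
      - name: Show Terraform Plan as Summary
        run: |
          {
            echo "### Terraform Plan Output";
            echo "\`\`\`";
            terraform show -no-color tfplan;
            echo "\`\`\`";
          } > "${GITHUB_STEP_SUMMARY}"
      # Hand the reviewed plan to the apply job so apply cannot act on a
      # different diff than the one shown in the summary. Only manual
      # dispatches can reach apply, so only they upload. Plan files can carry
      # sensitive values, so the artifact is kept short-lived. The path is
      # relative to the workspace: defaults.run.working-directory does not
      # apply to `uses:` steps.
      - name: Upload plan
        if: ${{ github.event_name == 'workflow_dispatch' }}
        uses: actions/upload-artifact@v4
        with:
          name: tfplan
          path: bootstrap/tfplan
          if-no-files-found: error
          retention-days: 1

  apply:
    if: ${{ github.event.inputs.apply_plan == 'yes' }}
    needs: plan
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Authenticating
        uses: google-github-actions/[email protected]
        with:
          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.SEED_SA_EMAIL_ADDRESS }}
      - name: Setting up GCP environment
        uses: google-github-actions/[email protected]
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
      - name: Init
        run: terraform init -backend-config="bucket=${{ secrets.TERRAFORM_STATE_BUCKET }}"
      # Fetched after checkout so the clean-up checkout performs does not
      # remove it; lands in ./bootstrap where the run steps execute.
      - name: Download plan
        uses: actions/download-artifact@v4
        with:
          name: tfplan
          path: bootstrap
      # Applying the saved plan makes Terraform refuse to proceed if the
      # state drifted since the plan was taken, instead of silently
      # computing and applying a new, unreviewed plan.
      - name: Apply
        run: terraform apply -auto-approve tfplan
      - name: Show Terraform Output as Summary
        run: |
          {
            echo "### Terraform Output";
            echo "\`\`\`";
            terraform output;
            echo "\`\`\`";
          } > "${GITHUB_STEP_SUMMARY}"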