Merge pull request #8720 from ministryofjustice/feat/plan-summary-as-…

…comment New PR and Branch for test
ministryofjustice · Dec 17, 2024 · 44bb11d · 44bb11d
2 parents d206d94 + 52e707b
commit 44bb11d
Show file tree

Hide file tree

Showing 15 changed files with 64 additions and 20 deletions.
diff --git a/.github/workflows/core-logging-deployment.yml b/.github/workflows/core-logging-deployment.yml
@@ -27,7 +27,7 @@ on:
 permissions:
   id-token: write # This is required for requesting the JWT
   contents: read # This is required for actions/checkout
-
+  pull-requests: write
 defaults:
   run:
     shell: bash

diff --git a/.github/workflows/core-network-services-deployment.yml b/.github/workflows/core-network-services-deployment.yml
@@ -28,7 +28,7 @@ on:
 permissions:
   id-token: write # This is required for requesting the JWT
   contents: read # This is required for actions/checkout
-
+  pull-requests: write
 defaults:
   run:
     shell: bash

diff --git a/.github/workflows/core-security-deployment.yml b/.github/workflows/core-security-deployment.yml
@@ -27,7 +27,7 @@ on:
 permissions:
   id-token: write # This is required for requesting the JWT
   contents: read # This is required for actions/checkout
-
+  pull-requests: write
 defaults:
   run:
     shell: bash

diff --git a/.github/workflows/core-shared-services-deployment.yml b/.github/workflows/core-shared-services-deployment.yml
@@ -33,7 +33,7 @@ on:
 permissions:
   id-token: write # This is required for requesting the JWT
   contents: read # This is required for actions/checkout
-
+  pull-requests: write
 defaults:
   run:
     shell: bash

diff --git a/.github/workflows/core-vpc-development-deployment.yml b/.github/workflows/core-vpc-development-deployment.yml
@@ -45,6 +45,7 @@ on:
 permissions:
   id-token: write # This is required for requesting the JWT
   contents: read # This is required for actions/checkout
+  pull-requests: write
 
 defaults:
   run:

diff --git a/.github/workflows/core-vpc-preproduction-deployment.yml b/.github/workflows/core-vpc-preproduction-deployment.yml
@@ -49,7 +49,7 @@ env:
 permissions:
   id-token: write # This is required for requesting the JWT
   contents: read # This is required for actions/checkout
-
+  pull-requests: write
 defaults:
   run:
     shell: bash

diff --git a/.github/workflows/core-vpc-production-deployment.yml b/.github/workflows/core-vpc-production-deployment.yml
@@ -45,7 +45,7 @@ on:
 permissions:
   id-token: write # This is required for requesting the JWT
   contents: read # This is required for actions/checkout
-
+  pull-requests: write
 defaults:
   run:
     shell: bash

diff --git a/.github/workflows/core-vpc-test-deployment.yml b/.github/workflows/core-vpc-test-deployment.yml
@@ -43,7 +43,7 @@ on:
 permissions:
   id-token: write # This is required for requesting the JWT
   contents: read # This is required for actions/checkout
-
+  pull-requests: write
 defaults:
   run:
     shell: bash

diff --git a/.github/workflows/modernisation-platform-account.yml b/.github/workflows/modernisation-platform-account.yml
@@ -29,12 +29,13 @@ defaults:
 permissions:
   id-token: write # This is required for requesting the JWT
   contents: read # This is required for actions/checkout
-
+  pull-requests: write
 jobs:
   modernisation-platform-account-plan-and-apply:
     uses: ./.github/workflows/reusable_terraform_plan_apply.yml
     with:
       working-directory: "terraform/modernisation-platform-account"
+      workflow_id: "modernisation-platform-account"
     secrets:
       modernisation_platform_environments: ${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }}
       SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
diff --git a/.github/workflows/reusable_terraform_plan_apply.yml b/.github/workflows/reusable_terraform_plan_apply.yml
@@ -20,6 +20,10 @@ on:
         required: false
         description: "The terraform version to use"
         default: "~1"
+      workflow_id:   # This is the unique ID of the calling workflow
+        description: 'Unique ID for the calling workflow'
+        required: false
+        type: string
     secrets:
       modernisation_platform_environments:
         required: true
@@ -108,9 +112,26 @@ jobs:
 
       - name: Run Terraform Plan
         if: github.event.ref != 'refs/heads/main'
+        id: show
         run: |
           bash scripts/terraform-plan.sh ${{ inputs.working-directory }}
 
+      - name: Post Comment
+        if: github.event.ref != 'refs/heads/main'
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const workflowId = "${{ env.WORKSPACE_NAME }}";
+            const identifier = workflowId ? `_${workflowId}_\n` : `_${{ inputs.workflow_id }}_\n`;
+            const summary = `\`${{ steps.show.outputs.summary }}\``;
+            const issue_number = context.payload.pull_request.number;
+            await github.rest.issues.createComment({
+              ...context.repo,
+              issue_number,
+              body: `### Terraform Plan Summary\n${identifier}${summary}`
+            });
+
       - name: terraform apply
         if: github.event.ref == 'refs/heads/main'
         run: bash scripts/terraform-apply.sh ${{ inputs.working-directory }}

diff --git a/.github/workflows/terraform-github.yml b/.github/workflows/terraform-github.yml
@@ -33,12 +33,13 @@ defaults:
 permissions:
   id-token: write # This is required for requesting the JWT
   contents: read # This is required for actions/checkout
-
+  pull-requests: write
 jobs:
   github-plan-and-apply:
     uses: ./.github/workflows/reusable_terraform_plan_apply.yml
     with:
       working-directory: "terraform/github"
+      workflow_id: "github"
     secrets:
       modernisation_platform_environments: ${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }}
       gh_workflow_token: ${{ secrets.TERRAFORM_GITHUB_TOKEN }}

diff --git a/.github/workflows/terraform-pagerduty.yml b/.github/workflows/terraform-pagerduty.yml
@@ -23,7 +23,7 @@ on:
 permissions:
   id-token: write # This is required for requesting the JWT
   contents: read # This is required for actions/checkout
-
+  pull-requests: write
 defaults:
   run:
     shell: bash
@@ -33,6 +33,7 @@ jobs:
     uses: ./.github/workflows/reusable_terraform_plan_apply.yml
     with:
       working-directory: "terraform/pagerduty"
+      workflow_id: "pagerduty"
     secrets:
       modernisation_platform_environments: ${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }}
       pagerduty_token: ${{ secrets.PAGERDUTY_TOKEN }}

diff --git a/.github/workflows/terraform-single-sign-on.yml b/.github/workflows/terraform-single-sign-on.yml
@@ -27,12 +27,13 @@ defaults:
 permissions:
   id-token: write # This is required for requesting the JWT
   contents: read # This is required for actions/checkout
-
+  pull-requests: write
 jobs:
   single-sign-on-plan-and-apply:
     uses: ./.github/workflows/reusable_terraform_plan_apply.yml
     with:
       working-directory: "terraform/single-sign-on"
+      workflow_id: "single-sign-on"
     secrets:
       modernisation_platform_environments: ${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }}
       SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
diff --git a/scripts/redact-output.sh b/scripts/redact-output.sh
@@ -2,10 +2,11 @@
 
 # Based on: https://github.com/ministryofjustice/opg-org-infra/blob/main/scripts/redact_output.sh
 
-sed -e 's/AWS_SECRET_ACCESS_KEY".*/<REDACTED>/g' \
-    -e 's/AWS_ACCESS_KEY_ID".*/<REDACTED>/g' \
-    -e 's/$AWS_SECRET_ACCESS_KEY".*/<REDACTED>/g' \
-    -e 's/$AWS_ACCESS_KEY_ID".*/<REDACTED>/g' \
-    -e 's/\[id=.*\]/\[id=<REDACTED>\]/g' \
-    -e 's/::[0-9]\{12\}:/::REDACTED:/g' \
-    -e 's/:[0-9]\{12\}:/:REDACTED:/g'
+sed -u -E \
+    -e "s/AWS_SECRET_ACCESS_KEY=.*/AWS_SECRET_ACCESS_KEY=<REDACTED>/g" \
+    -e "s/AWS_ACCESS_KEY_ID=.*/AWS_ACCESS_KEY_ID=<REDACTED>/g" \
+    -e "s/\$(AWS_SECRET_ACCESS_KEY)=.*/\$(AWS_SECRET_ACCESS_KEY)=<REDACTED>/g" \
+    -e "s/\$(AWS_ACCESS_KEY_ID)=.*/\$(AWS_ACCESS_KEY_ID)=<REDACTED>/g" \
+    -e "s/\[id=[^]]*\]/\[id=<REDACTED>]/g" \
+    -e "s/::[0-9]{12}:/::REDACTED:/g" \
+    -e "s/:[0-9]{12}:/:REDACTED:/g"
diff --git a/scripts/terraform-plan.sh b/scripts/terraform-plan.sh
@@ -18,9 +18,26 @@ if [ -z "$1" ]; then
   exit 1
 fi
 
+plan_output=""
+plan_summary=""
+
 if [ ! -z "$2" ]; then
   options="$2"
-  terraform -chdir="$1" plan -input=false -no-color $options | ./scripts/redact-output.sh
+  plan_output=$(terraform -chdir="$1" plan -input=false -no-color "$options" | ./scripts/redact-output.sh)  # Capture full output
+else
+  plan_output=$(terraform -chdir="$1" plan -input=false -no-color | ./scripts/redact-output.sh) # Capture full output
+fi
+
+
+plan_summary=$(echo "$plan_output" | grep -E 'Plan:|No changes. Your infrastructure matches the configuration.')  # Extract summary from full output
+
+
+if tty -s; then
+    echo "$plan_output" | tee /dev/tty    # Output full redacted plan to terminal if available
 else
-  terraform -chdir="$1" plan -input=false -no-color | ./scripts/redact-output.sh
+    echo "$plan_output"                   # Output full redacted plan to stdout (GitHub Actions logs)
 fi
+
+echo "summary<<EOF" >> $GITHUB_OUTPUT
+echo "$plan_summary" >> $GITHUB_OUTPUT
+echo "EOF" >> $GITHUB_OUTPUT