Fix policy (#13) #95
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Terraform CI - Integration | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| - 'rc-*' | |
| jobs: | |
| tf_integration: | |
| name: 'Terraform integration (on tf ${{ matrix.terraform_version }})' | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| terraform_version: [ '~1.4.0', '~1.5.0', '~1.6.0', '~1.7.0', 'latest' ] # haven't seen < 1.4 in the wild, so limit for sanity | |
| permissions: | |
| contents: 'read' | |
| id-token: 'write' | |
| env: | |
| CI_SA_EMAIL: [email protected] | |
| GCP_IDENTITY_POOL: 'projects/432357880585/locations/global/workloadIdentityPools/github-actions/providers/github' | |
| EXAMPLE_TENANT_SA_EMAIL: [email protected] | |
| EXAMPLE_TENANT_SA_ID: '104184075060961394622' | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| AWS_REGION: 'us-west-2' | |
| AWS_ACCOUNT_ID: '626567183302' | |
| steps: | |
| - name: Get timestamp | |
| id: timestamp | |
| run: | | |
| echo "timestamp=$(date +%Y%m%d'T'%H%M%S)" >> $GITHUB_ENV | |
| - name: Check out code | |
| uses: actions/checkout@v4 | |
| - name: 'setup Terraform' | |
| uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: ${{ matrix.terraform_version }} | |
| terraform_wrapper: false | |
| - id: 'auth-gcp' | |
| name: 'Authenticate to Google Cloud' | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| workload_identity_provider: ${{ env.GCP_IDENTITY_POOL }} | |
| service_account: ${{ env.CI_SA_EMAIL }} | |
| # see : https://github.com/aws-actions/configure-aws-credentials | |
| - name: configure aws credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: arn:aws:iam::626567183302:role/gh_action_ci_agent | |
| role-session-name: github_ci | |
| aws-region: ${{ env.AWS_REGION }} | |
| - name: 'Terraform - integration test examples/basic apply' | |
| id: terraform_apply | |
| working-directory: examples/basic | |
| run: | | |
| RESOURCE_PREFIX=$(echo -n "${{ matrix.terraform_version }}_${{ env.timestamp}}" | sha1sum | cut -c1-12) | |
| terraform init | |
| terraform apply -auto-approve \ | |
| -var="aws_account_id=${{ env.AWS_ACCOUNT_ID }}" \ | |
| -var="resource_name_prefix=ci_tf_aws_${RESOURCE_PREFIX}" \ | |
| -var="worklytics_tenant_id=${{ env.EXAMPLE_TENANT_SA_ID }}" | |
| echo "worklytics_export_bucket_id=$(terraform output -raw worklytics_export_bucket_id)" >> $GITHUB_OUTPUT | |
| echo "worklytics_tenant_aws_role_arn=$(terraform output -raw worklytics_tenant_aws_role_arn)" >> $GITHUB_OUTPUT | |
| - name: 'Terraform - integration test examples/basic s3 write' | |
| run: | | |
| ./test/rsync.sh ${{ env.EXAMPLE_TENANT_SA_EMAIL }} ${{ steps.terraform_apply.outputs.worklytics_export_bucket_id }} ${{ steps.terraform_apply.outputs.worklytics_tenant_aws_role_arn }} | |
| - name: 'Terraform - integration test examples/basic terraform destroy' | |
| if: always() # try to force this to ALWAYS happen, no matter if previous stuff failed | |
| working-directory: examples/basic | |
| run: | | |
| aws s3 rm s3://${{ steps.terraform_apply.outputs.worklytics_export_bucket_id }} --recursive | |
| terraform destroy -auto-approve \ | |
| -var="aws_account_id=${{ env.AWS_ACCOUNT_ID }}" \ | |
| -var="worklytics_tenant_id=${{ env.EXAMPLE_TENANT_SA_ID }}" \ | |
| -var="resource_name_prefix=tf_aws_w8s_export_ci_${{ env.timestamp}}" |