Skip to content
Terraform Plan

Add Service Account User role to Github Actions service account #589

Sign in to view logs

Add Service Account User role to Github Actions service account

Add Service Account User role to Github Actions service account #589

Workflow file for this run

.github/workflows/terraform-plan.yml at d10fb27
name: Terraform Plan
on:
pull_request:
paths:
- 'iac/**'
env:
SERVICE_ACCOUNT: 'github-actions-terraform@cal-itp-data-infra.iam.gserviceaccount.com'
WORKLOAD_IDENTITY_PROVIDER: 'projects/1005246706141/locations/global/workloadIdentityPools/github-actions/providers/data-infra'
PROJECT_ID: 'cal-itp-data-infra'
STAGING_SERVICE_ACCOUNT: 'github-actions-terraform@cal-itp-data-infra-staging.iam.gserviceaccount.com'
STAGING_WORKLOAD_IDENTITY_PROVIDER: 'projects/473674835135/locations/global/workloadIdentityPools/github-actions/providers/data-infra'
STAGING_PROJECT_ID: 'cal-itp-data-infra-staging'
jobs:
targets:
name: Find targets
runs-on: ubuntu-latest
outputs:
staging: ${{ steps.staging-changes.outputs.all_changed_files }}
production: ${{ steps.production-changes.outputs.all_changed_files }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Staging Changes
uses: tj-actions/changed-files@v46
id: staging-changes
with:
matrix: true
dir_names: true
files: 'iac/cal-itp-data-infra-staging/**/*.tf'
- name: Production Changes
uses: tj-actions/changed-files@v46
id: production-changes
with:
matrix: true
dir_names: true
files: 'iac/cal-itp-data-infra/**/*.tf'
staging:
name: Staging
needs: [targets]
if: ${{ needs.targets.outputs.staging != '[]' && needs.targets.outputs.staging != '' }}
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
pull-requests: write
strategy:
fail-fast: false
matrix:
path: ${{ fromJson(needs.targets.outputs.staging) }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Authenticate Google Service Account
uses: google-github-actions/auth@v2
with:
create_credentials_file: true
project_id: ${{ env.STAGING_PROJECT_ID }}
workload_identity_provider: ${{ env.STAGING_WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ env.STAGING_SERVICE_ACCOUNT }}
- name: Setup GCloud utilities
uses: google-github-actions/setup-gcloud@v2
- name: Terraform Formatting
uses: dflook/terraform-fmt-check@v1
with:
path: ${{ matrix.path }}
- name: Terraform Validation
uses: dflook/terraform-validate@v1
with:
path: ${{ matrix.path }}
- name: Terraform Plan
uses: dflook/terraform-plan@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
add_github_comment: changes-only
path: ${{ matrix.path }}
production:
name: Production
needs: [targets]
if: ${{ needs.targets.outputs.production != '[]' && needs.targets.outputs.production != '' }}
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
pull-requests: write
strategy:
fail-fast: false
matrix:
path: ${{ fromJson(needs.targets.outputs.production) }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Authenticate Google Service Account
uses: google-github-actions/auth@v2
with:
create_credentials_file: true
project_id: ${{ env.PROJECT_ID }}
workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ env.SERVICE_ACCOUNT }}
- name: Setup GCloud utilities
uses: google-github-actions/setup-gcloud@v2
- name: Terraform Format Check
uses: dflook/terraform-fmt-check@v1
with:
path: ${{ matrix.path }}
- name: Terraform Validate
uses: dflook/terraform-validate@v1
with:
path: ${{ matrix.path }}
- name: Terraform Plan
uses: dflook/terraform-plan@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
add_github_comment: changes-only
path: ${{ matrix.path }}